Summary
Users are immediately signed out and see AADSTS7000215 (Invalid client secret).
Cause: the Entra/Azure AD app registration client secret was rotated, deleted, or expired while Braintrust still had the old secret.
Fix: update Braintrust with the new client secret (or switch to a federated credential) and verify sign‑in.
What is happening
When Azure AD rejects the token request because the app secret is invalid, the SSO token exchange fails. All users for that tenant can be blocked from signing in until the app registration’s active client secret matches the secret stored by Braintrust.
Azure returns AADSTS7000215 and provides diagnostic metadata (timestamp, tenant ID, client ID, trace and correlation IDs) useful for troubleshooting.
Fix or suggestion
Option 1: Update the client secret (most common fix)
- Confirm an Entra/Azure AD admin rotated, deleted, or allowed the client secret to expire.
- In the Entra portal, create a new client secret for the Braintrust/Clerk app registration. Copy the secret value immediately; the portal shows it only once, after which only the secret ID is visible.
- Collect these diagnostics and share them securely with Braintrust support:
  - Tenant ID and Client ID (application ID).
  - Timestamp of a failing attempt.
  - Azure trace ID and correlation ID from the AAD error (if visible).
  - A HAR file of the failed sign‑in request (optional but helpful).
- Deliver the new client secret to Braintrust using a secure vault or one‑time share link (do not post the secret in ticket text or chat).
- Ask Braintrust to update the stored secret.
- Wait for Braintrust to confirm the secret was updated, then test sign‑in.
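The diagnostics listed above all come from the failed token request itself. The following script is an added example (not Braintrust's or Microsoft's code) that pulls them out of the JSON error body returned by the login.microsoftonline.com token endpoint; the tenant ID is taken from the token URL, since it is not in the body. The sample response and all GUIDs are constructed placeholders, and the helper names are assumptions. The output contains no secret material, which is the point: these fields are safe to paste into a ticket, the secret itself is not.

```python
"""Extract AADSTS7000215 diagnostics (tenant, client, timestamp, trace and
correlation IDs) from a failed token-endpoint response for a support ticket.

Added example, not code from Braintrust or Microsoft. Assumes the error body
is the JSON that login.microsoftonline.com returns for a rejected token
request (error, error_description, error_codes, timestamp, trace_id,
correlation_id) and that the request went to the tenant-scoped token URL.
"""
import json
import re
from urllib.parse import urlparse

AADSTS_INVALID_CLIENT_SECRET = 7000215

# Constructed sample of a failed authorization_code/client_credentials exchange.
SAMPLE_TOKEN_URL = (
    "https://login.microsoftonline.com/"
    "33333333-3333-3333-3333-333333333333/oauth2/v2.0/token"
)
SAMPLE_ERROR_BODY = json.dumps({
    "error": "invalid_client",
    "error_description": (
        "AADSTS7000215: Invalid client secret provided. Ensure the secret "
        "being sent in the request is the client secret value, not the "
        "client secret ID, for a secret added to app "
        "'aaaaaaaa-0000-0000-0000-000000000001'.\r\n"
        "Trace ID: 11111111-1111-1111-1111-111111111111\r\n"
        "Correlation ID: 22222222-2222-2222-2222-222222222222\r\n"
        "Timestamp: 2024-05-01 12:34:56Z"
    ),
    "error_codes": [7000215],
    "timestamp": "2024-05-01 12:34:56Z",
    "trace_id": "11111111-1111-1111-1111-111111111111",
    "correlation_id": "22222222-2222-2222-2222-222222222222",
    "error_uri": "https://login.microsoftonline.com/error?code=7000215",
})


def is_invalid_client_secret(raw_body: str) -> bool:
    """True if the response is the AADSTS7000215 (invalid client secret) error."""
    body = json.loads(raw_body)
    codes = body.get("error_codes") or []
    return (AADSTS_INVALID_CLIENT_SECRET in codes
            or "AADSTS7000215" in body.get("error_description", ""))


def tenant_from_token_url(token_url: str) -> str:
    """The first path segment of the tenant-scoped token endpoint is the tenant."""
    segments = [s for s in urlparse(token_url).path.split("/") if s]
    if not segments:
        raise ValueError("token URL has no tenant segment")
    return segments[0]


def extract_diagnostics(token_url: str, raw_body: str) -> dict:
    """Return the non-secret fields support asks for, or raise if this is a
    different error (so it is not misfiled as a secret-rotation incident)."""
    if not is_invalid_client_secret(raw_body):
        raise ValueError("response is not an AADSTS7000215 error")
    body = json.loads(raw_body)
    desc = body.get("error_description", "")
    # The application (client) ID is quoted inside the description text.
    match = re.search(r"app '([0-9a-fA-F-]{36})'", desc)
    return {
        "error_code": "AADSTS7000215",
        "tenant_id": tenant_from_token_url(token_url),
        "client_id": match.group(1) if match else None,
        "timestamp": body.get("timestamp"),
        "trace_id": body.get("trace_id"),
        "correlation_id": body.get("correlation_id"),
    }


def ticket_text(diag: dict) -> str:
    """One line per field, ready to paste into a support ticket."""
    return "\n".join(f"{k}: {v}" for k, v in diag.items())


if __name__ == "__main__":
    print(ticket_text(extract_diagnostics(SAMPLE_TOKEN_URL, SAMPLE_ERROR_BODY)))
```

Run it against a real failure by replacing the two sample constants with the token URL and response body from the HAR file (or the browser's network tab). Responses with a different error code are rejected rather than summarized, so an unrelated sign-in failure is not reported as a rotation incident.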
Option 2: Use federated credentials / workload identity (prevents secret rotation outages)
- Decide to replace long‑lived client secrets with a federated credential (Azure AD workload identity) for the app registration.
- Create a federated credential on the app registration with the correct audience and subject rules for Braintrust.
- Coordinate with Braintrust support to configure the application to use the federated credential.
- Remove or disable long‑lived client secrets after successful validation.
How to confirm it worked
- Sign in via your org SSO and confirm you are not returned to the AADSTS7000215 error.
- Verify multiple org users can sign in. Optionally, confirm the HAR shows a successful token exchange.
Notes
- Never share client secrets in ticket text or public chat. Use an approved secure vault or one‑time share link.
- Consider scheduling secret rotations and notifying Braintrust in advance to avoid org‑wide lockouts.
- For Microsoft guidance on AADSTS7000215 and app credentials, refer to Microsoft’s Azure AD documentation.
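To schedule rotations before they become outages, an expiry check over the app registration's client secrets is enough. The script below is an added example (not Braintrust's or Microsoft's code); it assumes a list of password credentials in the shape Microsoft Graph returns for an application's passwordCredentials (keyId, displayName, startDateTime, endDateTime as ISO 8601 UTC). The credentials and the reference time are constructed, and the function names are assumptions.

```python
"""Report which Entra app-registration client secrets are expired, expiring
within a warning window, or still valid, and whether any usable secret is left.

Added example, not Braintrust's or Microsoft's code. Assumes the Graph
passwordCredentials shape (keyId, displayName, startDateTime, endDateTime);
the sample credentials and reference time below are constructed.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: one expired secret, one expiring soon, one fresh one.
SAMPLE_CREDENTIALS = [
    {"keyId": "key-1", "displayName": "braintrust-sso (old)",
     "startDateTime": "2023-04-01T00:00:00Z", "endDateTime": "2024-04-01T00:00:00Z"},
    {"keyId": "key-2", "displayName": "braintrust-sso (current)",
     "startDateTime": "2024-03-15T00:00:00Z", "endDateTime": "2024-05-20T00:00:00Z"},
    {"keyId": "key-3", "displayName": "braintrust-sso (next)",
     "startDateTime": "2024-04-20T00:00:00Z", "endDateTime": "2025-04-20T00:00:00Z"},
]
# Constructed "now" so the report is reproducible.
SAMPLE_NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)


def parse_graph_time(ts: str) -> datetime:
    """Graph emits a trailing 'Z'; normalise it so fromisoformat accepts it on
    every Python 3 version."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def credential_status(cred: dict, now: datetime, warn_days: int = 30) -> str:
    """'expired', 'expiring' (ends within warn_days) or 'valid'."""
    start = parse_graph_time(cred["startDateTime"])
    end = parse_graph_time(cred["endDateTime"])
    if end <= now or start > now:
        return "expired" if end <= now else "not-yet-valid"
    if end - now <= timedelta(days=warn_days):
        return "expiring"
    return "valid"


def rotation_report(creds: list, now: datetime, warn_days: int = 30) -> list:
    """(displayName, status, days until expiry) for every credential."""
    return [
        (c["displayName"],
         credential_status(c, now, warn_days),
         (parse_graph_time(c["endDateTime"]) - now).days)
        for c in creds
    ]


def has_usable_secret(creds: list, now: datetime) -> bool:
    """False means no secret is inside its validity window, so no token
    request can succeed no matter which value Braintrust holds."""
    return any(credential_status(c, now) in ("valid", "expiring") for c in creds)


def secrets_to_rotate(creds: list, now: datetime, warn_days: int = 30) -> list:
    """Credentials that should be replaced (and Braintrust notified) now."""
    return [c["keyId"] for c in creds
            if credential_status(c, now, warn_days) in ("expired", "expiring")]


if __name__ == "__main__":
    for name, status, days in rotation_report(SAMPLE_CREDENTIALS, SAMPLE_NOW):
        print(f"{name:28} {status:10} {days:5d} days")
    print("usable secret present:", has_usable_secret(SAMPLE_CREDENTIALS, SAMPLE_NOW))
```

Feed it the live list (for example the passwordCredentials array from a Graph application query) on a schedule; anything reported as expiring is the cue to create the replacement secret, hand it to Braintrust through the secure channel described above, and only then delete the old one, so the tenant never reaches the state where no stored secret is valid.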