Critical severity, authentication

Power BI Refresh Error: AADSTS70002

What does this error mean?

AADSTS70002 means Microsoft Entra ID (Azure AD) rejected the credentials provided during token acquisition, typically because the client secret or password supplied by the application is incorrect or expired. This error blocks Power BI Embedded authentication flows.

Common causes

  • The client secret configured in the embedded application has expired and a new one has not been generated and deployed
  • The client_secret or password value passed in the token request does not match what is registered in Microsoft Entra ID
  • The application is using an old or rotated secret that was replaced in the Azure portal but not updated in the app configuration
  • A copy-paste or encoding error introduced invalid characters into the secret value during configuration

How to fix it

  1. Navigate to the Azure portal > Microsoft Entra ID > App Registrations, select your Power BI app, and open Certificates & Secrets to review the expiry dates of all client secrets
  2. If the current secret is expired or unknown, generate a new client secret and immediately note the value (it is only shown once)
  3. Update the new secret value in every location where it is stored: application config files, Key Vault references, environment variables, and CI/CD pipelines
  4. Redeploy or restart the embedded application so it picks up the updated credentials and retry the token acquisition flow
  5. Set a calendar reminder or automated alert for secret expiry 30–60 days before the new secret expires to prevent recurrence
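
One way to automate the expiry alert from the last step, as an added example that is not part of the original page: the check below reads app registrations in the shape Microsoft Graph returns for `GET /applications?$select=appId,displayName,passwordCredentials` and reports secrets that are expired or inside the warning window. The function names, the sample apps and the 60-day default are assumptions made for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample (not real tenants or key IDs), shaped like a Graph response to
# GET /applications?$select=appId,displayName,passwordCredentials
SAMPLE = json.loads("""
{"value": [
  {"appId": "00000000-0000-0000-0000-000000000001",
   "displayName": "pbi-embedded-prod (constructed)",
   "passwordCredentials": [
     {"keyId": "aaaaaaaa-0000-0000-0000-000000000001", "endDateTime": "2024-01-10T00:00:00Z"},
     {"keyId": "aaaaaaaa-0000-0000-0000-000000000002", "endDateTime": "2024-03-01T08:30:00.1234567Z"}
   ]},
  {"appId": "00000000-0000-0000-0000-000000000002",
   "displayName": "pbi-embedded-dev (constructed)",
   "passwordCredentials": [
     {"keyId": "bbbbbbbb-0000-0000-0000-000000000001", "endDateTime": "2025-06-01T00:00:00Z"}
   ]}
]}
""")

def parse_graph_time(value):
    """Parse a UTC timestamp; fractions longer than 6 digits are trimmed."""
    body = value.rstrip("Z")
    if "." in body:
        head, frac = body.split(".", 1)
        body = f"{head}.{frac[:6].ljust(6, '0')}"
    return datetime.fromisoformat(body).replace(tzinfo=timezone.utc)

def secret_expiry_findings(apps, now, warn_days=60):
    """Return (status, app name, keyId, days left) for expired or soon-to-expire secrets."""
    findings = []
    for app in apps.get("value", []):
        for cred in app.get("passwordCredentials") or []:
            days_left = (parse_graph_time(cred["endDateTime"]) - now).days
            if days_left < 0:
                status = "EXPIRED"      # token requests using this secret will be rejected
            elif days_left <= warn_days:
                status = "EXPIRING"     # rotate and redeploy before this date
            else:
                continue
            findings.append((status, app["displayName"], cred["keyId"], days_left))
    return sorted(findings, key=lambda f: f[3])  # most urgent first

if __name__ == "__main__":
    for finding in secret_expiry_findings(SAMPLE, datetime.now(timezone.utc)):
        print(*finding)
```

The report identifies secrets by `keyId` only, so it can be sent to a ticket queue or chat channel without exposing any credential material.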

Frequently asked questions

How often do Azure App Registration client secrets expire?

Client secrets can be configured with expiry of 6 months, 12 months, 24 months, or a custom date. Many organizations use 12-month secrets by default. Microsoft Entra ID sends no automatic notification when a secret is about to expire, so proactive monitoring or alerts are essential.

Is AADSTS70002 the same as AADSTS50053 — what is the difference?

No. AADSTS70002 indicates invalid credentials (wrong or expired secret/password), while AADSTS50053 indicates the account is locked out due to too many failed sign-in attempts. Both block authentication but require different remediation paths.
