Troubleshoot service principal authentication

This article provides guidance on dealing with issues encountered when authenticating Azure SDK for Java applications via service principal, through various TokenCredential implementations. For more information, see Azure authentication with service principal.

Troubleshoot ClientSecretCredential

When you use ClientSecretCredential, you can optionally try/catch for ClientAuthenticationException. The following table shows the errors that this exception indicates, and methods of mitigation:

Error code Issue Mitigation
AADSTS7000215 An invalid client secret was provided. Ensure that the clientSecret provided when constructing the credential is valid. If unsure, create a new client secret using the Azure portal. For more information, see the Create a new application secret section of Create a Microsoft Entra application and service principal that can access resources.
AADSTS7000222 An expired client secret was provided. Create a new client secret using the Azure portal. For more information, see the Create a new application secret section of Create a Microsoft Entra application and service principal that can access resources.
AADSTS700016 The specified application wasn't found in the specified tenant. Ensure the specified clientId and tenantId are correct for your application registration. For multi-tenant apps, ensure that a tenant admin has added the application to the desired tenant. For more information, see Create a Microsoft Entra application and service principal that can access resources.

Troubleshoot ClientCertificateCredential

When you use ClientCertificateCredential, you can optionally try/catch for ClientAuthenticationException. The following table shows the errors that this exception indicates, and methods of mitigation:

Error code Description Mitigation
AADSTS700027 Client assertion contains an invalid signature. Ensure that you've uploaded the specified certificate to the Microsoft Entra application registration. For more information, see the Upload a trusted certificate issued by a certificate authority section of Create a Microsoft Entra application and service principal that can access resources.
AADSTS700016 The specified application wasn't found in the specified tenant. Ensure that the specified clientId and tenantId are correct for your application registration. For multi-tenant apps, ensure that a tenant admin has added the application to the desired tenant. For more information, see Create a Microsoft Entra application and service principal that can access resources.

Troubleshoot ClientAssertionCredential

When you use ClientAssertionCredential, you can optionally try/catch for ClientAuthenticationException. The following table shows the errors that this exception indicates, and methods of mitigation:

Error code Description Mitigation
AADSTS700021 The client assertion application identifier doesn't match the client_id parameter. Ensure that the JWT assertion created has the correct values specified for the sub and issuer value of the payload. Both of these fields should be equal to clientId. For the client assertion format, see Microsoft identity platform application authentication certificate credentials.
AADSTS700023 The client assertion audience claim doesn't match the Realm issuer. Ensure that the audience aud field in the JWT assertion created has the correct value for the audience specified in the payload. Set this field to https://login.microsoftonline.com/{tenantId}/v2.
AADSTS50027 JWT token is invalid or malformed. Ensure that the JWT assertion token is in the valid format. For more information, see Microsoft identity platform application authentication certificate credentials.

Next steps

If the troubleshooting guidance in this article doesn't help to resolve issues when you use the Azure SDK for Java client libraries, we recommended that you file an issue in the Azure SDK for Java GitHub repository.