Knowledgebase
Office 365 user synchronization fails suddenly (The provided client secret keys are expired / Invalid client secret is provided)
Posted by Philip Schaffrath on 21 Aug 2020 16:00


Symptom/Problem:

During user synchronization, one of the following error messages appears:
Requesting Microsoft Graph API token failed: AADSTS70002: Error validating credentials. AADSTS50012: Invalid client secret is provided.
OR
Die Anforderung eines Microsoft Graph API-Tokens ist fehlgeschlagen: AADSTS7000222: The provided client secret keys are expired.


Root Cause:

A "Service Principal" is required to synchronize users from the Office 365 Azure Active Directory with MailStore.
If the password of the "Service Principal" has expired, the error message mentioned above appears.


Solution:

Use the "Get-MsolServicePrincipalCredential" PowerShell command to check whether the password of the "Service Principal" has expired:
https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolserviceprincipalcredential

Use the name of the "Service Principal" that is configured in MailStore to check the password.

Example:


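# Sign in to the tenant first
Connect-MsolService

# List the credentials of the service principal; compare EndDate with the current date
Get-MsolServicePrincipalCredential -ReturnKeyValues $true -ServicePrincipalName "MailStoreSP"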
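
To notice an expiring password before synchronization fails, the EndDate of each credential can be compared with the current date. This is an added example, not part of the original article or of MailStore's own tooling; the function name Get-CredentialExpiryStatus, the 30-day threshold and the sample objects are assumptions, and it assumes the objects returned by the cmdlet expose KeyId and EndDate.

```powershell
# Added example: classify service principal credentials by remaining lifetime.
function Get-CredentialExpiryStatus {
    [CmdletBinding()]
    param(
        # Objects with KeyId and EndDate properties, as returned by
        # Get-MsolServicePrincipalCredential.
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Credential,

        # Hypothetical threshold: warn this many days before expiry.
        [int]$WarnDays = 30,

        [datetime]$Now = (Get-Date)
    )
    process {
        $daysLeft = $null
        if ($null -eq $Credential.EndDate) {
            # Without an EndDate the state cannot be judged; report it instead of guessing.
            $status = 'Unknown'
        } else {
            $daysLeft = [math]::Floor((([datetime]$Credential.EndDate) - $Now).TotalDays)
            if ($daysLeft -lt 0) { $status = 'Expired' }
            elseif ($daysLeft -le $WarnDays) { $status = 'ExpiringSoon' }
            else { $status = 'Valid' }
        }
        [pscustomobject]@{
            KeyId    = $Credential.KeyId
            EndDate  = $Credential.EndDate
            DaysLeft = $daysLeft
            Status   = $status
        }
    }
}

# Constructed sample input (not real tenant data) so the function runs offline.
$now = Get-Date
$sample = @(
    [pscustomobject]@{ KeyId = [guid]::NewGuid(); EndDate = $now.AddDays(-3) }
    [pscustomobject]@{ KeyId = [guid]::NewGuid(); EndDate = $now.AddDays(12) }
    [pscustomobject]@{ KeyId = [guid]::NewGuid(); EndDate = $now.AddDays(200) }
)
$sample | Get-CredentialExpiryStatus -Now $now | Format-Table -AutoSize

# Against the tenant (after Connect-MsolService); the key value is not needed to read EndDate:
# Get-MsolServicePrincipalCredential -ServicePrincipalName "MailStoreSP" -ReturnKeyValues $false |
#     Get-CredentialExpiryStatus
```

Run on a schedule, the status column gives advance notice of the expiry that causes the AADSTS7000222 error shown above.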



You can use the "New-MsolServicePrincipalCredential" PowerShell command to create a new password for the current "Service Principal":
https://docs.microsoft.com/en-us/powershell/module/msonline/new-msolserviceprincipalcredential

Replace the value 'Pa$$w0rd' with your own password.

Example:


Connect-MsolService

# Creates a new password credential that is valid for one year from now
New-MsolServicePrincipalCredential -ServicePrincipalName "MailStoreSP" -Type Password -Value 'Pa$$w0rd' -StartDate (Get-Date) -EndDate (Get-Date).AddYears(1)


Important Note:

On September 20th, 2019, Microsoft announced that support for Basic Authentication for Exchange Online APIs will end in the future. This affects any MailStore Server version prior to 13, which will therefore no longer be able to authenticate users against Microsoft 365 when they try to log in to MailStore Server.

MailStore Server 13 introduced support for modern authentication methods via OAuth 2.0 & OpenID Connect, as recommended by Microsoft. Therefore, please refer to the chapter "Synchronizing User Accounts with Microsoft 365 (Modern Authentication)".


Article-ID: KB20171123-0-EN (German version)
