
Microsoft Graph Data Connect for SharePoint Blog

Error: The provided client secret keys are expired

Jose_Barreto
Nov 26, 2024

If you have been using Microsoft Graph Data Connect for a while, you might have configured a recurring pipeline that has been running for several months. In that case, you might run into this error:

Operation on target task_name failed:
ErrorCode=UserErrorOffice365SinkValidationError,
'Type=Microsoft.DataTransfer.Common.Shared.HybridDeliveryException,
Message=Office365 data loading job failed to validate the sink data store.
Possible causes are the name of the data store or its folder path is invalid,
or the provided credentials do not have enough permission to access the folder.
Detailed error: ADLS Gen2 operation failed for: Failed to get access token by using service principal.
Error: invalid_client, Error Message: A configuration issue is preventing authentication –
check the error message from the server for details.
You can modify the configuration in the application registration portal.
See https://aka.ms/msal-net-invalid-client for details. 
Original exception: AADSTS7000222:
The provided client secret keys for app 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' are expired.
Visit the Azure portal to create new keys for your app: https://aka.ms/NewClientSecret,
or consider using certificate credentials for added security: https://aka.ms/certCreds.
Trace ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Correlation ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Timestamp: 2024-11-26 18:35:23Z.
Account: 'account_name'.
FileSystem: 'container_name'.
Path: 'folder_name'.,
Source=Microsoft.DataTransfer.ClientLibrary,'

 

The main error is really "The provided client secret keys for app 'x' are expired."
The solution is simple. Go back to Azure Entra ID to configure a new secret for the App Registration. You can follow the instructions at step 1b in our Synapse step-by-step instructions to add a new secret. 

 

 

Finally, be sure to add the new secret to the linked services of the pipeline. You need to update both the source (Source/MGDC) and the destination (Sink/Storage).

 

 

You can avoid this issue completely by keeping track of the secret expiration date and creating a new secret (and updating the pipeline) ahead of time. An App Registration can hold multiple secrets at once, which allows this rotation to be done proactively.
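One way to keep track of the expiration dates, as an added example that is not code from the original post: the script below classifies the secrets of an App Registration as expired, expiring soon, or healthy, and reports whether a rotation is due. It assumes the credentials are supplied in the shape of the `passwordCredentials` property that Microsoft Graph returns for an application; the display names, key IDs, dates and the 30-day warning window are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: the passwordCredentials array of an App Registration,
# in the shape Microsoft Graph returns it (names, IDs and dates are placeholders).
SAMPLE_CREDENTIALS = [
    {"displayName": "mgdc-old", "keyId": "00000000-0000-0000-0000-000000000001",
     "endDateTime": "2024-11-20T00:00:00Z"},
    {"displayName": "mgdc-current", "keyId": "00000000-0000-0000-0000-000000000002",
     "endDateTime": "2024-12-15T00:00:00.0000000Z"},
    {"displayName": "mgdc-next", "keyId": "00000000-0000-0000-0000-000000000003",
     "endDateTime": "2025-11-20T00:00:00Z"},
]


def parse_utc(value):
    """Parse a 'Z'-suffixed ISO 8601 timestamp, tolerating 7-digit fractions."""
    value = value.rstrip("Z")
    if "." in value:
        head, frac = value.split(".", 1)
        value = f"{head}.{frac[:6].ljust(6, '0')}"  # datetime keeps microseconds only
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def classify_secrets(credentials, now, warn_days=30):
    """Return (expired, expiring, healthy) lists of secret display names."""
    expired, expiring, healthy = [], [], []
    for cred in credentials:
        end = parse_utc(cred["endDateTime"])
        name = cred.get("displayName") or cred["keyId"]
        if end <= now:
            expired.append(name)       # would fail with AADSTS7000222 if still in use
        elif end - now <= timedelta(days=warn_days):
            expiring.append(name)      # rotate and update the pipeline now
        else:
            healthy.append(name)
    return expired, expiring, healthy


def rotation_needed(credentials, now, warn_days=30):
    """True when no secret remains valid beyond the warning window."""
    _, _, healthy = classify_secrets(credentials, now, warn_days)
    return not healthy


if __name__ == "__main__":
    print(classify_secrets(SAMPLE_CREDENTIALS, datetime.now(timezone.utc)))
```

A secret reported as healthy only exists on the App Registration; the pipeline keeps using whichever secret was entered in its linked services, so an expired or expiring entry still means checking both the source and the sink.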

Updated Nov 27, 2024
Version 6.0