Sunday, July 13, 2025

Azure AD App registration - Service Principal "client secret" invalid client secret error

Lately, while working with the application team to rotate the expiring secret of one of the in-use Azure AD service principals, the team created and provided a new client secret; however, the application team encountered an error like "invalid client secret...." with that new secret.

Initially we thought the application team must be making some mistake during the secret update at the application end; however, before pointing to that, we decided to test the same at our end using az login, and to my surprise we also got a similar invalid client secret error.

At this point we realized that we need to give the newly created secret some time so the changes get propagated before we can use it (however, most of the time it works instantly). By this time 15 - 20 minutes had already passed, so we tested it again with the second secret but still encountered the same error; however, when we used the initially created secret, the login was successful. Later the application team also confirmed this.

Later I checked further on this but couldn't find any official documentation, so the bottom line here is that at times we might be required to wait for some time before we can use a newly created service principal client secret.
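
One way to check for this during a rotation, as an added example (not code from the original post): the function retries az login with the new secret in a separate CLI profile and reports whether it is accepted, still rejected as an invalid client secret, or failing for another reason. The function name, retry count and delay are assumptions; the az login flags and AZURE_CONFIG_DIR are the Azure CLI's own.

```shell
#!/bin/sh
# Added example, not from the original post.
# wait_for_secret APP_ID TENANT_ID SECRET [MAX_TRIES] [DELAY_SECONDS]
#   0 = new secret accepted, safe to hand over to the application team
#   1 = still "invalid client secret" after MAX_TRIES (not usable yet, or the
#       wrong value was copied); keep the old secret in place
#   2 = a different error (tenant, network, ...); retrying will not help
wait_for_secret() {
    wfs_app=$1; wfs_tenant=$2; wfs_secret=$3
    wfs_max=${4:-10}; wfs_delay=${5:-120}   # assumed defaults, about 18 minutes
    # Separate CLI profile so the test login does not replace the operator's session.
    wfs_cfg=$(mktemp -d) || return 2
    wfs_try=1; wfs_rc=1
    while [ "$wfs_try" -le "$wfs_max" ]; do
        if wfs_err=$(AZURE_CONFIG_DIR="$wfs_cfg" az login --service-principal \
                --username "$wfs_app" --password "$wfs_secret" \
                --tenant "$wfs_tenant" --allow-no-subscriptions \
                --output none 2>&1); then
            echo "attempt $wfs_try: new secret accepted" >&2
            wfs_rc=0; break
        fi
        # Only the error described in the post is worth waiting on.
        case $(printf '%s' "$wfs_err" | tr '[:upper:]' '[:lower:]') in
            *"invalid client secret"*)
                echo "attempt $wfs_try/$wfs_max: invalid client secret" >&2 ;;
            *)
                echo "attempt $wfs_try: unexpected error: $wfs_err" >&2
                wfs_rc=2; break ;;
        esac
        wfs_try=$((wfs_try + 1))
        if [ "$wfs_try" -le "$wfs_max" ]; then sleep "$wfs_delay"; fi
    done
    rm -rf "$wfs_cfg"   # drop the cached token of the test login
    return "$wfs_rc"
}
```

The secret is passed on the command line here, so run it on a host where other users cannot read the process list, and remove the old secret only after the function returns 0.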

In case you are wondering about the difference between an App registration and a Service principal, I would recommend taking a look here: Application and service principal objects in Microsoft Entra ID.

Hope this will help, thanks.