
ad app credential reset not allowed


Describe the bug: az ad app credential reset --append on not newly created apps with existing keys results in the error “Update to existing credential with KeyId ‘XXXXXXX-XXXXX-XXX-XXXX-03b6b0c4f7bf’ is not allowed.” Key creation for impacted apps works through the portal, just not the CLI. Can’t reproduce for newly created apps.

To Reproduce: az ad app credential reset --append --id <app-id> --append --credential-description "test", where the app is not newly created and has existing keys.

Expected behavior: New key is successfully appended without error.

Environment summary: azure-cli 2.0.62

acr 2.2.4 acs 2.3.21 advisor 2.0.0 ams 0.4.4 appservice 0.2.17 backup 1.2.3 batch 4.0.0 batchai 0.4.8 billing 0.2.1 botservice 0.1.10 cdn 0.2.2 cloud 2.1.1 cognitiveservices 0.2.5 command-modules-nspkg 2.0.2 configure 2.0.21 consumption 0.4.2 container 0.3.16 core 2.0.62 cosmosdb 0.2.9 dla 0.2.5 dls 0.1.8 dms 0.1.3 eventgrid 0.2.2 eventhubs 0.3.4 extension 0.2.5 feedback 2.2.0 find 0.3.2 hdinsight 0.3.3 interactive 0.4.3 iot 0.3.7 iotcentral 0.1.6 keyvault 2.2.14 kusto 0.2.2 lab 0.1.6 maps 0.3.4 monitor 0.2.12 network 2.3.6 nspkg 3.0.3 policyinsights 0.1.2 privatedns 1.0.0 profile 2.1.5 rdbms 0.3.9 redis 0.4.2 relay 0.1.4 reservations 0.4.2 resource 2.1.13 role 2.5.0 search 0.1.1 security 0.1.1 servicebus 0.3.4 servicefabric 0.1.16 signalr 1.0.0 sql 2.2.1 sqlvm 0.1.1 storage 2.4.0 telemetry 1.0.2 vm 2.2.18

Additional context: The key descriptions are displayed normally in the dashboard, but when retrieving them from the CLI the “customKeyIdentifier” values show as “null” or just corrupted. Perhaps this additional issue is related to why append fails?

  {
    "additionalProperties": null,
    "customKeyIdentifier": null,
    "endDate": "2028-12-03T23:59:59+00:00",
    "keyId": "XXXXXXX-XXXXX-XXX-XXXX-03b6b0c4f7bf",
    "startDate": "2018-12-04T00:13:45.332911+00:00",
    "value": null
  },
  {
    "additionalProperties": null,
    "customKeyIdentifier": "牤癩ⵥ牰捯獥潳⵲数晲攭獵",
    "endDate": "2028-11-30T23:59:59+00:00",
    "keyId": "XXXXXXX-XXXXX-XXX-XXXX-22dc9e4ea9a8",
    "startDate": "2018-11-30T23:53:27.887027+00:00",
    "value": null
  },

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments: 6 (3 by maintainers)

Top GitHub Comments

1 reaction
Daniel-Ronson commented, Mar 9, 2021

Explicitly sending the Start Date from Az Powershell fixes the problem.
Thank you for the details.

1 reaction
jiasli commented, Mar 9, 2021

@Daniel-Ronson, the explanation is provided at https://github.com/Azure/azure-cli/issues/12561#issuecomment-606003675.

Azure PowerShell which uses .NET SDK created

"startDate":"2021-03-09T03:06:50.0271052Z"
                                       ^

This corrupted Python SDK.

> $AD_OBJECT_ID = "8a6472d5-59d2-476f-971a-b003d4cba1ee"
> $expiration_date = '{0:yyyy-MM-ddTHH:mmZ}' -f (Get-Date).AddYears(2)
> $Secure_Password = ConvertTo-SecureString "P@ssW0rD!" -AsPlainText
> New-AzADAppCredential -ObjectId $AD_OBJECT_ID -Password $Secure_Password -EndDate $expiration_date

StartDate          EndDate             KeyId                                Type
---------          -------             -----                                ----
2021-03-09 3:06:50 2023-03-09 19:03:00 a927d627-4f46-4574-932c-e6c00a25629f Password

> az ad app credential list --id 8a6472d5-59d2-476f-971a-b003d4cba1ee --debug
msrest.http_logger: {"odata.metadata":"https://graph.windows.net/54826b22-38d6-4fb2-bad9-b7b93a3e9c5a/$metadata#Collection(Microsoft.DirectoryServices.PasswordCredential)","value":[{"customKeyIdentifier":null,"endDate":"2023-03-09T11:03:00Z","keyId":"a927d627-4f46-4574-932c-e6c00a25629f","startDate":"2021-03-09T03:06:50.0271052Z","value":null}]}
[
  {
    "additionalProperties": null,
    "customKeyIdentifier": null,
    "endDate": "2023-03-09T11:03:00+00:00",
    "keyId": "a927d627-4f46-4574-932c-e6c00a25629f",
    "startDate": "2021-03-09T03:06:50.027105+00:00",
    "value": null
  }
]

If you have to use a mixture of Azure PowerShell and Azure CLI, please consider calling MS Graph application: addPassword API with az rest (https://github.com/Azure/azure-cli/issues/12561#issuecomment-605752672).
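
The precision loss shown in the comment above can be checked for before running a CLI credential update. The following is an added example, not part of the GitHub thread or the Azure CLI code base: it reads the raw Graph response from the --debug output and reports credentials whose timestamps carry more fractional digits than a Python datetime keeps. The function names are hypothetical, and dropping (rather than rounding) the extra digit is an assumption that matches the CLI output shown above.

```python
import json
import re
from datetime import datetime, timezone

# Raw Graph response from the --debug output above, trimmed to the "value" array.
RAW_RESPONSE = (
    '{"value":[{"customKeyIdentifier":null,"endDate":"2023-03-09T11:03:00Z",'
    '"keyId":"a927d627-4f46-4574-932c-e6c00a25629f",'
    '"startDate":"2021-03-09T03:06:50.0271052Z","value":null}]}'
)

_TS = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z$")


def _split(ts):
    """Split a Graph UTC timestamp into (seconds part, fractional digits)."""
    m = _TS.match(ts)
    if not m:
        raise ValueError(f"unexpected timestamp format: {ts!r}")
    return m.group(1), m.group(2) or ""


def roundtrip(ts):
    """Return ts as it looks after passing through a microsecond-precision datetime."""
    base, frac = _split(ts)
    # Assumption: digits past the sixth are dropped, as in the CLI output above.
    micro = int(frac[:6].ljust(6, "0")) if frac else 0
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    return dt.replace(microsecond=micro, tzinfo=timezone.utc).isoformat()


def lost_digits(ts):
    """Fractional digits that do not survive the round trip ('' if none)."""
    _, frac = _split(ts)
    return frac[6:].rstrip("0")  # trailing zeros carry no information


def at_risk_credentials(raw_json):
    """List (keyId, field, raw value, round-tripped value) for lossy timestamps."""
    findings = []
    for cred in json.loads(raw_json)["value"]:
        for field in ("startDate", "endDate"):
            ts = cred.get(field)
            if ts and lost_digits(ts):
                findings.append((cred["keyId"], field, ts, roundtrip(ts)))
    return findings


if __name__ == "__main__":
    for key_id, field, raw, parsed in at_risk_credentials(RAW_RESPONSE):
        print(f"{key_id} {field}: {raw} -> {parsed}")
```
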
