Tagging service principals with az ad sp update --id appID --add tags throws "Update to existing credential with KeyId 'keyID' is not allowed."
Describe the bug
@jiasli New issue here. Thanks for all the examples of utilizing az rest to call service principals. I'm fighting with a possible edge case now. In an attempt to categorize and programmatically rotate client secrets we're aiming to use Tags on service principal objects. For the most part, this works fine by running az commands like: az ad sp update --id appID --add tags "tags:value"
Before I got to this point I ran into the nanosecond/microsecond Azure Portal bug with az cli and I am getting similar behavior when trying to update tags on a service principal using the above command. The client secrets were set using the “old” method, outlined below:
# Create the service principal for the existing app registration (legacy AzureRm module)
$servicePrincipal = New-AzureRmADServicePrincipal -ApplicationId $spn.ApplicationId
# Unwrap the auto-generated secret from its SecureString so it can be reused
$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($servicePrincipal.Secret)
$spnPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)
# Zero and free the unmanaged BSTR copy of the secret
[System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($BSTR)
# Re-wrap the plain-text secret and register it as a password credential on the application
$SecureStringPassword = ConvertTo-SecureString -String $spnPassword -AsPlainText -Force
New-AzureRmADAppCredential -ApplicationId $spn.ApplicationId -Password $SecureStringPassword
When trying to tag service principals created this way I am finding the generic error: az : Update to existing credential with KeyId 'keyID' is not allowed.
Do you have any working examples of updating tags with the az rest method? I can't seem to get the payload correct. az rest -m PATCH -u https://graph.microsoft.com/v1.0/servicePrincipals/objID --headers "Content-Type=application/json" -b '{"tags":"tag:value"}'
Any help is appreciated, thanks!
To Reproduce
Trying to apply a tag on service principal objects which contain "un-supported" client secrets throws the below error: az : Update to existing credential with KeyId 'keyID' is not allowed.
Expected behavior
Tags are set on the service principal successfully when I use the az ad sp tag command against service principals created with the below method:
# Create the service principal for the app registration (Az module)
$servicePrincipal = New-AzADServicePrincipal -ApplicationId $appRegistration.ApplicationId
# Reuse the Az token cache to obtain an Azure AD Graph token for the AzureAD module
$azContext = Get-AzContext
$cache = $azContext.TokenCache
$cacheItems = $cache.ReadItems()
$azureADToken = ($cacheItems | Where-Object { $_.Resource -eq "https://graph.windows.net/" })
Connect-AzureAD -AadAccessToken $azureADToken.AccessToken -AccountId $azContext.Account.Id -TenantId $azContext.Tenant.Id
# Add a password credential to the application that expires in 16 months
$endDate = (Get-Date).AddMonths(16)
$spnPassword = New-AzureADApplicationPasswordCredential -ObjectId $appRegistration.ObjectId -EndDate $endDate
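The issue asks for a working az rest payload for updating tags. The following is an added example, not code from the issue or from the Azure CLI project: in Microsoft Graph the servicePrincipal tags property is a string collection, so the PATCH body has to carry a JSON array rather than a bare string, and because PATCH replaces the whole collection the script first reads the existing tags and merges them in. It assumes a logged-in az session with permission to update the service principal; the object id and tag values are placeholders you pass on the command line.

```shell
#!/usr/bin/env sh
# Added example: tag a service principal through Microsoft Graph with az rest.
# Not from the original issue; assumes `az login` has been run with sufficient rights.

# Escape a value for embedding inside a JSON string literal.
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Build the PATCH body {"tags":[...]} from the tag values given as arguments.
# Duplicates are dropped so a re-run does not grow the collection.
# (Tag values containing '|' are not supported by this simple de-duplication.)
build_tags_body() {
  body='{"tags":['
  seen=""
  sep=""
  for tag in "$@"; do
    case "|$seen|" in *"|$tag|"*) continue ;; esac
    seen="${seen:+$seen|}$tag"
    body="$body$sep\"$(json_escape "$tag")\""
    sep=","
  done
  printf '%s]}' "$body"
}

# Read the current tags of a service principal, one per line.
current_tags() {
  az rest --method GET \
    --url "https://graph.microsoft.com/v1.0/servicePrincipals/$1?\$select=tags" \
    --query 'tags' -o tsv
}

# Merge the new tags into the existing set and PATCH the service principal.
# Graph answers 204 No Content on success, so az rest prints nothing.
tag_service_principal() {
  sp_object_id="$1"; shift
  existing=$(current_tags "$sp_object_id")
  old_ifs=$IFS; IFS='
'
  # shellcheck disable=SC2086
  set -- $existing "$@"
  IFS=$old_ifs
  az rest --method PATCH \
    --url "https://graph.microsoft.com/v1.0/servicePrincipals/$sp_object_id" \
    --headers 'Content-Type=application/json' \
    --body "$(build_tags_body "$@")"
}

# Usage: ./tag-sp.sh <servicePrincipalObjectId> <tag> [<tag> ...]
# e.g.   ./tag-sp.sh 00000000-0000-0000-0000-000000000000 "rotate:quarterly"
if [ "$#" -ge 2 ]; then
  tag_service_principal "$@"
fi
```

The GET before the PATCH is the part most people skip: sending `{"tags":["new"]}` alone silently removes any tag another process (or the portal) already set on the object.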
Issue Analytics
- Created 3 years ago
- Comments: 8 (4 by maintainers)
Top GitHub Comments
@SjoerdV, as az ad sp list is working as expected, I think this is a service issue. Could you create a support ticket to the AAD team instead? Thanks for understanding.

I did notice that the tags were present after running az ad sp list:

But they were not in the Manifest page of the app in the Azure Portal: https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/~/Manifest/appId/00000000-0000-0000-0000-000000000000/isMSAApp~/false