
az ad sp credential list --id xxxxx-xxxx-xxx customKeyIdentifier value is null #10234

Closed
paulpuvi06 opened this issue Aug 14, 2019 · 9 comments
@paulpuvi06

az feedback auto-generates most of the information requested below, as of CLI version 2.0.62

Describe the bug
Credential property customKeyIdentifier value is null for the secrets created using new improved app registration UI.

To Reproduce
- Add a client secret using the new UI.
- Execute az ad sp credential list --id xxxxx-xxxx-xxx

Expected behavior
It should return the "description" of the secrets, which works for the secrets created using the old UI.

Environment summary
az --version
azure-cli 2.0.69 *

OS version
sw_vers
ProductName: Mac OS X
ProductVersion: 10.14.5
BuildVersion: 18F132

Additional context
Add any other context about the problem here.

@jiasli jiasli self-assigned this Aug 14, 2019
@jiasli jiasli added the Graph az ad label Aug 14, 2019
@jiasli
Member

jiasli commented Aug 14, 2019

I can reproduce. This doesn't seem like a CLI issue. When adding keys in Azure Portal using new UI, the corresponding items created in manifest have passwordCredentials.displayName. Meanwhile the public AAD REST only has PasswordCredential.customKeyIdentifier: https://github.com/Azure/azure-rest-api-specs/blob/ad6d5f6467aaab8cda44ceaa2863f84359c1e022/specification/graphrbac/data-plane/Microsoft.GraphRbac/stable/1.6/graphrbac.json#L2785.
@lmazuel @yugangw-msft @amarzavery

@paulpuvi06
Author

@jiasli 👍, is there a plan to update to get the value of 'customKeyIdentifier' for the secrets created through portal?

@jiasli
Member

jiasli commented Aug 14, 2019

Thank you for the feedback. We will work with REST specs team to fix this issue as soon as possible.

@paulpuvi06
Author

@jiasli did you get an update from the REST specs team?

@haroldrandom haroldrandom added the Graph az ad label Oct 25, 2019
@jkewley

jkewley commented Jan 6, 2020

Pinging this.

It looks like the graph API now returns displayName and a hint for a passwordCredential in the portal using https://graph.windows.net/myorganization/applicationsByAppId/<appId>?api-version=2.0 whereas az ad app list and az ad sp credential --id xxx return a subset of the credential properties. Would be nice to have access to hint, displayName, and createdOn properties for administrative tooling.

Portal: [screenshot of the portal credential list, not reproduced]

CLI: [screenshot of the CLI output, not reproduced]

@yonzhan yonzhan added this to the S165 milestone Jan 7, 2020
@jiasli
Member

jiasli commented Jan 22, 2020

The API you used is AD Graph API v2.0 which contains those fields. Without the REST spec for 2.0, we can't generate the Python SDK and build the CLI commands accordingly. We are still working with AAD team on this issue. Thanks for your patience.

Meanwhile, you may directly use az rest with Microsoft Graph API to get unblocked.

Using List applications, replacing {appId} with the application ID:

# The $ is escaped so the shell does not expand $filter as a variable.
az rest --method get \
        --uri "https://graph.microsoft.com/v1.0/applications?\$filter=appId eq '{appId}'"

Using Get application, replacing {objectId} with the object ID of the application:

az rest --method get \
        --uri https://graph.microsoft.com/v1.0/applications/{objectId}

Then you may use --query to query on the result and --output to configure the output format:

>az rest --method get \
         --uri https://graph.microsoft.com/v1.0/applications/{objectId} \
         --query "passwordCredentials[].displayName" \
         --output tsv
key2
key1

@yonzhan yonzhan modified the milestones: S165, S167 Feb 15, 2020
@yonzhan yonzhan modified the milestones: S167, S169 Mar 21, 2020
@jiasli
Member

jiasli commented Apr 10, 2020

We will track MS Graph issues at #12946

@ernani

ernani commented Jun 2, 2020

> The API you used is AD Graph API v2.0 which contains those fields. Without the REST spec for 2.0, we can't generate the Python SDK and build the CLI commands accordingly. We are still working with AAD team on this issue. Thanks for your patience.
>
> Meanwhile, you may directly use az rest with Microsoft Graph API to get unblocked.
>
> Using List applications, replacing {appId} with the application ID:
>
> # The $ is escaped so the shell does not expand $filter as a variable.
> az rest --method get \
>         --uri "https://graph.microsoft.com/v1.0/applications?\$filter=appId eq '{appId}'"
>
> Using Get application, replacing {objectId} with the object ID of the application:
>
> az rest --method get \
>         --uri https://graph.microsoft.com/v1.0/applications/{objectId}
>
> Then you may use --query to query on the result and --output to configure the output format:
>
> >az rest --method get \
>          --uri https://graph.microsoft.com/v1.0/applications/{objectId} \
>          --query "passwordCredentials[].displayName" \
>          --output tsv
> key2
> key1

This is not working for me, it returns an empty value. I am trying to get the password for an SP tied to this app...

This is because the following command:

az ad sp credential reset \
  --name myappid \
  --credential-description "my-rand-app-sp-pwd" \
  --query password -o tsv

Fails with the following error:

When present, application key identifier cannot be empty and can be at most 32 bytes.
Parameter name: applicationKeyIdentifierValue

$ az version
{
  "azure-cli": "2.6.0",
  "azure-cli-command-modules-nspkg": "2.0.3",
  "azure-cli-core": "2.6.0",
  "azure-cli-nspkg": "3.0.4",
  "azure-cli-telemetry": "1.0.4",
  "extensions": {
    "aro": "1.0.0",
    "azure-firewall": "0.3.1",
    "interactive": "0.4.4",
    "spring-cloud": "0.2.3"
  }
}

@jiasli
Member

jiasli commented Jun 3, 2020

Hi @ernani,

Root cause and solution

As the error suggests,

When present, application key identifier cannot be empty and can be at most 32 bytes.
Parameter name: applicationKeyIdentifierValue

The --credential-description "my-rand-app-sp-pwd" you are using is too long. It will be encoded as "customKeyIdentifier": "//5tAHkALQByAGEAbgBkAC0AYQBwAHAALQBzAHAALQBwAHcAZAA=". Please shorten it and try again.

az ad sp credential reset is actually patching the application's credential

As you can see from the source code, az ad sp credential reset is actually patching the application's credential, instead of the service principal's:

client.applications.patch(app.object_id, app_patch_param)

We have an ongoing PR #11466 discussing this issue.

Using Microsoft Graph API

According to Microsoft Graph API passwordCredential resource type, customKeyIdentifier is deprecated.

We don't recommend using this legacy command az ad sp credential reset anymore. Please use Microsoft Graph API servicePrincipal: addPassword instead:

$ id="{service principal object ID}"
$ az rest -m POST -u https://graph.microsoft.com/v1.0/servicePrincipals/$id/addPassword -b '{
   "passwordCredential": {
     "displayName": "behold-my-very-long-password-description"
   }
 }'
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#microsoft.graph.passwordCredential",
  "customKeyIdentifier": null,
  "displayName": "behold-my-very-long-password-description",
  "endDateTime": "2022-06-03T02:30:42.0816985Z",
  "hint": null,
  "keyId": "592e77f1-10d6-49a5-9a2b-d9a79840bf68",
  "secretText": "LGO_9xxxxxxxxxxxxxxxxxxxx",
  "startDateTime": "2020-06-03T02:30:42.0816985Z"
}
