Unable to append password credential to ServicePrincipal #12561

Closed
x10an14 opened this issue Mar 12, 2020 · 12 comments

x10an14 commented Mar 12, 2020

This is autogenerated. Please review and update as needed.

Describe the bug

Unable to append a new password credential to a Service Principal (read: az ad app Azure Application).

Command Name
az ad sp credential reset

Errors:

Update to existing credential with KeyId 'b88fbf58-8ff1-420d-b0b2-640bfd5262b9' is not allowed.

To Reproduce:

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.

  • Put any pre-requisite steps here...
  • az ad sp credential reset --append --name 1fabc626-4309-49e4-bb47-ec9e67251a4a --debug --query "password" -o tsv

Hopefully scrubbed-for-sensitive-details debug output

[2020-03-12 09:49:09] 2 x10an14@x10-desktop:~
-> $ az ad sp credential reset --append --name 1fabc626-4309-49e4-bb47-ec9e67251a4a --debug
Command arguments: ['ad', 'sp', 'credential', 'reset', '--append', '--name', '1fabc626-4309-49e4-bb47-ec9e67251a4a', '--debug']
Event: Cli.PreExecute []
Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x7f1c16787d08>, <function OutputProducer.on_global_arguments at 0x7f1c166c8ae8>, <function CLIQuery.on_global_arguments at 0x7f1c166f2b70>]
Event: CommandInvoker.OnPreCommandTableCreate []
Installed command modules ['acr', 'acs', 'advisor', 'ams', 'apim', 'appconfig', 'appservice', 'backup', 'batch', 'batchai', 'billing', 'botservice', 'cdn', 'cloud', 'cognitiveservices', 'configure', 'consumption', 'container', 'cosmosdb', 'deploymentmanager', 'dla', 'dls', 'dms', 'eventgrid', 'eventhubs', 'extension', 'feedback', 'find', 'hdinsight', 'interactive', 'iot', 'iotcentral', 'keyvault', 'kusto', 'lab', 'managedservices', 'maps', 'monitor', 'natgateway', 'netappfiles', 'network', 'policyinsights', 'privatedns', 'profile', 'rdbms', 'redis', 'relay', 'reservations', 'resource', 'role', 'search', 'security', 'servicebus', 'servicefabric', 'signalr', 'sql', 'sqlvm', 'storage', 'vm']
Loaded module 'acr' in 0.004 seconds.
Loaded module 'acs' in 0.015 seconds.
Loaded module 'advisor' in 0.001 seconds.
Event: CommandLoader.OnLoadCommandTable []
Loaded module 'ams' in 0.004 seconds.
Loaded module 'apim' in 0.001 seconds.
Loaded module 'appconfig' in 0.002 seconds.
Loaded module 'appservice' in 0.008 seconds.
Loaded module 'backup' in 0.003 seconds.
Event: CommandLoader.OnLoadCommandTable []
Loaded module 'batch' in 0.007 seconds.
Loaded module 'batchai' in 0.002 seconds.
Loaded module 'billing' in 0.001 seconds.
Loaded module 'botservice' in 0.003 seconds.
Event: CommandLoader.OnLoadCommandTable []
Loaded module 'cdn' in 0.028 seconds.
Loaded module 'cloud' in 0.001 seconds.
Loaded module 'cognitiveservices' in 0.001 seconds.
Loaded module 'configure' in 0.001 seconds.
Loaded module 'consumption' in 0.001 seconds.
Loaded module 'container' in 0.001 seconds.
Loaded module 'cosmosdb' in 0.005 seconds.
Loaded module 'deploymentmanager' in 0.002 seconds.
Loaded module 'dla' in 0.003 seconds.
Loaded module 'dls' in 0.003 seconds.
Loaded module 'dms' in 0.001 seconds.
Loaded module 'eventgrid' in 0.002 seconds.
Loaded module 'eventhubs' in 0.002 seconds.
Loaded module 'extension' in 0.001 seconds.
Loaded module 'feedback' in 0.000 seconds.
Loaded module 'find' in 0.001 seconds.
Loaded module 'hdinsight' in 0.001 seconds.
Loaded module 'interactive' in 0.000 seconds.
Loaded module 'iot' in 0.003 seconds.
Loaded module 'iotcentral' in 0.001 seconds.
Loaded module 'keyvault' in 0.004 seconds.
Loaded module 'kusto' in 0.001 seconds.
Loaded module 'lab' in 0.003 seconds.
Loaded module 'managedservices' in 0.001 seconds.
Loaded module 'maps' in 0.001 seconds.
Loaded module 'monitor' in 0.004 seconds.
Loaded module 'natgateway' in 0.001 seconds.
Event: CommandLoader.OnLoadCommandTable []
Loaded module 'netappfiles' in 0.002 seconds.
Loaded module 'network' in 0.025 seconds.
Loaded module 'policyinsights' in 0.001 seconds.
Loaded module 'privatedns' in 0.004 seconds.
Loaded module 'profile' in 0.001 seconds.
Loaded module 'rdbms' in 0.005 seconds.
Loaded module 'redis' in 0.001 seconds.
Loaded module 'relay' in 0.002 seconds.
Loaded module 'reservations' in 0.001 seconds.
Loaded module 'resource' in 0.007 seconds.
Loaded module 'role' in 0.003 seconds.
Loaded module 'search' in 0.001 seconds.
Loaded module 'security' in 0.002 seconds.
Loaded module 'servicebus' in 0.004 seconds.
Loaded module 'servicefabric' in 0.002 seconds.
Loaded module 'signalr' in 0.001 seconds.
Loaded module 'sql' in 0.006 seconds.
Loaded module 'sqlvm' in 0.002 seconds.
Event: CommandLoader.OnLoadCommandTable []
Loaded module 'storage' in 0.024 seconds.
Loaded module 'vm' in 0.012 seconds.
Loaded all modules in 0.227 seconds. (note: there's always an overhead with the first module loaded)
Extensions directory: '/home/x10an14/.azure/cliextensions'
Found 1 extensions: ['azure-devops']
Extensions directory: '/home/x10an14/.azure/cliextensions'
Extension compatibility result: is_compatible=True cli_core_version=2.2.0 min_required=2.0.69 max_required=None
Extensions directory: '/home/x10an14/.azure/cliextensions'
Loaded extension 'azure-devops' in 0.040 seconds.
Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x7f1c165457b8>]
az_command_data_logger : command args: ad sp credential reset --append --name {} --debug
metadata file logging enabled - writing logs to '/home/x10an14/.azure/commands'.
Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x7f1c164e0620>]
Event: CommandInvoker.OnPostArgumentLoad []
Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x7f1c1649d488>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x7f1c1649d620>]
Event: CommandInvoker.OnCommandTableLoaded []
Event: CommandInvoker.OnPreParseArgs [<function _documentdb_deprecate at 0x7f1c149f86a8>]
Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x7f1c166c8b70>, <function CLIQuery.handle_query_parameter at 0x7f1c166f2bf8>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x7f1c1649d510>, <function handler at 0x7f1c148c6ea0>, <function DevCommandsLoader.post_parse_args at 0x7f1c140569d8>]
msrest.universal_http.requests : Configuring retry: max_retries=4, backoff_factor=0.8, max_backoff=90
msrest.async_paging : Paging async iterator protocol is not available for ServicePrincipalPaged
attempting to read file /home/x10an14/.azure/accessTokens.json as utf-8-sig
adal-python : 4e7ef18b-b1fa-4a11-a8c8-1f1f0fda6364 - Authority:Performing instance discovery: ...
adal-python : 4e7ef18b-b1fa-4a11-a8c8-1f1f0fda6364 - Authority:Performing static instance discovery
adal-python : 4e7ef18b-b1fa-4a11-a8c8-1f1f0fda6364 - Authority:Authority validated via static instance discovery
adal-python : 4e7ef18b-b1fa-4a11-a8c8-1f1f0fda6364 - TokenRequest:Getting token from cache with refresh if necessary.
adal-python : 4e7ef18b-b1fa-4a11-a8c8-1f1f0fda6364 - CacheDriver:finding with query keys: {'_clientId': '...', 'userId': '...'}
adal-python : 4e7ef18b-b1fa-4a11-a8c8-1f1f0fda6364 - CacheDriver:Looking for potential cache entries: {'_clientId': '...', 'userId': '...'}
adal-python : 4e7ef18b-b1fa-4a11-a8c8-1f1f0fda6364 - CacheDriver:Found 4 potential entries.
adal-python : 4e7ef18b-b1fa-4a11-a8c8-1f1f0fda6364 - CacheDriver:Resource specific token found.
adal-python : 4e7ef18b-b1fa-4a11-a8c8-1f1f0fda6364 - CacheDriver:Returning token from cache lookup, AccessTokenId: b'UN2Hk7jmYh9TC+xiAHbsD80pScDhnlnf0MUaD8zW6VE=', RefreshTokenId: b'oklwner9DVnW+nura6s+MZaOEpN00CL4va/I9rxBhWk='
msrest.http_logger : Request URL: 'https://graph.windows.net/0abe8783-2c3e-4c42-9848-54e419bcdeb0/servicePrincipals?$filter=servicePrincipalNames%2Fany%28x%3Ax%20eq%20%271fabc626-4309-49e4-bb47-ec9e67251a4a%27%29%20or%20displayName%20eq%20%271fabc626-4309-49e4-bb47-ec9e67251a4a%27&api-version=1.6'
msrest.http_logger : Request method: 'GET'
msrest.http_logger : Request headers:
msrest.http_logger :     'Accept': 'application/json'
msrest.http_logger :     'accept-language': 'en-US'
msrest.http_logger :     'User-Agent': 'python/3.6.5 (Linux-4.19.0-8-amd64-x86_64-with-debian-10.3) msrest/0.6.9 msrest_azure/0.6.2 azure-graphrbac/0.60.0 Azure-SDK-For-Python AZURECLI/2.2.0'
msrest.http_logger : Request body:
msrest.http_logger : None
msrest.universal_http : Configuring redirects: allow=True, max=30
msrest.universal_http : Configuring request: timeout=100, verify=True, cert=None
msrest.universal_http : Configuring proxies: ''
msrest.universal_http : Evaluate proxies against ENV settings: True
urllib3.connectionpool : Starting new HTTPS connection (1): graph.windows.net:443
urllib3.connectionpool : https://graph.windows.net:443 "GET /0abe8783-2c3e-4c42-9848-54e419bcdeb0/servicePrincipals?$filter=servicePrincipalNames%2Fany%28x%3Ax%20eq%20%271fabc626-4309-49e4-bb47-ec9e67251a4a%27%29%20or%20displayName%20eq%20%271fabc626-4309-49e4-bb47-ec9e67251a4a%27&api-version=1.6 HTTP/1.1" 200 1994
msrest.http_logger : Response status: 200
msrest.http_logger : Response headers:
msrest.http_logger :     'Cache-Control': 'no-cache'
msrest.http_logger :     'Pragma': 'no-cache'
msrest.http_logger :     'Content-Type': 'application/json; odata=minimalmetadata; streaming=true; charset=utf-8'
msrest.http_logger :     'Expires': '-1'
msrest.http_logger :     'ocp-aad-diagnostics-server-name': 'pwUyLrBoMK4kKT+CnK+HcDKa4J1N9UtKfqpLQxbd1cE='
msrest.http_logger :     'request-id': 'f0a3c38a-98c1-4e6e-a0f5-231081b013a4'
msrest.http_logger :     'client-request-id': '5e375005-643e-11ea-ae94-7085c2836702'
msrest.http_logger :     'x-ms-dirapi-data-contract-version': '1.6'
msrest.http_logger :     'ocp-aad-session-key': '<redacted>'
msrest.http_logger :     'DataServiceVersion': '3.0;'
msrest.http_logger :     'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
msrest.http_logger :     'Access-Control-Allow-Origin': '*'
msrest.http_logger :     'X-AspNet-Version': '4.0.30319'
msrest.http_logger :     'X-Powered-By': 'ASP.NET'
msrest.http_logger :     'Duration': '1075524'
msrest.http_logger :     'Date': 'Thu, 12 Mar 2020 08:49:22 GMT'
msrest.http_logger :     'Content-Length': '1994'
msrest.http_logger : Response content:
msrest.http_logger : {"odata.metadata":"https://graph.windows.net/0abe8783-2c3e-4c42-9848-54e419bcdeb0/$metadata#directoryObjects","value":[{"odata.type":"Microsoft.DirectoryServices.ServicePrincipal","objectType":"ServicePrincipal","objectId":"a9f94626-e169-496b-b6ea-ad1129e0a832","deletionTimestamp":null,"accountEnabled":true,"addIns":[],"alternativeNames":[],"appDisplayName":"bertelosteen-Gemini-15ea10b3-c25a-4569-b4c2-46054c6f5227","appId":"1fabc626-4309-49e4-bb47-ec9e67251a4a","applicationTemplateId":null,"appOwnerTenantId":"0abe8783-2c3e-4c42-9848-54e419bcdeb0","appRoleAssignmentRequired":false,"appRoles":[],"displayName":"bertelosteen-Gemini-15ea10b3-c25a-4569-b4c2-46054c6f5227","errorUrl":null,"homepage":"https://VisualStudio/SPN","informationalUrls":{"termsOfService":null,"support":null,"privacy":null,"marketing":null},"keyCredentials":[],"logoutUrl":null,"notificationEmailAddresses":[],"oauth2Permissions":[{"adminConsentDescription":"Allow the application to access bertelosteen-Gemini-15ea10b3-c25a-4569-b4c2-46054c6f5227 on behalf of the signed-in user.","adminConsentDisplayName":"Access bertelosteen-Gemini-15ea10b3-c25a-4569-b4c2-46054c6f5227","id":"8dd4ee58-2794-4006-9a1a-6c1dbbdf4367","isEnabled":true,"type":"User","userConsentDescription":"Allow the application to access bertelosteen-Gemini-15ea10b3-c25a-4569-b4c2-46054c6f5227 on your behalf.","userConsentDisplayName":"Access bertelosteen-Gemini-15ea10b3-c25a-4569-b4c2-46054c6f5227","value":"user_impersonation"}],"passwordCredentials":[],"preferredSingleSignOnMode":null,"preferredTokenSigningKeyEndDateTime":null,"preferredTokenSigningKeyThumbprint":null,"publisherName":"Bertel O. 
Steen AS","replyUrls":["https://VisualStudio/SPN"],"samlMetadataUrl":null,"samlSingleSignOnSettings":null,"servicePrincipalNames":["https://VisualStudio/SPNdf7ee2e3-0c63-42c4-9024-4ba35f23d78a","1fabc626-4309-49e4-bb47-ec9e67251a4a"],"servicePrincipalType":"Application","signInAudience":"AzureADMyOrg","tags":[],"tokenEncryptionKeyId":null}]}
msrest.async_paging : Paging async iterator protocol is not available for ApplicationPaged
adal-python : 6ae3e197-ddc4-46bf-9d97-13c885f49853 - Authority:Performing instance discovery: ...
adal-python : 6ae3e197-ddc4-46bf-9d97-13c885f49853 - Authority:Performing static instance discovery
adal-python : 6ae3e197-ddc4-46bf-9d97-13c885f49853 - Authority:Authority validated via static instance discovery
adal-python : 6ae3e197-ddc4-46bf-9d97-13c885f49853 - TokenRequest:Getting token from cache with refresh if necessary.
adal-python : 6ae3e197-ddc4-46bf-9d97-13c885f49853 - CacheDriver:finding with query keys: {'_clientId': '...', 'userId': '...'}
adal-python : 6ae3e197-ddc4-46bf-9d97-13c885f49853 - CacheDriver:Looking for potential cache entries: {'_clientId': '...', 'userId': '...'}
adal-python : 6ae3e197-ddc4-46bf-9d97-13c885f49853 - CacheDriver:Found 4 potential entries.
adal-python : 6ae3e197-ddc4-46bf-9d97-13c885f49853 - CacheDriver:Resource specific token found.
adal-python : 6ae3e197-ddc4-46bf-9d97-13c885f49853 - CacheDriver:Returning token from cache lookup, AccessTokenId: b'UN2Hk7jmYh9TC+xiAHbsD80pScDhnlnf0MUaD8zW6VE=', RefreshTokenId: b'oklwner9DVnW+nura6s+MZaOEpN00CL4va/I9rxBhWk='
msrest.http_logger : Request URL: 'https://graph.windows.net/0abe8783-2c3e-4c42-9848-54e419bcdeb0/applications?$filter=identifierUris%2Fany%28s%3As%20eq%20%271fabc626-4309-49e4-bb47-ec9e67251a4a%27%29&api-version=1.6'
msrest.http_logger : Request method: 'GET'
msrest.http_logger : Request headers:
msrest.http_logger :     'Accept': 'application/json'
msrest.http_logger :     'accept-language': 'en-US'
msrest.http_logger :     'User-Agent': 'python/3.6.5 (Linux-4.19.0-8-amd64-x86_64-with-debian-10.3) msrest/0.6.9 msrest_azure/0.6.2 azure-graphrbac/0.60.0 Azure-SDK-For-Python AZURECLI/2.2.0'
msrest.http_logger : Request body:
msrest.http_logger : None
msrest.universal_http : Configuring redirects: allow=True, max=30
msrest.universal_http : Configuring request: timeout=100, verify=True, cert=None
msrest.universal_http : Configuring proxies: ''
msrest.universal_http : Evaluate proxies against ENV settings: True
urllib3.connectionpool : Starting new HTTPS connection (1): graph.windows.net:443
urllib3.connectionpool : https://graph.windows.net:443 "GET /0abe8783-2c3e-4c42-9848-54e419bcdeb0/applications?$filter=identifierUris%2Fany%28s%3As%20eq%20%271fabc626-4309-49e4-bb47-ec9e67251a4a%27%29&api-version=1.6 HTTP/1.1" 200 121
msrest.http_logger : Response status: 200
msrest.http_logger : Response headers:
msrest.http_logger :     'Cache-Control': 'no-cache'
msrest.http_logger :     'Pragma': 'no-cache'
msrest.http_logger :     'Content-Type': 'application/json; odata=minimalmetadata; streaming=true; charset=utf-8'
msrest.http_logger :     'Expires': '-1'
msrest.http_logger :     'ocp-aad-diagnostics-server-name': 'pwUyLrBoMK4kKT+CnK+HcDKa4J1N9UtKfqpLQxbd1cE='
msrest.http_logger :     'request-id': '25ab80db-a454-4ca8-b95a-b7056f50fe1b'
msrest.http_logger :     'client-request-id': '5e375005-643e-11ea-ae94-7085c2836702'
msrest.http_logger :     'x-ms-dirapi-data-contract-version': '1.6'
msrest.http_logger :     'ocp-aad-session-key': 'F778BQomAYRLKCAHO-MkF6KZTc-Ba255r9l6hb6mr7uAH8YdXukpJGC1AnFhA9AuanlKxpsjEjTlriBJdzrI4IOMn9LZS5dwpCb2zEq7sC5Zj_tPndKgxBBCZUmcLktv.D-qmf4vH_UQpe0fqUXdtsvaOJBsxHEr636VVf9y7PAs'
msrest.http_logger :     'DataServiceVersion': '3.0;'
msrest.http_logger :     'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
msrest.http_logger :     'Access-Control-Allow-Origin': '*'
msrest.http_logger :     'X-AspNet-Version': '4.0.30319'
msrest.http_logger :     'X-Powered-By': 'ASP.NET'
msrest.http_logger :     'Duration': '436229'
msrest.http_logger :     'Date': 'Thu, 12 Mar 2020 08:49:22 GMT'
msrest.http_logger :     'Content-Length': '121'
msrest.http_logger : Response content:
msrest.http_logger : {"odata.metadata":"https://graph.windows.net/0abe8783-2c3e-4c42-9848-54e419bcdeb0/$metadata#directoryObjects","value":[]}
msrest.async_paging : Paging async iterator protocol is not available for ApplicationPaged
adal-python : 7da345e9-4d03-4b29-bb82-99b3f2934005 - Authority:Performing instance discovery: ...
adal-python : 7da345e9-4d03-4b29-bb82-99b3f2934005 - Authority:Performing static instance discovery
adal-python : 7da345e9-4d03-4b29-bb82-99b3f2934005 - Authority:Authority validated via static instance discovery
adal-python : 7da345e9-4d03-4b29-bb82-99b3f2934005 - TokenRequest:Getting token from cache with refresh if necessary.
adal-python : 7da345e9-4d03-4b29-bb82-99b3f2934005 - CacheDriver:finding with query keys: {'_clientId': '...', 'userId': '...'}
adal-python : 7da345e9-4d03-4b29-bb82-99b3f2934005 - CacheDriver:Looking for potential cache entries: {'_clientId': '...', 'userId': '...'}
adal-python : 7da345e9-4d03-4b29-bb82-99b3f2934005 - CacheDriver:Found 4 potential entries.
adal-python : 7da345e9-4d03-4b29-bb82-99b3f2934005 - CacheDriver:Resource specific token found.
adal-python : 7da345e9-4d03-4b29-bb82-99b3f2934005 - CacheDriver:Returning token from cache lookup, AccessTokenId: b'<redacted>', RefreshTokenId: b'<redacted>'
msrest.http_logger : Request URL: 'https://graph.windows.net/0abe8783-2c3e-4c42-9848-54e419bcdeb0/applications?$filter=appId%20eq%20%271fabc626-4309-49e4-bb47-ec9e67251a4a%27&api-version=1.6'
msrest.http_logger : Request method: 'GET'
msrest.http_logger : Request headers:
msrest.http_logger :     'Accept': 'application/json'
msrest.http_logger :     'accept-language': 'en-US'
msrest.http_logger :     'User-Agent': 'python/3.6.5 (Linux-4.19.0-8-amd64-x86_64-with-debian-10.3) msrest/0.6.9 msrest_azure/0.6.2 azure-graphrbac/0.60.0 Azure-SDK-For-Python AZURECLI/2.2.0'
msrest.http_logger : Request body:
msrest.http_logger : None
msrest.universal_http : Configuring redirects: allow=True, max=30
msrest.universal_http : Configuring request: timeout=100, verify=True, cert=None
msrest.universal_http : Configuring proxies: ''
msrest.universal_http : Evaluate proxies against ENV settings: True
urllib3.connectionpool : Starting new HTTPS connection (1): graph.windows.net:443
urllib3.connectionpool : https://graph.windows.net:443 "GET /0abe8783-2c3e-4c42-9848-54e419bcdeb0/applications?$filter=appId%20eq%20%271fabc626-4309-49e4-bb47-ec9e67251a4a%27&api-version=1.6 HTTP/1.1" 200 2457
msrest.http_logger : Response status: 200
msrest.http_logger : Response headers:
msrest.http_logger :     'Cache-Control': 'no-cache'
msrest.http_logger :     'Pragma': 'no-cache'
msrest.http_logger :     'Content-Type': 'application/json; odata=minimalmetadata; streaming=true; charset=utf-8'
msrest.http_logger :     'Expires': '-1'
msrest.http_logger :     'ocp-aad-diagnostics-server-name': 'NCLikt5gA/KhTFVr9i6W+Ah7pWAcW54TIy83Z9kJVH0='
msrest.http_logger :     'request-id': '7ae2ad10-2acd-4f76-a778-45efd5bbb8e6'
msrest.http_logger :     'client-request-id': '5e375005-643e-11ea-ae94-7085c2836702'
msrest.http_logger :     'x-ms-dirapi-data-contract-version': '1.6'
msrest.http_logger :     'ocp-aad-session-key': '<redacted>'
msrest.http_logger :     'DataServiceVersion': '3.0;'
msrest.http_logger :     'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
msrest.http_logger :     'Access-Control-Allow-Origin': '*'
msrest.http_logger :     'X-AspNet-Version': '4.0.30319'
msrest.http_logger :     'X-Powered-By': 'ASP.NET'
msrest.http_logger :     'Duration': '499985'
msrest.http_logger :     'Date': 'Thu, 12 Mar 2020 08:49:23 GMT'
msrest.http_logger :     'Content-Length': '2457'
msrest.http_logger : Response content:
msrest.http_logger : {"odata.metadata":"https://graph.windows.net/0abe8783-2c3e-4c42-9848-54e419bcdeb0/$metadata#directoryObjects","value":[{"odata.type":"Microsoft.DirectoryServices.Application","objectType":"Application","objectId":"6be4c527-2805-4cf9-afec-a3dc2753622b","deletionTimestamp":null,"acceptMappedClaims":null,"addIns":[],"appId":"1fabc626-4309-49e4-bb47-ec9e67251a4a","applicationTemplateId":null,"appRoles":[],"availableToOtherTenants":false,"displayName":"bertelosteen-Gemini-15ea10b3-c25a-4569-b4c2-46054c6f5227","errorUrl":null,"groupMembershipClaims":null,"homepage":"https://VisualStudio/SPN","identifierUris":["https://VisualStudio/SPNdf7ee2e3-0c63-42c4-9024-4ba35f23d78a"],"informationalUrls":{"termsOfService":null,"support":null,"privacy":null,"marketing":null},"isDeviceOnlyAuthSupported":null,"keyCredentials":[],"knownClientApplications":[],"logoutUrl":null,"[email protected]":"directoryObjects/6be4c527-2805-4cf9-afec-a3dc2753622b/Microsoft.DirectoryServices.Application/logo","logoUrl":null,"[email protected]":"directoryObjects/6be4c527-2805-4cf9-afec-a3dc2753622b/Microsoft.DirectoryServices.Application/mainLogo","oauth2AllowIdTokenImplicitFlow":true,"oauth2AllowImplicitFlow":false,"oauth2AllowUrlPathMatching":false,"oauth2Permissions":[{"adminConsentDescription":"Allow the application to access bertelosteen-Gemini-15ea10b3-c25a-4569-b4c2-46054c6f5227 on behalf of the signed-in user.","adminConsentDisplayName":"Access bertelosteen-Gemini-15ea10b3-c25a-4569-b4c2-46054c6f5227","id":"8dd4ee58-2794-4006-9a1a-6c1dbbdf4367","isEnabled":true,"type":"User","userConsentDescription":"Allow the application to access bertelosteen-Gemini-15ea10b3-c25a-4569-b4c2-46054c6f5227 on your behalf.","userConsentDisplayName":"Access 
bertelosteen-Gemini-15ea10b3-c25a-4569-b4c2-46054c6f5227","value":"user_impersonation"}],"oauth2RequirePostResponse":false,"optionalClaims":null,"orgRestrictions":[],"parentalControlSettings":{"countriesBlockedForMinors":[],"legalAgeGroupRule":"Allow"},"passwordCredentials":[{"customKeyIdentifier":null,"endDate":"2022-03-12T07:50:52.4637406Z","keyId":"b88fbf58-8ff1-420d-b0b2-640bfd5262b9","startDate":"2020-03-12T07:50:52.4637406Z","value":null}],"publicClient":null,"publisherDomain":"bertelosteen.onmicrosoft.com","recordConsentConditions":null,"replyUrls":["https://VisualStudio/SPN"],"requiredResourceAccess":[],"samlMetadataUrl":null,"signInAudience":"AzureADMyOrg","tokenEncryptionKeyId":null}]}
adal-python : 2bde713b-cf8a-4fbf-9062-ba1bde79c19f - Authority:Performing instance discovery: ...
adal-python : 2bde713b-cf8a-4fbf-9062-ba1bde79c19f - Authority:Performing static instance discovery
adal-python : 2bde713b-cf8a-4fbf-9062-ba1bde79c19f - Authority:Authority validated via static instance discovery
adal-python : 2bde713b-cf8a-4fbf-9062-ba1bde79c19f - TokenRequest:Getting token from cache with refresh if necessary.
adal-python : 2bde713b-cf8a-4fbf-9062-ba1bde79c19f - CacheDriver:finding with query keys: {'_clientId': '...', 'userId': '...'}
adal-python : 2bde713b-cf8a-4fbf-9062-ba1bde79c19f - CacheDriver:Looking for potential cache entries: {'_clientId': '...', 'userId': '...'}
adal-python : 2bde713b-cf8a-4fbf-9062-ba1bde79c19f - CacheDriver:Found 4 potential entries.
adal-python : 2bde713b-cf8a-4fbf-9062-ba1bde79c19f - CacheDriver:Resource specific token found.
adal-python : 2bde713b-cf8a-4fbf-9062-ba1bde79c19f - CacheDriver:Returning token from cache lookup, AccessTokenId: b'UN2Hk7jmYh9TC+xiAHbsD80pScDhnlnf0MUaD8zW6VE=', RefreshTokenId: b'oklwner9DVnW+nura6s+MZaOEpN00CL4va/I9rxBhWk='
msrest.http_logger : Request URL: 'https://graph.windows.net/0abe8783-2c3e-4c42-9848-54e419bcdeb0/applications/6be4c527-2805-4cf9-afec-a3dc2753622b?api-version=1.6'
msrest.http_logger : Request method: 'GET'
msrest.http_logger : Request headers:
msrest.http_logger :     'Accept': 'application/json'
msrest.http_logger :     'accept-language': 'en-US'
msrest.http_logger :     'User-Agent': 'python/3.6.5 (Linux-4.19.0-8-amd64-x86_64-with-debian-10.3) msrest/0.6.9 msrest_azure/0.6.2 azure-graphrbac/0.60.0 Azure-SDK-For-Python AZURECLI/2.2.0'
msrest.http_logger : Request body:
msrest.http_logger : None
msrest.universal_http : Configuring redirects: allow=True, max=30
msrest.universal_http : Configuring request: timeout=100, verify=True, cert=None
msrest.universal_http : Configuring proxies: ''
msrest.universal_http : Evaluate proxies against ENV settings: True
urllib3.connectionpool : Starting new HTTPS connection (1): graph.windows.net:443
urllib3.connectionpool : https://graph.windows.net:443 "GET /0abe8783-2c3e-4c42-9848-54e419bcdeb0/applications/6be4c527-2805-4cf9-afec-a3dc2753622b?api-version=1.6 HTTP/1.1" 200 2454
msrest.http_logger : Response status: 200
msrest.http_logger : Response headers:
msrest.http_logger :     'Cache-Control': 'no-cache'
msrest.http_logger :     'Pragma': 'no-cache'
msrest.http_logger :     'Content-Type': 'application/json; odata=minimalmetadata; streaming=true; charset=utf-8'
msrest.http_logger :     'Expires': '-1'
msrest.http_logger :     'ocp-aad-diagnostics-server-name': 'zi8SJdF5ZKK5+jVaeQOTnjs6Bc4PEnEFkTAl6ewTz/A='
msrest.http_logger :     'request-id': '9c78be40-4d28-454b-9692-ae638372234b'
msrest.http_logger :     'client-request-id': '5e375005-643e-11ea-ae94-7085c2836702'
msrest.http_logger :     'x-ms-dirapi-data-contract-version': '1.6'
msrest.http_logger :     'ocp-aad-session-key': '5Aks3a3-Uba3Pe_rw5u8BKsARysM6yjOmvyBmUtEikrWx5EPrlsl95pBtEWWLsVj7YIK08pb7-PeNwBvd53-8UlZphDO1zhazPLZhYJoiN83FGpNJy1VD13h5NgoGcyW.C7czUYd_0sjNmBiDMohi5feXlWe2oV4Idh0OIIsRpwg'
msrest.http_logger :     'DataServiceVersion': '3.0;'
msrest.http_logger :     'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
msrest.http_logger :     'Access-Control-Allow-Origin': '*'
msrest.http_logger :     'X-AspNet-Version': '4.0.30319'
msrest.http_logger :     'X-Powered-By': 'ASP.NET'
msrest.http_logger :     'Duration': '524264'
msrest.http_logger :     'Date': 'Thu, 12 Mar 2020 08:49:22 GMT'
msrest.http_logger :     'Content-Length': '2454'
msrest.http_logger : Response content:
msrest.http_logger : {"odata.metadata":"https://graph.windows.net/0abe8783-2c3e-4c42-9848-54e419bcdeb0/$metadata#directoryObjects/@Element","odata.type":"Microsoft.DirectoryServices.Application","objectType":"Application","objectId":"6be4c527-2805-4cf9-afec-a3dc2753622b","deletionTimestamp":null,"acceptMappedClaims":null,"addIns":[],"appId":"1fabc626-4309-49e4-bb47-ec9e67251a4a","applicationTemplateId":null,"appRoles":[],"availableToOtherTenants":false,"displayName":"bertelosteen-Gemini-15ea10b3-c25a-4569-b4c2-46054c6f5227","errorUrl":null,"groupMembershipClaims":null,"homepage":"https://VisualStudio/SPN","identifierUris":["https://VisualStudio/SPNdf7ee2e3-0c63-42c4-9024-4ba35f23d78a"],"informationalUrls":{"termsOfService":null,"support":null,"privacy":null,"marketing":null},"isDeviceOnlyAuthSupported":null,"keyCredentials":[],"knownClientApplications":[],"logoutUrl":null,"[email protected]":"directoryObjects/6be4c527-2805-4cf9-afec-a3dc2753622b/Microsoft.DirectoryServices.Application/logo","logoUrl":null,"[email protected]":"directoryObjects/6be4c527-2805-4cf9-afec-a3dc2753622b/Microsoft.DirectoryServices.Application/mainLogo","oauth2AllowIdTokenImplicitFlow":true,"oauth2AllowImplicitFlow":false,"oauth2AllowUrlPathMatching":false,"oauth2Permissions":[{"adminConsentDescription":"Allow the application to access bertelosteen-Gemini-15ea10b3-c25a-4569-b4c2-46054c6f5227 on behalf of the signed-in user.","adminConsentDisplayName":"Access bertelosteen-Gemini-15ea10b3-c25a-4569-b4c2-46054c6f5227","id":"8dd4ee58-2794-4006-9a1a-6c1dbbdf4367","isEnabled":true,"type":"User","userConsentDescription":"Allow the application to access bertelosteen-Gemini-15ea10b3-c25a-4569-b4c2-46054c6f5227 on your behalf.","userConsentDisplayName":"Access 
bertelosteen-Gemini-15ea10b3-c25a-4569-b4c2-46054c6f5227","value":"user_impersonation"}],"oauth2RequirePostResponse":false,"optionalClaims":null,"orgRestrictions":[],"parentalControlSettings":{"countriesBlockedForMinors":[],"legalAgeGroupRule":"Allow"},"passwordCredentials":[{"customKeyIdentifier":null,"endDate":"2022-03-12T07:50:52.4637406Z","keyId":"b88fbf58-8ff1-420d-b0b2-640bfd5262b9","startDate":"2020-03-12T07:50:52.4637406Z","value":null}],"publicClient":null,"publisherDomain":"bertelosteen.onmicrosoft.com","recordConsentConditions":null,"replyUrls":["https://VisualStudio/SPN"],"requiredResourceAccess":[],"samlMetadataUrl":null,"signInAudience":"AzureADMyOrg","tokenEncryptionKeyId":null}
msrest.async_paging : Paging async iterator protocol is not available for PasswordCredentialPaged
adal-python : f8d3b663-c6b6-4cea-848a-cc9a88328620 - Authority:Performing instance discovery: ...
adal-python : f8d3b663-c6b6-4cea-848a-cc9a88328620 - Authority:Performing static instance discovery
adal-python : f8d3b663-c6b6-4cea-848a-cc9a88328620 - Authority:Authority validated via static instance discovery
adal-python : f8d3b663-c6b6-4cea-848a-cc9a88328620 - TokenRequest:Getting token from cache with refresh if necessary.
adal-python : f8d3b663-c6b6-4cea-848a-cc9a88328620 - CacheDriver:finding with query keys: {'_clientId': '...', 'userId': '...'}
adal-python : f8d3b663-c6b6-4cea-848a-cc9a88328620 - CacheDriver:Looking for potential cache entries: {'_clientId': '...', 'userId': '...'}
adal-python : f8d3b663-c6b6-4cea-848a-cc9a88328620 - CacheDriver:Found 4 potential entries.
adal-python : f8d3b663-c6b6-4cea-848a-cc9a88328620 - CacheDriver:Resource specific token found.
adal-python : f8d3b663-c6b6-4cea-848a-cc9a88328620 - CacheDriver:Returning token from cache lookup, AccessTokenId: b'<redacted>', RefreshTokenId: b'<redacted>'
msrest.http_logger : Request URL: 'https://graph.windows.net/0abe8783-2c3e-4c42-9848-54e419bcdeb0/applications/6be4c527-2805-4cf9-afec-a3dc2753622b/passwordCredentials?api-version=1.6'
msrest.http_logger : Request method: 'GET'
msrest.http_logger : Request headers:
msrest.http_logger :     'Accept': 'application/json'
msrest.http_logger :     'accept-language': 'en-US'
msrest.http_logger :     'User-Agent': 'python/3.6.5 (Linux-4.19.0-8-amd64-x86_64-with-debian-10.3) msrest/0.6.9 msrest_azure/0.6.2 azure-graphrbac/0.60.0 Azure-SDK-For-Python AZURECLI/2.2.0'
msrest.http_logger : Request body:
msrest.http_logger : None
msrest.universal_http : Configuring redirects: allow=True, max=30
msrest.universal_http : Configuring request: timeout=100, verify=True, cert=None
msrest.universal_http : Configuring proxies: ''
msrest.universal_http : Evaluate proxies against ENV settings: True
urllib3.connectionpool : Starting new HTTPS connection (1): graph.windows.net:443
urllib3.connectionpool : https://graph.windows.net:443 "GET /0abe8783-2c3e-4c42-9848-54e419bcdeb0/applications/6be4c527-2805-4cf9-afec-a3dc2753622b/passwordCredentials?api-version=1.6 HTTP/1.1" 200 335
msrest.http_logger : Response status: 200
msrest.http_logger : Response headers:
msrest.http_logger :     'Cache-Control': 'no-cache'
msrest.http_logger :     'Pragma': 'no-cache'
msrest.http_logger :     'Content-Type': 'application/json; odata=minimalmetadata; streaming=true; charset=utf-8'
msrest.http_logger :     'Expires': '-1'
msrest.http_logger :     'ocp-aad-diagnostics-server-name': 'nXlz28L4mvclWaIr6aYrPLvkq+aZFBTjRwfxg/IAWtA='
msrest.http_logger :     'request-id': '987fd688-937c-4804-bb64-e51d73e6d10d'
msrest.http_logger :     'client-request-id': '5e375005-643e-11ea-ae94-7085c2836702'
msrest.http_logger :     'x-ms-dirapi-data-contract-version': '1.6'
msrest.http_logger :     'ocp-aad-session-key': '<redacted>'
msrest.http_logger :     'DataServiceVersion': '3.0;'
msrest.http_logger :     'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
msrest.http_logger :     'Access-Control-Allow-Origin': '*'
msrest.http_logger :     'X-AspNet-Version': '4.0.30319'
msrest.http_logger :     'X-Powered-By': 'ASP.NET'
msrest.http_logger :     'Duration': '514931'
msrest.http_logger :     'Date': 'Thu, 12 Mar 2020 08:49:23 GMT'
msrest.http_logger :     'Content-Length': '335'
msrest.http_logger : Response content:
msrest.http_logger : {"odata.metadata":"https://graph.windows.net/0abe8783-2c3e-4c42-9848-54e419bcdeb0/$metadata#Collection(Microsoft.DirectoryServices.PasswordCredential)","value":[{"customKeyIdentifier":null,"endDate":"2022-03-12T07:50:52.4637406Z","keyId":"b88fbf58-8ff1-420d-b0b2-640bfd5262b9","startDate":"2020-03-12T07:50:52.4637406Z","value":null}]}
msrest.service_client : Accept header absent and forced to application/json
adal-python : 00b1c47d-7087-4c7d-9dc9-f5dcbac785d3 - Authority:Performing instance discovery: ...
adal-python : 00b1c47d-7087-4c7d-9dc9-f5dcbac785d3 - Authority:Performing static instance discovery
adal-python : 00b1c47d-7087-4c7d-9dc9-f5dcbac785d3 - Authority:Authority validated via static instance discovery
adal-python : 00b1c47d-7087-4c7d-9dc9-f5dcbac785d3 - TokenRequest:Getting token from cache with refresh if necessary.
adal-python : 00b1c47d-7087-4c7d-9dc9-f5dcbac785d3 - CacheDriver:finding with query keys: {'_clientId': '...', 'userId': '...'}
adal-python : 00b1c47d-7087-4c7d-9dc9-f5dcbac785d3 - CacheDriver:Looking for potential cache entries: {'_clientId': '...', 'userId': '...'}
adal-python : 00b1c47d-7087-4c7d-9dc9-f5dcbac785d3 - CacheDriver:Found 4 potential entries.
adal-python : 00b1c47d-7087-4c7d-9dc9-f5dcbac785d3 - CacheDriver:Resource specific token found.
adal-python : 00b1c47d-7087-4c7d-9dc9-f5dcbac785d3 - CacheDriver:Returning token from cache lookup, AccessTokenId: b'<redacted>', RefreshTokenId: b'<redacted>'
msrest.http_logger : Request URL: 'https://graph.windows.net/0abe8783-2c3e-4c42-9848-54e419bcdeb0/applications/6be4c527-2805-4cf9-afec-a3dc2753622b?api-version=1.6'
msrest.http_logger : Request method: 'PATCH'
msrest.http_logger : Request headers:
msrest.http_logger :     'Content-Type': 'application/json; charset=utf-8'
msrest.http_logger :     'accept-language': 'en-US'
msrest.http_logger :     'Accept': 'application/json'
msrest.http_logger :     'Content-Length': '346'
msrest.http_logger :     'User-Agent': 'python/3.6.5 (Linux-4.19.0-8-amd64-x86_64-with-debian-10.3) msrest/0.6.9 msrest_azure/0.6.2 azure-graphrbac/0.60.0 Azure-SDK-For-Python AZURECLI/2.2.0'
msrest.http_logger : Request body:
msrest.http_logger : {"passwordCredentials": [{"startDate": "2020-03-12T07:50:52.46374Z", "endDate": "2022-03-12T07:50:52.46374Z", "keyId": "b88fbf58-8ff1-420d-b0b2-640bfd5262b9"}, {"startDate": "2020-03-12T08:49:22.465023Z", "endDate": "2021-03-12T08:49:22.465023Z", "keyId": "a8e3dbf1-c9c4-4e9b-b5d8-3a1a0f42a859", "value": "1ca9a08c-dbf9-4044-8422-bd9fbe05ba49"}]}
msrest.universal_http : Configuring redirects: allow=True, max=30
msrest.universal_http : Configuring request: timeout=100, verify=True, cert=None
msrest.universal_http : Configuring proxies: ''
msrest.universal_http : Evaluate proxies against ENV settings: True
urllib3.connectionpool : Starting new HTTPS connection (1): graph.windows.net:443
urllib3.connectionpool : https://graph.windows.net:443 "PATCH /0abe8783-2c3e-4c42-9848-54e419bcdeb0/applications/6be4c527-2805-4cf9-afec-a3dc2753622b?api-version=1.6 HTTP/1.1" 400 375
msrest.http_logger : Response status: 400
msrest.http_logger : Response headers:
msrest.http_logger :     'Cache-Control': 'no-cache'
msrest.http_logger :     'Pragma': 'no-cache'
msrest.http_logger :     'Content-Type': 'application/json; odata=minimalmetadata; streaming=true; charset=utf-8'
msrest.http_logger :     'Expires': '-1'
msrest.http_logger :     'ocp-aad-diagnostics-server-name': 'Oj5ns9oDZVo50kYEm8liRNgpMetz71dzy7JCgicT2uE='
msrest.http_logger :     'request-id': '653c5cc2-54bf-4284-be89-299dca398070'
msrest.http_logger :     'client-request-id': '5e375005-643e-11ea-ae94-7085c2836702'
msrest.http_logger :     'x-ms-dirapi-data-contract-version': '1.6'
msrest.http_logger :     'ocp-aad-session-key': '<redacted>'
msrest.http_logger :     'DataServiceVersion': '3.0;'
msrest.http_logger :     'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
msrest.http_logger :     'Access-Control-Allow-Origin': '*'
msrest.http_logger :     'X-AspNet-Version': '4.0.30319'
msrest.http_logger :     'X-Powered-By': 'ASP.NET'
msrest.http_logger :     'Duration': '829410'
msrest.http_logger :     'Date': 'Thu, 12 Mar 2020 08:49:23 GMT'
msrest.http_logger :     'Content-Length': '375'
msrest.http_logger : Response content:
msrest.http_logger : {"odata.error":{"code":"Request_BadRequest","message":{"lang":"en","value":"Update to existing credential with KeyId 'b88fbf58-8ff1-420d-b0b2-640bfd5262b9' is not allowed."},"requestId":"653c5cc2-54bf-4284-be89-299dca398070","date":"2020-03-12T08:49:23","values":[{"item":"PropertyName","value":"passwordCredentials"},{"item":"PropertyErrorCode","value":"KeyNotUpdatable"}]}}
msrest.exceptions : Update to existing credential with KeyId 'b88fbf58-8ff1-420d-b0b2-640bfd5262b9' is not allowed.
cli.azure.cli.core.util : Update to existing credential with KeyId 'b88fbf58-8ff1-420d-b0b2-640bfd5262b9' is not allowed.
Update to existing credential with KeyId 'b88fbf58-8ff1-420d-b0b2-640bfd5262b9' is not allowed.
az_command_data_logger : exit code: 1
telemetry.save : Save telemetry record of length 2497 in cache
telemetry.check : Negative: The /home/x10an14/.azure/telemetry.txt was modified at 2020-03-12 09:49:05.436291, which in less than 600.000000 s
command ran in 1.787 seconds.
[2020-03-12 09:49:24] 1 x10an14@x10-desktop:~
-> $ 

Expected Behavior

An output in the terminal which would've been equivalent to echo "$NEW_PASSWORD".

Environment Summary

Linux-4.19.0-8-amd64-x86_64-with-debian-10.3
Python 3.6.5

azure-cli 2.2.0

Extensions:
azure-devops 0.17.0

Additional Context

Said SP/App has been created by Azure DevOps, as an Azure DevOps Service Connection/Endpoint's attached (and created for said Service Connection/Endpoint) ServicePrincipal.

This has worked for us multiple times previously, as late as last week.

Author

x10an14 commented Mar 12, 2020

also referenced/first mentioned here: #7957 (comment)

@x10an14 x10an14 changed the title Unable to append password credential to ServicePrincipal (created by Azure DevOps Service Endpoint/Connection - this has worked earlier, as late as last week). Unable to append password credential to ServicePrincipal Mar 12, 2020
Author

x10an14 commented Mar 12, 2020

A colleague of mine who's more comfortable with Azure Portal than the Azure CLI helped me and managed to add the new password-credential via Portal (this says to me the problem most likely lies within the az CLI itself):

[2020-03-12 12:25:14] 0 x10an14@x10-desktop:~
-> $ az ad sp credential list --id 1fabc626-4309-49e4-bb47-ec9e67251a4a  -o jsonc
[
  {
    "additionalProperties": null,
    "customKeyIdentifier": null,
    "endDate": "2022-03-12T10:39:44.873000+00:00",
    "keyId": "5f309054-2814-49a9-8657-dbde5a6ba145",
    "startDate": "2020-03-12T10:41:26.673000+00:00",
    "value": null
  },
  {
    "additionalProperties": null,
    "customKeyIdentifier": null,
    "endDate": "2022-03-12T07:50:52.463740+00:00",
    "keyId": "b88fbf58-8ff1-420d-b0b2-640bfd5262b9",
    "startDate": "2020-03-12T07:50:52.463740+00:00",
    "value": null
  }
]
[2020-03-12 12:25:52] 0 x10an14@x10-desktop:~
-> $ 

keyId 5f309054-2814-49a9-8657-dbde5a6ba145 is the new one, the other (the old) one being the one referenced in the error message.

Author

x10an14 commented Mar 12, 2020

Attempting to add anew with the CLI after having done so via Portal still returns the same error message;

[2020-03-12 12:13:57] 0 x10an14@x10-desktop:~
-> $ az ad sp credential reset --append --name 1fabc626-4309-49e4-bb47-ec9e67251a4a --end-date '2020-03-12'
Update to existing credential with KeyId 'b88fbf58-8ff1-420d-b0b2-640bfd5262b9' is not allowed.
[2020-03-12 12:28:36] 1 x10an14@x10-desktop:~
-> $

Member

yungezz commented Mar 12, 2020

Hi @jiasli, could you please have a look?

@yonzhan yonzhan added this to the S168 milestone Mar 12, 2020
Collaborator

yonzhan commented Mar 12, 2020

add to S168

Member

jiasli commented Mar 27, 2020

@x10an14, according to the log provided at #7957 (comment), the response from AD Graph is:

{
    "customKeyIdentifier": null,
    "endDate": "2022-03-12T07:50:52.4637406Z",
                                          ^
    "keyId": "b88fbf58-8ff1-420d-b0b2-640bfd5262b9",
    "startDate": "2020-03-12T07:50:52.4637406Z",
                                            ^
    "value": null
}

This credential was created by Azure Portal with nanosecond datetime. The last digit 6 in 2022-03-12T07:50:52.4637406Z and 2020-03-12T07:50:52.4637406Z exceeds Python's datetime limit, which is microsecond, and causes Python to truncate it:

2022-03-12T07:50:52.4637406Z -> 2022-03-12T07:50:52.463740Z
                          ^

When the JSON payload is sent back to AD Graph, it detects endDate and startDate have been changed, thus rejecting the request.

Azure Portal has already fixed this issue by limiting the precision to millisecond.

2 ways to solve it:

Author

x10an14 commented Mar 27, 2020

Hi!

Response to @jiasli's suggestion

To fix it, you may delete the old credential and recreate it either with Azure CLI or Azure Portal. Please let me know if that works.

This is not an acceptable solution for us, since in this particular instance that first credential was created along with the Service Principal whose credential(s) this bug-report describes.

Why that suggestion won't work for us

The reason why that is not acceptable for us is that this credential you suggest we delete is the credential our https://dev.azure.com utilizes to modify/read our Azure Subscriptions.

Hence, deleting the credential breaks our Azure DevOps pipelines/forces us to re-authorize them.
We'd rather just use Portals then, since that's an equally manual work-around.

Next step suggestion

The idea of using the Azure CLI is so that we can automate this need - instead of using Portal - when setting up an automated process somewhere requires the permissions/access this already-created SP has.

With my current understanding, this is firmly either

  1. an Azure CLI problem where handling the correct amount of accuracy - e.g. by leveraging some Python library in the already huge ecosystem - is the solution,
  2. or an Azure REST API problem since one cannot append a new credential without downloading/re-uploading the old/existing credential ID(s).

Member

jiasli commented Mar 30, 2020

@x10an14, for the suggestions:

  1. The reason we are not fixing this issue anymore is because it is caused by Azure Portal itself and Azure Portal has already fixed it, so newly created application doesn't have this issue anymore.

  2. According to AD Graph Application REST API, passwordCredentials and keyCredentials are properties of the application object, rather than objects themselves.

    According to the Resource path doc, even though properties can be retrieved in the form of /{resource_collection}/{resource_id}/{property_name},

    Note: This form of addressing is only available for reads.

    While using PATCH operation on the application, all credential entities must be preserved, otherwise they will be removed from the server. That's why the REST API can't "append a new credential without downloading/re-uploading the old/existing credential ID(s)".
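The truncation described in the Mar 27 comment and the whole-list PATCH semantics described above, as an added example (not Azure CLI or SDK code): a pre-flight check that flags credentials whose timestamps would change in a read-modify-write PATCH. The function names are hypothetical; the first credential is copied from the debug log on this page and the second is constructed.

```python
import re
from datetime import datetime, timezone

# First entry: copied from the GET .../passwordCredentials response in the
# debug log on this page. Second entry: constructed, millisecond precision.
CREDENTIALS = [
    {"keyId": "b88fbf58-8ff1-420d-b0b2-640bfd5262b9",
     "startDate": "2020-03-12T07:50:52.4637406Z",
     "endDate": "2022-03-12T07:50:52.4637406Z"},
    {"keyId": "00000000-0000-0000-0000-000000000001",
     "startDate": "2020-03-12T10:41:26.673Z",
     "endDate": "2022-03-12T10:39:44.873Z"},
]

_TS = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z$")


def parse_utc(ts):
    """Return (datetime limited to microseconds, fraction digits that were dropped)."""
    m = _TS.match(ts)
    if not m:
        raise ValueError(f"unsupported timestamp: {ts!r}")
    frac = m.group(2) or ""
    kept, lost = frac[:6].ljust(6, "0"), frac[6:]
    dt = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(
        microsecond=int(kept), tzinfo=timezone.utc)
    return dt, lost


def reserialize(ts):
    """Timestamp a microsecond-limited client sends back (trailing zeros
    stripped, the form visible in the PATCH request body in the log)."""
    dt, _ = parse_utc(ts)
    out = dt.strftime("%Y-%m-%dT%H:%M:%S")
    if dt.microsecond:
        out += "." + f"{dt.microsecond:06d}".rstrip("0")
    return out + "Z"


def unsafe_to_patch(credentials):
    """List (keyId, field, original, resent) for values that lose non-zero digits."""
    flagged = []
    for cred in credentials:
        for field in ("startDate", "endDate"):
            _, lost = parse_utc(cred[field])
            if lost.strip("0"):  # non-zero digits beyond microseconds
                flagged.append((cred["keyId"], field, cred[field],
                                reserialize(cred[field])))
    return flagged


if __name__ == "__main__":
    for key_id, field, original, resent in unsafe_to_patch(CREDENTIALS):
        print(f"{key_id} {field}: {original} -> {resent}")
```
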

Member

jiasli commented Mar 30, 2020

An alternative is to call MS Graph application: addPassword API with az rest:

# bash
$ az rest -m "POST" -u https://graph.microsoft.com/v1.0/applications/b4e4d2ab-e2cb-45d5-a31a-98eb3f364001/addPassword --headers "Content-Type=application/json" -b '{"passwordCredential":{"displayName":"Password friendly name"}}'
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#microsoft.graph.passwordCredential",
  "customKeyIdentifier": null,
  "displayName": "Password friendly name",
  "endDateTime": "2022-03-30T02:26:22.6376224Z",
  "hint": "8si",
  "keyId": "86a7cf73-ad6f-4e63-b247-b690cca70cd9",
  "secretText": "8siLhjYou...",
  "startDateTime": "2020-03-30T02:26:22.6376224Z"
}

In PowerShell terminal, please replace " in the body with \".

This will add a new password to the application.


⚠ This API doesn't accept user-created passwords for security reasons. Manually setting a password will trigger an error:

$ az rest -m "POST" -u https://graph.microsoft.com/v1.0/applications/b4e4d2ab-e2cb-45d5-a31a-98eb3f364001/addPassword --headers "Content-Type=application/json" -b '{"passwordCredential":{"displayName":"Password friendly name", "secretText":"1ca9a08c-dbf9-4044-8422-bd9fbe05ba49"}}'
Bad Request({
  "error": {
    "code": "Request_BadRequest",
    "message": "The password value is automatically generated and should not be specified.",
    "innerError": {
      "request-id": "6f6503d0-0228-44d0-ba02-f88e4e7a600b",
      "date": "2020-03-30T02:22:26"
    }
  }
})

⚠ The password can ONLY be retrieved while creating, not afterward. To retrieve it, use --query secretText --output tsv

$ passwordText=$(az rest -m "POST" -u https://graph.microsoft.com/v1.0/applications/b4e4d2ab-e2cb-45d5-a31a-98eb3f364001/addPassword --headers "Content-Type=application/json" -b '{"passwordCredential":{"displayName":"Password friendly name"}}' --query secretText --output tsv)
$ echo $passwordText
d0Xd8B:...

Author

x10an14 commented Mar 30, 2020

@jiasli; If this below claim of yours is correct, then how is it possible for us to have ended up in this situation?

The reason we are not fixing this issue anymore is because it is caused by Azure Portal itself and Azure Portal has already fixed it, so newly created application doesn't have this issue anymore.

We did not create this SP (and the credential the error message pertains to) in Azure Portal
But with the REST API directly (or so I hope) through Azure DevOps -ClickOps.

Next steps

Pick your poison;

  1. Should I verify whether or not your claim affects SPs created in Azure DevOps?
    I was hoping to have an answer from you that matches my understanding on why it'd be different before I do so.

  2. Call it quits with the suggested az rest method to avoid Python

  3. Continue sparring with me (read: and for posterity all others with a similar issue) so that we can close this issue ticket having "nailed down" what the cause and effect was.
    (I can only posit this would make it easier for you to maintain these tickets and refer people to old ones/ask them to create new ones in a more apt fashion).

Member

jiasli commented Mar 30, 2020

If the service principal is created by DevOps, you may contact the DevOps support and share this issue with them. The extra precision digit is possibly caused by .NET which uses 100-nanosecond intervals.

Azure CLI relies on Azure Python SDK which is generated from the REST spec which defines startDate as date-time.

Since AAD's focus has been moved to MS Graph, they are not actively maintaining AD Graph anymore. We actually did discuss with AAD team about limiting this on the service's side, but they recommended using MS Graph with az rest instead.

Thanks for your understanding.

Member

jiasli commented Apr 10, 2020

We will track MS Graph issues at #12946
