Azure / azure-cli

Azure Command-Line Interface

Unable to add service principal password: CannotUpdateLockedServicePrincipalProperty #28734

Closed mmelndezlujn closed 1 month ago

mmelndezlujn commented 6 months ago

Describe the bug

I am trying to add a service principal password using the commands from the official documentation, but I keep getting an error message that reads: "Property PasswordCredentials is invalid". I have Global Admin rights in my tenant and app admin role within my app to make sure I have the permissions needed to perform this action. I tried different combinations of parameters and looked for alternatives, but I still cannot add the password.

Related command

with az ad sp credential reset --id myServicePrincipalID

Errors

Property PasswordCredentials is invalid

Issue script & Debug output

cli.knack.cli: init debug log: Enable color in terminal. Enable VT mode. cli.knack.cli: Event: Cli.PreExecute [] cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x0235E988>, <function OutputProducer.on_global_arguments at 0x02487A78>, <function CLIQuery.on_global_arguments at 0x024A7848>] cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate [] cli.azure.cli.core: Modules found from index for 'ad': ['azure.cli.command_modules.role'] cli.azure.cli.core: Loading command modules: cli.azure.cli.core: Name Load Time Groups Commands cli.azure.cli.core: role 0.014 17 61 cli.azure.cli.core: Total (1) 0.014 17 61 cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next'] cli.azure.cli.core: Loading extensions: cli.azure.cli.core: Name Load Time Groups Commands Directory cli.azure.cli.core: Total (0) 0.000 0 0 cli.azure.cli.core: Loaded 17 groups, 61 commands. cli.azure.cli.core: Found a match in the command table. cli.azure.cli.core: Raw command : ad sp credential reset cli.azure.cli.core: Command table: ad sp credential reset cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x047A4708>] cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users\mmelndezlujn.azure\commands\2024-04-11.13-22-31.ad_sp_credential_reset.16428.log'. 
az_command_data_logger: command args: ad sp credential reset --id {} --debug cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument..add_subscription_parameter at 0x047D0848>] cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad [] cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument..add_ids_arguments at 0x047E2B18>, <function register_cache_arguments..add_cache_arguments at 0x047E2B68>] cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded [] cli.knack.cli: Event: CommandInvoker.OnPreParseArgs [] cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x02487AC8>, <function CLIQuery.handle_query_parameter at 0x024A7898>, <function register_ids_argument..parse_ids_arguments at 0x047E2A28>] cli.azure.cli.core.util: Retrieving token for resource https://graph.microsoft.com/ cli.azure.cli.core.auth.persistence: build_persistence: location='C:\Users\mmelndezlujn\.azure\msal_token_cache.bin', encrypt=True cli.azure.cli.core.auth.binary_cache: load: C:\Users\mmelndezlujn.azure\msal_http_cache.bin urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None) msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/3cd87a41-1f61-4aef-a212-cefdecd9a2d1/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/3cd87a41-1f61-4aef-a212-cefdecd9a2d1/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 
'https://login.microsoftonline.com/3cd87a41-1f61-4aef-a212-cefdecd9a2d1/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/3cd87a41-1f61-4aef-a212-cefdecd9a2d1/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/3cd87a41-1f61-4aef-a212-cefdecd9a2d1/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/3cd87a41-1f61-4aef-a212-cefdecd9a2d1/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/3cd87a41-1f61-4aef-a212-cefdecd9a2d1/kerberos', 'tenant_region_scope': 'NA', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'} msal.application: Broker enabled? 
None cli.azure.cli.core.auth.msal_authentication: UserCredential.get_token: scopes=('https://graph.microsoft.com//.default',), claims=None, kwargs={} msal.application: Cache hit an AT msal.telemetry: Generate or reuse correlation_id: b193f2b2-7a1c-4df6-9864-c25392afc8fd cli.azure.cli.core.util: Request URL: 'https://graph.microsoft.com/v1.0/servicePrincipals?$filter=servicePrincipalNames%2Fany%28c%3Ac%20eq%20%27%27%29' cli.azure.cli.core.util: Request method: 'GET' cli.azure.cli.core.util: Request headers: cli.azure.cli.core.util: 'User-Agent': 'python/3.11.8 (Windows-10-10.0.22631-SP0) AZURECLI/2.59.0 (MSI)' cli.azure.cli.core.util: 'Accept-Encoding': 'gzip, deflate' cli.azure.cli.core.util: 'Accept': '/' cli.azure.cli.core.util: 'Connection': 'keep-alive' cli.azure.cli.core.util: 'x-ms-client-request-id': '40331190-3b5d-4249-88b5-446f8d77d06f' cli.azure.cli.core.util: 'CommandName': 'ad sp credential reset' cli.azure.cli.core.util: 'ParameterSetName': '--id --debug' cli.azure.cli.core.util: 'Authorization': 'Bearer eyJ0eXAiOiJKV...' 
cli.azure.cli.core.util: Request body: cli.azure.cli.core.util: None urllib3.connectionpool: Starting new HTTPS connection (1): graph.microsoft.com:443 urllib3.connectionpool: https://graph.microsoft.com:443 "GET /v1.0/servicePrincipals?$filter=servicePrincipalNames%2Fany%28c%3Ac%20eq%20%27%27%29 HTTP/1.1" 200 None cli.azure.cli.core.util: Response status: 200 cli.azure.cli.core.util: Response headers: cli.azure.cli.core.util: 'Date': 'Thu, 11 Apr 2024 20:22:32 GMT' cli.azure.cli.core.util: 'Content-Type': 'application/json;odata.metadata=minimal;odata.streaming=true;IEEE754Compatible=false;charset=utf-8' cli.azure.cli.core.util: 'Transfer-Encoding': 'chunked' cli.azure.cli.core.util: 'Connection': 'keep-alive' cli.azure.cli.core.util: 'Cache-Control': 'no-cache' cli.azure.cli.core.util: 'Content-Encoding': 'gzip' cli.azure.cli.core.util: 'Vary': 'Accept-Encoding' cli.azure.cli.core.util: 'Strict-Transport-Security': 'max-age=31536000' cli.azure.cli.core.util: 'request-id': '9e96cb1b-f7c0-4456-bde4-d93fb7ea0a8b' cli.azure.cli.core.util: 'client-request-id': '9e96cb1b-f7c0-4456-bde4-d93fb7ea0a8b' cli.azure.cli.core.util: 'x-ms-ags-diagnostic': '{"ServerInfo":{"DataCenter":"South Central US","Slice":"E","Ring":"5","ScaleUnit":"002","RoleInstance":"SN1PEPF0003797D"}}' cli.azure.cli.core.util: 'x-ms-resource-unit': '1' cli.azure.cli.core.util: 'OData-Version': '4.0' cli.azure.cli.core.util: 'X-Cache': 'CONFIG_NOCACHE' cli.azure.cli.core.util: Response content: cli.azure.cli.core.util: {"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#servicePrincipals","value":[]} cli.azure.cli.core.util: Retrieving token for resource https://graph.microsoft.com/ urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None) msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/3cd87a41-1f61-4aef-a212-cefdecd9a2d1/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': 
['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/3cd87a41-1f61-4aef-a212-cefdecd9a2d1/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/3cd87a41-1f61-4aef-a212-cefdecd9a2d1/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/3cd87a41-1f61-4aef-a212-cefdecd9a2d1/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/3cd87a41-1f61-4aef-a212-cefdecd9a2d1/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/3cd87a41-1f61-4aef-a212-cefdecd9a2d1/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/3cd87a41-1f61-4aef-a212-cefdecd9a2d1/kerberos', 'tenant_region_scope': 'NA', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'} msal.application: Broker enabled? 
None cli.azure.cli.core.auth.msal_authentication: UserCredential.get_token: scopes=('https://graph.microsoft.com//.default',), claims=None, kwargs={} msal.application: Cache hit an AT msal.telemetry: Generate or reuse correlation_id: 0c2bfc07-509c-40a4-9f6d-70c221a2f5df cli.azure.cli.core.util: Request URL: 'https://graph.microsoft.com/v1.0/servicePrincipals/' cli.azure.cli.core.util: Request method: 'GET' cli.azure.cli.core.util: Request headers: cli.azure.cli.core.util: 'User-Agent': 'python/3.11.8 (Windows-10-10.0.22631-SP0) AZURECLI/2.59.0 (MSI)' cli.azure.cli.core.util: 'Accept-Encoding': 'gzip, deflate' cli.azure.cli.core.util: 'Accept': '/' cli.azure.cli.core.util: 'Connection': 'keep-alive' cli.azure.cli.core.util: 'x-ms-client-request-id': '940ca9de-88be-4ae0-8ef9-246646c795a9' cli.azure.cli.core.util: 'CommandName': 'ad sp credential reset' cli.azure.cli.core.util: 'ParameterSetName': '--id --debug' cli.azure.cli.core.util: 'Authorization': 'Bearer eyJ0eXAiOiJKV...' cli.azure.cli.core.util: Request body: cli.azure.cli.core.util: None urllib3.connectionpool: Starting new HTTPS connection (1): graph.microsoft.com:443 urllib3.connectionpool: https://graph.microsoft.com:443 "GET /v1.0/servicePrincipals/ HTTP/1.1" 200 None cli.azure.cli.core.util: Response status: 200 cli.azure.cli.core.util: Response headers: cli.azure.cli.core.util: 'Date': 'Thu, 11 Apr 2024 20:22:33 GMT' cli.azure.cli.core.util: 'Content-Type': 'application/json;odata.metadata=minimal;odata.streaming=true;IEEE754Compatible=false;charset=utf-8' cli.azure.cli.core.util: 'Transfer-Encoding': 'chunked' cli.azure.cli.core.util: 'Connection': 'keep-alive' cli.azure.cli.core.util: 'Cache-Control': 'no-cache' cli.azure.cli.core.util: 'Content-Encoding': 'gzip' cli.azure.cli.core.util: 'Vary': 'Accept-Encoding' cli.azure.cli.core.util: 'Strict-Transport-Security': 'max-age=31536000' cli.azure.cli.core.util: 'request-id': '8833d933-cff3-4de3-9468-34e4e882e545' cli.azure.cli.core.util: 
'client-request-id': '8833d933-cff3-4de3-9468-34e4e882e545' cli.azure.cli.core.util: 'x-ms-ags-diagnostic': '{"ServerInfo":{"DataCenter":"South Central US","Slice":"E","Ring":"5","ScaleUnit":"002","RoleInstance":"SN1PEPF0003797D"}}' cli.azure.cli.core.util: 'x-ms-resource-unit': '1' cli.azure.cli.core.util: 'OData-Version': '4.0' cli.azure.cli.core.util: 'X-Cache': 'CONFIG_NOCACHE' cli.azure.cli.core.util: Response content: cli.azure.cli.core.util: {"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#servicePrincipals/$entity","id":"","deletedDateTime":null,"accountEnabled":true,"alternativeNames":[],"appDisplayName":"ARTBAS Stage 5 App","appDescription":null,"appId":"dfbd6152-e2f7-483e-b775-7b915bdf02ed","applicationTemplateId":null,"appOwnerOrganizationId":"3cd87a41-1f61-4aef-a212-cefdecd9a2d1","appRoleAssignmentRequired":false,"createdDateTime":"2024-04-10T17:29:19Z","description":null,"disabledByMicrosoftStatus":null,"displayName":"ARTBAS Stage 5 App","homepage":null,"loginUrl":null,"logoutUrl":null,"notes":null,"notificationEmailAddresses":[],"preferredSingleSignOnMode":null,"preferredTokenSigningKeyThumbprint":null,"replyUrls":[],"servicePrincipalNames":["dfbd6152-e2f7-483e-b775-7b915bdf02ed"],"servicePrincipalType":"Application","signInAudience":"AzureADMyOrg","tags":["HideApp","WindowsAzureActiveDirectoryIntegratedApp"],"tokenEncryptionKeyId":null,"samlSingleSignOnSettings":null,"addIns":[],"appRoles":[],"info":{"logoUrl":null,"marketingUrl":null,"privacyStatementUrl":null,"supportUrl":null,"termsOfServiceUrl":null},"keyCredentials":[],"oauth2PermissionScopes":[],"passwordCredentials":[],"resourceSpecificApplicationPermissions":[],"verifiedPublisher":{"displayName":null,"verifiedPublisherId":null,"addedDateTime":null}} cli.azure.cli.core.util: Retrieving token for resource https://graph.microsoft.com/ urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None) msal.authority: openid_config = 
{'token_endpoint': 'https://login.microsoftonline.com/3cd87a41-1f61-4aef-a212-cefdecd9a2d1/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/3cd87a41-1f61-4aef-a212-cefdecd9a2d1/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/3cd87a41-1f61-4aef-a212-cefdecd9a2d1/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/3cd87a41-1f61-4aef-a212-cefdecd9a2d1/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/3cd87a41-1f61-4aef-a212-cefdecd9a2d1/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/3cd87a41-1f61-4aef-a212-cefdecd9a2d1/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/3cd87a41-1f61-4aef-a212-cefdecd9a2d1/kerberos', 'tenant_region_scope': 'NA', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'} msal.application: Broker enabled? 
None cli.azure.cli.core.auth.msal_authentication: UserCredential.get_token: scopes=('https://graph.microsoft.com//.default',), claims=None, kwargs={} msal.application: Cache hit an AT msal.telemetry: Generate or reuse correlation_id: b86432d9-95cf-4156-a4c0-b6aa5f9bbf3e cli.azure.cli.core.util: Request URL: 'https://graph.microsoft.com/v1.0/servicePrincipals//addPassword' cli.azure.cli.core.util: Request method: 'POST' cli.azure.cli.core.util: Request headers: cli.azure.cli.core.util: 'User-Agent': 'python/3.11.8 (Windows-10-10.0.22631-SP0) AZURECLI/2.59.0 (MSI)' cli.azure.cli.core.util: 'Accept-Encoding': 'gzip, deflate' cli.azure.cli.core.util: 'Accept': '/' cli.azure.cli.core.util: 'Connection': 'keep-alive' cli.azure.cli.core.util: 'x-ms-client-request-id': '2a1989e0-9318-40d1-95bb-fc15ba590c7d' cli.azure.cli.core.util: 'Content-Type': 'application/json' cli.azure.cli.core.util: 'CommandName': 'ad sp credential reset' cli.azure.cli.core.util: 'ParameterSetName': '--id --debug' cli.azure.cli.core.util: 'Authorization': 'Bearer eyJ0eXAiOiJKV...' 
cli.azure.cli.core.util: 'Content-Length': '125' cli.azure.cli.core.util: Request body: cli.azure.cli.core.util: {"passwordCredential": {"displayName": null, "endDateTime": "2025-04-11T20:22:33Z", "startDateTime": "2024-04-11T20:22:33Z"}} urllib3.connectionpool: Starting new HTTPS connection (1): graph.microsoft.com:443 urllib3.connectionpool: https://graph.microsoft.com:443 "POST /v1.0/servicePrincipals//addPassword HTTP/1.1" 400 None cli.azure.cli.core.util: Response status: 400 cli.azure.cli.core.util: Response headers: cli.azure.cli.core.util: 'Date': 'Thu, 11 Apr 2024 20:22:34 GMT' cli.azure.cli.core.util: 'Content-Type': 'application/json' cli.azure.cli.core.util: 'Transfer-Encoding': 'chunked' cli.azure.cli.core.util: 'Connection': 'keep-alive' cli.azure.cli.core.util: 'Cache-Control': 'no-cache' cli.azure.cli.core.util: 'Content-Encoding': 'gzip' cli.azure.cli.core.util: 'Vary': 'Accept-Encoding' cli.azure.cli.core.util: 'Strict-Transport-Security': 'max-age=31536000' cli.azure.cli.core.util: 'request-id': 'c8b6928d-7386-4c93-b2d2-2cd4c094937b' cli.azure.cli.core.util: 'client-request-id': 'c8b6928d-7386-4c93-b2d2-2cd4c094937b' cli.azure.cli.core.util: 'x-ms-ags-diagnostic': '{"ServerInfo":{"DataCenter":"South Central US","Slice":"E","Ring":"5","ScaleUnit":"002","RoleInstance":"SN1PEPF0000632E"}}' cli.azure.cli.core.util: 'x-ms-resource-unit': '1' cli.azure.cli.core.util: 'X-Cache': 'CONFIG_NOCACHE' cli.azure.cli.core.util: Response content: cli.azure.cli.core.util: {"error":{"code":"CannotUpdateLockedServicePrincipalProperty","message":"Property passwordCredentials is invalid.","details":[{"code":"GenericError","message":"Property passwordCredentials is invalid.","target":"passwordCredentials"}],"innerError":{"date":"2024-04-11T20:22:34","request-id":"c8b6928d-7386-4c93-b2d2-2cd4c094937b","client-request-id":"c8b6928d-7386-4c93-b2d2-2cd4c094937b"}}} cli.azure.cli.core.azclierror: Traceback (most recent call last): File 
"D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/role/_msgrpah/_graph_client.py", line 52, in _send File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/util.py", line 1007, in send_raw_request azure.cli.core.azclierror.HTTPError: Bad Request({"error":{"code":"CannotUpdateLockedServicePrincipalProperty","message":"Property passwordCredentials is invalid.","details":[{"code":"GenericError","message":"Property passwordCredentials is invalid.","target":"passwordCredentials"}],"innerError":{"date":"2024-04-11T20:22:34","request-id":"c8b6928d-7386-4c93-b2d2-2cd4c094937b","client-request-id":"c8b6928d-7386-4c93-b2d2-2cd4c094937b"}}})

The above exception was the direct cause of the following exception:

Traceback (most recent call last): File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 701, in _run_job File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 334, in __call__ File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/role/custom.py", line 1112, in reset_service_principal_credential File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/role/custom.py", line 1729, in _reset_credential File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/role/_msgrpah/_graph_client.py", line 204, in service_principal_add_password File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/role/_msgrpah/_graph_client.py", line 55, in _send azure.cli.command_modules.role._msgrpah._graph_client.GraphError: Property passwordCredentials is invalid.

During handling of the above exception, another exception occurred:

Traceback (most recent call last): File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 664, in execute File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 731, in _run_jobs_serially File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 723, in _run_job File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/role/commands.py", line 50, in graph_err_handler knack.util.CLIError: Property passwordCredentials is invalid.

cli.azure.cli.core.azclierror: Property passwordCredentials is invalid. az_command_data_logger: Property passwordCredentials is invalid. cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x047A4848>] az_command_data_logger: exit code: 1 cli.main: Command ran in 3.651 seconds (init: 0.903, invoke: 2.748) telemetry.main: Begin splitting cli events and extra events, total events: 1 telemetry.client: Accumulated 0 events. Flush the clients. telemetry.main: Finish splitting cli events and extra events, cli events: 1 telemetry.save: Save telemetry record of length 3701 in cache telemetry.main: Begin creating telemetry upload process. telemetry.process: Creating upload process: "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\azure\cli\telemetry\__init__.pyc C:\Users\mmelndezlujn\.azure" telemetry.process: Return from creating process telemetry.main: Finish creating telemetry upload process.

Expected behavior

Adding a service principal password

Environment Summary

azure-cli 2.59.0

core 2.59.0 telemetry 1.1.0

Extensions: azure-devops 1.0.0 bastion 0.3.0 containerapp 0.3.50 log-analytics 0.2.2

Dependencies: msal 1.27.0 azure-mgmt-resource 23.1.0b2

Python location 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe' Extensions directory 'C:\Users\mmelndezlujn\.azure\cliextensions'

Python (Windows) 3.11.8 (tags/v3.11.8:db85d51, Feb 6 2024, 21:52:07) [MSC v.1937 32 bit (Intel)]

Additional context

No response

yonzhan commented 6 months ago

Thank you for opening this issue, we will look into it.

rohank07 commented 2 months ago

Any updates on this. Encountering the same issue.

henrickster commented 1 month ago

@yonzhan Any updates on this? The issue keeps happening, it happened to me in the very same way as described by others above.

jiasli commented 1 month ago

From the debug log, you can see the error happens on

POST https://graph.microsoft.com/v1.0/servicePrincipals/<id>/addPassword

REST API call and the error code is CannotUpdateLockedServicePrincipalProperty.

A quick search leads me to https://learn.microsoft.com/en-us/answers/questions/1822526/when-calling-ms-graph-via-api-trying-to-add-new-se, which was solved by removing the lock property in the SPN using PowerShell.

This error seems to be caused by servicePrincipalLockConfiguration:

If you have configured this servicePrincipalLockConfiguration, then it is by design that adding password is not allowed.

If this is unexpected, please disable servicePrincipalLockConfiguration.

jiasli commented 1 month ago

You may reset servicePrincipalLockConfiguration property with Azure CLI command:

az rest --method PATCH --url https://graph.microsoft.com/v1.0/applications/<object_id> --body '{"servicePrincipalLockConfiguration": null}'

You may also configure it in Azure Portal: Microsoft Entra ID -> App registrations -> YOUR APP -> Manage -> Authentication -> App instance property lock:

(screenshot: the App instance property lock setting under Authentication in the Azure Portal)
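The two comments above explain the cause (the application's servicePrincipalLockConfiguration locks the service principal's passwordCredentials) and the fix (PATCH the application object). The following is an added example, not code from this issue or from azure-cli: it runs a preflight check on an application object as returned by GET https://graph.microsoft.com/v1.0/applications/<object_id> (for instance via az rest), classifies the 400 body seen in the debug log, and builds a narrower PATCH than nulling the whole lock. The lock property names (isEnabled, allProperties, credentialsWithUsageSign, credentialsWithUsageVerify, tokenEncryptionKeyId) are those of the Microsoft Graph servicePrincipalLockConfiguration resource; the sample application objects and the assumption that passwordCredentials fall under the "Verify" usage lock are mine, and whether Graph accepts a partial rewrite of the lock object (rather than null as in jiasli's command) is an assumption you should confirm against the Graph documentation before relying on it.

```python
import json

# Constructed sample: application object with the portal's
# "App instance property lock" enabled (ids are placeholders).
SAMPLE_APP_LOCKED = {
    "id": "00000000-0000-0000-0000-000000000001",
    "appId": "00000000-0000-0000-0000-0000000000aa",
    "servicePrincipalLockConfiguration": {
        "isEnabled": True,
        "allProperties": False,
        "credentialsWithUsageSign": True,
        "credentialsWithUsageVerify": True,
        "tokenEncryptionKeyId": True,
    },
}

# Constructed sample: the same application after the lock was cleared
# with the az rest PATCH shown in the thread.
SAMPLE_APP_UNLOCKED = {
    "id": "00000000-0000-0000-0000-000000000001",
    "appId": "00000000-0000-0000-0000-0000000000aa",
    "servicePrincipalLockConfiguration": None,
}

# The 400 body from the issue's debug log, with innerError trimmed.
SAMPLE_GRAPH_ERROR = (
    '{"error":{"code":"CannotUpdateLockedServicePrincipalProperty",'
    '"message":"Property passwordCredentials is invalid.",'
    '"details":[{"code":"GenericError",'
    '"message":"Property passwordCredentials is invalid.",'
    '"target":"passwordCredentials"}]}}'
)


def password_add_is_locked(app: dict) -> bool:
    """Preflight: would addPassword on this app's service principal be refused?

    Assumption: passwordCredentials are governed by credentialsWithUsageVerify,
    and allProperties overrides the per-category flags.
    """
    lock = app.get("servicePrincipalLockConfiguration")
    if not lock or not lock.get("isEnabled"):
        return False
    return bool(lock.get("allProperties") or lock.get("credentialsWithUsageVerify"))


def classify_graph_error(body: str) -> str:
    """Map a Graph error body to a short diagnosis string.

    Returns 'locked-property:<targets>' for the lock error seen in this issue,
    otherwise 'other:<code>' so callers do not mistake unrelated 400s for it.
    """
    err = json.loads(body).get("error", {})
    code = err.get("code")
    targets = sorted(d["target"] for d in err.get("details", []) if d.get("target"))
    if code == "CannotUpdateLockedServicePrincipalProperty":
        return "locked-property:" + ",".join(targets)
    return f"other:{code}"


def minimal_unlock_patch(app: dict) -> dict:
    """Build a PATCH body that only releases the password/Verify lock.

    Unlike {"servicePrincipalLockConfiguration": null}, this keeps the
    tokenEncryptionKeyId and Sign-credential locks in place. Whether Graph
    accepts this partial rewrite is an assumption to verify.
    """
    lock = dict(app.get("servicePrincipalLockConfiguration") or {})
    lock["isEnabled"] = True
    lock["allProperties"] = False
    lock["credentialsWithUsageVerify"] = False
    lock.setdefault("credentialsWithUsageSign", False)
    lock.setdefault("tokenEncryptionKeyId", False)
    return {"servicePrincipalLockConfiguration": lock}


if __name__ == "__main__":
    print("locked:", password_add_is_locked(SAMPLE_APP_LOCKED))
    print("diagnosis:", classify_graph_error(SAMPLE_GRAPH_ERROR))
    print("patch body:", json.dumps(minimal_unlock_patch(SAMPLE_APP_LOCKED)))
```

To use it against a real tenant, fetch the application with az rest --method GET --url https://graph.microsoft.com/v1.0/applications/<object_id> and pass the parsed JSON to password_add_is_locked before running az ad sp credential reset; the narrower patch body is worth preferring over the null body when the lock was set deliberately and only credential rotation needs to be allowed.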