Azure / azure-powershell

Microsoft Azure PowerShell

New-AzADAppCredential certificate does not show in portal #11825

Open arcotek-ltd opened 4 years ago

arcotek-ltd commented 4 years ago

Description

When attempting to create a new certificate-based credential for an existing service principal, the certificate is created, but does not show in the portal (App registrations > {app_name} > certificates & secrets), whereas, using the same technique to create the certificate but generating a new service principal, the certificate shows up.

Steps to reproduce

As per your docs:

# Create self-signed cert:
$oCert = New-SelfSignedCertificate `
  -CertStoreLocation "cert:\CurrentUser\My" `
  -Subject "CN=Test2020" `
  -KeySpec KeyExchange

$KeyValue = [System.Convert]::ToBase64String($oCert.GetRawCertData())

# Get AD APP
$MyApp = Get-AzADApplication -DisplayName "Test2020"

#Create and assign credential
$MyApp | New-AzADAppCredential -CertValue $KeyValue -StartDate $oCert.NotBefore -EndDate $oCert.NotAfter

# Check portal - not showing.
# Check with PowerShell

Get-AzADAppCredential -ApplicationObject $MyApp

#Output
StartDate           EndDate             KeyId                                Type
---------           -------             -----                                ----
06/05/2020 22:45:11 06/05/2021 23:05:11 46a3d10d-a65d-266a-55d5-0ddae26a6a3a AsymmetricX509Cert

Environment data

Name                           Value
----                           -----
PSVersion                      5.1.18362.752
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.18362.752
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Module versions

ModuleType Version    Name                                ExportedCommands
---------- -------    ----                                ----------------
Script     1.13.0     Az.Resources                        {Add-AzADGroupMember, Export-AzResourceGroup, Get-AzADAppCredential, Get-AzADApplication...}

Debug output

Happy to share privately with MS.

Error output

No errors produced.

Discussed in https://github.com/MicrosoftDocs/azure-docs/issues/41433

dingmeng-xue commented 4 years ago

@arcotek-ltd, could you use credential correctly in PowerShell?

arcotek-ltd commented 4 years ago

Hi @dingmeng-xue,

Thank you for your reply, however, I don't understand what you mean by "could you use credential correctly in PowerShell?" Can you elaborate, please?

Are you saying I am not using the cmdlet correctly? If so, what am I doing wrong?

I see you've added the keyvault tag. Why?

I also see you've added the More Info tag. What additional information do you require?

Many thanks

dingmeng-xue commented 4 years ago

Hi @arcotek-ltd, the label was not correct. I removed it and am waiting for further information.

According to your description, my understanding is that you created an AppCredential and can see it via PowerShell cmdlets, but the Azure Portal didn't show it. I hope to check if you can use that app credential. Azure PowerShell is just a client tool. We have no way to access the service code. So more information will help to narrow down the issue.

dingmeng-xue commented 4 years ago

Hi @arcotek-ltd, is there any update?

dingmeng-xue commented 4 years ago

@arcotek-ltd, I'm closing this issue now. Please contact us if you meet the issue again.

vijaygos commented 4 years ago

This needs to be re-opened. AD App credentials are not reflected on the portal when created from PowerShell. This is very easily reproducible.

dingmeng-xue commented 4 years ago

@vijaygos, could you check if Get-AzADAppCredential can return correct information? If yes, please raise the issue to Azure Portal. If Get-AzAdAppCredential cannot return a result, please share the debug message after setting $DebugPreference="Continue".

fgheysels commented 1 year ago

2 years later, and I'm facing the same issue. I think either this cmdlet is broken, or the documentation is lacking some information.

When I use the New-AzAppCredential cmdlet, a new secret is created. When listing the secrets using Get-AzAppCredential, I can also see that the secret was added; however, I cannot find it back in the Azure Portal.

Searching the Internet shows a lot of tutorials / Stack Overflow solutions where the creation of a new client-secret is done via the New-AzureADApplicationPasswordCredential, but that cmdlet is part of AzureAD PowerShell, which is planned to be deprecated.

So please, #reopen this issue and guide us to the solution :)

nb2708 commented 1 year ago

Thought I'd chuck in a workaround I was able to use which may help someone, since the az module command is still having issues.

I used the Azure CLI command instead to replace old secrets with a new one (might not be helpful depending on what you are trying to do):

az ad app credential reset --id xxxxx

You can also add --append to the end to generate a new secret instead of replacing old ones.

sbugalski commented 8 months ago

Issue is still here: Function New-AzADSpCredential 6.13.0 Az.Resources

doggy8088 commented 6 months ago

Get-AzADAppCredential

@sbugalski The Get-AzADAppCredential cmdlet could return correct information. The New-AzADSpCredential and Get-AzADAppCredential are slightly different.
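
Added example, not part of the thread or of the Az project's code: since the thread shows credentials that PowerShell returns but the portal view does not list, this sketch inventories credentials from the API for both the application object and its service principal, which are separate directory objects with separate credential lists. The function names `Get-FirstProperty` and `Get-AppCredentialInventory` are hypothetical, "Test2020" is the display name from the report, and the alternative property names (`AppId`/`ApplicationId`, `EndDateTime`/`EndDate`) are an assumption covering the older and newer Az.Resources output shapes.

```powershell
# Added example. Assumes an authenticated session (Connect-AzAccount) that is
# allowed to read applications and service principals in the tenant.

# Return the first property that exists and is non-null; used because
# property names differ between Az.Resources generations (assumption).
function Get-FirstProperty($Object, [string[]]$Names) {
    foreach ($n in $Names) {
        $p = $Object.PSObject.Properties[$n]
        if ($p -and $null -ne $p.Value) { return $p.Value }
    }
}

function Get-AppCredentialInventory {
    param([Parameter(Mandatory)][string]$DisplayName)

    foreach ($app in @(Get-AzADApplication -DisplayName $DisplayName)) {
        $appId = Get-FirstProperty $app 'AppId', 'ApplicationId'

        # Credentials stored on the application object.
        $sources = @(
            @{ Holder = 'Application'; Creds = @(Get-AzADAppCredential -ApplicationObject $app) }
        )

        # Credentials stored on the service principal, if one exists.
        $sp = Get-AzADServicePrincipal -ApplicationId $appId
        if ($sp) {
            $sources += @{ Holder = 'ServicePrincipal'; Creds = @(Get-AzADSpCredential -ServicePrincipalObject $sp) }
        }

        foreach ($s in $sources) {
            foreach ($c in $s.Creds) {
                [pscustomobject]@{
                    AppId   = $appId
                    Holder  = $s.Holder      # which object carries the credential
                    KeyId   = $c.KeyId
                    Starts  = Get-FirstProperty $c 'StartDateTime', 'StartDate'
                    Expires = Get-FirstProperty $c 'EndDateTime', 'EndDate'
                }
            }
        }
    }
}

Get-AppCredentialInventory -DisplayName 'Test2020' | Format-Table -AutoSize
```

Any KeyId in this output that cannot be matched to a credential you expect on that object is worth reviewing, whichever object holds it.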