Service Principal Credential Reset does not appear in Azure Portal App Registration GUI

[arindam0310018]

[Enter feedback here]

---

Document Details

⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

• ID: 7bef1f12-de16-93ed-1cb7-3f3d5d99d786
• Version Independent ID: 4e9329a6-50f8-ee2a-af63-f750d66ed574
• Content: az ad sp credential
• Content Source: latest/docs-ref-autogen/ad/sp/credential.yml
• Service: active-directory
• GitHub Login: @rloutlaw
• Microsoft Alias: routlaw

[arindam0310018]

Hello Team, I am Resetting Service Principal Using az cli and az devops.
The Reset works with the reference command - "az ad sp credential reset".

The new Secret gets stored in KV, however, when I browse to Azure Portal --> App Registration --> Required App Registration --> Certificates and Secrets, I cannot see the New Secret Generated. There is no new entry found.

All details can be found in my blog - https://dev.to/arindam0310018/reset-service-principal-secret-and-store-in-key-vault-using-az-devops-2h8o

Please let me know if this is bug or if my understanding is in correct.

Thank you

Arindam Mitra

[yonzhan]

@jiasli for awareness

[arindam0310018]

Hello Team,
Is there any update? Can you please let me know when time permits.

Many Thanks
Regards, Arindam Mitra

[jiasli]

The behavior of az ad sp credential was changed during Microsoft Graph migration to align with its underlying Microsoft Graph API and address #11458. This was documented at https://learn.microsoft.com/en-us/cli/azure/microsoft-graph-migration#az-ad-sp-credential

Azure Portal can only show app's credential, not service principal's. Use az ad app credential list to get the same behavior as Azure Portal.

We don't want to describe the behavior of Azure Portal since Azure Portal are subject to change, making Azure CLI's documents hard to maintain. Once Azure Portal changes its behavior, Azure CLI's document will be outdated.

Previous discussions:

• calling ad sp credential list returns empty #21195 (comment)
• Adding note about change in behaviour for az cli #23413 (comment)

[madforchili]

Hi @jiasli from #23374 "Fix is to change from az ad sp credential reset to az ad app credential reset"

can this apply to the AKS as well? this AKS MS doc https://learn.microsoft.com/en-us/azure/aks/update-credentials specifically saying use az ad sp credential reset
"SP_SECRET=$(az ad sp credential reset --id "$SP_ID" --query password -o tsv)"

Can you update this doc as well if we can use az ad app credential reset

[jiasli]

@madforchili, that depends on the business logic of AKS. +@FumingZhang to help take a look.

[FumingZhang]

Hey @madforchili, @jiasli, basically, the app credential reset command also applies to the AKS cluster.

This is actually related to the relationship between the app and the sp itself. For a single tenant app, the two reset commands are almost equivalent, while for a multi tenant app, the sp credential reset only takes effect for the corresponding tenant, while the app credential reset will take effect for all tenants.