Credential objects missing CustomKeyIdentifier property, causes issues #6219

Closed
nonik0 opened this issue May 15, 2018 · 17 comments
Assignees
Labels
Resource Authorization AzRole* in Az.Resources Service Attention This issue is responsible by Azure service team.

Comments

@nonik0

nonik0 commented May 15, 2018

Hi,

I've determined that the PSADPasswordCredential and PSADKeyCredential objects defined in the object data model are missing the "CustomKeyIdentifier" property. This issue will typically not be seen if creating the objects and credentials exclusively through Azure PowerShell as the CustomKeyIdentifer property will never be populated. However, this missing property can cause issues when managing credentials on an application or service principal where one of the existing credentials in the object has a non-null value for this property. The typical error message looks like:
New-AzureRmADAppCredential : Update to existing credential with KeyId 'xxx' is not allowed.

Repro Steps:

  1. Create an application and add a credential via Azure Portal (credentials created via portal will have the CustomKeyIdentifer populated by default)
  2. Try to add a new credential of the same type to the application using Azure PowerShell
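As an added example (not part of the original report or of the Azure PowerShell project), the following PowerShell inspects an application's existing credentials for the condition described in the repro steps: a credential whose CustomKeyIdentifier is populated, which is the state in which New-AzureRmADAppCredential fails. It uses the AzureAD module cmdlets, whose credential objects do expose CustomKeyIdentifier, and assumes Connect-AzureAD has already been run; the function name, the placeholder application object id, and the Az.Resources version threshold (taken from the thread's statement that the fix shipped in Az 1.0) are our assumptions.

```powershell
# Added example: report which credentials on an application carry a CustomKeyIdentifier.
# Assumes the AzureAD module is installed and Connect-AzureAD has been run.

function Get-CredentialsWithCustomKeyIdentifier {
    param(
        [Parameter(Mandatory)][string]$ApplicationObjectId   # application object id, not the service principal id
    )

    # Certificate (key) and password credentials are listed by separate cmdlets.
    $keyCreds      = @(Get-AzureADApplicationKeyCredential      -ObjectId $ApplicationObjectId)
    $passwordCreds = @(Get-AzureADApplicationPasswordCredential -ObjectId $ApplicationObjectId)

    $entries = @()
    $entries += ($keyCreds      | ForEach-Object { [pscustomobject]@{ Kind = 'Key';      Credential = $_ } })
    $entries += ($passwordCreds | ForEach-Object { [pscustomobject]@{ Kind = 'Password'; Credential = $_ } })

    foreach ($entry in $entries) {
        $c = $entry.Credential
        # CustomKeyIdentifier is a byte[]; the portal fills it in, credentials created
        # through AzureRM leave it null.
        $hasCustomId = ($null -ne $c.CustomKeyIdentifier) -and ($c.CustomKeyIdentifier.Length -gt 0)
        $customIdB64 = $null
        if ($hasCustomId) { $customIdB64 = [System.Convert]::ToBase64String($c.CustomKeyIdentifier) }

        [pscustomobject]@{
            Kind                   = $entry.Kind
            KeyId                  = $c.KeyId
            StartDate              = $c.StartDate
            EndDate                = $c.EndDate
            HasCustomKeyIdentifier = $hasCustomId
            CustomKeyIdentifier    = $customIdB64
        }
    }
}

# --- usage (placeholder id; replace with your application's object id) ---
$appObjectId = '00000000-0000-0000-0000-000000000000'
$report = Get-CredentialsWithCustomKeyIdentifier -ApplicationObjectId $appObjectId
$report | Format-Table -AutoSize

if ($report | Where-Object { $_.HasCustomKeyIdentifier }) {
    Write-Warning ("At least one credential carries CustomKeyIdentifier; New-AzureRmADAppCredential and " +
                   "Remove-AzureRmADAppCredential will fail with 'Update to existing credential ... is not allowed'. " +
                   "Use the AzureAD cmdlets, or Az 1.0 or later, for this application.")
}

# Check whether an Az.Resources build that carries the fix is installed.
# Assumption: Az.Resources 1.0.0 corresponds to the Az 1.0 release named in the thread.
$azRes = Get-Module -ListAvailable -Name Az.Resources | Sort-Object Version -Descending | Select-Object -First 1
if (-not $azRes) {
    Write-Warning 'Az.Resources is not installed; AzureRM alone will not handle this application.'
} elseif ($azRes.Version -lt [version]'1.0.0') {
    Write-Warning "Az.Resources $($azRes.Version) predates the fix; update to Az 1.0 or later."
} else {
    Write-Host "Az.Resources $($azRes.Version) installed; New-AzADAppCredential should handle this case."
}
```

Run the report before any automated credential change: if it flags a credential, the script knows in advance that the AzureRM path will be rejected and can branch to the AzureAD cmdlets instead of failing mid-run.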
@cormacpayne cormacpayne self-assigned this May 16, 2018
@cormacpayne cormacpayne added this to the 2018-06-01 milestone May 16, 2018
@cormacpayne
Member

@darshanhs90 Hey Haridarshan, would you happen to know why the above scenario is disallowed? I am able to reproduce the above exception, but am unsure why the server would return a BadRequest.

@cormacpayne
Member

@darshanhs90 gentle ping

@darshanhs90
Contributor

@markcowl markcowl modified the milestones: 2018-06-01, 2018-06-15 Jun 7, 2018
@cormacpayne cormacpayne modified the milestones: 2018-06-29, 2018-07-13 Jul 2, 2018
@cormacpayne
Member

cormacpayne commented Jul 3, 2018

@RBACAsk ping on the question above 😀

@cormacpayne
Member

Another repro of this issue can be found here: #6784

@markcowl markcowl removed this from the 2018-07-27 milestone Jul 27, 2018
@tonybendis

Remove-AzureRmADAppCredential throws the same error when trying to remove key credential from an app that has multiple credentials.
I've added the credentials using New-AzureADApplicationKeyCredential, since New-AzureRmADAppCredential breaks when adding the 2nd credential (this bug).

@y325A

y325A commented Aug 6, 2018

Does anyone have any workarounds other than the AzureAD module or a fix estimate? This has disappointingly broken my automated certificate renewal script.
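The thread's only named workaround is the AzureAD module. As an added example (not code from the thread or from either module's maintainers), here is a certificate-renewal flow built on that module: it adds the new certificate with CustomKeyIdentifier set explicitly, confirms the credential exists by re-listing, and only then removes old credentials by KeyId, which is the operation Remove-AzureRmADAppCredential rejects in this state. It assumes an active Connect-AzureAD session, a .cer file holding the new public certificate, and an application object id; the function names, paths and grace period are our assumptions.

```powershell
# Added example: rotate an application's certificate credential with the AzureAD module.
# Assumes Connect-AzureAD has been run and $CertificatePath points at the new public cert (.cer).

function Add-AppCertificateCredential {
    param(
        [Parameter(Mandatory)][string]$ApplicationObjectId,   # application object id, not the service principal id
        [Parameter(Mandatory)][string]$CertificatePath
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertificatePath)
    $certHashB64 = [System.Convert]::ToBase64String($cert.GetCertHash())

    # Set CustomKeyIdentifier ourselves (base64 of the certificate hash), so the credential
    # can later be matched back to the certificate it belongs to.
    New-AzureADApplicationKeyCredential -ObjectId $ApplicationObjectId `
        -CustomKeyIdentifier $certHashB64 `
        -Type AsymmetricX509Cert -Usage Verify `
        -Value ([System.Convert]::ToBase64String($cert.GetRawCertData())) `
        -StartDate $cert.NotBefore -EndDate $cert.NotAfter | Out-Null

    # Confirm by listing rather than trusting the cmdlet's return value.
    $added = Get-AzureADApplicationKeyCredential -ObjectId $ApplicationObjectId |
        Where-Object {
            $_.CustomKeyIdentifier -and
            ([System.Convert]::ToBase64String($_.CustomKeyIdentifier) -eq $certHashB64)
        }
    if (-not $added) { throw "Credential for certificate $($cert.Thumbprint) not found after add" }
    return $added
}

function Remove-ExpiringAppCertificateCredentials {
    param(
        [Parameter(Mandatory)][string]$ApplicationObjectId,
        [Parameter(Mandatory)][string]$KeepKeyId,   # KeyId of the credential just added; never removed
        [int]$GraceDays = 30                        # only remove credentials expiring within this window
    )
    $cutoff = (Get-Date).AddDays($GraceDays)
    Get-AzureADApplicationKeyCredential -ObjectId $ApplicationObjectId |
        Where-Object { ($_.KeyId -ne $KeepKeyId) -and ($_.EndDate -lt $cutoff) } |
        ForEach-Object {
            Write-Host "Removing key credential $($_.KeyId) (expires $($_.EndDate))"
            Remove-AzureADApplicationKeyCredential -ObjectId $ApplicationObjectId -KeyId $_.KeyId
        }
}

# --- usage (placeholders) ---
$appObjectId = '00000000-0000-0000-0000-000000000000'
$newCred = Add-AppCertificateCredential -ApplicationObjectId $appObjectId -CertificatePath 'C:\renewal\new-cert.cer'
Write-Host "New credential KeyId: $($newCred.KeyId)"

# Remove the outgoing credential only after consumers have switched to the new certificate.
Remove-ExpiringAppCertificateCredentials -ApplicationObjectId $appObjectId -KeepKeyId $newCred.KeyId -GraceDays 30
```

The add-then-verify-then-remove order matters for an unattended renewal job: if the add fails, the old credential is still in place and the job stops with an error instead of leaving the application with no valid key.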

@KamilTomczakSii

I see no chance to deploy dynamics365 on-prem without this step?
We tried with

New-AzureRmADSpCredential -ObjectId CertValue -EndDate "04.09.2019 10:24:08" -StartDate "04.09.2018 10:04:08" and the same result:
Update to existing credential with KeyId is not allowed.

@bsiegel bsiegel added the Service Attention This issue is responsible by Azure service team. label Sep 26, 2018
@alex-moffitt

@y325A Did you ever find a work around? I am in the same boat as you.

@darshanhs90
Contributor

@alex-moffitt The newer PowerShell release should have the fix for this issue, since @grlin fixed the issue some time back.

@alex-moffitt

@darshanhs90 or @grlin I might be doing it wrong then. I am on 6.13.1
When I do the following I get the not allowed error.

$cert = Get-AzureKeyVaultSecret -VaultName 'AAA' -Name 'BBB'

New-AzureRmADAppCredential -ApplicationId XXXX -CertValue $cert.SecretValueText

@grlin
Contributor

grlin commented Jan 4, 2019

@alex-moffitt The fix is in the new Az 1.0 release.

@Vivihung

@grlin For AzureRM PowerShell users, which module/library should we update to get the fix?
I'm still blocked by this issue when calling New-AzureRmADAppCredential.

@grlin
Contributor

grlin commented Feb 26, 2019

Any version of Az after 1.0 should include the fix. AzureRM is no longer being updated.

@Vivihung

@grlin Thanks. I didn't realize Az is actually a package.
Looks like this one:
https://www.powershellgallery.com/packages/Az/1.4.0

@masisley

masisley commented Mar 5, 2019

@grlin I'm attempting to use this new api, but I'm failing with a new error. It appears that we fail to retrieve the application from graph and receive a 404. I can open a new issue if you'd like:

PS C:\Users\masisley> Get-AzureADServicePrincipal -ObjectId 31e7eee0-2015-490c-9581-776b4eca9c36

ObjectId                             AppId                                DisplayName
31e7eee0-2015-490c-9581-776b4eca9c36 00000003-0000-0ff1-ce00-000000000000 Office 365 SharePoint Online

PS C:\Users\masisley> New-AzureADApplicationKeyCredential -ObjectId '31e7eee0-2015-490c-9581-776b4eca9c36' -CustomKeyIdentifier ([System.Convert]::ToBase64String($cert.GetCertHash())) -Type AsymmetricX509Cert -Usage Verify -Value ([System.Convert]::ToBase64String($cert.GetRawCertData())) -StartDate $cert.NotBefore -EndDate $cert.NotAfter
New-AzureADApplicationKeyCredential : Error occurred while executing GetApplication
Code: Request_ResourceNotFound
Message: Resource '31e7eee0-2015-490c-9581-776b4eca9c36' does not exist or one of its queried reference-property
objects are not present.
RequestId: fe385086-1a3b-44f2-84b6-59acd279f926
DateTimeStamp: Tue, 05 Mar 2019 22:58:23 GMT
HttpStatusCode: NotFound
HttpStatusDescription: Not Found
HttpResponseStatus: Completed
At line:1 char:1
+ New-AzureADApplicationKeyCredential -ObjectId '31e7eee0-2015-490c-958 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-AzureADApplicationKeyCredential], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD.Graph.PowerShell.Cus
   tom.NewAzureADApplicationKeyCredential

@grlin
Contributor

grlin commented Mar 5, 2019

Hi @masisley I think this is a separate issue.
