az ad sp credential list does not show the same as the Azure portal #23717

Closed
yrro opened this issue Aug 30, 2022 · 12 comments
Labels: Auto-Assign (Auto assign by bot); Azure CLI Team (The command of the issue is owned by Azure CLI team); customer-reported (Issues that are reported by GitHub users external to the Azure organization.); Documentation; Graph (az ad); needs-team-attention (This issue needs attention from Azure service team or SDK team); Service Attention (This issue is responsible by Azure service team.)

Comments

@yrro

yrro commented Aug 30, 2022

This is autogenerated. Please review and update as needed.

Describe the bug

Command Name
az ad sp credential list --id ID

Errors:
The output shows me the credential reset with az ad sp credential reset --id ID. But in the Azure portal, looking at the app registration's secrets, there is a different secret displayed with a different (shorter) expiry date.

To Reproduce:

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.

  • Create an app registration
  • Create a secret in the Azure portal. Max lifetime is 2 years 🤦
  • az ad sp credential list --id ID outputs nothing. The secret created in the Azure portal cannot be seen in the CLI
  • az ad sp credential reset --id ID --years 100
  • Look at the app registration's secrets in the Azure portal. The newly created secret is not there - the old one is still present
  • az ad sp credential list --id ID will show the new 100 year secret.

Expected Behavior

Environment Summary

Linux-5.18.0-3-amd64-x86_64-with-glibc2.34, Debian GNU/Linux 11 (bullseye)
Python 3.10.5
Installer: DEB

azure-cli 2.39.0

Extensions:
azure-firewall 0.13.0
ip-group 0.1.2
support 1.0.3

Dependencies:
msal 1.18.0b1
azure-mgmt-resource 21.1.0b1

Additional Context

@ghost ghost added customer-reported Issues that are reported by GitHub users external to the Azure organization. Auto-Assign Auto assign by bot Graph az ad labels Aug 30, 2022
@ghost ghost assigned jiasli Aug 30, 2022
@ghost ghost added this to the Backlog milestone Aug 30, 2022
@yonzhan yonzhan added Azure CLI Team The command of the issue is owned by Azure CLI team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Aug 30, 2022
@yonzhan
Collaborator

yonzhan commented Aug 30, 2022

@jiasli for awareness

@yrro
Author

yrro commented Aug 31, 2022

I've done a bit more experimentation. Created a brand new app registration and reset its secret with az ad app credential reset. After a few minutes (and a web page refresh) the new credential appears in the Azure portal.

So I think it's simply that the docs are wrong: az ad sp ... commands are not equivalent to az ad app ... commands; they operate on the enterprise application, as opposed to the app registration.

To be precise, this page says:

The credential update will be applied on the Application object the service principal is associated with. In other words, you can accomplish the same thing using "az ad app credential".

The same text is visible in the output of az ad sp credential --help.

So it appears that enterprise applications/service principals have their own set of secrets, that are not visible anywhere in the Azure portal. A fun place to stash away backdoor credentials!

@RakeshMohanMSFT RakeshMohanMSFT self-assigned this Sep 2, 2022
@RakeshMohanMSFT
Contributor

@yrro Thank you for reaching out, we will look into it.

@RakeshMohanMSFT
Contributor

@yrro Thank you for reaching out to us. As you pointed out they are used for different purposes. az ad app credential list uses application api for ad graph and az ad sp credential list uses the application api.

We will get the document updated to use better words to avoid confusion.
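The gap discussed in this thread (secrets held on the service principal object that the app registration's secrets list does not show) can be checked for by comparing the two objects' credential lists. The following is an added example, not part of the original thread and not Azure CLI code; it assumes input in the Microsoft Graph `servicePrincipal` / `application` JSON shape, the sample data is constructed, and the function names are hypothetical.

```python
import json
from datetime import datetime, timedelta

# The report says the portal caps new secrets at 2 years; longer lifetimes stand out.
PORTAL_MAX_LIFETIME = timedelta(days=2 * 366)

# Constructed sample data in Microsoft Graph object shape (not real tenant output).
SERVICE_PRINCIPALS = json.loads("""[
 {"appId": "11111111-1111-1111-1111-111111111111", "displayName": "demo-app",
  "keyCredentials": [], "passwordCredentials": [
   {"keyId": "aaaaaaaa-0000-0000-0000-000000000001",
    "startDateTime": "2022-08-30T10:00:00Z", "endDateTime": "2122-08-30T10:00:00Z"}]}
]""")
APPLICATIONS = json.loads("""[
 {"appId": "11111111-1111-1111-1111-111111111111", "displayName": "demo-app",
  "keyCredentials": [], "passwordCredentials": [
   {"keyId": "bbbbbbbb-0000-0000-0000-000000000002",
    "startDateTime": "2022-08-30T09:00:00.1234567Z", "endDateTime": "2024-08-29T09:00:00Z"}]}
]""")

def parse_ts(value):
    # Graph timestamps are UTC ("Z") and may carry fractional seconds; drop both.
    return datetime.strptime(value.split(".")[0].rstrip("Z"), "%Y-%m-%dT%H:%M:%S")

def audit_sp_credentials(service_principals, applications):
    """List every credential stored on a service principal object itself."""
    app_key_ids = {}
    for app in applications:
        creds = (app.get("passwordCredentials") or []) + (app.get("keyCredentials") or [])
        app_key_ids.setdefault(app["appId"], set()).update(c["keyId"] for c in creds)
    findings = []
    for sp in service_principals:
        for kind in ("passwordCredentials", "keyCredentials"):
            for cred in sp.get(kind) or []:
                lifetime = parse_ts(cred["endDateTime"]) - parse_ts(cred["startDateTime"])
                findings.append({
                    "appId": sp["appId"], "displayName": sp.get("displayName"),
                    "kind": kind, "keyId": cred["keyId"],
                    # False: the key is absent from the app registration's own credential list.
                    "on_app_registration": cred["keyId"] in app_key_ids.get(sp["appId"], set()),
                    "exceeds_portal_max": lifetime > PORTAL_MAX_LIFETIME,
                })
    return findings

if __name__ == "__main__":
    for finding in audit_sp_credentials(SERVICE_PRINCIPALS, APPLICATIONS):
        print(json.dumps(finding))
```

To run it against a tenant, replace the two sample lists with the JSON from `az ad sp list --all` and `az ad app list --all`, on the assumption that their output carries the `passwordCredentials` and `keyCredentials` fields used here.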

@RakeshMohanMSFT RakeshMohanMSFT added the needs-author-feedback More information is needed from author to address the issue. label Sep 6, 2022
@yonzhan yonzhan added feature-request and removed question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Sep 6, 2022
@ghost ghost added the no-recent-activity There has been no recent activity on this issue. label Sep 13, 2022
@ghost

ghost commented Sep 13, 2022

Hi, we're sending this friendly reminder because we haven't heard back from you in a while. We need more information about this issue to help address it. Please be sure to give us your input within the next 7 days. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!

@yrro
Author

yrro commented Sep 13, 2022

I don't think there's any feedback required from me?

@ghost ghost added needs-team-attention This issue needs attention from Azure service team or SDK team and removed needs-author-feedback More information is needed from author to address the issue. no-recent-activity There has been no recent activity on this issue. labels Sep 13, 2022
@RakeshMohanMSFT
Contributor

@yrro No we do not need it. Thank you. I will close this thread, if you have no further questions.

@RakeshMohanMSFT RakeshMohanMSFT added needs-author-feedback More information is needed from author to address the issue. and removed needs-team-attention This issue needs attention from Azure service team or SDK team labels Sep 14, 2022
@yrro
Author

yrro commented Sep 14, 2022

Is there a link to the issue # for the doc update?

@ghost ghost added needs-team-attention This issue needs attention from Azure service team or SDK team and removed needs-author-feedback More information is needed from author to address the issue. labels Sep 14, 2022
@RakeshMohanMSFT
Contributor

@yrro Not yet. We will get it updated soon.

@yonzhan yonzhan added the CXP Attention This issue is handled by CXP team. label Sep 19, 2022
@ghost

ghost commented Sep 19, 2022

Thank you for your feedback. This has been routed to the support team for assistance.

@RakeshMohanMSFT RakeshMohanMSFT added Service Attention This issue is responsible by Azure service team. and removed CXP Attention This issue is handled by CXP team. labels Oct 10, 2022
@RakeshMohanMSFT RakeshMohanMSFT removed their assignment Oct 10, 2022
@yrro
Author

yrro commented Jun 14, 2023

https://learn.microsoft.com/en-us/cli/azure/ad/sp/credential?view=azure-cli-latest no longer has text similar to 'The credential update will be applied on the Application object the service principal is associated with. In other words, you can accomplish the same thing using "az ad app credential".' so I am closing this issue.

@yrro yrro closed this as completed Jun 14, 2023
@jiasli
Member

jiasli commented Jun 26, 2023

Duplicate of #23566

@jiasli jiasli marked this as a duplicate of #23566 Jun 26, 2023