
New-AzureRmADAppCredential: Error 'Update to existing credential with KeyId is not allowed' when attempting to add secondary certificate credential #6784

Closed
etortec opened this issue Jul 26, 2018 · 2 comments

Comments

@etortec

etortec commented Jul 26, 2018

Description

Attempting to use New-AzureRmADAppCredential to add a certificate credential when a certificate credential already exists for the service principal fails with the error message 'Update to existing credential with KeyId 'f5fc14f5-72d8-4fbd-b1fb-9ee43aacd2d7' is not allowed.'.

Looking at the PowerShell debug output, the command seems to attempt to use an HTTP PATCH to modify the existing credential, whereas I would have expected it to add a new credential.

Script/Steps for Reproduction

# Setup
$servicePrincipal = New-AzureRmADServicePrincipal -DisplayName TestApp
$cert1 = New-SelfSignedCertificate -Subject "CN=Cert1" -KeyUsage DigitalSignature -KeySpec Signature
$cert2 = New-SelfSignedCertificate -Subject "CN=Cert2" -KeyUsage DigitalSignature -KeySpec Signature
New-AzureRmADAppCredential -ApplicationId $servicePrincipal.ApplicationId -CertValue ([System.Convert]::ToBase64String($cert1.GetRawCertData())) -StartDate $cert1.NotBefore -EndDate $cert1.NotAfter

# This will fail
New-AzureRmADAppCredential -ApplicationId $servicePrincipal.ApplicationId -CertValue ([System.Convert]::ToBase64String($cert2.GetRawCertData())) -StartDate $cert2.NotBefore -EndDate $cert2.NotAfter

Module Version

Get-Module -Name AzureRM -ListAvailable

ModuleType Version    Name                                ExportedCommands
---------- -------    ----                                ----------------
Script     6.5.0      AzureRM
Script     5.7.0      AzureRM
Script     5.1.1      AzureRM
Script     5.0.1      AzureRM

Environment Data

$PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.16299.492
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.16299.492
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Debug Output

<...>
DEBUG: 07/26/2018 12:48:22: 1512ca98-8edb-4fee-8e93-1cfa5885a437 - AcquireTokenHandlerBase: === Token Acquisition finished successfully. An access token was retuned:
 Access Token Hash: LvU33cFGs5Nz0pLoqRsdcknBOvisxPqCxXZoOgOKbgc=
 Refresh Token Hash: [No Refresh Token]
 Expiration Time: 07/26/2018 13:18:32 +00:00
 User Hash: null

DEBUG: Microsoft.IdentityModel.Clients.ActiveDirectory Information: 2 :
DEBUG: 07/26/2018 12:48:22:  - TokenCache: Serializing token cache with 3 items.
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://graph.windows.net/1a51fcca-582e-4462-a99f-559c8b91f6e4/applications?$filter=appId eq '31054256-9406-4511-94bf-7adc1fd720a8'&api-version=1.6

Headers:
x-ms-client-request-id        : 2b46b7b7-b8eb-430f-88a9-0c0a3e957aad
accept-language               : en-US

Body:


DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Pragma                        : no-cache
ocp-aad-diagnostics-server-name: XPmBRyGrHFd7J5zP/wTgOz2nqqKpAE+0dnW4GQUoZ9Y=
request-id                    : bc9ca501-0913-44a3-a344-ae5c344aaf9e
client-request-id             : 4c315ce9-d395-49de-8711-8b3fbac97003
x-ms-dirapi-data-contract-version: 1.6
ocp-aad-session-key           : <snip>
X-Content-Type-Options        : nosniff
DataServiceVersion            : 3.0;
Strict-Transport-Security     : max-age=31536000; includeSubDomains
Access-Control-Allow-Origin   : *
Duration                      : 587101
Cache-Control                 : no-cache
Server                        : Microsoft-IIS/10.0
X-AspNet-Version              : 4.0.30319
X-Powered-By                  : ASP.NET,ASP.NET
Date                          : Thu, 26 Jul 2018 12:48:22 GMT

Body:
{
  "odata.metadata": "https://graph.windows.net/1a51fcca-582e-4462-a99f-559c8b91f6e4/$metadata#directoryObjects/Microsoft.DirectoryServices.Application",
  "value": [
    {
      "odata.type": "Microsoft.DirectoryServices.Application",
      "objectType": "Application",
      "objectId": "71651b10-c552-47bc-ab9e-df24c410949f",
      "deletionTimestamp": null,
      "acceptMappedClaims": null,
      "addIns": [],
      "appId": "31054256-9406-4511-94bf-7adc1fd720a8",
      "appRoles": [],
      "availableToOtherTenants": false,
      "displayName": "TestApp",
      "errorUrl": null,
      "groupMembershipClaims": null,
      "homepage": "http://TestApp",
      "identifierUris": [
        "http://TestApp"
      ],
      "informationalUrls": {
        "termsOfService": null,
        "support": null,
        "privacy": null,
        "marketing": null
      },
      "isDeviceOnlyAuthSupported": null,
      "keyCredentials": [
        {
          "customKeyIdentifier": "36CF4B6FE01CEEF13E1D3DEF3017CCCEFF6319E1",
          "endDate": "2019-07-26T12:58:19Z",
          "keyId": "f5fc14f5-72d8-4fbd-b1fb-9ee43aacd2d7",
          "startDate": "2018-07-26T12:38:19Z",
          "type": "AsymmetricX509Cert",
          "usage": "Verify",
          "value": null
        }
      ],
      "knownClientApplications": [],
      "logoutUrl": null,
      "logoUrl": null,
      "oauth2AllowIdTokenImplicitFlow": true,
      "oauth2AllowImplicitFlow": false,
      "oauth2AllowUrlPathMatching": false,
      "oauth2Permissions": [
        {
          "adminConsentDescription": "Allow the application to access TestApp on behalf of the signed-in user.",
          "adminConsentDisplayName": "Access TestApp",
          "id": "dfbaf0ed-dae1-4bdb-8262-b4131dfcff6c",
          "isEnabled": true,
          "type": "User",
          "userConsentDescription": "Allow the application to access TestApp on your behalf.",
          "userConsentDisplayName": "Access TestApp",
          "value": "user_impersonation"
        }
      ],
      "oauth2RequirePostResponse": false,
      "optionalClaims": null,
      "orgRestrictions": [],
      "parentalControlSettings": {
        "countriesBlockedForMinors": [],
        "legalAgeGroupRule": "Allow"
      },
      "passwordCredentials": [],
      "publicClient": null,
      "publisherDomain": "<snip>",
      "recordConsentConditions": null,
      "replyUrls": [],
      "requiredResourceAccess": [],
      "samlMetadataUrl": null,
      "signInAudience": "AzureADMyOrg",
      "tokenEncryptionKeyId": null
    }
  ]
}

DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://graph.windows.net/1a51fcca-582e-4462-a99f-559c8b91f6e4/applications/71651b10-c552-47bc-ab9e-df24c410949f/keyCredentials?api-version=1.6

Headers:
x-ms-client-request-id        : a30087cc-f090-4dec-b8d4-25b152a598d9
accept-language               : en-US

Body:


DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Pragma                        : no-cache
ocp-aad-diagnostics-server-name: IA+f26hykHGFjqbb0zO6E7kkIcADwfInsfAi7FFANSA=
request-id                    : 8e62d866-dfcb-4205-9aa4-855e2b768fbf
client-request-id             : 28ac953e-0f88-49b1-9758-6a17ba4d0eda
x-ms-dirapi-data-contract-version: 1.6
ocp-aad-session-key           : <snip>
X-Content-Type-Options        : nosniff
DataServiceVersion            : 3.0;
Strict-Transport-Security     : max-age=31536000; includeSubDomains
Access-Control-Allow-Origin   : *
Duration                      : 564202
Cache-Control                 : no-cache
Server                        : Microsoft-IIS/10.0
X-AspNet-Version              : 4.0.30319
X-Powered-By                  : ASP.NET,ASP.NET
Date                          : Thu, 26 Jul 2018 12:48:22 GMT

Body:
{
  "odata.metadata": "https://graph.windows.net/1a51fcca-582e-4462-a99f-559c8b91f6e4/$metadata#Collection(Microsoft.DirectoryServices.KeyCredential)",
  "value": [
    {
      "customKeyIdentifier": "36CF4B6FE01CEEF13E1D3DEF3017CCCEFF6319E1",
      "endDate": "2019-07-26T12:58:19Z",
      "keyId": "f5fc14f5-72d8-4fbd-b1fb-9ee43aacd2d7",
      "startDate": "2018-07-26T12:38:19Z",
      "type": "AsymmetricX509Cert",
      "usage": "Verify",
      "value": null
    }
  ]
}

DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
PATCH

Absolute Uri:
https://graph.windows.net/1a51fcca-582e-4462-a99f-559c8b91f6e4/applications/71651b10-c552-47bc-ab9e-df24c410949f/keyCredentials?api-version=1.6

Headers:
x-ms-client-request-id        : 0f467ae8-6732-44ff-84c4-7ac54c83cd99
accept-language               : en-US

Body:
{
  "value": [
    {
      "startDate": "2018-07-26T12:38:19Z",
      "endDate": "2019-07-26T12:58:19Z",
      "keyId": "f5fc14f5-72d8-4fbd-b1fb-9ee43aacd2d7",
      "usage": "Verify",
      "type": "AsymmetricX509Cert"
    },
    {
      "startDate": "2018-07-26T12:38:19Z",
      "endDate": "2019-07-26T12:58:19Z",
      "value": "<snip>",
      "keyId": "67d3e36c-9d70-4e36-a73b-940be7d8473b",
      "usage": "Verify",
      "type": "AsymmetricX509Cert"
    }
  ]
}

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
BadRequest

Headers:
ocp-aad-diagnostics-server-name: C9HzIAu8sf3ZdxROmT8HhmxgHchIgClb0lVlCryzFUI=
request-id                    : 30e646a9-2e5a-41a6-abb8-1b30d885f259
client-request-id             : 042600b0-36e3-41f7-8a7e-11587b638f6a
x-ms-dirapi-data-contract-version: 1.6
ocp-aad-session-key           : <snip>
Strict-Transport-Security     : max-age=31536000; includeSubDomains
Access-Control-Allow-Origin   : *
Duration                      : 4875774
Cache-Control                 : private
Server                        : Microsoft-IIS/10.0
X-AspNet-Version              : 4.0.30319
X-Powered-By                  : ASP.NET,ASP.NET
Date                          : Thu, 26 Jul 2018 12:48:22 GMT

Body:
{
  "odata.error": {
    "code": "Request_BadRequest",
    "message": {
      "lang": "en",
      "value": "Update to existing credential with KeyId 'f5fc14f5-72d8-4fbd-b1fb-9ee43aacd2d7' is not allowed."
    },
    "date": "2018-07-26T12:48:22",
    "requestId": "30e646a9-2e5a-41a6-abb8-1b30d885f259",
    "values": [
      {
        "item": "PropertyName",
        "value": "keyCredentials"
      },
      {
        "item": "PropertyErrorCode",
        "value": "KeyNotUpdatable"
      }
    ]
  }
}

DEBUG: Caught exception, type: Microsoft.Azure.Graph.RBAC.Version1_6.Models.GraphErrorException
New-AzureRmADAppCredential : Update to existing credential with KeyId 'f5fc14f5-72d8-4fbd-b1fb-9ee43aacd2d7' is not allowed.
At line:1 char:1
+ New-AzureRmADAppCredential -ApplicationId $servicePrincipal.Applicati ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [New-AzureRmADAppCredential], Exception
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.ActiveDirectory.NewAzureADAppCredentialCommand

DEBUG: AzureQoSEvent: CommandName - New-AzureRmADAppCredential; IsSuccess - False; Duration - 00:00:01.0236114; Exception - System.Exception: Update to existing credential with KeyId 'f5fc14f5-72d8-4fbd-b1fb-9ee43aacd2d7' is not allowed.;
DEBUG: Finish sending metric.
DEBUG: 14:48:23 - NewAzureADAppCredentialCommand end processing.
DEBUG: 14:48:23 - NewAzureADAppCredentialCommand end processing.
@cormacpayne
Member

@etortec thanks for providing all of this information -- it appears that this is a duplicate of issue #6219, so I will close this in favor of the other since the appropriate parties have been looped in there.

@etortec
Author

etortec commented Jul 30, 2018

Workaround: you can use New-AzureADApplicationKeyCredential to add multiple certificate credentials:

$application = Get-AzureADApplication | Where-Object { $_.AppId -eq $servicePrincipal.ApplicationId }
New-AzureADApplicationKeyCredential -ObjectId $application.ObjectId -CustomKeyIdentifier ([System.Convert]::ToBase64String($cert2.GetCertHash())) -Type AsymmetricX509Cert -Usage Verify -Value ([System.Convert]::ToBase64String($cert2.GetRawCertData())) -StartDate $cert2.NotBefore -EndDate $cert2.NotAfter
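The workaround above, written out as a reusable function, is an added example and not code from the issue author or the Azure PowerShell project. It assumes the $servicePrincipal and $cert2 variables from the reproduction script, that the AzureAD module is installed and Connect-AzureAD has already been run, and that the function name Add-AppCertificateCredential is a hypothetical one. It adds the checks a practitioner would want before registering a second certificate: confirm the application exists, refuse a certificate that has already expired, skip a certificate whose hash is already registered, and read the keyCredentials back afterwards so both KeyIds are on record for a later rotation.

```powershell
# Added example (not from the issue or the Azure PowerShell project).
# Registers an additional certificate credential on an application via the
# AzureAD module, which posts only the new key instead of re-sending the whole
# keyCredentials collection (the PATCH that fails with KeyNotUpdatable above).
# Assumes: $servicePrincipal and $cert2 from the reproduction script, the AzureAD
# module, and an existing Connect-AzureAD session.

function Add-AppCertificateCredential {
    param(
        [Parameter(Mandatory)] [string] $ApplicationId,
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate
    )

    # Resolve the application registration from its AppId.
    $app = Get-AzureADApplication -Filter "AppId eq '$ApplicationId'"
    if (-not $app) {
        throw "No application registration found for AppId '$ApplicationId'."
    }

    # Never register a certificate that can no longer be used to authenticate.
    if ($Certificate.NotAfter -le (Get-Date)) {
        throw "Certificate $($Certificate.Thumbprint) expired on $($Certificate.NotAfter)."
    }

    # Graph identifies a certificate credential by its SHA-1 hash; compare as hex
    # so the check works whether the module returns the identifier as byte[] or string
    # (assumption: the property is one of those two shapes).
    $existing = @(Get-AzureADApplicationKeyCredential -ObjectId $app.ObjectId)
    $duplicate = $existing | Where-Object {
        $id = $_.CustomKeyIdentifier
        if ($id -is [byte[]]) { $id = ([System.BitConverter]::ToString($id)) -replace '-', '' }
        $id -and ($id.ToUpperInvariant() -eq $Certificate.Thumbprint.ToUpperInvariant())
    }
    if ($duplicate) {
        Write-Warning "Certificate $($Certificate.Thumbprint) is already registered as KeyId $($duplicate.KeyId); nothing added."
        return $duplicate
    }

    # Add only the new credential; existing KeyIds are left untouched.
    New-AzureADApplicationKeyCredential -ObjectId $app.ObjectId `
        -CustomKeyIdentifier ([System.Convert]::ToBase64String($Certificate.GetCertHash())) `
        -Type AsymmetricX509Cert -Usage Verify `
        -Value ([System.Convert]::ToBase64String($Certificate.GetRawCertData())) `
        -StartDate $Certificate.NotBefore -EndDate $Certificate.NotAfter | Out-Null

    # Read the collection back: both KeyIds should now be present. Keep the old
    # KeyId so it can be retired later with Remove-AzureADApplicationKeyCredential
    # once every consumer has moved to the new certificate.
    Get-AzureADApplicationKeyCredential -ObjectId $app.ObjectId |
        Select-Object KeyId, StartDate, EndDate, Type, Usage
}

# Usage with the variables from the reproduction script above.
Add-AppCertificateCredential -ApplicationId $servicePrincipal.ApplicationId -Certificate $cert2
```

After the old certificate has been removed from every client, the original KeyId (f5fc14f5-72d8-4fbd-b1fb-9ee43aacd2d7 in the debug output above) can be retired with Remove-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -KeyId, which completes the rotation without ever re-submitting an existing credential.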
