New-AzADAppCredential certificate does not show in portal

Description

When attempting to create a new certificate-based credential for an existing service principal, the certificate is created, but does not show in the portal (App registrations > {app_name} > certificates & secrets), whereas, using the same technique to create the certificate but generating a new service principal, the certificate shows up.

Steps to reproduce

As per your docs:

• https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-authenticate-service-principal-powershell#create-service-principal-with-self-signed-certificate
• https://docs.microsoft.com/en-us/powershell/module/az.resources/new-azadappcredential?view=azps-3.8.0 (Example 3, where you get an existing application)

# Create self-signed cert:
$oCert = New-SelfSignedCertificate `
  -CertStoreLocation "cert:\CurrentUser\My" `
  -Subject "CN=Test2020" `
  -KeySpec KeyExchange

$KeyValue = [System.Convert]::ToBase64String($oCert.GetRawCertData())

# Get AD APP
$MyApp = Get-AzADApplication -DisplayName "Test2020"

#Create and assign credential
$MyApp | New-AzADAppCredential -CertValue $KeyValue -StartDate $oCert.NotBefore -EndDate $oCert.NotAfter

# Check portal - not showing.
# Check with PowerShell

Get-AzADAppCredential -ApplicationObject $oAADApp

#Output
StartDate           EndDate             KeyId                                Type
---------           -------             -----                                ----
06/05/2020 22:45:11 06/05/2021 23:05:11 46a3d10d-a65d-266a-55d5-0ddae26a6a3a AsymmetricX509Cert

Environment data

Name                           Value
----                           -----
PSVersion                      5.1.18362.752
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.18362.752
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Module versions

ModuleType Version    Name                                ExportedCommands
---------- -------    ----                                ----------------
Script     1.13.0     Az.Resources                        {Add-AzADGroupMember, Export-AzResourceGroup, Get-AzADAppCredential, Get-AzADApplication...}

Debug output

Happy to share privately with MS.

Error output

No errors produced.

Discussed in https://github.com/MicrosoftDocs/azure-docs/issues/41433

[dingmeng-xue]

@arcotek-ltd , could you use credential correctly in PowerShell?

Hi @dingmeng-xue,

Thank you for your reply, however, I don't understand what you mean by "could you use credential correctly in PowerShell?" Can you elaborate, please?

Are you saying I am not using the cmdlet correctly? If so, what am I doing wrong?

I see you've added the keyvault tag. Why?

I also see you've added the More Info tag. What additional information do you require?

Many thanks

[dingmeng-xue]

Hi @arcotek-ltd , label was not correct. I removed it and wait further information.

According to your description, my understanding is you created AppCredential and can see it via PowerShell cmdlets. But Azure Portal didn't show it. I hope to check if you can use that app credential. Azure PowerShell is just client tool. We have no approach to access service code. So more information will help to narrow down the issue.

[dingmeng-xue]

Hi @arcotek-ltd , is there any update?

[dingmeng-xue]

@arcotek-ltd , I'm closing this issue now. Please contact us if you meet issue again.

[vijaygos]

This needs to be re-opened. AD App credentials are not reflected on the portal when created from Powershell. This is very easily reproducible.

[dingmeng-xue]

@vijaygos , Could you check if Get-AzADAppCredential can return correct information? If yes, please raise the issue to Azure Portal. If Get-AzAdAppCredential cannot return result, please share the debug message after setting $DebugPreference="Continue".