When calling MS Graph via API - trying to add new secret to SPN in Entra, getting "message": "Property passwordCredentials is invalid.", via logic app

Question

Hey,

I'm trying to call MS Graph using logic app in Azure to add secret to SPN.

the call is POST /servicePrincipals(appId='{appId}')/addPassword via that link - https://learn.microsoft.com/en-us/graph/api/serviceprincipal-addpassword?view=graph-rest-1.0&tabs=http

The response body i get is -

{ "error": { "code": "CannotUpdateLockedServicePrincipalProperty", "message": "Property passwordCredentials is invalid.", "details": [ { "code": "GenericError", "message": "Property passwordCredentials is invalid.", "target": "passwordCredentials", "blockedWord": "", "prefix": "", "suffix": "" } ], "innerError": { "date": "2024-07-17T17:11:33", "request-id": "12d45b33-88**80b5-a934e0074cfe", "client-request-id": "12d45888888***74cfe" } } }

using that request body for Example (tried a lot more)

{ "passwordCredential": { "displayName": "NewSecretName", "startDateTime": "2024-07-16T00:00:00Z", "endDateTime": "2025-07-10T00:00:00Z" } }

Thanks,

Answer 1

When calling the Microsoft Graph API to add a new secret to a Service Principal Name (SPN) in Entra and encountering the error "Property passwordCredentials is invalid," it typically means there’s an issue with the structure or content of the API request. Ensure that the passwordCredentials property is correctly formatted according to the Microsoft Graph API documentation. Verify that you're including all required fields, such as startDate, endDate, and secretText. Additionally, check that your API request adheres to the expected schema and that the service principal has the appropriate permissions to update credentials.

Answer 2

solved by removing the lock property in the SPN using Powershell.