azure ad key-credential

testuser7 271 Reputation points


As we know, we can add one or more passwordCredentials and keyCredentials in the application-object that we have registered in our Azure AD tenant.

My understanding is when the Service-principal object is created off of this application-object (once admin or user does the consent) , the SAME passwordCredentials and keyCredentials are added into the SP object

Above statement is TRUE even if this SP object is created in different tenant (assuming this was a multi-tenant app)
Meaning ,the SAME passwordCredentials and keyCredentials will accompany the SP created in consumer-tenant.

If I am correct then my question is,
what is the use-case to directly add passwordCredentials and keyCredentials into the Service-principal object ??
I personally feel that passwordCredentials and keyCredentials should be READ-ONLY property into the Service-principal object.

In which scenario it is necessary and will such credentials show up in the application-object ?


Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,611 questions
{count} votes

1 answer

Sort by: Most helpful
  1. AmanpreetSingh-MSFT 56,506 Reputation points

    Hi @testuser7 • Thank you for reaching out.

    The passwordCredentials and keyCredentials added to the application-object are not added to the corresponding servicePrincipal object. When users or administrators in the consumer tenants consent a Multi-tenant application, the servicePrincipal object gets created in their tenant without any passwordCredentials and keyCredentials, even when these credentials are set on the application object within the provider's tenant.

    As an administrator of the consumer tenant, if you make the below graph call or run the equivalent PowerShell cmdlet to fetch the servicePrincipal details, you will only see an empty array for these attributes, regardless of whether the application object is configured with these credentials or not.

    You will only see the password and key credentials on a servicePrincipal if those are explicitly set on the SP object using the addPassword method, as mentioned below:

    Content-type: application/json  
      "passwordCredential": {  
        "displayName": "Password friendly name"  

    Credentials are usually added to an SP object when there is no corresponding application object present in the same tenant and a token needs to be acquired in the context of the service principal using client_credentials flow. As this flow requires a certificate/secret to be passed in the request body for token acquisition, credentials must be added to the service principal.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.