Hi @testuser7 • Thank you for reaching out.
The passwordCredentials and keyCredentials added to the application object are not added to the corresponding servicePrincipal object. When users or administrators in the consumer tenants consent to a multi-tenant application, the servicePrincipal object gets created in their tenant without any passwordCredentials and keyCredentials, even when these credentials are set on the application object within the provider's tenant.
As an administrator of the consumer tenant, if you make the Graph call below or run the equivalent PowerShell cmdlet to fetch the servicePrincipal details, you will only see an empty array for these attributes, regardless of whether the application object is configured with these credentials or not.
- GET https://graph.microsoft.com/v1.0/servicePrincipals/object_id_of_the_servicePrincipal?$select=PasswordCredentials,KeyCredentials
- Get-AzureADServicePrincipal -objectId object_id_of_the_servicePrincipal | fl KeyCredentials, PasswordCredentials
You will only see the password and key credentials on a servicePrincipal if those are explicitly set on the SP object using the addPassword method, as mentioned below:
POST https://graph.microsoft.com/beta/servicePrincipals/{id}/addPassword
Content-type: application/json

{
  "passwordCredential": {
    "displayName": "Password friendly name"
  }
}
Credentials are usually added to an SP object when there is no corresponding application object present in the same tenant and a token needs to be acquired in the context of the service principal using client_credentials flow. As this flow requires a certificate/secret to be passed in the request body for token acquisition, credentials must be added to the service principal.
-----------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
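As an added example (not part of the answer above and not Microsoft's code), a small Python helper that a consumer-tenant administrator can run over the JSON page returned by the GET above (with `$select=id,displayName,passwordCredentials,keyCredentials`) to list every credential that was set directly on a service principal, flagging expired and unusually long-lived ones. The response below is a constructed sample, and the 365-day lifetime threshold is an assumed policy value.

```python
"""Audit a Microsoft Graph servicePrincipals page for credentials set
directly on servicePrincipal objects (not inherited from the app object)."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of a Graph response page; not real tenant data.
# sp-1 mimics a consented multi-tenant app (empty arrays, as the answer
# explains); sp-2 has credentials added with addPassword / addKey.
SAMPLE_RESPONSE = json.dumps({
    "value": [
        {"id": "sp-1", "displayName": "Multi-tenant app (consented)",
         "passwordCredentials": [], "keyCredentials": []},
        {"id": "sp-2", "displayName": "Automation SP",
         "passwordCredentials": [
             {"keyId": "k1", "displayName": "Password friendly name",
              "endDateTime": "2099-01-01T00:00:00Z"}],
         "keyCredentials": [
             {"keyId": "c1", "displayName": "old cert",
              "endDateTime": "2020-01-01T00:00:00Z"}]},
    ]
})


def _parse_time(value):
    """Parse the ISO-8601 timestamps Graph returns (trailing 'Z')."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_service_principals(response_json, now=None, max_lifetime_days=365):
    """Return one finding per credential found on an SP object.

    now: optional ISO-8601 string used as the reference time (defaults to
    the current UTC time). max_lifetime_days is an assumed policy limit.
    """
    ref = _parse_time(now) if now else datetime.now(timezone.utc)
    findings = []
    for sp in json.loads(response_json).get("value", []):
        for kind in ("passwordCredentials", "keyCredentials"):
            for cred in sp.get(kind) or []:   # Graph returns [] when unset
                end = _parse_time(cred["endDateTime"])
                if end < ref:
                    status = "expired"
                elif end - ref > timedelta(days=max_lifetime_days):
                    status = "long-lived"
                else:
                    status = "active"
                findings.append({"spId": sp["id"], "displayName": sp.get("displayName"),
                                 "kind": kind, "keyId": cred.get("keyId"),
                                 "status": status})
    return findings
```

A real run would page through `@odata.nextLink` and feed each page to this function; SPs with empty arrays (the consented multi-tenant case) produce no findings.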