`az ad sp credential delete` does not delete SAML signing cert

[tagur87]

This is autogenerated. Please review and update as needed.

Describe the bug

When running az ad sp credential delete --cert --id xxxx --key-id xxxx to delete an inactive SAML signing certificate, the command succeeds, but there are no changes in the API or the GUI.

Command Name
az ad sp credential delete

Errors:

None

To Reproduce:

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.

• Put any pre-requisite steps here...
• Create SAML application and add two SAML signing certificates
• az ad sp credential list --id abcd1234
• See signing certificates in list
• az ad sp credential delete --id abcd1234 --key-id {} --cert <<--- key id of the inactive cert in the previous list
• az ad sp credential list --id abcd1234
• see that cert is still there

Expected Behavior

Expect the inactive certificate with the key-id sent through the delete command should be removed.

Environment Summary

Linux-5.10.16.3-microsoft-standard-WSL2-x86_64-with-glibc2.35, Ubuntu 20.04.5 LTS
Python 3.10.8
Installer: HOMEBREW

azure-cli 2.42.0

Additional Context

[yonzhan]

@jiasli for awareness

[jiasli]

Azure CLI currently has no support for SAML-based AAD apps (#7579), so this use case is not supported either.

---

Even so, I did some investigation and can provide some further information.

az ad sp credential delete command calls the Update servicePrincipal Microsoft Graph API to delete certificate credential from the keyCredentials property of the service principal object. It raises an error if the key_id doesn't exist in keyCredentials:

azure-cli/src/azure-cli/azure/cli/command_modules/role/custom.py

Lines 1777 to 1790 in 00fe3e5

	def _delete_credential(graph_object, remove_password_func, patch_function, key_id, cert=False):
	if cert:
	key_creds = graph_object['keyCredentials']
	to_delete = next((x for x in key_creds if x['keyId'] == key_id), None)
	if to_delete:
	key_creds.remove(to_delete)
	body = {
	'keyCredentials': key_creds
	}
	patch_function(graph_object[ID], body)
	else:
	raise CLIError("No key credential found with keyId as '{}' in graph object '{}'.".format(
	key_id, graph_object[ID]))

You may run az ad sp credential delete with --debug to verify how it works and which APIs are invoked.

Therefore, it is very likely to be a Microsoft Graph API issue:

1. The SAML signing certificate can be retrieved under the keyCredentials property of the service principal object.
2. But it cannot be removed by first removing it from the keyCredentials property then calling Update servicePrincipal API.

I would suggest contacting Microsoft Graph support for further investigation.