az ad app credential reset overwrites credentials if executed twice after each other from GitHub Actions workflow #32467

@ronaldbosma

Description

Describe the bug

I've deployed an app registration and Key Vault. I want to generate both a certificate and client secret on the app registration. I'm using az ad app credential reset for this. When I execute both commands after each other from my local machine (Windows 11 in PowerShell prompt), this works fine. When I deploy the same commands from a GitHub Actions workflow, in most cases, only the last credential is created.

Here's the shortened version of the script I'm running:

$clientAppId = "<Application (client) ID>"
$keyVaultName = "<Key Vault Name>"

# Create certificate in Key Vault and add to app registration
az ad app credential reset --id $clientAppId --create-cert --keyvault $keyVaultName --cert "client-certificate" --display-name "Client Certificate" --append --output none

# Create secret on app registration
$existingSecret = az ad app credential reset --id $clientAppId --display-name "Client Secret" --query "password" --append --output tsv

As you can see, both commands have the --append flag.

I think it's in part due to the eventually consistent nature of Entra ID, so I'm not sure if this is an issue caused by the Azure CLI or if I need to report the issue somewhere else.

When I execute the commands locally both the certificate and secret are created. I can see the following 'Update application – Certificates and secrets management' activities in the Entra ID Audit Log.

First, this entry that shows the creation of the certificate:

Image

And then an entry showing the addition of the secret. Note that the certificate is shown in the old value column.

Image

When I execute the commands from a GitHub Actions workflow, the first audit log entry is the same when a certificate is created:

Image

However, this is the second entry.

Image

As you can see the old value is still empty. The certificate is missing. Maybe due to eventual consistency? Because the old value is empty, the secret is stored but the certificate is not stored on the app registration. It is however created in the Key Vault.

Note that it doesn't always happen when I execute my script in a GitHub Actions workflow, but more than 50% of the time it does.

Related command

az ad app credential reset

Errors

Issue script & Debug output

You can find a pipeline run here.

Command in pipeline with --debug param:

  $clientAppId = "df4364d3-7ee2-42f8-ad12-73d5932782d9"
  $keyVaultName = "kvoauthbackendsdcluolm"
  
  # Create certificate in Key Vault and add to app registration
  az ad app credential reset --id $clientAppId --create-cert --keyvault $keyVaultName --cert "client-certificate" --display-name "Client Certificate" --append --output none --debug
  
  # Create secret on app registration
  $existingSecret = az ad app credential reset --id $clientAppId --display-name "Client Secret" --query "password" --append --output tsv --debug

Debug output

DEBUG: cli.knack.cli: Command arguments: ['ad', 'app', 'credential', 'reset', '--id', 'df4364d3-7ee2-42f8-ad12-73d5932782d9', '--create-cert', '--keyvault', 'kvoauthbackendsdcluolm', '--cert', 'client-certificate', '--display-name', 'Client Certificate', '--append', '--output', 'none', '--debug']
DEBUG: cli.knack.cli: __init__ debug log:
Cannot enable color.
DEBUG: cli.knack.cli: Event: Cli.PreExecute []
DEBUG: cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x7f6497b79120>, <function OutputProducer.on_global_arguments at 0x7f64978f0d60>, <function CLIQuery.on_global_arguments at 0x7f649791ee80>]
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
DEBUG: cli.azure.cli.core: Modules found from index for 'ad': ['azure.cli.command_modules.role']
DEBUG: cli.azure.cli.core: Loading command modules:
DEBUG: cli.azure.cli.core: Name                  Load Time    Groups  Commands
DEBUG: cli.azure.cli.core: role                      0.004        17        62
DEBUG: cli.azure.cli.core: Total (1)                 0.004        17        62
DEBUG: cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next']
DEBUG: cli.azure.cli.core: Loading extensions:
DEBUG: cli.azure.cli.core: Name                  Load Time    Groups  Commands  Directory
DEBUG: cli.azure.cli.core: Total (0)                 0.000         0         0  
DEBUG: cli.azure.cli.core: Loaded 17 groups, 62 commands.
DEBUG: cli.azure.cli.core: Found a match in the command table.
DEBUG: cli.azure.cli.core: Raw command  : ad app credential reset
DEBUG: cli.azure.cli.core: Command table: ad app credential reset
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x7f6496ad3560>]
DEBUG: cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '/home/runner/.azure/commands/2025-11-26.17-14-47.ad_app_credential_reset.2090.log'.
INFO: az_command_data_logger: command args: ad app credential reset --id {} --create-cert --keyvault {} --cert {} --display-name {} --append --output {} --debug
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x7f6496b2c860>]
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x7f6496b2eb60>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x7f6496b2ed40>, <function register_upcoming_breaking_change_info.<locals>.update_breaking_change_info at 0x7f6496b2ede0>]
DEBUG: cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x7f64978f0e00>, <function CLIQuery.handle_query_parameter at 0x7f649791ef20>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x7f6496b2ec00>]
DEBUG: cli.azure.cli.core.util: Retrieving token for resource https://graph.microsoft.com/
DEBUG: cli.azure.cli.core.auth.persistence: build_persistence: location='/home/runner/.azure/service_principal_entries.json', encrypt=False
DEBUG: cli.azure.cli.core.auth.persistence: build_persistence: location='/home/runner/.azure/msal_token_cache.json', encrypt=False
DEBUG: cli.azure.cli.core.auth.binary_cache: load: /home/runner/.azure/msal_http_cache.bin
DEBUG: urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
DEBUG: msal.authority: Initializing with Entra authority: https://login.microsoftonline.com/***
DEBUG: msal.authority: openid_config("https://login.microsoftonline.com/***/v2.0/.well-known/openid-configuration") = {'token_endpoint': 'https://login.microsoftonline.com/***/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic', 'self_signed_tls_client_auth'], 'jwks_uri': 'https://login.microsoftonline.com/***/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/***/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/***/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/***/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/***/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/***/kerberos', 'mtls_endpoint_aliases': {'token_endpoint': 'https://mtlsauth.microsoft.com/***/oauth2/v2.0/token'}, 'tls_client_certificate_bound_access_tokens': True, 'tenant_region_scope': 'EU', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
DEBUG: msal.application: Broker enabled? None
DEBUG: msal.application: Region to be used: None
DEBUG: cli.azure.cli.core.auth.msal_credentials: ServicePrincipalCredential.acquire_token: scopes=['https://graph.microsoft.com//.default'], kwargs={}
DEBUG: msal.telemetry: Generate or reuse correlation_id: a61c93c3-00e3-4d27-b2d4-f2f2b1d723ed
DEBUG: msal.telemetry: Generate or reuse correlation_id: 04b2af8f-08e2-4a54-a197-5c09c20b9fda
INFO: cli.azure.cli.core.util: Request URL: 'https://graph.microsoft.com/v1.0/applications/adb0d754-5560-49a4-b3bf-2a81578ba26f'
INFO: cli.azure.cli.core.util: Request method: 'GET'
INFO: cli.azure.cli.core.util: Request headers:
INFO: cli.azure.cli.core.util:     'User-Agent': 'python/3.13.9 (Linux-6.11.0-1018-azure-x86_64-with-glibc2.39) AZURECLI/2.79.0 (DEB)'
INFO: cli.azure.cli.core.util:     'Accept-Encoding': 'gzip, deflate'
INFO: cli.azure.cli.core.util:     'Accept': '*/*'
INFO: cli.azure.cli.core.util:     'Connection': 'keep-alive'
INFO: cli.azure.cli.core.util:     'x-ms-client-request-id': 'fa4391ea-c137-4af7-949d-a41727a75595'
INFO: cli.azure.cli.core.util:     'CommandName': 'ad app credential reset'
INFO: cli.azure.cli.core.util:     'ParameterSetName': '--id --display-name --query --append --output --debug'
INFO: cli.azure.cli.core.util:     'Authorization': '***'
INFO: cli.azure.cli.core.util: Request body:
INFO: cli.azure.cli.core.util: None
DEBUG: urllib3.connectionpool: Starting new HTTPS connection (1): graph.microsoft.com:443
DEBUG: urllib3.connectionpool: https://graph.microsoft.com:443 "GET /v1.0/applications/adb0d754-5560-49a4-b3bf-2a81578ba26f HTTP/1.1" 200 None
INFO: cli.azure.cli.core.util: Response status: 200
INFO: cli.azure.cli.core.util: Response headers:
INFO: cli.azure.cli.core.util:     'Cache-Control': 'no-cache'
INFO: cli.azure.cli.core.util:     'Transfer-Encoding': 'chunked'
INFO: cli.azure.cli.core.util:     'Content-Type': 'application/json;odata.metadata=minimal;odata.streaming=true;IEEE754Compatible=false;charset=utf-8'
INFO: cli.azure.cli.core.util:     'Content-Encoding': 'gzip'
INFO: cli.azure.cli.core.util:     'Vary': 'Accept-Encoding'
INFO: cli.azure.cli.core.util:     'Strict-Transport-Security': 'max-age=31536000'
INFO: cli.azure.cli.core.util:     'request-id': '2177d38d-f271-4a11-b748-6c48201763b6'
INFO: cli.azure.cli.core.util:     'client-request-id': '2177d38d-f271-4a11-b748-6c48201763b6'
INFO: cli.azure.cli.core.util:     'x-ms-ags-diagnostic': '{"ServerInfo":{"DataCenter":"North Central US","Slice":"E","Ring":"4","ScaleUnit":"002","RoleInstance":"CH01EPF00004D89"}}'
INFO: cli.azure.cli.core.util:     'x-ms-resource-unit': '1'
INFO: cli.azure.cli.core.util:     'OData-Version': '4.0'
INFO: cli.azure.cli.core.util:     'Date': 'Wed, 26 Nov 2025 17:14:56 GMT'
INFO: cli.azure.cli.core.util: Response content:
INFO: cli.azure.cli.core.util: {"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#applications/$entity","id":"adb0d754-5560-49a4-b3bf-2a81578ba26f","deletedDateTime":null,"appId":"df4364d3-7ee2-42f8-ad12-73d5932782d9","applicationTemplateId":null,"disabledByMicrosoftStatus":null,"createdDateTime":"2025-11-26T16:35:32Z","displayName":"appreg-oauthbackend-sdc-clientwithcertificate-luolm","description":null,"groupMembershipClaims":null,"identifierUris":[],"isDeviceOnlyAuthSupported":null,"isFallbackPublicClient":null,"nativeAuthenticationApisEnabled":null,"notes":null,"publisherDomain":"***.onmicrosoft.com","serviceManagementReference":null,"signInAudience":"AzureADMyOrg","tags":["HideApp","SecurityControl: Ignore","azd-template: ronaldbosma/call-apim-backend-with-oauth","azd-env-name: oauthbackend","azd-env-id: azd-oauthbackend-sdc-luolm"],"tokenEncryptionKeyId":null,"uniqueName":"appreg-oauthbackend-sdc-clientwithcertificate-luolm","samlMetadataUrl":null,"defaultRedirectUri":null,"certification":null,"optionalClaims":null,"servicePrincipalLockConfiguration":null,"requestSignatureVerification":null,"addIns":[],"api":{"acceptMappedClaims":null,"knownClientApplications":[],"requestedAccessTokenVersion":null,"oauth2PermissionScopes":[],"preAuthorizedApplications":[]},"appRoles":[],"info":{"logoUrl":null,"marketingUrl":null,"privacyStatementUrl":null,"supportUrl":null,"termsOfServiceUrl":null},"keyCredentials":[],"parentalControlSettings":{"countriesBlockedForMinors":[],"legalAgeGroupRule":"Allow"},"passwordCredentials":[],"publicClient":{"redirectUris":[]},"requiredResourceAccess":[],"verifiedPublisher":{"displayName":null,"verifiedPublisherId":null,"addedDateTime":null},"web":{"homePageUrl":null,"logoutUrl":null,"redirectUris":[],"implicitGrantSettings":{"enableAccessTokenIssuance":false,"enableIdTokenIssuance":false},"redirectUriSettings":[]},"spa":{"redirectUris":[]}}
DEBUG: cli.azure.cli.core.util: Retrieving token for resource https://graph.microsoft.com/
DEBUG: urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
DEBUG: msal.authority: Initializing with Entra authority: https://login.microsoftonline.com/***
DEBUG: msal.authority: openid_config("https://login.microsoftonline.com/***/v2.0/.well-known/openid-configuration") = {'token_endpoint': 'https://login.microsoftonline.com/***/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic', 'self_signed_tls_client_auth'], 'jwks_uri': 'https://login.microsoftonline.com/***/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/***/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/***/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/***/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/***/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/***/kerberos', 'mtls_endpoint_aliases': {'token_endpoint': 'https://mtlsauth.microsoft.com/***/oauth2/v2.0/token'}, 'tls_client_certificate_bound_access_tokens': True, 'tenant_region_scope': 'EU', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
DEBUG: msal.application: Broker enabled? None
DEBUG: msal.application: Region to be used: None
DEBUG: cli.azure.cli.core.auth.msal_credentials: ServicePrincipalCredential.acquire_token: scopes=['https://graph.microsoft.com//.default'], kwargs={}
DEBUG: msal.application: Cache hit an AT
DEBUG: msal.telemetry: Generate or reuse correlation_id: 8fb0e282-83a0-4af4-b88e-3fd99734f8c1
INFO: cli.azure.cli.core.util: Request URL: 'https://graph.microsoft.com/v1.0/applications/adb0d754-5560-49a4-b3bf-2a81578ba26f/addPassword'
INFO: cli.azure.cli.core.util: Request method: 'POST'
INFO: cli.azure.cli.core.util: Request headers:
INFO: cli.azure.cli.core.util:     'User-Agent': 'python/3.13.9 (Linux-6.11.0-1018-azure-x86_64-with-glibc2.39) AZURECLI/2.79.0 (DEB)'
INFO: cli.azure.cli.core.util:     'Accept-Encoding': 'gzip, deflate'
INFO: cli.azure.cli.core.util:     'Accept': '*/*'
INFO: cli.azure.cli.core.util:     'Connection': 'keep-alive'
INFO: cli.azure.cli.core.util:     'x-ms-client-request-id': 'a589b8b0-b551-4cf2-b627-4034076f9c13'
INFO: cli.azure.cli.core.util:     'Content-Type': 'application/json'
INFO: cli.azure.cli.core.util:     'CommandName': 'ad app credential reset'
INFO: cli.azure.cli.core.util:     'ParameterSetName': '--id --display-name --query --append --output --debug'
INFO: cli.azure.cli.core.util:     'Authorization': '***'
INFO: cli.azure.cli.core.util:     'Content-Length': '136'
INFO: cli.azure.cli.core.util: Request body:
INFO: cli.azure.cli.core.util: {"passwordCredential": {"displayName": "Client Secret", "endDateTime": "2026-11-26T17:14:57Z", "startDateTime": "2025-11-26T17:14:57Z"}}
DEBUG: urllib3.connectionpool: Starting new HTTPS connection (1): graph.microsoft.com:443
DEBUG: urllib3.connectionpool: https://graph.microsoft.com:443 "POST /v1.0/applications/adb0d754-5560-49a4-b3bf-2a81578ba26f/addPassword HTTP/1.1" 200 None
INFO: cli.azure.cli.core.util: Response status: 200
INFO: cli.azure.cli.core.util: Response headers:
INFO: cli.azure.cli.core.util:     'Cache-Control': 'no-cache'
INFO: cli.azure.cli.core.util:     'Transfer-Encoding': 'chunked'
INFO: cli.azure.cli.core.util:     'Content-Type': 'application/json;odata.metadata=minimal;odata.streaming=true;IEEE754Compatible=false;charset=utf-8'
INFO: cli.azure.cli.core.util:     'Content-Encoding': 'gzip'
INFO: cli.azure.cli.core.util:     'Location': 'https://graph.microsoft.com'
INFO: cli.azure.cli.core.util:     'Vary': 'Accept-Encoding'
INFO: cli.azure.cli.core.util:     'Strict-Transport-Security': 'max-age=31536000'
INFO: cli.azure.cli.core.util:     'request-id': '9c6d1241-4c80-481c-b9e3-dc46416dea8f'
INFO: cli.azure.cli.core.util:     'client-request-id': '9c6d1241-4c80-481c-b9e3-dc46416dea8f'
INFO: cli.azure.cli.core.util:     'x-ms-ags-diagnostic': '{"ServerInfo":{"DataCenter":"North Central US","Slice":"E","Ring":"4","ScaleUnit":"000","RoleInstance":"CH01EPF00007334"}}'
INFO: cli.azure.cli.core.util:     'x-ms-resource-unit': '1'
INFO: cli.azure.cli.core.util:     'OData-Version': '4.0'
INFO: cli.azure.cli.core.util:     'Date': 'Wed, 26 Nov 2025 17:14:57 GMT'
INFO: cli.azure.cli.core.util: Response content:
INFO: cli.azure.cli.core.util: {"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#microsoft.graph.passwordCredential","customKeyIdentifier":null,"displayName":"Client Secret","endDateTime":"2026-11-26T17:14:57Z","hint":"eol","keyId":"09ce2ba9-6843-45bb-a80d-1a940139f581","secretText":"***","startDateTime":"2025-11-26T17:14:57Z"}
WARNING: cli.azure.cli.command_modules.role.custom: The output includes credentials that you must protect. Be sure that you do not include these credentials in your code or check the credentials into your source control. For more information, see https://aka.ms/azadsp-cli
DEBUG: urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
DEBUG: msal.authority: Initializing with Entra authority: https://login.microsoftonline.com/***
DEBUG: msal.authority: openid_config("https://login.microsoftonline.com/***/v2.0/.well-known/openid-configuration") = {'token_endpoint': 'https://login.microsoftonline.com/***/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic', 'self_signed_tls_client_auth'], 'jwks_uri': 'https://login.microsoftonline.com/***/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/***/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/***/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/***/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/***/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/***/kerberos', 'mtls_endpoint_aliases': {'token_endpoint': 'https://mtlsauth.microsoft.com/***/oauth2/v2.0/token'}, 'tls_client_certificate_bound_access_tokens': True, 'tenant_region_scope': 'EU', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
DEBUG: msal.application: Broker enabled? None
DEBUG: msal.application: Region to be used: None
DEBUG: cli.knack.cli: Event: CommandInvoker.OnTransformResult [<function _resource_group_transform at 0x7f98bb9200e0>, <function _x509_from_base64_to_hex_transform at 0x7f98bb920180>]
DEBUG: cli.knack.cli: Event: CommandInvoker.OnFilterResult [<function CLIQuery.handle_query_parameter.<locals>.filter_output at 0x7f98bb562700>]
DEBUG: cli.knack.cli: Event: Cli.SuccessfulExecute []
DEBUG: cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x7f98bb8c7740>]
INFO: az_command_data_logger: exit code: 0
INFO: cli.__main__: Command ran in 0.982 seconds (init: 0.127, invoke: 0.855)
INFO: telemetry.main: Begin splitting cli events and extra events, total events: 1
INFO: telemetry.client: Accumulated 0 events. Flush the clients.
INFO: telemetry.main: Finish splitting cli events and extra events, cli events: 1
INFO: telemetry.save: Save telemetry record of length 3909 in cache file under /home/runner/.azure/telemetry/20251126171457605
INFO: telemetry.main: Begin creating telemetry upload process.
INFO: telemetry.process: Creating upload process: "/opt/az/bin/python3 /opt/az/lib/python3.13/site-packages/azure/cli/telemetry/__init__.py /home/runner/.azure /home/runner/.azure/telemetry/20251126171457605"
INFO: telemetry.process: Return from creating process 2136
INFO: telemetry.main: Finish creating telemetry upload process.

Expected behavior

I would expect that the certificate is not overwritten by the creation of the secret.

I can understand that doing a get on the app registration's credentials might not return the certificate immediately because Entra ID is eventually consistent. But I wouldn't expect this behaviour when doing a mutation on the app registration.

Environment Summary

az --version output in GitHub Actions workflow

azure-cli 2.79.0 *

core 2.79.0 *
telemetry 1.1.0

Extensions:
azure-devops 1.0.2

Dependencies:
msal 1.34.0b1
azure-mgmt-resource 23.3.0

Python location '/opt/az/bin/python3'
Config directory '/home/runner/.azure'
Extensions directory '/opt/az/azcliextensions'

Python (Linux) 3.13.9 (main, Oct 28 2025, 09:10:00) [GCC 13.3.0]

az --version output on my local machine

azure-cli 2.78.0 *

core 2.78.0 *
telemetry 1.1.0

Extensions:
containerapp 1.0.0b3
interactive 1.0.0b1

Dependencies:
msal 1.34.0b1
azure-mgmt-resource 23.3.0

Python location 'C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe'
Config directory 'C:\Users\ronaldb\.azure'
Extensions directory 'C:\Users\ronaldb\.azure\cliextensions'

Python (Windows) 3.13.7 (tags/v3.13.7:bcee1c3, Aug 14 2025, 14:15:11) [MSC v.1944 64 bit (AMD64)]

Additional context

Repro steps:

  1. Create an app registration in Entra ID, copy the 'Application (client) ID'
  2. Create a Key Vault
  3. Set up a GitHub repository with federated credentials in Azure. See Use the Azure Login action with OpenID Connect
  4. Grant the managed identity/service principal with federated credentials enough permissions:
    • to add secrets and certificates to the Key Vault (e.g. role Key Vault Administrator)
    • to update your app registration (I think Application Administrator or Cloud Application Administrator is enough)
  5. Create a GitHub Actions workflow in your repository like this (or see sample below).
  6. Set the $clientAppId variable to your 'Application (client) ID'
  7. Set the $keyVaultName variable to your Key Vault

GitHub Actions workflow sample:

name: azure-dev

on:
  workflow_dispatch:

defaults:
  run:
    shell: pwsh # Use PowerShell Core for all scripts (the azd hooks are written in PowerShell)

jobs:
  test:
    name: Test
    runs-on: ubuntu-latest
    permissions:
      id-token: write # Required to fetch an OIDC token for Azure authentication
      contents: read  # Required to checkout code if needed

    steps:
    - name: Print Azure CLI version
      run: |
        az --version
        
    - name: Azure CLI Login
      uses: azure/login@v2
      with:
        client-id: ${{ secrets.AZURE_CLIENT_ID }}
        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

    - name: Generate secret and certificate for app registration
      run: |
        $clientAppId = "df4364d3-7ee2-42f8-ad12-73d5932782d9"
        $keyVaultName = "kvoauthbackendsdcluolm"

        # Create certificate in Key Vault and add to app registration
        az ad app credential reset --id $clientAppId --create-cert --keyvault $keyVaultName --cert "client-certificate" --display-name "Client Certificate" --append --output none --debug

        # Create secret on app registration
        $existingSecret = az ad app credential reset --id $clientAppId --display-name "Client Secret" --query "password" --append --output tsv --debug
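The two writes in the script above race against Entra ID replication: the second command can observe an app registration that does not yet show the certificate, and the report's audit log entries show the certificate being lost when that happens. The following is an added example, not code from the issue or from the Azure CLI project. It wraps the same two az ad app credential reset calls with a read-after-write poll on the app registration (using az ad app show, whose output carries the keyCredentials and passwordCredentials arrays visible in the debug log) and a final check that both credentials are present, so a lost credential fails the job instead of going unnoticed. The display names, the polling limits and the assumption that a consistent read lowers the chance of the second write landing on a stale replica are this example's own; polling cannot rule out the race, it only narrows the window and makes the outcome visible.

```powershell
# Added example (not from the issue report): poll until each credential write is
# visible, then verify the final credential set. Assumes az is logged in with
# rights to update the app registration and write to the Key Vault.
$ErrorActionPreference = 'Stop'

$clientAppId  = "<Application (client) ID>"   # placeholder, as in the report
$keyVaultName = "<Key Vault Name>"            # placeholder, as in the report

function Get-AppCredentialNames {
    # Returns the display names of certificates (keyCredentials) and secrets
    # (passwordCredentials) currently visible on the app registration.
    param([Parameter(Mandatory)][string]$AppId)
    $json = az ad app show --id $AppId --output json
    if ($LASTEXITCODE -ne 0) { throw "az ad app show failed for app $AppId" }
    $app = $json | ConvertFrom-Json
    [pscustomobject]@{
        Certificates = @($app.keyCredentials      | ForEach-Object { $_.displayName })
        Secrets      = @($app.passwordCredentials | ForEach-Object { $_.displayName })
    }
}

function Wait-ForCredential {
    # Polls the app registration until a credential with the given display name
    # is visible, or gives up after $MaxAttempts reads (limits are assumptions).
    param(
        [Parameter(Mandatory)][string]$AppId,
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][ValidateSet('Certificate', 'Secret')][string]$Kind,
        [int]$MaxAttempts = 12,
        [int]$DelaySeconds = 5
    )
    for ($i = 1; $i -le $MaxAttempts; $i++) {
        $names = Get-AppCredentialNames -AppId $AppId
        $list = if ($Kind -eq 'Certificate') { $names.Certificates } else { $names.Secrets }
        if ($list -contains $DisplayName) { return $true }
        Write-Host "Attempt ${i}/${MaxAttempts}: '$DisplayName' ($Kind) not visible yet, waiting $DelaySeconds s"
        Start-Sleep -Seconds $DelaySeconds
    }
    return $false
}

# 1. Certificate in Key Vault + on the app registration, then wait until a read shows it.
az ad app credential reset --id $clientAppId --create-cert --keyvault $keyVaultName `
    --cert "client-certificate" --display-name "Client Certificate" --append --output none
if ($LASTEXITCODE -ne 0) { throw "certificate reset failed" }
if (-not (Wait-ForCredential -AppId $clientAppId -DisplayName "Client Certificate" -Kind Certificate)) {
    throw "Certificate never became visible on the app registration; not adding the secret."
}

# 2. Secret on the app registration. Mask it so it cannot leak into the job log.
$clientSecret = az ad app credential reset --id $clientAppId --display-name "Client Secret" `
    --query "password" --append --output tsv
if ($LASTEXITCODE -ne 0) { throw "secret reset failed" }
Write-Host "::add-mask::$clientSecret"

# 3. Verify that the second write did not drop the first credential.
$final = Get-AppCredentialNames -AppId $clientAppId
if (($final.Certificates -notcontains "Client Certificate") -or ($final.Secrets -notcontains "Client Secret")) {
    throw "Credential set after both writes is incomplete: certificates=[$($final.Certificates -join ', ')] secrets=[$($final.Secrets -join ', ')]"
}
Write-Host "Both credentials are present on app $clientAppId"
```

Drop this in place of the "Generate secret and certificate for app registration" step; the job then fails loudly when the race is hit, and the masked secret never appears in the workflow log even with --debug.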

Metadata

Labels

  • Auto-Assign: Auto assign by bot
  • Auto-Resolve: Auto resolve by bot
  • Azure CLI Team: The command of the issue is owned by Azure CLI team
  • Graph
  • az ad
  • Service Attention: This issue is responsible by Azure service team.
  • customer-reported: Issues that are reported by GitHub users external to the Azure organization.
  • question: The issue doesn't require a change to the product in order to be resolved. Most issues start as that