Tags: azure-active-directory, microsoft-graph-api

Graph API addPassword - Secret not shown in portal


I have an Azure Function that regenerates various App Registration secrets on Azure AD using the Graph API.

The call I make is relatively simple:

POST https://graph.microsoft.com/v1.0/servicePrincipals(appId='{someAppId}')/addPassword
{
  "passwordCredential": {
    "displayName": "Password friendly name"
  }
}

The response I get is a 200 OK:

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#microsoft.graph.passwordCredential",
    "customKeyIdentifier": null,
    "displayName": "Password friendly name",
    "endDateTime": "2026-01-30T10:16:31.9513536Z",
    "hint": "XCE",
    "keyId": "{redacted}",
    "secretText": "{redacted}",
    "startDateTime": "2024-01-30T10:16:31.9513536Z"
}

And I am able to use the newly generated secret, i.e. it is fully functional, BUT, I am not seeing the secret appear on the secrets list on the Azure Portal.

This appears to be a known issue, but I can't find the answer anywhere.

UPDATE:

If you wish to achieve the same programmatically in C#, try something like this:

// Fragment from the Azure Function; log, filterCriteria and graphServiceClient
// come from the function's own scope. Graph SDK v5 namespaces it relies on:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Extensions.Logging;
using Microsoft.Graph;
using Microsoft.Graph.Applications.Item.AddPassword;
using Microsoft.Graph.Models;

var applications = await GetAppRegistrationsAsync(log, filterCriteria, graphServiceClient);

foreach (var application in applications)
{
    var requestBody = new AddPasswordPostRequestBody
    {
        PasswordCredential = new PasswordCredential
        {
            DisplayName = "Secret Name",
            //StartDateTime = DateTimeOffset.UtcNow,
            //EndDateTime = DateTimeOffset.UtcNow.AddYears(1) // Set expiration as needed
        }
    };

    // application.Id is the application *object* id, so this call goes to
    // /applications/{objectId}/addPassword and the new secret shows in the portal.
    // The response carries secretText, which Graph returns only once; store it securely.
    var resultApp = await graphServiceClient.Applications[application.Id].AddPassword.PostAsync(requestBody);
}

private static async Task<IEnumerable<Application>> GetAppRegistrationsAsync(ILogger log, string filterCriteria, GraphServiceClient graphServiceClient)
{
    try
    {
        // GET /applications?$filter={filterCriteria}
        var applications = await graphServiceClient
            .Applications
            .GetAsync(requestConfiguration =>
            {
                requestConfiguration.QueryParameters.Filter = filterCriteria;
            });

        // var servicePrincipals = await _graphServiceClient.ServicePrincipals.GetAsync( x => x.QueryParameters.Filter );
        return applications is { Value: { } } ? applications.Value : Enumerable.Empty<Application>();
    }
    catch (Exception e)
    {
        log.LogError(e, "Failed to list app registrations with filter {Filter}", filterCriteria);
        throw;
    }
}

Solution

  • Note that you are creating service principal secrets, whereas the Azure Portal shows application secrets by default. Refer to this SO thread by AlfredoRevilla-MSFT.

    But you can still use the service principal secrets you created; they are just not visible in the Portal.

    If you want it to be visible in the Portal under Azure AD application -> Certificates & secrets tab, then create it using the application query like below:

    POST https://graph.microsoft.com/v1.0/applications/ObjectIDofApp/addPassword

    {
      "passwordCredential": {
        "displayName": "test"
      }
    }
    


    Now the secret is visible in the Azure Portal.

    Reference:

    Service Principal Credential Reset does not appear in Azure Portal App Registration GUI · Issue #23566 · Azure/azure-cli · GitHub by jiasli
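The split the answer describes, as an added example that is not part of the question or the answer: Graph keeps passwordCredentials on both the application object (what the portal's "Certificates & secrets" blade lists) and the service principal (where the question's call put the secret). The helper builds the portal-visible request from the answer and merges the two credential lists so an auditor can see which secrets the blade would never show. The sample objects, key ids, hints and the reference time are constructed, not real tenant data.

```python
from datetime import datetime, timezone

GRAPH = "https://graph.microsoft.com/v1.0"

def add_password_request(app_object_id: str, display_name: str) -> tuple:
    """Portal-visible form from the answer: POST /applications/{objectId}/addPassword
    (the application object, not the servicePrincipals(appId=...) form the question used)."""
    url = f"{GRAPH}/applications/{app_object_id}/addPassword"
    return "POST", url, {"passwordCredential": {"displayName": display_name}}

def _parse_graph_time(value: str) -> datetime:
    # Graph returns 7 fractional digits (e.g. 31.9513536Z); keep whole seconds only
    # so the parse works on every Python version.
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def credential_inventory(app_obj: dict, sp_obj: dict, now: datetime) -> list:
    """Merge passwordCredentials from GET /applications/{id} and GET /servicePrincipals/{id};
    tag each keyId with the object(s) it lives on, whether the portal blade lists it
    (application credentials only) and whether it has expired."""
    seen = {}
    for where, obj in (("application", app_obj), ("servicePrincipal", sp_obj)):
        for cred in obj.get("passwordCredentials", []):
            entry = seen.setdefault(cred["keyId"], {
                "keyId": cred["keyId"],
                "displayName": cred.get("displayName"),
                "hint": cred.get("hint"),
                "endDateTime": cred["endDateTime"],
                "on": set(),
            })
            entry["on"].add(where)
    for entry in seen.values():
        entry["portalVisible"] = "application" in entry["on"]
        entry["expired"] = _parse_graph_time(entry["endDateTime"]) <= now
    return sorted(seen.values(), key=lambda e: e["keyId"])

# Constructed sample objects (not real tenant data): one secret on the
# application object, one added through the service principal.
APP_OBJ = {"id": "app-object-id-placeholder", "passwordCredentials": [
    {"keyId": "k-app-1", "displayName": "portal secret", "hint": "Abc",
     "endDateTime": "2025-01-01T00:00:00Z"}]}
SP_OBJ = {"id": "sp-object-id-placeholder", "passwordCredentials": [
    {"keyId": "k-sp-1", "displayName": "rotated by function", "hint": "Q7x",
     "endDateTime": "2026-01-30T10:16:31.9513536Z"}]}
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # constructed reference time

if __name__ == "__main__":
    for e in credential_inventory(APP_OBJ, SP_OBJ, NOW):
        print(e["keyId"], sorted(e["on"]), "portal" if e["portalVisible"] else "hidden")
```

Running it lists k-app-1 as portal-visible but expired and k-sp-1 as valid but hidden from the blade, which is exactly the state the question describes.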