`az aro create` fails in Microsoft tenant: Credential lifetime exceeds the max value allowed as per assigned policy '538f1913-366a-440a-95a0-e195cb55b282'

[jiasli]

Describe the bug

az aro create provides an empty dict {} as the body when calling application: addPassword REST API (#22549):

azure-cli/src/azure-cli/azure/cli/command_modules/aro/_aad.py

Lines 55 to 57 in 8e7c613

	def add_password(self, obj_id):
	cred = self.client.application_add_password(obj_id, {})
	return cred["secretText"]

According to https://learn.microsoft.com/en-us/graph/api/application-addpassword,

endDateTime
The date and time at which the password expires represented using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Optional. The default value is "startDateTime + 2 years".

This triggers policy 538f1913-366a-440a-95a0-e195cb55b282 in Microsoft tenant 72f988bf-86f1-41af-91ab-2d7cd011db47 and causes an error.

Related command

az aro create

Errors

ERROR: The command failed with an unexpected error. Here is the traceback:
ERROR: Credential lifetime exceeds the max value allowed as per assigned policy '538f1913-366a-440a-95a0-e195cb55b282'.
Traceback (most recent call last):
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/role/_msgrpah/_graph_client.py", line 52, in _send
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/util.py", line 1010, in send_raw_request
azure.cli.core.azclierror.HTTPError: Bad Request({"error":{"code":"CredentialInvalidLifetimeAsPerAppPolicy","message":"Credential lifetime exceeds the max value allowed as per assigned policy '538f1913-366a-440a-95a0-e195cb55b282'.","details":[{"code":"InvalidKeyEndDate","message":"Credential lifetime exceeds the max value allowed as per assigned policy '538f1913-366a-440a-95a0-e195cb55b282'.","target":"EndDate"}],"innerError":{"date":"2024-03-05T04:13:31","request-id":"d07b15e7-19ea-4d7c-b94f-d4926b208f04","client-request-id":"d07b15e7-19ea-4d7c-b94f-d4926b208f04"}}})

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 663, in execute
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 726, in _run_jobs_serially
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 697, in _run_job
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 333, in __call__
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/aro/custom.py", line 79, in aro_create
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/aro/_aad.py", line 27, in create_application
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/aro/_aad.py", line 56, in add_password
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/role/_msgrpah/_graph_client.py", line 131, in application_add_password
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/role/_msgrpah/_graph_client.py", line 55, in _send
azure.cli.command_modules.role._msgrpah._graph_client.GraphError: Credential lifetime exceeds the max value allowed as per assigned policy '538f1913-366a-440a-95a0-e195cb55b282'.

Issue script & Debug output

N/A

Expected behavior

The command should success.

Environment Summary

azure-cli                         2.58.0

core                              2.58.0
telemetry                          1.1.0

Dependencies:
msal                              1.26.0
azure-mgmt-resource             23.1.0b2

Python location 'D:\tool\azure-cli\python.exe'
Extensions directory 'C:\Users\jiasli\.azure\cliextensions'

Python (Windows) 3.11.7 (tags/v3.11.7:fa7a6f2, Dec  4 2023, 19:24:49) [MSC v.1937 64 bit (AMD64)]

Additional context

IcM 479021709

[jiasli]

I can also repro directly with az rest:

> az rest --method POST --url https://graph.microsoft.com/v1.0/applications/xxx/addPassword --body "{}" --verbose
Request URL: 'https://graph.microsoft.com/v1.0/applications/xxx/addPassword'
Request method: 'POST'
Request headers:
    'User-Agent': 'python/3.11.7 (Windows-10-10.0.22631-SP0) AZURECLI/2.57.0 (MSI)'
    'Accept-Encoding': 'gzip, deflate'
    'Accept': '*/*'
    'Connection': 'keep-alive'
    'x-ms-client-request-id': 'caf5eba3-541f-47ea-9227-d78a53d97c17'
    'Content-Type': 'application/json'
    'CommandName': 'rest'
    'ParameterSetName': '--method --url --body --verbose'
    'Authorization': 'Bearer eyJ0eXAiOiJKV...'
    'Content-Length': '2'
Request body:
{}
Response status: 400
Response headers:
    'Cache-Control': 'no-cache'
    'Transfer-Encoding': 'chunked'
    'Content-Type': 'application/json'
    'Content-Encoding': 'gzip'
    'Vary': 'Accept-Encoding'
    'Strict-Transport-Security': 'max-age=31536000'
    'request-id': 'f46197ee-4089-4c5f-9754-ea95bedcbc1b'
    'client-request-id': 'f46197ee-4089-4c5f-9754-ea95bedcbc1b'
    'x-ms-ags-diagnostic': '{"ServerInfo":{"DataCenter":"Southeast Asia","Slice":"E","Ring":"5","ScaleUnit":"001","RoleInstance":"SI2PEPF000058A3"}}'
    'x-ms-resource-unit': '1'
    'Date': 'Thu, 07 Mar 2024 02:11:32 GMT'
Response content:
{"error":{"code":"CredentialInvalidLifetimeAsPerAppPolicy","message":"Credential lifetime exceeds the max value allowed as per assigned policy '538f1913-366a-440a-95a0-e195cb55b282'.","details":[{"code":"InvalidKeyEndDate","message":"Credential lifetime exceeds the max value allowed as per assigned policy '538f1913-366a-440a-95a0-e195cb55b282'.","target":"EndDate"}],"innerError":{"date":"2024-03-07T02:11:32","request-id":"f46197ee-4089-4c5f-9754-ea95bedcbc1b","client-request-id":"f46197ee-4089-4c5f-9754-ea95bedcbc1b"}}}

Possible solutions

1. az aro create can use 1 year for the password like --years from az ad sp create-for-rbac
2. az aro create can expose --end-date like --end-date from az ad app create
3. Microsoft Graph API should change the default value of endDateTime to a one accepted by the policy

[chenyuwu-ms]

Same issue when running "Prepare Teams App Dependencies" function of Teams tool kit.

[nemanjarogic]

I encountered the same issue when trying to upload certificate (.cer file) to Azure portal and assign it to newly created app registration.

"Failed to add certificate. Error detail: Credential lifetime exceeds the max value allowed as per assigned policy '538f1913-366a-440a-95a0-e195cb55b282'."

Steps to reproduce:

1. Run in PowerShell

# Create certificate
$cert = New-SelfSignedCertificate -Subject "CN=AzDO-ServicePrincipal" `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyExportPolicy Exportable `
    -KeySpec Signature `
    -KeyLength 2048 `
    -NotAfter (Get-Date).AddHours(2)

# Export public key (.cer) for Azure AD
Export-Certificate -Cert $cert -FilePath "C:\temp\AzDO-SP.cer"

2. Create app registration in Azure portal and try to upload a generated certificate