
Graph API is removing certificates from my Enterprise Application in AzureAD

When I call graphAPI from my PowerShell script, it first removes all keyCredentials (certificates) from the Enterprise Application Service Principal in Azure AD, then uploads my custom certificate. How can I retain the certificates that are currently installed on the application and ALSO upload my new certificate in an inactive state?

Here is the body.


{
    "keyCredentials": [
        {
            "customKeyIdentifier":
            "endDateTime": 
            "keyId": 
            "startDateTime":
            "type": "X509CertAndPassword",
            "usage": "Sign",
            "key":
            "displayName": 
        },
        {
            "customKeyIdentifier": 
            "endDateTime": 
            "keyId": 
            "startDateTime": 
            "type": "AsymmetricX509Cert",
            "usage": "Verify",
            "key": 
            "displayName": 
        }
    ],
    "passwordCredentials": [
        {
            "customKeyIdentifier": 
            "keyId": 
            "endDateTime": 
            "startDateTime": 
            "secretText": 
        }
    ]
}'

Each key has a value; I am just removing them for privacy.

Here is the call to graphAPI

$response = Invoke-RestMethod -Method Patch -Uri "https://graph.microsoft.com/v1.0/servicePrincipals/{AppID}" -Headers $global:Header -Body $certBody

All of the information is correct because it uploads the custom certificate correctly. I just want it to leave the other certs alone.

Use addKey instead of the Update method to add additional keyCredentials:

POST /servicePrincipals/{id}/addKey versus PATCH /servicePrincipals/{id}

But be aware that:

ServicePrincipals that don't have any existing valid certificates (i.e. no certificates have been added yet, or all certificates have expired) won't be able to use this service action. Update servicePrincipal can be used to perform an update instead.
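
A sketch of the addKey call recommended above, as an added example that is not part of the original question or answer. addKey requires a `proof` value: a short-lived JWT signed with the private key of a certificate that is already valid on the service principal, which is why the caveat about having no valid certificates applies. The function names, parameters (`$SpObjectId`, `$ExistingCert`, `$NewCertPath`, `$Headers`) and the `x5t` header are assumptions of this example, and it covers only the public-certificate (`Verify`) case.

```powershell
# Added example. Function and parameter names are hypothetical, not from the post.
function ConvertTo-Base64Url([byte[]]$Bytes) {
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function New-AddKeyProof {
    param(
        [Parameter(Mandatory)][string]$SpObjectId,
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$ExistingCert
    )
    $utf8 = [Text.Encoding]::UTF8
    $now  = [DateTimeOffset]::UtcNow
    # Assumption: x5t (base64url SHA-1 thumbprint) identifies the registered signing key.
    $header = [ordered]@{ alg = 'RS256'; typ = 'JWT'
                          x5t = (ConvertTo-Base64Url ($ExistingCert.GetCertHash())) }
    $claims = [ordered]@{
        aud = '00000002-0000-0000-c000-000000000000'   # fixed audience required by addKey
        iss = $SpObjectId                              # object id of the service principal
        nbf = $now.ToUnixTimeSeconds()
        exp = $now.AddMinutes(10).ToUnixTimeSeconds()  # proof lifetime: nbf + 10 minutes
    }
    $h = ConvertTo-Base64Url ($utf8.GetBytes(($header | ConvertTo-Json -Compress)))
    $p = ConvertTo-Base64Url ($utf8.GetBytes(($claims | ConvertTo-Json -Compress)))
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($ExistingCert)
    if (-not $rsa) { throw 'Existing certificate has no accessible RSA private key.' }
    $sig = $rsa.SignData($utf8.GetBytes("$h.$p"),
        [Security.Cryptography.HashAlgorithmName]::SHA256,
        [Security.Cryptography.RSASignaturePadding]::Pkcs1)
    "$h.$p." + (ConvertTo-Base64Url $sig)
}

function Add-ServicePrincipalCertificate {
    param([string]$SpObjectId, $ExistingCert, [string]$NewCertPath, [hashtable]$Headers)
    $newCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($NewCertPath)
    $body = @{
        keyCredential      = @{ type = 'AsymmetricX509Cert'; usage = 'Verify'
                                key  = [Convert]::ToBase64String($newCert.RawData) }
        passwordCredential = $null
        proof              = New-AddKeyProof -SpObjectId $SpObjectId -ExistingCert $ExistingCert
    } | ConvertTo-Json -Depth 3
    # POST appends one credential; the existing keyCredentials are not replaced.
    Invoke-RestMethod -Method Post -Headers $Headers -Body $body -ContentType 'application/json' `
        -Uri "https://graph.microsoft.com/v1.0/servicePrincipals/$SpObjectId/addKey"
}
```

`$ExistingCert` must be loaded with its private key (for example from the `Cert:\` store), and `$SpObjectId` is the service principal's object id rather than the application (client) id.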
