Entra ID app registration errors with PasswordCredential.__init__() got an unexpected keyword argument ''start_date'' #1368

Closed
Anthirian opened this issue Dec 11, 2023 · 6 comments · Fixed by #1369
Labels
bug Something isn't working has_pr PR fixes have been made medium_priority Medium priority

Comments

@Anthirian

Anthirian commented Dec 11, 2023

SUMMARY

The collection fails to create an Entra ID app registration.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

azure.azcollection.azure_rm_adapplication

ANSIBLE VERSION
ansible [core 2.16.1]
  config file = /home/anthirian/ansible.cfg
  configured module search path = ['/home/anthirian/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /opt/virtualenvs/ansible/lib/python3.10/site-packages/ansible
  ansible collection location = /home/anthirian/collections:/home/anthirian/.ansible/collections:/usr/share/ansible/collections
  executable location = /opt/virtualenvs/ansible/bin/ansible
  python version = 3.10.13 (main, Aug 29 2023, 13:29:07) [GCC] (/opt/virtualenvs/ansible/bin/python)
  jinja version = 3.1.2
  libyaml = True
COLLECTION VERSION
# /home/anthirian/collections/ansible_collections
Collection         Version
------------------ -------
azure.azcollection 2.0.0

# /opt/virtualenvs/ansible/lib/python3.10/site-packages/ansible_collections
Collection         Version
------------------ -------
azure.azcollection 1.19.0
CONFIGURATION
CALLBACKS_ENABLED(/home/anthirian/ansible.cfg) = ['profile_roles', 'timer', 'mail', 'pushover']
COLLECTIONS_PATHS(/home/anthirian/ansible.cfg) = ['/home/anthirian/collections', '/home/anthirian/.ansible/collections', '/usr/share/ansible/collections']
CONFIG_FILE() = /home/anthirian/ansible.cfg
DEFAULT_LOAD_CALLBACK_PLUGINS(/home/anthirian/ansible.cfg) = True
DEFAULT_LOG_PATH(/home/anthirian/ansible.cfg) = /home/anthirian/ansible.log
DEFAULT_STDOUT_CALLBACK(/home/anthirian/ansible.cfg) = yaml
DEFAULT_TIMEOUT(/home/anthirian/ansible.cfg) = 60
EDITOR(env: EDITOR) = vim
HOST_KEY_CHECKING(/home/anthirian/ansible.cfg) = False
PAGER(env: PAGER) = less

OS / ENVIRONMENT
$ uname -a
Linux mg-geert 6.6.3-1-default #1 SMP PREEMPT_DYNAMIC Wed Nov 29 05:06:07 UTC 2023 (d766c57) x86_64 x86_64 x86_64 GNU/Linux
$ cat /etc/os-release
NAME="openSUSE Tumbleweed"
# VERSION="20231204"
ID="opensuse-tumbleweed"
ID_LIKE="opensuse suse"
VERSION_ID="20231204"
PRETTY_NAME="openSUSE Tumbleweed"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:opensuse:tumbleweed:20231204"
BUG_REPORT_URL="https://bugzilla.opensuse.org"
SUPPORT_URL="https://bugs.opensuse.org"
HOME_URL="https://www.opensuse.org"
DOCUMENTATION_URL="https://en.opensuse.org/Portal:Tumbleweed"
LOGO="distributor-logo-Tumbleweed"
STEPS TO REPRODUCE
- name: Create new Entra ID App Registration
  delegate_to: localhost
  azure.azcollection.azure_rm_adapplication:
    tenant: "{{ tenant_id }}"
    display_name: "{{ application_name }}"
    state: present
    reply_urls: "{{ callback_url }}"
    available_to_other_tenants: true
    credential_description: Ansible
    password: "{{ client_secret }}"
    required_resource_accesses:
      # https://learn.microsoft.com/en-us/graph/migrate-azure-ad-graph-configure-permissions?tabs=http%2Cupdatepermissions-azureadgraph-msgraph-powershell
      - resource_app_id: 00000003-0000-0000-c000-000000000000  # Microsoft.Graph
        resource_access:
          - id: 570282fd-fa5c-430d-a7fd-fc8dc98a9dca  # Mail.Read
            type: Scope
          - id: 818c620a-27a9-40bd-a6a5-d96f7d610b4b  # MailboxSettings.ReadWrite
            type: Scope
          - id: dfabfca6-ee36-4db2-8208-7a28381419b3  # Notes.Read.All
            type: Scope
          - id: e1fe6dd8-ba31-4d61-89e7-88639da4683d  # User.Read
            type: Scope
          - id: b340eb25-3456-403f-be2f-af7a0d370277  # User.ReadBasic.All
            type: Scope
          - id: e383f46e-2787-4529-855e-0e479a3ffac0  # Mail.Send
            type: Scope
          - id: ff74d97f-43af-4b68-9f2a-b77ee6968c5d  # Contacts.Read
            type: Scope
          - id: 863451e7-0667-486c-a5d6-d135439485f0  # Files.ReadWrite.All
            type: Scope
  register: new_app_registration_result
  failed_when: >
    (new_app_registration_result is failed) and
    ("Another object with the same value for property identifierUris already exists." not in new_app_registration_result.msg)
EXPECTED RESULTS

New Entra ID app registration success.

ACTUAL RESULTS
TASK [Create new Entra ID App Registration] ************************************************************************************************************************
fatal: [remote_host -> localhost]: FAILED! => changed=false
  failed_when_result: true
  msg: 'Error creating application, display_name: Test App - PasswordCredential.__init__() got an unexpected keyword argument ''start_date'''
@Anthirian Anthirian changed the title Entra ID app registration errors with PasswordCredential.__init__() got an unexpected keyword argument ''start_date''' Entra ID app registration errors with PasswordCredential.__init__() got an unexpected keyword argument ''start_date'' Dec 11, 2023
@Fred-sun
Collaborator

@Anthirian I made a fix to pass the wrong parameter in #1369; you can try it to solve the problem you encountered! Thank you!

@Fred-sun Fred-sun added bug Something isn't working has_pr PR fixes have been made medium_priority Medium priority labels Dec 11, 2023
@Anthirian
Author

Thanks for the quick response. That seems to have fixed it, but now I'm getting another type of error.

fatal: [remote-host -> localhost]: FAILED! => changed=false
  failed_when_result: true
  msg: |-
    Error creating application, display_name: Legit App -
            APIError
            Code: 400
            message: None
            error: MainError(additional_data={}, code='Request_BadRequest', details=None, inner_error=InnerError(additional_data={'date': DateTime(2023, 12, 11, 18, 48, 50, tzinfo=Timezone('UTC'))}, client_request_id='b855d1cd-b21a-4dec-a894-00525f1cdf67', date=None, odata_type=None, request_id='c3894ddd-bd21-4e96-a28e-ec2853fdc1e1'), message='New password credentials must be generated using service actions.', target=None)

This seems to be related: https://stackoverflow.com/questions/64369597/microsoft-graph-exception-new-password-credentials-must-be-generated-using-serv
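The two failures in this thread, as an added example that is neither the collection's nor the author's code: a stand-in dataclass mimicking the msgraph `PasswordCredential` model (the field names `start_date_time`/`end_date_time`/`secret_text`, and the legacy `start_date`/`end_date`/`value` names it is compared with, are assumptions here) shows why the old keyword raises the `TypeError` reported above, and a small builder refuses a caller-supplied secret because Graph generates it service-side and returns it once.

```python
# Added example, not code from azure.azcollection. The stand-in model and the
# legacy field names are assumptions; only the error texts come from the issue.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class PasswordCredential:
    """Stand-in for msgraph's PasswordCredential: a legacy keyword such as
    start_date is unknown here and raises the TypeError seen in the issue."""
    display_name: Optional[str] = None
    start_date_time: Optional[datetime] = None
    end_date_time: Optional[datetime] = None
    secret_text: Optional[str] = None


# Assumed legacy (azure-graphrbac style) names -> msgraph field names.
LEGACY_TO_GRAPH = {
    "start_date": "start_date_time",
    "end_date": "end_date_time",
    "value": "secret_text",
}


def build_password_credential(**legacy_kwargs) -> PasswordCredential:
    """Translate legacy keyword names and refuse a caller-supplied secret.

    Graph rejects client-chosen secrets ("New password credentials must be
    generated using service actions"): the secret is generated server-side
    and returned once at creation, so it must never be sent in the request.
    """
    graph_kwargs = {}
    for name, val in legacy_kwargs.items():
        graph_name = LEGACY_TO_GRAPH.get(name, name)
        if graph_name == "secret_text" and val is not None:
            raise ValueError("secret_text is generated by the service; do not supply it")
        graph_kwargs[graph_name] = val
    return PasswordCredential(**graph_kwargs)


def legacy_call_fails() -> bool:
    """Reproduce the first error: the legacy keyword hits the new model."""
    try:
        PasswordCredential(start_date=datetime.now(timezone.utc))
    except TypeError as exc:
        return "unexpected keyword argument 'start_date'" in str(exc)
    return False


def example_credential() -> PasswordCredential:
    """The credential the task above asks for: description 'Ansible', one year
    of validity, and no secret in the request body."""
    start = datetime.now(timezone.utc)
    return build_password_credential(display_name="Ansible", start_date=start,
                                     end_date=start + timedelta(days=365))


def supplied_secret_rejected() -> bool:
    """The second error, caught client-side before the request is sent."""
    try:
        build_password_credential(value="hunter2")
    except ValueError:
        return True
    return False
```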

@Anthirian
Author

Anthirian commented Dec 11, 2023

When I remove the password: field from the module's arguments, the deployment succeeds:

changed: [remote-host -> localhost] => changed=true
  app_id: <GUID>
  app_roles: []
  available_to_other_tenants: AzureADandPersonalMicrosoftAccount
  display_name: Test App
  failed_when_result: false
  homepage: null
  identifier_uris: []
  oauth2_allow_implicit_flow: false
  object_id: <GUID>
  optional_claims: null
  reply_urls:
  - https://my.domain.com/login/authorized

However, at this point I don't have the actual secret that I need to log in with my new app registration. I tried fetching this with the azure.azcollection.azure_rm_adapplication_info module based on the object_id field returned above, but that does not contain any password fields. How would I get it?

@Fred-sun
Collaborator

@Anthirian At the end of the creation, you can get the creation information by registering 'new_app_registration_result'.

@Anthirian
Author

Are you sure about that? I'm already doing that:

register: new_app_registration_result

However, in the logs I don't see any password field when I print the contents of this variable, even when I run the playbook with the -v flag for extra verbosity. That's why I tried to fetch it manually with the info module afterwards. Could you show me an example?

@Anthirian
Author

Anthirian commented Dec 12, 2023

Edit: creating a new issue for this.
