Potential Race Condition between creating app and adding secret or granting permissions #23367

@danielmusselwhite

az feedback auto-generates most of the information requested below, as of CLI version 2.0.62

Related commands
az ad app create

az ad app credential reset

az ad sp create

az ad app permission grant

Describe the bug

There appears to be a race condition, e.g. in the time between creating an app and then creating a secret for it or granting permissions to it, resulting in flaky behaviour where usually the granting of permissions or secret creation will succeed but occasionally it will give errors such as:

  • ERROR: Resource '' does not exist or one of its queried reference-property objects are not present.

  OR

  • ERROR: Resource 'xxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxxx' does not exist or one of its queried reference-property objects are not present.

To Reproduce
PowerShell script that shows this behaviour, where roughly 25% of the runs fail.

```powershell
#region "required parameters"
$PermissionAppName = "app"
$PermissionClientSecretName  = "appsecret"
$tenantName = "tenantname"
#endregion

#region "race condition"
# Create the app registration and read back its appId
$PermissionClientInfo = (az ad app create --display-name $PermissionAppName --sign-in-audience AzureADMyOrg --only-show-errors) | ConvertFrom-Json
$PermissionClientID = $PermissionClientInfo.appId
$PermissionClientSecretDuration = 1
# Immediately add a client secret to the new app; this is the call that intermittently fails
$PermissionClientSecret = (az ad app credential reset --id $PermissionClientID --append --display-name $PermissionClientSecretName --years $PermissionClientSecretDuration --query password --output tsv --only-show-errors)
#endregion

# Write-Color is not a built-in cmdlet; it is assumed to be a helper defined elsewhere in the reporter's script
Write-Color "green" "Client ID for $PermissionAppName`: $PermissionClientID"
Write-Color "green" "Please take a moment to make a note of and protect the following client secret; as you will not be able to access it again."
Write-Color "green" "Client secret for $PermissionAppName`: $PermissionClientSecret"
```

Expected behavior

The secret value should be written to the console, which happens most of the time.

But some of the time, the secret value will be empty due to the suspected race condition, and the errors listed above will be output to the console.

Environment summary

az version = 2.34
OS = Windows 10 (build 19044)
Shell type = Windows PowerShell
PS Version = 5.1.19041.1682
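
One way to harden the script against the failure reported above, as an added example that is not part of the original issue or of the Azure CLI project. It assumes the error is a transient propagation delay, as the report suspects; `Invoke-AzWithRetry` and its parameters are hypothetical names, and the app and secret names are the report's placeholder values.

```powershell
# Added example. Invoke-AzWithRetry and its parameters are hypothetical names.
function Invoke-AzWithRetry {
    param(
        [Parameter(Mandatory)] [scriptblock] $Command,
        [int] $MaxAttempts = 6,
        [int] $InitialDelaySeconds = 2
    )
    # Error text quoted in the report; only this failure is treated as transient.
    $notVisibleYet = 'does not exist or one of its queried reference-property objects'
    $delay = $InitialDelaySeconds
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        # Merge stderr so the az error message can be inspected.
        $output = & $Command 2>&1
        if ($LASTEXITCODE -eq 0) {
            # Return stdout only, so stray stderr lines never end up in the secret.
            return $output | Where-Object { $_ -isnot [System.Management.Automation.ErrorRecord] }
        }
        $text = ($output | ForEach-Object { "$_" }) -join "`n"
        if ($text -notmatch [regex]::Escape($notVisibleYet)) {
            throw "az failed with exit code ${LASTEXITCODE}: $text"
        }
        if ($attempt -lt $MaxAttempts) {
            Start-Sleep -Seconds $delay
            $delay = [Math]::Min($delay * 2, 30)   # capped exponential backoff
        }
    }
    throw "Object still not visible after $MaxAttempts attempts: $text"
}

# Constructed values, matching the report's script.
$PermissionAppName = "app"
$PermissionClientSecretName = "appsecret"

$app = (az ad app create --display-name $PermissionAppName --sign-in-audience AzureADMyOrg --only-show-errors) | ConvertFrom-Json
if (-not $app.appId) { throw "App creation failed." }
$appId = $app.appId

# Assumption: a reset rejected with this error created no credential, so retrying with --append is safe.
$secret = Invoke-AzWithRetry {
    az ad app credential reset --id $appId --append --display-name $PermissionClientSecretName --years 1 --query password --output tsv --only-show-errors
}
# Fail closed rather than continuing with an empty secret, as the report's script does.
if ([string]::IsNullOrWhiteSpace($secret)) { throw "No secret returned for $appId." }
```

Any other az error stops the script immediately, so a permissions or quota problem is not hidden behind retries.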

Labels

  • Auto-Assign: Auto assign by bot
  • Graph: az ad
  • Installation
  • Service Attention: This issue is responsible by Azure service team.
  • bug: This issue requires a change to an existing behavior in the product in order to be resolved.
  • customer-reported: Issues that are reported by GitHub users external to the Azure organization.
