# Update Service Principal (Display Name, Tags, PasswordState Entries)
Go to Automation: (Add Job Template URL here)
## Description
Updates an existing Entra ID Application (App Registration) and related Service Principal by:
1. Optionally renaming the display name (App Registration & Service Principal) if AppDisplayName differs from current.
2. Updating tags via a PowerShell Graph call (script body truncated in source file – expected similar to creation logic).
3. Adjusting existing PasswordState entries (secret and certificate) to reflect the new display name.
## Credentials
PasswordState stored Service Principal credentials:
- Production: Sys_Azure_AppRegs_PR
- Onderwijs: Sys_Azure_OND_Admin
## Inputs
| Variable | Description |
|---|---|
| AppDisplayName | Desired new display name. |
| app_id | Application (client) ID (used for deterministic lookup). |
| environment | Environment label (informational / possibly for tags). |
| onderwijs | 'yes' to target the onderwijs tenant. |
| showAppToUsers | 'no' will likely add the HideApp tag (depending on script). |
| domein | Domain tag value. |
| entiteit | Entiteit tag value. |
| MDAPPGUID | Metadata tag value. |
| MDInstanceGUID | Metadata tag value. |
| additionalTags | Comma-separated additional tags. |
## Behavior Detail
- Fetches the current App Registration via either the `AppDisplayName` or the `app_id` lookup logic.
- Only enters the update block when the existing display name differs from the target.
- Updates PasswordState entries for both the secret (title = new `AppDisplayName`) and the certificate (title = `Certificaat <AppDisplayName>`).
- Fails (non-fatal due to `ignore_errors: True`) if neither a secret nor a certificate PasswordState entry exists to rename.
## Outputs
| Output | Description |
|---|---|
| updated_appreg | Result of the application update task (when run). |
| updated_sp | Result of the service principal update task (when run). |
| tag_result | Output from the tag update PowerShell script (currently an empty script placeholder). |
## Dependencies / Modules
| Component | Purpose |
|---|---|
| azure.azcollection.azure_rm_adapplication_info | Lookup App Registration. |
| azure.azcollection.azure_rm_adapplication | Update display name. |
| azure.azcollection.azure_rm_adserviceprincipal_info | Lookup Service Principal. |
| azure.azcollection.azure_rm_adserviceprincipal | Update SP display name. |
| d09.passwordstate.passwordstate_password_fact | Retrieve existing PasswordState entries. |
| d09.passwordstate.passwordstate_password | Update PasswordState titles. |
| ansible.windows.win_powershell | Tag manipulation (script currently blank; needs implementation). |
## Example Invocation
```yaml
app_id: 11111111-2222-3333-4444-555555555555
AppDisplayName: Sys_Azure_MyRenamedAPI_PR
onderwijs: 'no'
showAppToUsers: 'no'
entiteit: Stadsbeheer
domein: Integraties
additionalTags: CostCenter:12345,OwnerTeam:Integration
```
## Notes
- The tag update PowerShell task is empty: implement logic similar to `new_serviceprincipal_tasks.yml` for consistency.
- The PasswordState update for the certificate references the `pws_app_secret` variable in its `when` clause; this appears to be a copy/paste issue (it should reference `pws_app_cert`). Consider correcting it in the playbook.
- Idempotent rename: tasks run only when the existing name differs.
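The blank tag-update script noted above, as an added example of what a Microsoft Graph PowerShell implementation could look like (this is not the playbook's own code). The `param` names mirror the job inputs and are assumed to be passed in by the `win_powershell` task; the `Key:Value` tag format, the `Domein`/`Entiteit` key names and an already established `Connect-MgGraph` session are assumptions.

```powershell
# Added example (not the playbook's script): idempotent tag update for the
# Service Principal via Microsoft Graph PowerShell, mirroring the creation logic
# the Notes refer to. Parameter names follow the job inputs (assumed to be
# passed in by the win_powershell task).
param(
    [Parameter(Mandatory)][string]$app_id,
    [string]$showAppToUsers = 'yes',
    [string]$domein,
    [string]$entiteit,
    [string]$MDAPPGUID,
    [string]$MDInstanceGUID,
    [string]$additionalTags = ''
)

# Assumes Connect-MgGraph already ran with Application.ReadWrite.All, using the
# stored PasswordState credentials (Sys_Azure_AppRegs_PR / Sys_Azure_OND_Admin).
$sp = Get-MgServicePrincipal -Filter "appId eq '$app_id'"
if (-not $sp) { throw "No Service Principal found for appId $app_id" }

# Build the tags this job manages from its inputs (assumed 'Key:Value' format).
$managed = @()
if ($domein)         { $managed += "Domein:$domein" }
if ($entiteit)       { $managed += "Entiteit:$entiteit" }
if ($MDAPPGUID)      { $managed += "MDAPPGUID:$MDAPPGUID" }
if ($MDInstanceGUID) { $managed += "MDInstanceGUID:$MDInstanceGUID" }
if ($additionalTags) {
    $managed += $additionalTags.Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}
# HideApp is the Entra tag that hides the app from users' My Apps launcher.
if ($showAppToUsers -eq 'no') { $managed += 'HideApp' }

# Keep tags this job does not manage (e.g. WindowsAzureActiveDirectoryIntegratedApp),
# drop stale values of the keys it does manage, then merge in the new set.
$managedKeys = @($managed | ForEach-Object { ($_ -split ':')[0] })
$keep = @($sp.Tags | Where-Object { ($_ -split ':')[0] -notin $managedKeys -and $_ -ne 'HideApp' })
$desired = @($keep + $managed | Select-Object -Unique)

# Idempotent: only call Graph when the resulting tag set actually differs.
$current = (@($sp.Tags) | Sort-Object) -join ';'
$wanted  = ($desired | Sort-Object) -join ';'
if ($current -ne $wanted) {
    Update-MgServicePrincipal -ServicePrincipalId $sp.Id -Tags $desired
    Write-Output "Tags updated on $($sp.DisplayName): $($desired -join ', ')"
} else {
    Write-Output "Tags already up to date on $($sp.DisplayName)"
}
```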