
Why Does Azure Graph API Reject Application Creation Request with Both Key and Password Credentials?


I'm trying to create an Azure application with both password credentials and key credentials using the Graph API. However, when I attempt to include both credentials in the request body, the API returns a 400 Bad Request error. The error message indicates that the "body should not contain KeyId."

Here is the request body I am using when including both credentials:

{
  "displayName": "abcd",
  "keyCredentials": [
    {
      "KeyCredentials info"
    }
  ],
  "passwordCredentials": [
    {
      "passwordCredentials info"
    }
  ]
}

The request fails with a 400 error, but when I create the application with only key credentials, the request is successfully processed and returns a 200 status. I can then update the key credentials for the application as expected.

Here’s the request body for creating the application with only key credentials:

{
  "displayName": "abcd",
  "keyCredentials": [
    {
      "KeyCredentials info"
    }
  ]
}

Can anyone explain why this happens? Is there a specific reason why the Graph API rejects the request when both key and password credentials are included?


Endpoint: POST https://graph.microsoft.com/v1.0/applications/

A sample of the request body looks like:

{
    "displayname":"sample",
    "keyCredentials": [
        {
            "customKeyIdentifier": "=",
            "displayName": "",
            "endDateTime": "",
            "key": "",
            "keyId": "",
            "startDateTime": "",
            "type": "",
            "usage": ""
        }
    ],
    "passwordCredentials": [
        {
            "customKeyIdentifier": "",
            "displayName": "",
            "endDateTime": "",
            "keyId": "",
            "secretText": "",
            "startDateTime": ""
        }
    ]
}

Solution

  • error: "message": "The property KeyId is not supported for Create Application flow."

    You might be getting this error message because you are passing keyId in the request while creating the application by adding keyCredentials and passwordCredentials.

    I agree with @user2250152: you do not need to specify the keyId manually when adding a keyCredential in Microsoft Graph API.

    NOTE: keyId is a unique identifier (GUID) for the key credential. Microsoft Graph automatically generates the keyId, so it is better to omit keyId in your request.

    POST https://graph.microsoft.com/v1.0/applications
    
    {
        "displayname":"YOUR-DISPLAY-NAME",
        "keyCredentials": [
            {
                "customKeyIdentifier": "",
                "displayName": "test-Certificate",
                "key": "<public-key>",
                "type": "AsymmetricX509Cert",
                "usage": "Verify"
            }
        ],
        "passwordCredentials": [
            {
                "displayName": "test-secret",
                "endDateTime": "2026-02-24T23:59:59Z",
                "startDateTime": "2025-02-24T00:00:00Z"
            }
        ]
    }

    Also, you need to specify the correct startDateTime or endDateTime from when you created the certificate, or else omit them from the request body and they will be passed automatically.


    Also, I've verified the certificate and the client secret from the portal.

    Reference: keyId: unique Identifier
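
As an added example (not code from the question or the answer), the Python sketch below strips keyId from both credential arrays and drops blank date fields before a body is sent to POST /v1.0/applications, following the answer above. The function name, the sample GUIDs and the start/end ordering check are assumptions made for illustration.

```python
import copy
from datetime import datetime

CREDENTIAL_ARRAYS = ("keyCredentials", "passwordCredentials")
DATE_FIELDS = ("startDateTime", "endDateTime")


def _parse(ts):
    # Accept the trailing "Z" used in the answer's sample timestamps.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def prepare_create_body(body):
    """Return (clean_body, removed_paths) without modifying the input (hypothetical helper)."""
    clean = copy.deepcopy(body)
    removed = []
    for array in CREDENTIAL_ARRAYS:
        for i, cred in enumerate(clean.get(array, [])):
            for name in list(cred):
                # keyId is generated by Graph; blank dates are omitted so the service sets them.
                if name.lower() == "keyid" or (name in DATE_FIELDS and cred[name] == ""):
                    removed.append(f"{array}[{i}].{name}")
                    del cred[name]
            start, end = cred.get("startDateTime"), cred.get("endDateTime")
            if start and end and _parse(start) >= _parse(end):
                raise ValueError(f"{array}[{i}]: startDateTime must precede endDateTime")
    return clean, removed


# Constructed sample input modelled on the request in the question (GUIDs are made up).
SAMPLE = {
    "displayName": "sample",
    "keyCredentials": [{
        "key": "<public-key>",
        "keyId": "00000000-0000-0000-0000-000000000001",
        "type": "AsymmetricX509Cert",
        "usage": "Verify",
        "startDateTime": "",
    }],
    "passwordCredentials": [{
        "displayName": "test-secret",
        "keyId": "00000000-0000-0000-0000-000000000002",
        "startDateTime": "2025-02-24T00:00:00Z",
        "endDateTime": "2026-02-24T23:59:59Z",
    }],
}

if __name__ == "__main__":
    print(prepare_create_body(SAMPLE))
```

The returned list of removed paths makes it easy to log what was dropped from a templated request without logging the credential values themselves.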