az ad sp credential
Manage a service principal's password or certificate credentials.
Commands
| Name | Description | Type | Status |
|---|---|---|---|
| az ad sp credential delete |
Delete a service principal's password or certificate credentials. |
Core | GA |
| az ad sp credential list |
List a service principal's password or certificate credential metadata. (The content of the password or certificate credential is not retrievable.). |
Core | GA |
| az ad sp credential reset |
Reset a service principal's password or certificate credentials. |
Core | GA |
az ad sp credential delete
Delete a service principal's password or certificate credentials.
az ad sp credential delete --id
--key-id
[--cert]Examples
Delete a service principal's password credential
az ad sp credential delete --id 00000000-0000-0000-0000-000000000000 --key-id xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxDelete a service principal's certificate credential
az ad sp credential delete --id 00000000-0000-0000-0000-000000000000 --key-id xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx --certRequired Parameters
Service principal name, or object id.
Credential key id.
Optional Parameters
Operate on certificate credentials.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az ad sp credential list
List a service principal's password or certificate credential metadata. (The content of the password or certificate credential is not retrievable.).
az ad sp credential list --id
[--cert]Examples
List a service principal's password credentials
az ad sp credential list --id 00000000-0000-0000-0000-000000000000List a service principal's certificate credentials
az ad sp credential list --id 00000000-0000-0000-0000-000000000000 --certRequired Parameters
Service principal name, or object id.
Optional Parameters
Operate on certificate credentials.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az ad sp credential reset
Reset a service principal's password or certificate credentials.
By default, this command clears all passwords and keys, and let graph service generate a password credential.
The output includes credentials that you must protect. Be sure that you do not include these credentials in your code or check the credentials into your source control. As an alternative, consider using managed identities if available to avoid the need to use credentials.
az ad sp credential reset --id
[--append]
[--cert]
[--create-cert]
[--display-name]
[--end-date]
[--keyvault]
[--years]Examples
Reset a service principal's credential with a password
az ad sp credential reset --id 00000000-0000-0000-0000-000000000000Reset a service principal's credential with a new self-signed certificate
az ad sp credential reset --id 00000000-0000-0000-0000-000000000000 --create-certAppend a certificate to the service principal with the certificate string.
az ad sp credential reset --id 00000000-0000-0000-0000-000000000000 --cert "MIICoT..." --appendAppend a certificate to the service principal with the certificate file.
az ad sp credential reset --id 00000000-0000-0000-0000-000000000000 --cert "@~/cert.pem" --append
`cert.pem` contains the following content
-----BEGIN CERTIFICATE----- <<< this line is optional
MIICoT...
-----END CERTIFICATE----- <<< this line is optionalRequired Parameters
Service principal name, or object id.
Optional Parameters
Append the new credential instead of overwriting.
Certificate to use for credentials. When used with --keyvault,, indicates the name of the cert to use or create. Otherwise, supply a PEM or DER formatted public certificate string. Use @{path} to load from a file. Do not include private key info.
Create a self-signed certificate to use for the credential. Only the current OS user has read/write permission to this certificate. Use with --keyvault to create the certificate in Key Vault. Otherwise, a certificate will be created locally.
Friendly name for the credential.
Finer grain of expiry time if '--years' is insufficient, e.g. '2020-12-31T11:59:59+00:00' or '2299-12-31'.
Name or ID of a KeyVault to use for creating or retrieving certificates.
Number of years for which the credentials will be valid. Default: 1 year.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for