az ad app credential

Manage an application's password or certificate credentials.

Commands

az ad app credential delete

Delete an application's password or certificate credentials.

az ad app credential list

List an application's password or certificate credential metadata. (The content of the password or certificate credential is not retrievable.)

az ad app credential reset

Reset an application's password or certificate credentials.

az ad app credential delete

Delete an application's password or certificate credentials.

az ad app credential delete --id
                            --key-id
                            [--cert]

Examples

Delete an application's password credentials

az ad app credential delete --id 00000000-0000-0000-0000-000000000000 --key-id xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Delete an application's certificate credentials

az ad app credential delete --id 00000000-0000-0000-0000-000000000000 --key-id xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx --cert

Required Parameters

--id

Identifier URI, application ID, or object ID.

--key-id

Credential key id.

Optional Parameters

--cert

Operate on certificate credentials.

az ad app credential list

List an application's password or certificate credential metadata. (The content of the password or certificate credential is not retrievable.)

az ad app credential list --id
                          [--cert]

Examples

List an application's password credentials

az ad app credential list --id 00000000-0000-0000-0000-000000000000

List an application's certificate credentials

az ad app credential list --id 00000000-0000-0000-0000-000000000000 --cert

Required Parameters

--id

Identifier URI, application ID, or object ID.

Optional Parameters

--cert

Operate on certificate credentials.

az ad app credential reset

Reset an application's password or certificate credentials.

By default, this command clears all passwords and keys, and lets the Graph service generate a password credential.

The output includes credentials that you must protect. Be sure that you do not include these credentials in your code or check the credentials into your source control. As an alternative, consider using managed identities if available to avoid the need to use credentials.

az ad app credential reset --id
                           [--append]
                           [--cert]
                           [--create-cert]
                           [--display-name]
                           [--end-date]
                           [--keyvault]
                           [--years]

Examples

Reset an application's credential with a password

az ad app credential reset --id 00000000-0000-0000-0000-000000000000

Reset an application's credential with a new self-signed certificate

az ad app credential reset --id 00000000-0000-0000-0000-000000000000 --create-cert

Append a certificate to the application with the certificate string.

az ad app credential reset --id 00000000-0000-0000-0000-000000000000 --cert "MIICoT..." --append

Append a certificate to the application with the certificate file.

az ad app credential reset --id 00000000-0000-0000-0000-000000000000 --cert "@~/cert.pem" --append
cert.pem contains the following content
-----BEGIN CERTIFICATE-----  <<< this line is optional
MIICoT...
-----END CERTIFICATE-----    <<< this line is optional

Required Parameters

--id

Identifier URI, application ID, or object ID.

Optional Parameters

--append

Append the new credential instead of overwriting.

--cert

Certificate to use for credentials. When used with --keyvault, indicates the name of the cert to use or create. Otherwise, supply a PEM or DER formatted public certificate string. Use @{path} to load from a file. Do not include private key info.

--create-cert

Create a self-signed certificate to use for the credential. Only the current OS user has read/write permission to this certificate. Use with --keyvault to create the certificate in Key Vault. Otherwise, a certificate will be created locally.

--display-name

Friendly name for the credential.

--end-date

Finer-grained expiry time for when '--years' is insufficient, e.g. '2020-12-31T11:59:59+00:00' or '2299-12-31'.

--keyvault

Name or ID of a Key Vault to use for creating or retrieving certificates.

--years

Number of years for which the credentials will be valid. Default: 1 year.
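
Because the list command returns only credential metadata and reset accepts expiry dates as distant as '2299-12-31', that metadata can be audited for expired, soon-to-expire and long-lived credentials. The following is an added example, not part of the Azure CLI or its documentation; it assumes the JSON output carries the Microsoft Graph field names keyId, displayName, startDateTime and endDateTime, and the sample data and thresholds are constructed for illustration.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of `az ad app credential list` output. Field names are
# assumed to follow the Microsoft Graph credential shape; values are made up.
SAMPLE = """[
  {"keyId": "11111111-1111-1111-1111-111111111111", "displayName": "ci-deploy",
   "startDateTime": "2023-01-10T00:00:00Z", "endDateTime": "2024-01-10T00:00:00Z"},
  {"keyId": "22222222-2222-2222-2222-222222222222", "displayName": "legacy",
   "startDateTime": "2020-06-01T00:00:00Z", "endDateTime": "2299-12-31T00:00:00Z"},
  {"keyId": "33333333-3333-3333-3333-333333333333", "displayName": "rotated",
   "startDateTime": "2024-05-01T00:00:00.1234567Z", "endDateTime": "2025-05-01T00:00:00Z"}
]"""

def parse_ts(value):
    """Parse an ISO 8601 timestamp, dropping fractional seconds; default to UTC."""
    ts = datetime.fromisoformat(re.sub(r"\.\d+", "", value).replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)

def audit(credentials, now, warn_days=30, max_lifetime_days=366):
    """Return {keyId: [findings]} for credentials that need attention.

    max_lifetime_days=366 tolerates the one-year default of --years,
    leap years included; anything longer is reported as long-lived.
    """
    findings = {}
    for cred in credentials:
        start, end = parse_ts(cred["startDateTime"]), parse_ts(cred["endDateTime"])
        issues = []
        if end <= now:
            issues.append("expired")
        elif end - now <= timedelta(days=warn_days):
            issues.append("expiring-soon")
        if end - start > timedelta(days=max_lifetime_days):
            issues.append("long-lived")
        if issues:
            findings[cred["keyId"]] = issues
    return findings

if __name__ == "__main__":
    import sys
    # Read piped CLI output when present, otherwise fall back to the sample.
    data = json.loads(SAMPLE) if sys.stdin.isatty() else json.load(sys.stdin)
    for key_id, issues in audit(data, datetime.now(timezone.utc)).items():
        print(key_id, ",".join(issues))
```

Pipe the output of az ad app credential list --id <application id> into the script (add --cert for certificate credentials). A flagged key id can then be replaced with reset --append and removed with delete --key-id.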