az ad sp

Manage Azure Active Directory service principals for automation authentication.

Commands

az ad sp create

Create a service principal.

az ad sp create-for-rbac

Create a service principal and configure its access to Azure resources.

az ad sp credential

Manage a service principal's password or certificate credentials.

az ad sp credential delete

Delete a service principal's password or certificate credentials.

az ad sp credential list

List a service principal's password or certificate credential metadata. (The content of the password or certificate credential is not retrievable.)

az ad sp credential reset

Reset a service principal's password or certificate credentials.

az ad sp delete

Delete a service principal and its role assignments.

az ad sp list

List service principals.

az ad sp owner

Manage service principal owners.

az ad sp owner list

List service principal owners.

az ad sp show

Get the details of a service principal.

az ad sp update

Update a service principal.

az ad sp create

Create a service principal.

az ad sp create --id

Examples

Create a service principal. (autogenerated)

az ad sp create --id 00000000-0000-0000-0000-000000000000

Required Parameters

--id

Identifier uri, application id, or object id of the associated application.

az ad sp create-for-rbac

Create a service principal and configure its access to Azure resources.

The output includes credentials that you must protect. Be sure that you do not include these credentials in your code or check the credentials into your source control. As an alternative, consider using managed identities if available to avoid the need to use credentials.

By default, this command does not assign any role to the service principal. You may use --role and --scopes to assign a specific role and narrow the scope to a resource or resource group. You may also use az role assignment create to create role assignments for this service principal later. See steps to add a role assignment for more information.

az ad sp create-for-rbac [--cert]
                         [--create-cert]
                         [--display-name]
                         [--keyvault]
                         [--role]
                         [--scopes]
                         [--sdk-auth {false, true}]
                         [--years]

Examples

Create without role assignment.

az ad sp create-for-rbac

Create using a custom display name.

az ad sp create-for-rbac -n MyApp

Create with Contributor role assignments on the specified scopes. To retrieve the current subscription ID, run `az account show --query id --output tsv`.

az ad sp create-for-rbac -n MyApp --role Contributor --scopes /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup1 /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup2

Create using a self-signed certificate.

az ad sp create-for-rbac --create-cert

Create using a self-signed certificate, and store it within KeyVault.

az ad sp create-for-rbac --keyvault MyVault --cert CertName --create-cert

Create using existing certificate in KeyVault.

az ad sp create-for-rbac --keyvault MyVault --cert CertName

Optional Parameters

--cert

Certificate to use for credentials. When used with --keyvault, indicates the name of the cert to use or create. Otherwise, supply a PEM or DER formatted public certificate string. Use @{path} to load from a file. Do not include private key info.

--create-cert

Create a self-signed certificate to use for the credential. Only the current OS user has read/write permission to this certificate. Use with --keyvault to create the certificate in Key Vault. Otherwise, a certificate will be created locally.

default value: False
--display-name --name -n

Display name of the service principal. If not present, defaults to azure-cli-%Y-%m-%d-%H-%M-%S, where the suffix is the time of creation.

--keyvault

Name or ID of a KeyVault to use for creating or retrieving certificates.

--role

Role of the service principal.

--scopes

Space-separated list of scopes the service principal's role assignment applies to, e.g. /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.

--sdk-auth

Output the result in a format compatible with the Azure SDK auth file.

accepted values: false, true
--years

Number of years for which the credentials will be valid. Default: 1 year.
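The following Python script is an added example; it is not part of the Azure CLI or its documentation. It wraps the az ad sp create-for-rbac invocation described above so that a role is only ever assigned to scopes no broader than a resource group, broad roles require an explicit opt-in, and the password in the command's output is separated from the metadata that is safe to log. The flags used are the ones documented on this page; the plain (non --sdk-auth) output keys appId, displayName, password and tenant, the privileged-role list and the two-year lifetime cap are assumptions made for this example, and the JSON returned by the sample runner is constructed.

```python
# Added example (not part of the Azure CLI): a guarded wrapper around
# `az ad sp create-for-rbac` that enforces the least-privilege guidance above.
import json
import re
import subprocess

GUID = r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}"
# A scope counts as narrow when it names at least a resource group in a subscription.
NARROW_SCOPE = re.compile(rf"^/subscriptions/{GUID}/resourceGroups/[^/]+(?:/.*)?$")
# Roles that hand out broad control; an explicit opt-in is required (constructed policy).
PRIVILEGED_ROLES = {"owner", "user access administrator"}
MAX_YEARS = 2  # constructed cap on --years; the CLI default is 1


def policy_violation(role, scopes, years=1, allow_privileged=False):
    """Return a human-readable reason the request breaks policy, or None if it is fine."""
    if not scopes:
        return "a role was requested without --scopes"
    for scope in scopes:
        if not NARROW_SCOPE.match(scope):
            return f"scope {scope!r} is broader than a resource group"
    if role.lower() in PRIVILEGED_ROLES and not allow_privileged:
        return f"role {role!r} requires allow_privileged=True"
    if not 1 <= int(years) <= MAX_YEARS:
        return f"credential lifetime must be between 1 and {MAX_YEARS} years"
    return None


def build_create_for_rbac(name, role, scopes, years=1, allow_privileged=False):
    """Return the argv for a scoped create-for-rbac call, or raise ValueError."""
    reason = policy_violation(role, scopes, years, allow_privileged)
    if reason:
        raise ValueError(reason)
    return ["az", "ad", "sp", "create-for-rbac", "--display-name", name,
            "--role", role, "--scopes", *scopes, "--years", str(years)]


# Constructed sample of the command's JSON output, used only for offline runs.
SAMPLE_OUTPUT = json.dumps({
    "appId": "11111111-1111-1111-1111-111111111111",
    "displayName": "MyApp",
    "password": "constructed-secret-value",
    "tenant": "22222222-2222-2222-2222-222222222222",
})


def sample_runner(argv, **kwargs):
    """Stand-in for subprocess.run that returns the constructed sample output."""
    return subprocess.CompletedProcess(argv, 0, stdout=SAMPLE_OUTPUT, stderr="")


def create_service_principal(name, role, scopes, runner=subprocess.run, **policy):
    """Run the guarded command and split the secret from the loggable metadata.

    Returns (metadata, secret). Log or store the first; hand the second straight
    to a secret store and never write it to source control (see the note above).
    """
    argv = build_create_for_rbac(name, role, scopes, **policy)
    proc = runner(argv, capture_output=True, text=True, check=True)
    result = json.loads(proc.stdout)
    secret = result.pop("password", None)
    return result, secret


if __name__ == "__main__":
    # Offline demonstration; replace sample_runner with subprocess.run for a live tenant.
    rg = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup1"
    meta, secret = create_service_principal("MyApp", "Contributor", [rg], runner=sample_runner)
    print("created:", meta)  # the password is not in this dictionary
```

Calling the wrapper with a bare subscription scope or with Owner raises ValueError before any command runs; pass runner=subprocess.run (the default) to create a real service principal, and keep the returned secret out of logs and scripts.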

az ad sp delete

Delete a service principal and its role assignments.

az ad sp delete --id

Examples

Delete a service principal and its role assignments. (autogenerated)

az ad sp delete --id 00000000-0000-0000-0000-000000000000

Required Parameters

--id

Service principal name, or object id.

az ad sp list

List service principals.

For low latency, only the first 100 results are returned by default unless you provide filter arguments or use --all.

az ad sp list [--all]
              [--display-name]
              [--filter]
              [--show-mine]
              [--spn]

Optional Parameters

--all

List all entities; expect a long delay in a large organization.

--display-name

Object's display name or its prefix.

--filter

OData filter, e.g. --filter "displayname eq 'test' and servicePrincipalType eq 'Application'".

--show-mine

List entities owned by the current user.

--spn

Service principal name.
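The following Python script is an added example; it is not part of the Azure CLI or its documentation. It takes the JSON that az ad sp list --all (or --show-mine) prints and reports credentials that have expired, expire within a warning window, or are password based rather than certificate based, so the listing can be turned into a recurring credential-hygiene check. It also builds a --filter expression with the value quoted safely for OData. The record shape is an assumption: each service principal is taken to carry passwordCredentials and keyCredentials arrays whose entries have an endDateTime field, as in the Microsoft Graph based CLI output; older CLI builds name that field endDate, which the script also accepts. The sample records are constructed.

```python
# Added example (not part of the Azure CLI): audit `az ad sp list` output for
# credentials that need attention, and build a safe --filter expression.
import json
import sys
from datetime import datetime, timedelta, timezone

# Field names assumed for a credential's expiry (Graph-based output first, then the older name).
END_KEYS = ("endDateTime", "endDate")


def odata_eq(field, value):
    """Return an OData equality filter for --filter; single quotes in the value are doubled."""
    return f"{field} eq '{value.replace(chr(39), chr(39) * 2)}'"


def _end_time(cred):
    """Parse the credential's expiry as a UTC datetime, or return None if absent."""
    for key in END_KEYS:
        raw = cred.get(key)
        if raw:
            # Keep only the seconds-precision prefix so any fractional digits or Z suffix are ignored.
            return datetime.strptime(raw[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return None


def audit_service_principals(records, now, warn_days=30):
    """Return (displayName, credential kind, status) for every credential worth a look."""
    findings = []
    for sp in records:
        name = sp.get("displayName") or sp.get("appId", "<unknown>")
        for kind, key in (("password", "passwordCredentials"), ("certificate", "keyCredentials")):
            for cred in sp.get(key) or []:
                end = _end_time(cred)
                if end is None:
                    status = "no-expiry"
                elif end <= now:
                    status = "expired"
                elif end - now <= timedelta(days=warn_days):
                    status = "expiring"
                elif kind == "password":
                    status = "password-credential"  # healthy but worth moving to a certificate
                else:
                    continue  # a valid certificate with plenty of lifetime left
                findings.append((name, kind, status))
    return findings


# Constructed sample in the assumed shape of `az ad sp list` output.
SAMPLE_RECORDS = json.loads("""[
  {"displayName": "build-agent", "appId": "11111111-1111-1111-1111-111111111111",
   "passwordCredentials": [{"keyId": "k1", "endDateTime": "2024-06-10T00:00:00Z"}],
   "keyCredentials": []},
  {"displayName": "deploy-bot", "appId": "22222222-2222-2222-2222-222222222222",
   "passwordCredentials": [],
   "keyCredentials": [{"keyId": "k2", "endDateTime": "2025-06-01T00:00:00Z"}]},
  {"displayName": "legacy-job", "appId": "33333333-3333-3333-3333-333333333333",
   "passwordCredentials": [{"keyId": "k3", "endDate": "2023-01-01T00:00:00.1234567Z"}],
   "keyCredentials": []}
]""")
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def run_sample_audit():
    """Audit the constructed sample as of the constructed clock value."""
    return audit_service_principals(SAMPLE_RECORDS, SAMPLE_NOW)


if __name__ == "__main__":
    # Live use:  az ad sp list --all | python3 sp_audit.py
    # With no stdin attached, fall back to the constructed sample.
    records = SAMPLE_RECORDS if sys.stdin.isatty() else json.load(sys.stdin)
    for name, kind, status in audit_service_principals(records, datetime.now(timezone.utc)):
        print(f"{status:20} {kind:12} {name}")
```

Pipe az ad sp list --all into the script for a tenant-wide pass, or narrow the listing first with the --filter built by odata_eq, which keeps a display name containing a quote from breaking the OData expression.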

az ad sp show

Get the details of a service principal.

az ad sp show --id

Examples

Get the details of a service principal with appId.

az ad sp show --id 00000000-0000-0000-0000-000000000000

Get the details of a service principal with id.

az ad sp show --id 00000000-0000-0000-0000-000000000000

Get the details of a service principal with identifier URI.

az ad sp show --id api://myapp

Required Parameters

--id

Service principal name, or object id.

az ad sp update

Update a service principal.

az ad sp update --id
                [--add]
                [--force-string]
                [--remove]
                [--set]

Examples

Update a service principal. (autogenerated)

az ad sp update --id 00000000-0000-0000-0000-000000000000 --set groupMembershipClaims=All

Required Parameters

--id

Service principal name, or object id.

Optional Parameters

--add

Add an object to a list of objects by specifying a path and key value pairs. Example: --add property.listProperty <key=value, string or JSON string>.

default value: []
--force-string

When using 'set' or 'add', preserve string literals instead of attempting to convert to JSON.

default value: False
--remove

Remove a property or an element from a list. Example: --remove property.list OR --remove propertyToRemove.

default value: []
--set

Update an object by specifying a property path and value to set. Example: --set property1.property2=<value>.

default value: []