az ad sp
Manage Microsoft Entra service principals.
Commands
| Name | Description | Type | Status |
|---|---|---|---|
| az ad sp create |
Create a service principal. |
Core | GA |
| az ad sp create-for-rbac |
Create a service principal and configure its access to Azure resources. |
Core | GA |
| az ad sp credential |
Manage a service principal's password or certificate credentials. |
Core | GA |
| az ad sp credential delete |
Delete a service principal's password or certificate credentials. |
Core | GA |
| az ad sp credential list |
List a service principal's password or certificate credential metadata. (The content of the password or certificate credential is not retrievable.). |
Core | GA |
| az ad sp credential reset |
Reset a service principal's password or certificate credentials. |
Core | GA |
| az ad sp delete |
Delete a service principal. |
Core | GA |
| az ad sp list |
List service principals. |
Core | GA |
| az ad sp owner |
Manage service principal owners. |
Core | GA |
| az ad sp owner list |
List service principal owners. |
Core | GA |
| az ad sp show |
Get the details of a service principal. |
Core | GA |
| az ad sp update |
Update a service principal. |
Core | GA |
az ad sp create
Create a service principal.
az ad sp create --idExamples
Create a service principal. (autogenerated)
az ad sp create --id 00000000-0000-0000-0000-000000000000Required Parameters
Identifier uri, application id, or object id of the associated application.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az ad sp create-for-rbac
Create a service principal and configure its access to Azure resources.
The output includes credentials that you must protect. Be sure that you do not include these credentials in your code or check the credentials into your source control. As an alternative, consider using managed identities if available to avoid the need to use credentials.
By default, this command does not assign any role to the service principal. You may use --role and --scopes to assign a specific role and narrow the scope to a resource or resource group. You may also use az role assignment create to create role assignments for this service principal later. See steps to add a role assignment for more information.
az ad sp create-for-rbac [--cert]
[--create-cert]
[--display-name]
[--json-auth {false, true}]
[--keyvault]
[--role]
[--scopes]
[--skip-assignment {false, true}]
[--years]Examples
Create without role assignment.
az ad sp create-for-rbacCreate using a custom display name.
az ad sp create-for-rbac -n MyAppCreate with a Contributor role assignments on specified scopes. To retrieve current subscription ID, run `az account show --query id --output tsv`.
az ad sp create-for-rbac -n MyApp --role Contributor --scopes /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup1 /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup2Create using a self-signed certificate.
az ad sp create-for-rbac --create-certCreate using a self-signed certificate, and store it within KeyVault.
az ad sp create-for-rbac --keyvault MyVault --cert CertName --create-certCreate using existing certificate in KeyVault.
az ad sp create-for-rbac --keyvault MyVault --cert CertNameOptional Parameters
Certificate to use for credentials. When used with --keyvault,, indicates the name of the cert to use or create. Otherwise, supply a PEM or DER formatted public certificate string. Use @{path} to load from a file. Do not include private key info.
Create a self-signed certificate to use for the credential. Only the current OS user has read/write permission to this certificate. Use with --keyvault to create the certificate in Key Vault. Otherwise, a certificate will be created locally.
Display name of the service principal. If not present, default to azure-cli-%Y-%m-%d-%H-%M-%S where the suffix is the time of creation.
Option '--sdk-auth' has been deprecated and will be removed in a future release.
Output service principal credential along with cloud endpoints in JSON format.
Name or ID of a KeyVault to use for creating or retrieving certificates.
Role of the service principal.
Space-separated list of scopes the service principal's role assignment applies to. e.g., subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.
Option '--skip-assignment' has been deprecated and will be removed in a future release.
No-op.
Number of years for which the credentials will be valid. Default: 1 year.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az ad sp delete
Delete a service principal.
az ad sp delete --idExamples
Delete a service principal.
az ad sp delete --id 00000000-0000-0000-0000-000000000000Required Parameters
Service principal name, or object id.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az ad sp list
List service principals.
For low latency, by default, only the first 100 will be returned unless you provide filter arguments or use "--all".
az ad sp list [--all]
[--display-name]
[--filter]
[--show-mine]
[--spn]Optional Parameters
List all entities, expect long delay if under a big organization.
Object's display name or its prefix.
OData filter, e.g. --filter "displayname eq 'test' and servicePrincipalType eq 'Application'".
List entities owned by the current user.
Service principal name.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az ad sp show
Get the details of a service principal.
az ad sp show --idExamples
Get the details of a service principal with appId.
az ad sp show --id 00000000-0000-0000-0000-000000000000Get the details of a service principal with id.
az ad sp show --id 00000000-0000-0000-0000-000000000000Get the details of a service principal with identifier URI.
az ad sp show --id api://myappRequired Parameters
Service principal name, or object id.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az ad sp update
Update a service principal.
az ad sp update --id
[--add]
[--force-string]
[--remove]
[--set]Examples
update a service principal (autogenerated)
az ad sp update --id 00000000-0000-0000-0000-000000000000 --set groupMembershipClaims=AllRequired Parameters
Service principal name, or object id.
Optional Parameters
Add an object to a list of objects by specifying a path and key value pairs. Example: --add property.listProperty <key=value, string or JSON string>.
When using 'set' or 'add', preserve string literals instead of attempting to convert to JSON.
Remove a property or an element from a list. Example: --remove property.list <indexToRemove> OR --remove propertyToRemove.
Update an object by specifying a property path and value to set. Example: --set property1.property2=<value>.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
Azure CLI