AAD service principals - az ad sp

Manage Azure Active Directory service principals for automation authentication.

Commands

az ad sp create Create a service principal.
az ad sp create-for-rbac Create a service principal and configure its access to Azure resources.
az ad sp delete Delete a service principal and its role assignments.
az ad sp list List service principals, with optional filtering.
az ad sp reset-credentials Reset service principal credentials.
az ad sp show Get a service principal.

az ad sp create

Create a service principal.

az ad sp create --id

Required Parameters

--id

Identifier URI, application ID, or object ID of the associated application.

az ad sp create-for-rbac

Create a service principal and configure its access to Azure resources.

az ad sp create-for-rbac [--cert]
[--create-cert]
[--keyvault]
[--name]
[--password]
[--role]
[--scopes]
[--sdk-auth]
[--skip-assignment]
[--years]

Examples

Create with a default role assignment.

az ad sp create-for-rbac

Create using a custom name, and with a default assignment.

az ad sp create-for-rbac -n "http://MyApp"

Create without a default assignment.

az ad sp create-for-rbac --skip-assignment

Create with customized assignments

az ad sp create-for-rbac -n "http://MyApp" --role contributor --scopes /subscriptions/11111111-2222-3333-4444-555555555555/resourceGroups/MyResourceGroup /subscriptions/11111111-2222-3333-4444-666666666666/resourceGroups/MyAnotherResourceGroup

Create using a self-signed certificate.

az ad sp create-for-rbac --create-cert

Create self-signed certificate within KeyVault

az ad sp create-for-rbac --keyvault  --cert  --create-cert

Create using existing certificate in KeyVault

az ad sp create-for-rbac --keyvault  --cert 

Login with a service principal.

az login --service-principal -u  -p  --tenant 

Login with self-signed certificate

az login --service-principal -u  -p  --tenant 

Reset credentials on expiration.

az ad sp reset-credentials --name 

Create extra role assignments in future.

az role assignment create --assignee  --role Contributor

Revoke the service principal when done with it.

az ad app delete --id 
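
The examples above form one procedure: create the principal, scope its role, log in, reset credentials, revoke. The script below is an added example (not part of the Azure CLI documentation) that strings those commands together with least privilege in mind: it skips the default subscription-wide Contributor assignment, grants a Reader role at a single resource group, uses a Key Vault certificate instead of a password, and revokes with one command. The service principal name, certificate name, Key Vault, subscription id and resource group are constructed placeholders; `az role assignment list` and the `--scope` flag are standard Azure CLI but do not appear on this page.

```shell
#!/usr/bin/env bash
# Added example (not Azure CLI documentation): least-privilege lifecycle for an
# automation service principal. All names and ids are constructed placeholders.
# DRY_RUN=1 (the default) prints each az command instead of running it, so the
# role and scope can be reviewed before anything is created in the tenant.
set -eu

SP_NAME="${SP_NAME:-http://example-ci-reader}"                  # placeholder
CERT_NAME="${CERT_NAME:-example-ci-reader-cert}"                 # placeholder
KEYVAULT="${KEYVAULT:-example-kv}"                               # placeholder
SUBSCRIPTION="${SUBSCRIPTION:-00000000-0000-0000-0000-000000000000}"
RESOURCE_GROUP="${RESOURCE_GROUP:-MyResourceGroup}"
ROLE="${ROLE:-Reader}"                 # narrower than the default Contributor
DRY_RUN="${DRY_RUN:-1}"

# Build a resource-group scope so the role is not granted at subscription root.
rg_scope() {
  printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"
}

# Print (dry run) or execute an az command.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s ' "$@"; printf '\n'; else "$@"; fi
}

# Step 1: create the principal with no default assignment and a certificate
# credential generated inside Key Vault, so no password is ever handled.
create_sp() {
  run az ad sp create-for-rbac -n "$SP_NAME" --skip-assignment \
    --keyvault "$KEYVAULT" --cert "$CERT_NAME" --create-cert --years 1
}

# Step 2: grant only the role needed, at the narrowest scope that works.
assign_role() {
  run az role assignment create --assignee "$SP_NAME" --role "$ROLE" \
    --scope "$(rg_scope "$SUBSCRIPTION" "$RESOURCE_GROUP")"
}

# Step 3: confirm the principal holds exactly the expected assignment.
verify_assignments() {
  run az role assignment list --assignee "$SP_NAME" --all \
    --query '[].{role:roleDefinitionName,scope:scope}' -o table
}

# Step 4: revoke the principal (and its role assignments) when retired.
revoke_sp() {
  run az ad sp delete --id "$SP_NAME"
}

create_sp; assign_role; verify_assignments
```

Run with `DRY_RUN=0` once the printed commands look right; call `revoke_sp` from the same shell when the automation is decommissioned.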

Optional Parameters

--cert

Certificate to use for credentials in lieu of password.

When using --keyvault, indicates the name of the cert to use or create. Otherwise, supply a PEM or DER formatted public certificate string. Use @ to load from a file. Do not include private key info.

--create-cert

Create a self-signed certificate to use for the credential.

Use with --keyvault to create the certificate in Key Vault. Otherwise, a certificate will be created locally.

--keyvault

Name or ID of a KeyVault to use for creating or retrieving certificates.

--name -n

Display name or an app ID URI. Command will generate one if missing.

--password -p

The password used to login. If missing, command will generate one.

--role

Role the service principal has in regard to resources.

default value: Contributor

--scopes

Space-separated list of scopes the service principal's role assignment applies to. Defaults to the root of the current subscription.

--sdk-auth

Output the result in a format compatible with the Azure SDK auth file.

--skip-assignment

Do not create default assignment.

--years

Number of years for which the credentials will be valid. Default: 1 year.

az ad sp delete

Delete a service principal and its role assignments.

az ad sp delete --id

Required Parameters

--id

Service principal name, or object id.

az ad sp list

List service principals, with optional filtering.

az ad sp list [--display-name]
[--filter]
[--spn]

Optional Parameters

--display-name

Object's display name or its prefix.

--filter

OData filter.

--spn

Service principal name.

az ad sp reset-credentials

Use upon expiration of the existing credentials or in the event that you forget them.

az ad sp reset-credentials --name
[--cert]
[--create-cert]
[--keyvault]
[--password]
[--years]

Required Parameters

--name -n

Display name or an app ID URI.

Optional Parameters

--cert

Certificate to use for credentials in lieu of password.

When using --keyvault, indicates the name of the cert to use or create. Otherwise, supply a PEM or DER formatted public certificate string. Use @ to load from a file. Do not include private key info.

--create-cert

Create a self-signed certificate to use for the credential.

Use with --keyvault to create the certificate in Key Vault. Otherwise, a certificate will be created locally.

--keyvault

Name or ID of a KeyVault to use for creating or retrieving certificates.

--password -p

The password used to login. If missing, command will generate one.

--years

Number of years for which the credentials will be valid. Default: 1 year.

az ad sp show

Get a service principal.

az ad sp show --id

Required Parameters

--id

Service principal name, or object id.