az ad sp

Manage Azure Active Directory service principals for automation authentication.

Commands

az ad sp create

Create a service principal.

az ad sp create-for-rbac

Create a service principal and configure its access to Azure resources.

az ad sp credential

Manage a service principal's credentials.

az ad sp credential delete

Delete a service principal's credential.

az ad sp credential list

List a service principal's credentials.

az ad sp credential reset

Reset a service principal credential.

az ad sp delete

Delete a service principal and its role assignments.

az ad sp list

List service principals.

az ad sp owner

Manage service principal owners.

az ad sp owner list

List service principal owners.

az ad sp show

Get the details of a service principal.

az ad sp update

Update a service principal.

az ad sp create

Create a service principal.

az ad sp create --id

Examples

Create a service principal. (autogenerated)

az ad sp create --id 00000000-0000-0000-0000-000000000000

Required Parameters

--id

Identifier URI, application ID, or object ID of the associated application.

az ad sp create-for-rbac

Create a service principal and configure its access to Azure resources.

The output includes credentials that you must protect. Do not embed these credentials in your code or check them into source control. Where possible, prefer managed identities, which remove the need for a credential altogether.

By default, this command does not assign any role to the service principal. Use --role and --scopes to assign a specific role and narrow its scope to a resource or resource group; grant only the least privilege the automation needs. You can also use az role assignment create to add role assignments for this service principal later. See steps to add a role assignment for more information.
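The two warnings above, least privilege on the role assignment and never exposing the returned password, are easy to enforce in a small wrapper. The following is an added example, not code from the Azure CLI or its documentation: it builds the command line under two policies that are this example's own assumptions (an explicit scope no wider than a resource group; no Owner or User Access Administrator role), then writes the returned password to an owner-only file instead of echoing it. SAMPLE_OUTPUT is constructed to match the fields the command returns (appId, displayName, password, tenant); `az` is not invoked unless you swap run() in for the sample.

```python
"""Least-privilege wrapper around `az ad sp create-for-rbac`.

Added example, not code from the Azure CLI or its documentation. It assembles
the command line under two policies (an explicit scope no wider than a resource
group; no role that can grant access, i.e. Owner or User Access Administrator),
then stores the returned password in an owner-only file instead of printing it.
SAMPLE_OUTPUT is constructed to match the fields the command returns; nothing
here calls `az` unless you swap run() in for the sample.
"""
import json
import os
import re
import subprocess
import tempfile
from typing import Dict, List, Optional, Sequence

_GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
# '/subscriptions/<id>' alone is the whole subscription: too broad for automation.
_SUBSCRIPTION_ROOT = re.compile(rf"^/subscriptions/{_GUID}/?$")
# A resource group, or any resource path below one.
_RG_OR_NARROWER = re.compile(
    rf"^/subscriptions/{_GUID}/resourceGroups/[^/]+(?:/.+)?$", re.IGNORECASE)
# Roles that let the principal change access itself (policy assumption).
_ACCESS_ADMIN_ROLES = {"owner", "user access administrator"}


def scope_is_narrow(scope: str) -> bool:
    """True only for a resource-group scope or a resource inside one."""
    if _SUBSCRIPTION_ROOT.match(scope):
        return False
    return bool(_RG_OR_NARROWER.match(scope))


def build_args(name: str, role: str, scopes: Sequence[str], years: int = 1,
               keyvault: Optional[str] = None, cert: Optional[str] = None,
               create_cert: bool = False) -> List[str]:
    """Build argv for the command; every flag used here is from the reference above."""
    if not scopes:
        raise ValueError("--scopes is required here: omitting it means the whole subscription")
    bad = [s for s in scopes if not scope_is_narrow(s)]
    if bad:
        raise ValueError(f"scope(s) wider than a resource group: {bad}")
    if role.strip().lower() in _ACCESS_ADMIN_ROLES:
        raise ValueError(f"{role!r} can grant itself more access; pick a narrower built-in role")
    if years != 1:
        raise ValueError("keep the 1-year default and rotate with az ad sp credential reset")
    args = ["az", "ad", "sp", "create-for-rbac", "-n", name, "--role", role,
            "--scopes", *scopes, "--years", str(years), "-o", "json"]
    if keyvault:
        if not cert:
            raise ValueError("--keyvault needs --cert naming the certificate")
        args += ["--keyvault", keyvault, "--cert", cert]
        if create_cert:
            args.append("--create-cert")  # self-signed cert created inside the vault
    return args


def run(args: List[str]) -> str:
    """Invoke az for real; returns the JSON it prints (raises if az is absent or fails)."""
    return subprocess.run(args, check=True, capture_output=True, text=True).stdout


def store_password(output_json: str, path: str) -> Dict[str, str]:
    """Write the password to `path` (created exclusively with mode 0600; umask can
    only remove bits) and return a copy of the output that is safe to log."""
    data = json.loads(output_json)
    if "password" in data:               # absent for certificate-based principals
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        try:
            os.write(fd, data["password"].encode())
        finally:
            os.close(fd)
    return {k: ("<redacted>" if k == "password" else v) for k, v in data.items()}


# Constructed sample of the command's JSON output; not a real secret or tenant.
SAMPLE_OUTPUT = json.dumps({
    "appId": "00000000-0000-0000-0000-000000000000",
    "displayName": "MyApp",
    "password": "constructed-not-a-real-secret",
    "tenant": "00000000-0000-0000-0000-000000000000",
})


def demo() -> Dict[str, object]:
    """Run the flow against SAMPLE_OUTPUT; replace SAMPLE_OUTPUT with run(args) to go live."""
    args = build_args("MyApp", "Contributor",
                      ["/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup"])
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sp-password")
        redacted = store_password(SAMPLE_OUTPUT, path)
        mode = os.stat(path).st_mode & 0o777
        with open(path) as fh:
            stored = fh.read()
    return {"args": args, "redacted": redacted, "file_mode": mode, "stored": stored}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The scope check is deliberately stricter than the CLI: the reference below notes that --scopes defaults to the subscription root, so the wrapper refuses to run without an explicit, narrower scope. O_EXCL means an existing file is never silently overwritten, and the redacted copy is the only thing that should reach logs or CI output.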

az ad sp create-for-rbac [--cert]
                         [--create-cert]
                         [--keyvault]
                         [--name]
                         [--role]
                         [--scopes]
                         [--sdk-auth {false, true}]
                         [--skip-assignment {false, true}]
                         [--years]

Examples

Create without role assignment.

az ad sp create-for-rbac

Create using a custom display name.

az ad sp create-for-rbac -n "MyApp"

Create with a Contributor role assignment on the specified scopes.

az ad sp create-for-rbac -n "MyApp" --role Contributor --scopes /subscriptions/{SubID}/resourceGroups/{ResourceGroup1} /subscriptions/{SubID}/resourceGroups/{ResourceGroup2}

Create using a self-signed certificate.

az ad sp create-for-rbac --create-cert

Create using a self-signed certificate, and store it within KeyVault.

az ad sp create-for-rbac --keyvault MyVault --cert CertName --create-cert

Create using existing certificate in KeyVault.

az ad sp create-for-rbac --keyvault MyVault --cert CertName

Optional Parameters

--cert

Certificate to use for credentials.

--create-cert

Create a self-signed certificate to use for the credential. Without --keyvault, the certificate and its private key are written as a PEM file to the current OS user's home directory (the output reports the path); only the current OS user has read/write permission to this file. With --keyvault, the certificate is created inside the vault instead.

--keyvault

Name or ID of a KeyVault to use for creating or retrieving certificates.

--name -n

Display name of the service principal. If not present, default to azure-cli-%Y-%m-%d-%H-%M-%S where the suffix is the time of creation.

--role

Role to assign to the service principal, for example Contributor or Reader. If omitted, no role assignment is created.

--scopes

Space-separated list of scopes the service principal's role assignment applies to. Only used together with --role; if --role is given without --scopes, the assignment defaults to the root of the current subscription, which is broader than most automation needs. e.g., /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.

--sdk-auth

Output the result in a format compatible with the Azure SDK auth file (clientId, clientSecret, subscriptionId, tenantId and endpoint URLs). This output contains the secret in plain text; treat the file with the same care as the password itself.

accepted values: false, true
--skip-assignment

No-op, kept for backward compatibility: a role assignment is already skipped unless --role is specified.

accepted values: false, true
--years

Number of years for which the credentials will be valid. Default: 1 year. A longer lifetime widens the window in which a leaked credential remains usable; prefer the default and rotate with az ad sp credential reset.

az ad sp delete

Delete a service principal and its role assignments.

az ad sp delete --id

Examples

Delete a service principal and its role assignments. (autogenerated)

az ad sp delete --id 00000000-0000-0000-0000-000000000000

Required Parameters

--id

Service principal name, or object ID.

az ad sp list

List service principals.

For low latency, only the first 100 service principals are returned by default, unless you provide filter arguments or use "--all".
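The 100-entry default matters for audits: a credential review has to use "--all" (or a filter) or it silently misses most of the tenant. The following is an added example, not code from the Azure CLI or its documentation, that consumes the JSON from az ad sp list --all -o json and flags password and certificate credentials that are expired, expire within 30 days, were issued for longer than the one-year default of --years, or coexist with another active password on the same principal (typically a stale secret left behind by a rotation). The field names are those the CLI returns: older releases use passwordCredentials[].startDate/endDate, newer ones use startDateTime/endDateTime, and both are handled. The thresholds are this example's own policy assumptions, and SAMPLE is constructed data.

```python
"""Audit service principal credentials from `az ad sp list --all -o json`.

Added example, not code from the Azure CLI or its documentation. Usage:
    az ad sp list --all -o json | python3 sp_audit.py
With no pipe it runs on SAMPLE, constructed data in the shape the CLI returns
(older releases: startDate/endDate; newer: startDateTime/endDateTime).
"""
import json
import re
import sys
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

MAX_LIFETIME = timedelta(days=366)     # policy assumption: the 1-year default of --years
EXPIRY_WARNING = timedelta(days=30)    # policy assumption: rotate before this point

_FRACTION = re.compile(r"\.\d+")       # az may emit 7 fractional digits; fromisoformat rejects them


def parse_ts(ts: str) -> datetime:
    """Parse the ISO-8601 timestamps az emits ('Z' suffix, offsets, or fractional seconds)."""
    ts = _FRACTION.sub("", ts.strip())
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:              # no offset present: treat as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def audit(sps: List[Dict], now: Optional[datetime] = None) -> List[Dict]:
    """Return one finding per problem: {'sp', 'keyId', 'kind', 'issue'}."""
    now = now or datetime.now(timezone.utc)
    findings: List[Dict] = []

    def note(sp: str, key_id: Optional[str], kind: str, issue: str) -> None:
        findings.append({"sp": sp, "keyId": key_id, "kind": kind, "issue": issue})

    for sp in sps:
        name = sp.get("displayName") or sp.get("appId") or sp.get("objectId") or sp.get("id")
        active_passwords = 0
        for kind, field in (("password", "passwordCredentials"),
                            ("certificate", "keyCredentials")):
            for cred in sp.get(field) or []:
                start = parse_ts(cred.get("startDateTime") or cred.get("startDate"))
                end = parse_ts(cred.get("endDateTime") or cred.get("endDate"))
                key_id = cred.get("keyId")
                if end <= now:
                    note(name, key_id, kind, "expired")
                else:
                    if kind == "password":
                        active_passwords += 1
                    if end - now <= EXPIRY_WARNING:
                        note(name, key_id, kind, "expires-soon")
                if end - start > MAX_LIFETIME:
                    note(name, key_id, kind, "lifetime-exceeds-policy")
        if active_passwords > 1:        # usually a stale secret left over from a rotation
            note(name, None, "password", "multiple-active-passwords")
    return findings


# Constructed sample in the shape `az ad sp list --all -o json` returns.
SAMPLE = json.dumps([
    {"displayName": "sp-a", "appId": "11111111-1111-1111-1111-111111111111",
     "passwordCredentials": [{"keyId": "a1", "startDate": "2021-01-01T00:00:00+00:00",
                              "endDate": "2022-01-01T00:00:00+00:00"}],
     "keyCredentials": []},
    {"displayName": "sp-b", "appId": "22222222-2222-2222-2222-222222222222",
     "passwordCredentials": [{"keyId": "b1", "startDateTime": "2020-03-01T00:00:00Z",
                              "endDateTime": "2021-03-01T00:00:00Z"}],
     "keyCredentials": [{"keyId": "b2", "startDateTime": "2020-06-15T00:00:00.1234567Z",
                         "endDateTime": "2023-06-15T00:00:00Z"}]},
    {"displayName": "sp-c", "appId": "33333333-3333-3333-3333-333333333333",
     "passwordCredentials": [{"keyId": "c1", "startDate": "2021-05-10T00:00:00+00:00",
                              "endDate": "2021-06-20T00:00:00+00:00"},
                             {"keyId": "c2", "startDate": "2021-05-20T00:00:00+00:00",
                              "endDate": "2022-05-20T00:00:00+00:00"}],
     "keyCredentials": []},
])
NOW = datetime(2021, 6, 1, tzinfo=timezone.utc)   # fixed clock for the sample


def audit_sample() -> List[Dict]:
    return audit(json.loads(SAMPLE), now=NOW)


if __name__ == "__main__":
    results = audit(json.load(sys.stdin)) if not sys.stdin.isatty() else audit_sample()
    for r in results:
        print(f"{r['issue']:26} {r['kind']:11} {r['sp']}  keyId={r['keyId']}")
```

On the sample, sp-a is clean, sp-b has an expired password and a three-year certificate, and sp-c has a password about to expire next to a second active one. Each keyId maps directly onto az ad sp credential delete --key-id or a targeted az ad sp credential reset, so the findings list doubles as a remediation worklist.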

az ad sp list [--all]
              [--display-name]
              [--filter]
              [--query-examples]
              [--show-mine]
              [--spn]

Optional Parameters

--all

List all entities; expect a long delay in a large organization.

--display-name

Object's display name or its prefix.

--filter

OData filter, e.g. --filter "displayName eq 'test' and servicePrincipalType eq 'Application'".

--query-examples

Recommend JMESPath strings for you. Copy one of the queries and paste it after the --query parameter within double quotation marks to see the results. You can add one or more positional keywords so that the suggestions are based on those keywords.

--show-mine

List entities owned by the current user.

--spn

Service principal name.

az ad sp show

Get the details of a service principal.

az ad sp show --id
              [--query-examples]

Examples

Get the details of a service principal. (autogenerated)

az ad sp show --id 00000000-0000-0000-0000-000000000000

Required Parameters

--id

Service principal name, or object ID.

Optional Parameters

--query-examples

Recommend JMESPath strings for you. Copy one of the queries and paste it after the --query parameter within double quotation marks to see the results. You can add one or more positional keywords so that the suggestions are based on those keywords.

az ad sp update

Update a service principal.

az ad sp update --id
                [--add]
                [--force-string]
                [--remove]
                [--set]

Examples

Update a service principal. (autogenerated)

az ad sp update --id 00000000-0000-0000-0000-000000000000 --set groupMembershipClaims=All

Required Parameters

--id

Service principal name, or object ID.

Optional Parameters

--add

Add an object to a list of objects by specifying a path and key value pairs. Example: --add property.listProperty <key=value, string or JSON string>.

--force-string

When using 'set' or 'add', preserve string literals instead of attempting to convert to JSON.

--remove

Remove a property or an element from a list. Example: --remove property.list OR --remove propertyToRemove.

--set

Update an object by specifying a property path and value to set. Example: --set property1.property2=<value>.