az ad sp

Manage Azure Active Directory service principals for automation authentication.

Commands

az ad sp create              Create a service principal.
az ad sp create-for-rbac     Create a service principal and configure its access to Azure resources.
az ad sp credential          Manage a service principal's credentials.
az ad sp credential delete   Delete a service principal's credential.
az ad sp credential list     List a service principal's credentials.
az ad sp credential reset    Reset a service principal credential.
az ad sp delete              Delete a service principal and its role assignments.
az ad sp list                List service principals.
az ad sp owner               Manage service principal owners.
az ad sp owner list          List service principal owners.
az ad sp show                Get the details of a service principal.
az ad sp update              Update a service principal.

az ad sp create

Create a service principal.

az ad sp create --id

Examples

Create a service principal. (autogenerated)

az ad sp create --id 00000000-0000-0000-0000-000000000000

Required Parameters

--id

Identifier URI, application ID, or object ID of the associated application.

az ad sp create-for-rbac

Create a service principal and configure its access to Azure resources.

az ad sp create-for-rbac [--cert]
                         [--create-cert]
                         [--keyvault]
                         [--name]
                         [--role]
                         [--scopes]
                         [--sdk-auth {false, true}]
                         [--skip-assignment {false, true}]
                         [--years]

Examples

Create with a default role assignment.

az ad sp create-for-rbac

Create using a custom name, and with a default assignment.

az ad sp create-for-rbac -n "MyApp"

Create without a default assignment.

az ad sp create-for-rbac --skip-assignment

Create with customized contributor assignments.

az ad sp create-for-rbac -n "MyApp" --role contributor \
    --scopes /subscriptions/{SubID}/resourceGroups/{ResourceGroup1} \
    /subscriptions/{SubID}/resourceGroups/{ResourceGroup2}

Create using a self-signed certificate.

az ad sp create-for-rbac --create-cert

Create using a self-signed certificate, and store it within KeyVault.

az ad sp create-for-rbac --keyvault MyVault --cert CertName --create-cert

Create using existing certificate in KeyVault.

az ad sp create-for-rbac --keyvault MyVault --cert CertName

Optional Parameters

--cert

Certificate to use for credentials.

--create-cert

Create a self-signed certificate to use for the credential.

--keyvault

Name or ID of a KeyVault to use for creating or retrieving certificates.

--name -n

A URI to use as the logical name. It doesn't need to exist. If not present, the CLI will generate one.

--role

Role of the service principal.

default value: Contributor

--scopes

Space-separated list of scopes the service principal's role assignment applies to. Defaults to the root of the current subscription.

--sdk-auth

Output the result in a format compatible with the Azure SDK auth file.

accepted values: false, true

--skip-assignment

Skip creating the default assignment, which allows the service principal to access resources under the current subscription.

accepted values: false, true

--years

Number of years for which the credentials will be valid. Default: 1 year.
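
The defaults documented above (Contributor role, scope at the root of the current subscription) are broader than most automation needs. As an added example, not part of the original reference, this wrapper rejects those defaults and prints a certificate-based create-for-rbac command for review; the function name, the role deny-list, the one-year cap and the sample values are assumptions.

```shell
#!/bin/sh
# Added example (not from the Azure CLI reference): guard rails around
# `az ad sp create-for-rbac`, using only flags documented on this page.
# Assumptions: function name, role deny-list, and the one-year cap.

# sp_create_cmd NAME ROLE YEARS VAULT CERT SCOPE...
# Prints the az command for review; returns non-zero on a risky request.
sp_create_cmd() {
    [ "$#" -ge 6 ] || { echo "usage: sp_create_cmd NAME ROLE YEARS VAULT CERT SCOPE..." >&2; return 2; }
    name=$1 role=$2 years=$3 vault=$4 cert=$5
    shift 5

    # --role defaults to Contributor; insist on an explicit, narrower role.
    case $(printf '%s' "$role" | tr '[:upper:]' '[:lower:]') in
        contributor|owner) echo "refusing broad role: $role" >&2; return 1 ;;
    esac

    # --years defaults to 1; do not allow a longer credential lifetime.
    case $years in
        1) ;;
        *) echo "refusing --years $years (max 1)" >&2; return 1 ;;
    esac

    # --scopes defaults to the subscription root; require a resource
    # group scope or something deeper.
    for scope in "$@"; do
        case $scope in
            /subscriptions/*/resourceGroups/?*) ;;
            *) echo "refusing scope: $scope" >&2; return 1 ;;
        esac
    done

    # Certificate credential created in Key Vault rather than a password.
    printf 'az ad sp create-for-rbac -n "%s" --role "%s" --years %s' "$name" "$role" "$years"
    printf ' --keyvault "%s" --cert "%s" --create-cert --scopes' "$vault" "$cert"
    printf ' "%s"' "$@"
    printf '\n'
}
```
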

az ad sp delete

Delete a service principal and its role assignments.

az ad sp delete --id

Examples

Delete a service principal and its role assignments. (autogenerated)

az ad sp delete --id 00000000-0000-0000-0000-000000000000

Required Parameters

--id

Service principal name or object ID.

az ad sp list

List service principals.

az ad sp list [--all]
              [--display-name]
              [--filter]
              [--show-mine]
              [--spn]

Optional Parameters

--all

List all entities. Expect a long delay in a large organization.

--display-name

Object's display name or its prefix.

--filter

OData filter.

--show-mine

List entities owned by the current user.

--spn

Service principal name.

az ad sp show

Get the details of a service principal.

az ad sp show --id

Examples

Get the details of a service principal. (autogenerated)

az ad sp show --id 00000000-0000-0000-0000-000000000000

Required Parameters

--id

Service principal name or object ID.

az ad sp update

Update a service principal.

az ad sp update --id
                [--add]
                [--force-string]
                [--remove]
                [--set]

Examples

Update a service principal. (autogenerated)

az ad sp update --id 00000000-0000-0000-0000-000000000000 --set groupMembershipClaims=All

Required Parameters

--id

Service principal name or object ID.

Optional Parameters

--add

Add an object to a list of objects by specifying a path and key value pairs. Example: --add property.listProperty <key=value, string or JSON string>.

--force-string

When using 'set' or 'add', preserve string literals instead of attempting to convert to JSON.

--remove

Remove a property or an element from a list. Example: --remove property.list OR --remove propertyToRemove.

--set

Update an object by specifying a property path and value to set. Example: --set property1.property2=.