az ad sp

Manage Azure Active Directory service principals for automation authentication.

Commands

az ad sp create              Create a service principal.
az ad sp create-for-rbac     Create a service principal and configure its access to Azure resources.
az ad sp delete              Delete a service principal and its role assignments.
az ad sp list                List service principals.
az ad sp reset-credentials   Reset a service principal credential.
az ad sp show                Get the details of a service principal.

az ad sp create

Create a service principal.

az ad sp create --id

Required Parameters

--id

Identifier uri, application id, or object id of the associated application.

az ad sp create-for-rbac

Create a service principal and configure its access to Azure resources.

az ad sp create-for-rbac [--cert]
[--create-cert]
[--keyvault]
[--name]
[--password]
[--role]
[--scopes]
[--sdk-auth]
[--skip-assignment]
[--years]

Examples

Create with a default role assignment.

az ad sp create-for-rbac

Create using a custom name, and with a default assignment.

az ad sp create-for-rbac -n "MyApp"

Create without a default assignment.

az ad sp create-for-rbac --skip-assignment

Create with customized contributor assignments.

az ad sp create-for-rbac -n "MyApp" --role contributor --scopes /subscriptions/{SubID}/resourceGroups/{MyRG1} /subscriptions/{SubID}/resourceGroups/{MyRG2}

Create using a self-signed certificate.

az ad sp create-for-rbac --create-cert

Create using a self-signed certificate, and store it within KeyVault.

az ad sp create-for-rbac --keyvault MyVault --cert CertName --create-cert

Create using existing certificate in KeyVault.

az ad sp create-for-rbac --keyvault MyVault --cert CertName

Optional Parameters

--cert

Certificate to use for credentials.

--create-cert

Create a self-signed certificate to use for the credential.

--keyvault

Name or ID of a KeyVault to use for creating or retrieving certificates.

--name -n

Name or app URI to associate the RBAC with. If not present, a name will be generated.

--password -p

The password used to log in.

--role

Role of the service principal.

default value: Contributor

--scopes

Space-separated list of scopes the service principal's role assignment applies to. Defaults to the root of the current subscription.

--sdk-auth

Output the result in a format compatible with the Azure SDK auth file.

--skip-assignment

Do not create default assignment.

--years

Number of years for which the credentials will be valid. Default: 1 year.
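
As an added example (not part of the Azure CLI or its documentation), the shell function below lints an intended create-for-rbac argument list against the defaults documented above: Contributor role, subscription-root scope, and 1-year credentials. The function name and finding labels are hypothetical, and it only inspects arguments; it never calls az.

```shell
# Added example: lint the arguments of an intended
# `az ad sp create-for-rbac` call before running it. Never invokes az.
# lint_create_for_rbac and the finding labels are hypothetical names.
lint_create_for_rbac() {
  local role="" years="" skip=0 scopes=0 broad=0 pw=0 out=""
  while [ $# -gt 0 ]; do
    case "$1" in
      --skip-assignment) skip=1 ;;
      --password|-p) pw=1; [ $# -gt 1 ] && shift ;;
      --role)  role="${2:-}";  [ $# -gt 1 ] && shift ;;
      --years) years="${2:-}"; [ $# -gt 1 ] && shift ;;
      --scopes)
        # Consume the space-separated scope list up to the next option.
        while [ $# -gt 1 ] && [ "${2#-}" = "$2" ]; do
          scopes=$((scopes + 1))
          case "$2" in
            /subscriptions/*/resourceGroups/*) ;;   # resource group or narrower
            *) broad=1 ;;                           # subscription root or wider
          esac
          shift
        done ;;
    esac
    shift
  done
  if [ "$skip" -eq 0 ]; then
    # No --role means the documented default, Contributor.
    [ -z "$role" ] && out="$out default-contributor-role"
    # No --scopes means the root of the current subscription.
    if [ "$scopes" -eq 0 ] || [ "$broad" -eq 1 ]; then
      out="$out subscription-wide-scope"
    fi
  fi
  # Command-line arguments are visible in shell history and process listings.
  [ "$pw" -eq 1 ] && out="$out password-in-argv"
  # Documented default lifetime is 1 year; flag anything longer.
  case "$years" in
    ''|*[!0-9]*) ;;
    *) [ "$years" -gt 1 ] && out="$out long-lived-credential" ;;
  esac
  out="${out# }"
  [ -n "$out" ] && printf '%s\n' "$out"
  [ -z "$out" ]   # exit status 0 only when there are no findings
}
```

The function prints the findings on one line and returns non-zero when there are any, so it can gate a provisioning script before the real command runs.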

az ad sp delete

Delete a service principal and its role assignments.

az ad sp delete --id

Required Parameters

--id

Service principal name, or object id.

az ad sp list

List service principals.

az ad sp list [--display-name]
[--filter]
[--spn]

Optional Parameters

--display-name

Object's display name or its prefix.

--filter

OData filter.

--spn

Service principal name.

az ad sp reset-credentials

Reset a service principal credential.

Use upon expiration of the service principal's credentials, or in the event that login credentials are lost.

az ad sp reset-credentials --name
[--append]
[--cert]
[--create-cert]
[--keyvault]
[--password]
[--years]

Required Parameters

--name -n

Name or app URI for the credential.

Optional Parameters

--append

Append the new credential instead of overwriting.

--cert

Certificate to use for credentials.

--create-cert

Create a self-signed certificate to use for the credential.

--keyvault

Name or ID of a KeyVault to use for creating or retrieving certificates.

--password -p

The password used to log in.

--years

Number of years for which the credentials will be valid. Default: 1 year.

az ad sp show

Get the details of a service principal.

az ad sp show --id

Required Parameters

--id

Service principal name, or object id.