az ad sp

Manage Azure Active Directory service principals for automation authentication.

Commands

az ad sp create

Create a service principal.

az ad sp create-for-rbac

Create a service principal and configure its access to Azure resources.

az ad sp credential

Manage a service principal's credentials.

az ad sp credential delete

Delete a service principal's credential.

az ad sp credential list

List a service principal's credentials.

az ad sp credential reset

Reset a service principal credential.

az ad sp delete

Delete a service principal and its role assignments.

az ad sp list

List service principals.

az ad sp owner

Manage service principal owners.

az ad sp owner list

List service principal owners.

az ad sp show

Get the details of a service principal.

az ad sp update

Update a service principal.

az ad sp create

Create a service principal.

az ad sp create --id

Examples

Create a service principal. (autogenerated)

az ad sp create --id 00000000-0000-0000-0000-000000000000

Required Parameters

--id

Identifier URI, application ID, or object ID of the associated application.

az ad sp create-for-rbac

Create a service principal and configure its access to Azure resources.

The output includes credentials that you must protect. Be sure that you do not include these credentials in your code or check the credentials into your source control. As an alternative, consider using managed identities if available to avoid the need to use credentials.

By default, this command assigns the 'Contributor' role to the service principal at the subscription scope. To reduce your risk of a compromised service principal, use --skip-assignment to avoid creating a role assignment, then assign a more specific role and narrow the scope to a resource or resource group. See steps to add a role assignment for more information.

WARNING: In a future release, this command will NOT create a 'Contributor' role assignment by default. If needed, use the --role argument to explicitly create a role assignment.

az ad sp create-for-rbac [--cert]
                         [--create-cert]
                         [--keyvault]
                         [--name]
                         [--role]
                         [--scopes]
                         [--sdk-auth {false, true}]
                         [--skip-assignment {false, true}]
                         [--years]

Examples

Create with a default role assignment.

az ad sp create-for-rbac

Create using a custom name, and with a default assignment.

az ad sp create-for-rbac -n "MyApp"

Create without a default assignment.

az ad sp create-for-rbac --skip-assignment

Create with Contributor role assignments on the specified scopes.

az ad sp create-for-rbac -n "MyApp" --role Contributor --scopes /subscriptions/{SubID}/resourceGroups/{ResourceGroup1} /subscriptions/{SubID}/resourceGroups/{ResourceGroup2}

Create using a self-signed certificate.

az ad sp create-for-rbac --create-cert

Create using a self-signed certificate, and store it within KeyVault.

az ad sp create-for-rbac --keyvault MyVault --cert CertName --create-cert

Create using an existing certificate in KeyVault.

az ad sp create-for-rbac --keyvault MyVault --cert CertName

Optional Parameters

--cert

Certificate to use for credentials.

--create-cert

Create a self-signed certificate to use for the credential. Only the current OS user has read/write permission to this certificate.

--keyvault

Name or ID of a KeyVault to use for creating or retrieving certificates.

--name -n

Display name of the service principal. If not present, defaults to azure-cli-%Y-%m-%d-%H-%M-%S, where the suffix is the time of creation.

--role

Role of the service principal.

--scopes

Space-separated list of scopes the service principal's role assignment applies to. Defaults to the root of the current subscription. e.g., /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.

--sdk-auth

Output the result in a format compatible with an Azure SDK auth file.

accepted values: false, true

--skip-assignment

Skip creating the default assignment, which allows the service principal to access resources under the current subscription. When specified, --scopes will be ignored. You may use az role assignment create to create role assignments for this service principal later.

accepted values: false, true

--years

Number of years for which the credentials will be valid. Default: 1 year.
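As an added example (not part of the Azure CLI reference), the POSIX shell script below follows the flow recommended above: create the service principal with --skip-assignment and a certificate credential generated into Key Vault, grant one non-broad role on a single resource group, then confirm no assignment exists at the subscription root. The principal, vault and certificate names are placeholders you supply; the subscription GUID used in the self-check is the one from the --scopes description.

```shell
#!/bin/sh
# Added example, not from the az CLI reference. Creates a least-privilege
# service principal: no default Contributor assignment, a certificate stored in
# Key Vault instead of a printed password, and one role on one resource group.
set -eu

# Build a resource-group scope. A malformed subscription id is rejected instead
# of passed through, so a typo cannot quietly become a different scope.
rg_scope() {
  sub="$1"; rg="$2"
  printf '%s' "$sub" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$' || return 1
  [ -n "$rg" ] || return 1
  printf '/subscriptions/%s/resourceGroups/%s\n' "$sub" "$rg"
}

# Refuse the broad built-in roles; the point of the two-step flow is a narrower one.
narrow_role() {
  case "$1" in
    ""|Owner|Contributor|"User Access Administrator") return 1 ;;
    *) return 0 ;;
  esac
}

create_scoped_sp() {
  name="$1"; role="$2"; scope="$3"; vault="$4"; cert="$5"
  narrow_role "$role" || { echo "refusing broad role: $role" >&2; return 1; }
  # The certificate is generated straight into Key Vault, so no secret is
  # echoed to the terminal or shell history; only the appId is captured.
  app_id=$(az ad sp create-for-rbac --name "$name" --skip-assignment \
             --keyvault "$vault" --cert "$cert" --create-cert \
             --query appId -o tsv)
  az role assignment create --assignee "$app_id" --role "$role" --scope "$scope" >/dev/null
  # Verify the principal holds exactly the intended scope and nothing broader.
  for s in $(az role assignment list --assignee "$app_id" --all --query '[].scope' -o tsv); do
    [ "$s" = "$scope" ] || { echo "unexpected assignment at $s" >&2; return 1; }
  done
  echo "$app_id"
}

# Usage: sh script.sh <name> <role> <subscription-id> <resource-group> <vault> <cert>
if [ "$#" -eq 6 ]; then
  scope=$(rg_scope "$3" "$4")
  create_scoped_sp "$1" "$2" "$scope" "$5" "$6"
fi
```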

az ad sp delete

Delete a service principal and its role assignments.

az ad sp delete --id

Examples

Delete a service principal and its role assignments. (autogenerated)

az ad sp delete --id 00000000-0000-0000-0000-000000000000

Required Parameters

--id

Service principal name, or object id.

az ad sp list

List service principals.

For low latency, only the first 100 entries are returned by default unless you provide filter arguments or use "--all".

az ad sp list [--all]
              [--display-name]
              [--filter]
              [--query-examples]
              [--show-mine]
              [--spn]

Optional Parameters

--all

List all entities; expect a long delay in a large organization.

--display-name

Object's display name or its prefix.

--filter

OData filter, e.g. --filter "displayname eq 'test' and servicePrincipalType eq 'Application'".

--query-examples

Recommend JMESPath strings for you. You can copy one of the queries and paste it after the --query parameter within double quotation marks to see the results. You can add one or more positional keywords so that suggestions are based on those keywords.

--show-mine

List entities owned by the current user.

--spn

Service principal name.

az ad sp show

Get the details of a service principal.

az ad sp show --id
              [--query-examples]

Examples

Get the details of a service principal. (autogenerated)

az ad sp show --id 00000000-0000-0000-0000-000000000000

Required Parameters

--id

Service principal name, or object id.

Optional Parameters

--query-examples

Recommend JMESPath strings for you. You can copy one of the queries and paste it after the --query parameter within double quotation marks to see the results. You can add one or more positional keywords so that suggestions are based on those keywords.

az ad sp update

Update a service principal.

az ad sp update --id
                [--add]
                [--force-string]
                [--remove]
                [--set]

Examples

Update a service principal. (autogenerated)

az ad sp update --id 00000000-0000-0000-0000-000000000000 --set groupMembershipClaims=All

Required Parameters

--id

Service principal name, or object id.

Optional Parameters

--add

Add an object to a list of objects by specifying a path and key value pairs. Example: --add property.listProperty <key=value, string or JSON string>.

--force-string

When using 'set' or 'add', preserve string literals instead of attempting to convert to JSON.

--remove

Remove a property or an element from a list. Example: --remove property.list OR --remove propertyToRemove.

--set

Update an object by specifying a property path and value to set. Example: --set property1.property2=<value>.