az ad sp
Manage Microsoft Entra service principals.
Commands
| Name | Description | Type | Status | 
|---|---|---|---|
| az ad sp create | Create a service principal. | Core | GA | 
| az ad sp create-for-rbac | Create an application and its associated service principal, optionally configure the service principal's RBAC role assignments. | Core | GA | 
| az ad sp credential | Manage a service principal's password or certificate credentials. | Core | GA | 
| az ad sp credential delete | Delete a service principal's password or certificate credentials. | Core | GA | 
| az ad sp credential list | List a service principal's password or certificate credential metadata. (The content of the password or certificate credential is not retrievable.). | Core | GA | 
| az ad sp credential reset | Reset a service principal's password or certificate credentials. | Core | GA | 
| az ad sp delete | Delete a service principal. | Core | GA | 
| az ad sp list | List service principals. | Core | GA | 
| az ad sp owner | Manage service principal owners. | Core | GA | 
| az ad sp owner list | List service principal owners. | Core | GA | 
| az ad sp show | Get the details of a service principal. | Core | GA | 
| az ad sp update | Update a service principal. | Core | GA | 
az ad sp create
Create a service principal.
az ad sp create --id
Examples
Create a service principal. (autogenerated)
az ad sp create --id 00000000-0000-0000-0000-000000000000
Required Parameters
--id
Identifier uri, application id, or object id of the associated application.
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
| Property | Value |
|---|---|
| Default value: | False |
--help -h
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
| Property | Value |
|---|---|
| Default value: | False |
--output -o
Output format.
| Property | Value |
|---|---|
| Default value: | json |
| Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
| Property | Value |
|---|---|
| Default value: | False |
az ad sp create-for-rbac
Create an application and its associated service principal, optionally configure the service principal's RBAC role assignments.
The output includes credentials that you must protect. Be sure that you do not include these credentials in your code or check the credentials into your source control. As an alternative, consider using managed identities if available to avoid the need to use credentials.
By default, this command does not assign any role to the service principal. You may use --role and --scopes to assign a specific role and narrow the scope to a resource or resource group. You may also use az role assignment create to create role assignments for this service principal later. See steps to add a role assignment for more information.
az ad sp create-for-rbac [--cert]
                         [--create-cert]
                         [--create-password {false, true}]
                         [--display-name --name]
                         [--json-auth --sdk-auth {false, true}]
                         [--keyvault]
                         [--role]
                         [--scopes]
                         [--service-management-reference]
                         [--years]
Examples
Create without role assignment.
az ad sp create-for-rbac
Create using a custom display name.
az ad sp create-for-rbac -n MyApp
Create with Contributor role assignments on the specified scopes. To retrieve the current subscription ID, run `az account show --query id --output tsv`.
az ad sp create-for-rbac -n MyApp --role Contributor --scopes /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup1 /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup2
Do not create a password credential.
az ad sp create-for-rbac --create-password false
Create using a self-signed certificate.
az ad sp create-for-rbac --create-cert
Create using an existing certificate string.
az ad sp create-for-rbac --cert "MIICoT..."
Create using an existing certificate file.
az ad sp create-for-rbac --cert "@~/cert.pem"
`cert.pem` contains the following content:
-----BEGIN CERTIFICATE-----  <<< this line is optional
MIICoT...
-----END CERTIFICATE-----    <<< this line is optional
Create using a self-signed certificate, and store it within Azure Key Vault.
az ad sp create-for-rbac --keyvault MyVault --cert CertName --create-cert
Create using an existing certificate in Azure Key Vault.
az ad sp create-for-rbac --keyvault MyVault --cert CertName
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
--cert
Certificate to use for credentials. When used with --keyvault, indicates the name of the cert to use or create. Otherwise, supply a PEM or DER formatted public certificate string. Use @{path} to load from a file. Do not include the private key.
| Property | Value | 
|---|---|
| Parameter group: | keyCredential Arguments | 
--create-cert
Create a self-signed certificate to use for the credential. Only the current OS user has read/write permission to this certificate. Use with --keyvault to create the certificate in Key Vault. Otherwise, a certificate will be created locally.
| Property | Value | 
|---|---|
| Parameter group: | keyCredential Arguments | 
| Default value: | False | 
--create-password
Create a password credential (secret) on the application. This is the default behavior. Set this argument to false to disable creating a password credential.
| Property | Value | 
|---|---|
| Parameter group: | Credential Arguments | 
| Default value: | True | 
| Accepted values: | false, true | 
--display-name --name -n
Display name of the service principal. If not present, defaults to azure-cli-%Y-%m-%d-%H-%M-%S where the suffix is the time of creation.
--json-auth --sdk-auth
Option '--sdk-auth' has been deprecated and will be removed in a future release.
Output service principal credential along with cloud endpoints in JSON format.
| Property | Value | 
|---|---|
| Accepted values: | false, true | 
--keyvault
Name or ID of a KeyVault to use for creating or retrieving certificates.
| Property | Value | 
|---|---|
| Parameter group: | keyCredential Arguments | 
--role
Role of the service principal.
--scopes
Space-separated list of scopes the service principal's role assignment applies to. e.g., /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.
--service-management-reference
Set the serviceManagementReference property of the created application. Reference application or service contact information from a Service or Asset Management database.
--years
Number of years for which the credentials will be valid. Default: 1 year.
| Property | Value | 
|---|---|
| Parameter group: | Credential Arguments | 
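The practice the description above asks for (narrow scopes, no secrets in code, a certificate rather than a password where possible) is easy to state and easy to skip under time pressure. The following Python wrapper is an added example, not part of the Azure CLI documentation or code base: it builds the `az ad sp create-for-rbac` argv, refuses subscription-wide scopes and the Owner role, caps `--years`, prefers `--create-cert` (optionally in Key Vault) over a password, and maps the command's JSON output to the `AZURE_CLIENT_ID`/`AZURE_TENANT_ID`/`AZURE_CLIENT_SECRET` (or `AZURE_CLIENT_CERTIFICATE_PATH`) variables that the Azure SDK's `EnvironmentCredential` reads, without ever printing the secret. The policy thresholds, the helper names and the constructed sample output are assumptions of this example; `appId`, `tenant`, `password` and `fileWithCertAndPrivateKey` are the keys the command itself prints.

```python
"""Least-privilege wrapper for `az ad sp create-for-rbac` (added example).

Policy enforced here is an assumption of this example, not an az rule:
  * every scope must be a resource group or narrower (no subscription-wide grants);
  * Owner is never assigned, Contributor only with an explicit override;
  * credential lifetime is capped at MAX_YEARS;
  * a certificate credential is preferred to a password, ideally created in Key Vault;
  * the secret in the command output is never logged.
"""
import json
import re
import subprocess
from typing import Dict, List, Optional

MAX_YEARS = 1

# /subscriptions/<guid>/resourceGroups/<name>[/providers/...]: leading slash required.
_GUID = r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}"
_RG_OR_NARROWER = re.compile(r"^/subscriptions/" + _GUID + r"/resourceGroups/[^/]+(?:/.+)?$")


def validate_scope(scope: str) -> bool:
    """True only for a resource-group or narrower scope in the form az expects."""
    return bool(_RG_OR_NARROWER.match(scope))


def build_create_argv(name: str, role: str, scopes: List[str], years: int = 1,
                      use_cert: bool = True, keyvault: Optional[str] = None,
                      allow_contributor: bool = False) -> List[str]:
    """Build the argv for create-for-rbac, rejecting anything outside the policy."""
    if role.lower() == "owner":
        raise ValueError("Owner is not assignable through this wrapper")
    if role.lower() == "contributor" and not allow_contributor:
        raise ValueError("Contributor requires allow_contributor=True")
    bad = [s for s in scopes if not validate_scope(s)]
    if bad or not scopes:
        raise ValueError(f"scopes must be resource-group or narrower: {bad or 'none given'}")
    if not 1 <= years <= MAX_YEARS:
        raise ValueError(f"credential lifetime must be 1..{MAX_YEARS} years")
    argv = ["az", "ad", "sp", "create-for-rbac", "--name", name, "--role", role,
            "--scopes", *scopes, "--years", str(years), "--output", "json"]
    if use_cert:
        # No password at all; self-signed cert either in Key Vault or in a local file
        # that only the current OS user can read.
        argv += ["--create-password", "false", "--create-cert"]
        if keyvault:
            argv += ["--keyvault", keyvault, "--cert", f"{name}-cert"]
    return argv


def credentials_to_env(output: str) -> Dict[str, str]:
    """Map the command's JSON output to the variables EnvironmentCredential reads."""
    data = json.loads(output)
    env = {"AZURE_CLIENT_ID": data["appId"], "AZURE_TENANT_ID": data["tenant"]}
    if data.get("password"):
        env["AZURE_CLIENT_SECRET"] = data["password"]
    if data.get("fileWithCertAndPrivateKey"):
        env["AZURE_CLIENT_CERTIFICATE_PATH"] = data["fileWithCertAndPrivateKey"]
    return env


def redacted(output: str) -> str:
    """Copy of the output that is safe to log: the password value is masked."""
    data = json.loads(output)
    if data.get("password"):
        data["password"] = "<redacted>"
    return json.dumps(data, sort_keys=True)


# Constructed sample of what create-for-rbac prints (not a real tenant or secret).
SAMPLE_OUTPUT = json.dumps({
    "appId": "11111111-1111-1111-1111-111111111111",
    "displayName": "MyApp",
    "password": "not-a-real-secret",
    "tenant": "22222222-2222-2222-2222-222222222222",
})


def create(name: str, role: str, scopes: List[str], **kw) -> Dict[str, str]:
    """Run az and return the credential mapping; only the redacted output is printed."""
    proc = subprocess.run(build_create_argv(name, role, scopes, **kw),
                          capture_output=True, text=True, check=True)
    print(redacted(proc.stdout))
    return credentials_to_env(proc.stdout)


if __name__ == "__main__":
    rg = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup1"
    env = create("MyApp", "Reader", [rg], keyvault="MyVault")
    print(sorted(env))  # variable names only, never the values
```

The returned mapping is meant to be handed to a secret store or injected into the process environment of the workload, not written to a file in the repository; if the workload runs on Azure compute, a managed identity removes the credential entirely, as the description above notes.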
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
| Property | Value |
|---|---|
| Default value: | False |
--help -h
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
| Property | Value |
|---|---|
| Default value: | False |
--output -o
Output format.
| Property | Value |
|---|---|
| Default value: | json |
| Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
| Property | Value |
|---|---|
| Default value: | False |
az ad sp delete
Delete a service principal.
az ad sp delete --id
Examples
Delete a service principal.
az ad sp delete --id 00000000-0000-0000-0000-000000000000
Required Parameters
--id
Service principal name, or object id.
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
| Property | Value |
|---|---|
| Default value: | False |
--help -h
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
| Property | Value |
|---|---|
| Default value: | False |
--output -o
Output format.
| Property | Value |
|---|---|
| Default value: | json |
| Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
| Property | Value |
|---|---|
| Default value: | False |
az ad sp list
List service principals.
For low latency, by default, only the first 100 will be returned unless you provide filter arguments or use "--all".
az ad sp list [--all]
              [--display-name]
              [--filter]
              [--show-mine]
              [--spn]
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
--all
List all entities; expect a long delay in a large organization.
--display-name
Object's display name or its prefix.
--filter
OData filter, e.g. --filter "displayname eq 'test' and servicePrincipalType eq 'Application'".
--show-mine
List entities owned by the current user.
--spn
Service principal name.
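Listing principals is usually the first step of a credential-hygiene sweep: which service principals have expired or soon-expiring credentials, which were issued for longer than policy allows, and which have no credential at all and are probably forgotten. The script below is an added example, not part of the Azure CLI documentation or code base. It combines `az ad sp list` with `az ad sp credential list` (from the command table at the top of this page; `--cert` switches that command from password to certificate credentials) and keeps the analysis in pure functions fed with parsed JSON, so it runs offline on the constructed sample included. The thresholds and helper names are assumptions of this example; the field names `id`, `appId`, `displayName`, `keyId`, `startDateTime` and `endDateTime` follow the Microsoft Graph objects the CLI returns and should be confirmed against your tenant's output.

```python
"""Audit service-principal credentials for expiry and lifetime (added example).

Reports credentials that are expired, expire within WARN_DAYS, or were issued
for longer than MAX_LIFETIME_DAYS, plus principals with no credential at all.
"""
import json
import re
import subprocess
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

WARN_DAYS = 30            # policy thresholds: assumptions of this example
MAX_LIFETIME_DAYS = 366   # roughly the --years 1 default of create-for-rbac


def az_json(*args: str):
    """Run an az command and parse its JSON output (needs a logged-in az)."""
    proc = subprocess.run(["az", *args, "--output", "json"],
                          capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


def _ts(value: str) -> datetime:
    """Parse a Graph ISO 8601 timestamp; trims >6 fractional digits and a trailing Z."""
    value = re.sub(r"\.(\d{6})\d+", r".\1", value).replace("Z", "+00:00")
    return datetime.fromisoformat(value)


def classify_credential(cred: dict, now: datetime) -> List[str]:
    """Findings for one credential; an empty list means it is within policy."""
    start, end = _ts(cred["startDateTime"]), _ts(cred["endDateTime"])
    findings: List[str] = []
    if end <= now:
        findings.append("expired")
    elif end - now <= timedelta(days=WARN_DAYS):
        findings.append("expires-soon")
    if end - start > timedelta(days=MAX_LIFETIME_DAYS):
        findings.append("lifetime-exceeds-policy")
    return findings


Row = Tuple[str, str, str, str, List[str]]  # displayName, appId, kind, keyId, findings


def audit(sps: List[dict], creds_by_sp: Dict[str, Dict[str, List[dict]]],
          now: datetime) -> List[Row]:
    """creds_by_sp maps an SP object id to {"password": [...], "cert": [...]}."""
    rows: List[Row] = []
    for sp in sps:
        creds = creds_by_sp.get(sp["id"], {})
        seen = 0
        for kind in ("password", "cert"):
            for cred in creds.get(kind, []):
                seen += 1
                findings = classify_credential(cred, now)
                if findings:
                    rows.append((sp["displayName"], sp["appId"], kind, cred["keyId"], findings))
        if seen == 0:
            # A principal nobody can authenticate as is usually forgotten, not harmless.
            rows.append((sp["displayName"], sp["appId"], "none", "", ["no-credential"]))
    return rows


# Constructed sample (not a real tenant) with a fixed clock so results are stable.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_SPS = [
    {"id": "sp-a", "appId": "aaaaaaaa-0000-0000-0000-000000000001", "displayName": "ci-deployer"},
    {"id": "sp-b", "appId": "bbbbbbbb-0000-0000-0000-000000000002", "displayName": "legacy-reporting"},
    {"id": "sp-c", "appId": "cccccccc-0000-0000-0000-000000000003", "displayName": "orphaned-app"},
]
SAMPLE_CREDS = {
    "sp-a": {"password": [{"keyId": "k1", "startDateTime": "2025-01-01T00:00:00Z",
                           "endDateTime": "2025-06-15T00:00:00Z"}],
             "cert": [{"keyId": "k2", "startDateTime": "2025-05-01T00:00:00Z",
                       "endDateTime": "2026-05-01T00:00:00Z"}]},
    "sp-b": {"password": [{"keyId": "k3", "startDateTime": "2023-01-01T00:00:00+00:00",
                           "endDateTime": "2025-01-01T00:00:00+00:00"}], "cert": []},
    "sp-c": {"password": [], "cert": []},
}

if __name__ == "__main__":
    sps = az_json("ad", "sp", "list", "--show-mine")
    creds = {sp["id"]: {"password": az_json("ad", "sp", "credential", "list", "--id", sp["id"]),
                        "cert": az_json("ad", "sp", "credential", "list", "--id", sp["id"], "--cert")}
             for sp in sps}
    for row in audit(sps, creds, datetime.now(timezone.utc)):
        print(*row[:4], ",".join(row[4]), sep="\t")
```

`--show-mine` keeps the live run to principals you own; a tenant-wide sweep needs `--all` (slow in a large directory) or a narrowing `--filter`, and the credential listing is one call per principal, so batch or throttle it accordingly.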
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
| Property | Value |
|---|---|
| Default value: | False |
--help -h
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
| Property | Value |
|---|---|
| Default value: | False |
--output -o
Output format.
| Property | Value |
|---|---|
| Default value: | json |
| Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
| Property | Value |
|---|---|
| Default value: | False |
az ad sp show
Get the details of a service principal.
az ad sp show --id
Examples
Get the details of a service principal with appId.
az ad sp show --id 00000000-0000-0000-0000-000000000000
Get the details of a service principal with id.
az ad sp show --id 00000000-0000-0000-0000-000000000000
Get the details of a service principal with identifier URI.
az ad sp show --id api://myapp
Required Parameters
--id
Service principal name, or object id.
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
| Property | Value |
|---|---|
| Default value: | False |
--help -h
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
| Property | Value |
|---|---|
| Default value: | False |
--output -o
Output format.
| Property | Value |
|---|---|
| Default value: | json |
| Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
| Property | Value |
|---|---|
| Default value: | False |
az ad sp update
Update a service principal.
az ad sp update --id
                [--add]
                [--force-string]
                [--remove]
                [--set]
Examples
Update a service principal. (autogenerated)
az ad sp update --id 00000000-0000-0000-0000-000000000000 --set groupMembershipClaims=All
Required Parameters
--id
Service principal name, or object id.
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
--add
Add an object to a list of objects by specifying a path and key value pairs. Example: --add property.listProperty <key=value, string or JSON string>.
| Property | Value | 
|---|---|
| Parameter group: | Generic Update Arguments | 
| Default value: | [] | 
--force-string
When using 'set' or 'add', preserve string literals instead of attempting to convert to JSON.
| Property | Value | 
|---|---|
| Parameter group: | Generic Update Arguments | 
| Default value: | False | 
--remove
Remove a property or an element from a list. Example: --remove property.list <indexToRemove> OR --remove propertyToRemove.
| Property | Value | 
|---|---|
| Parameter group: | Generic Update Arguments | 
| Default value: | [] | 
--set
Update an object by specifying a property path and value to set. Example: --set property1.property2=<value>.
| Property | Value | 
|---|---|
| Parameter group: | Generic Update Arguments | 
| Default value: | [] | 
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
| Property | Value |
|---|---|
| Default value: | False |
--help -h
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
| Property | Value |
|---|---|
| Default value: | False |
--output -o
Output format.
| Property | Value |
|---|---|
| Default value: | json |
| Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
| Property | Value |
|---|---|
| Default value: | False |