az ad sp credential
Manage a service principal's password or certificate credentials.
Commands
| Name | Description | Type | Status | 
|---|---|---|---|
| az ad sp credential delete | Delete a service principal's password or certificate credentials. | Core | GA | 
| az ad sp credential list | List a service principal's password or certificate credential metadata. (The content of the password or certificate credential is not retrievable.) | Core | GA | 
| az ad sp credential reset | Reset a service principal's password or certificate credentials. | Core | GA | 
az ad sp credential delete
Delete a service principal's password or certificate credentials.
az ad sp credential delete --id
                           --key-id
                           [--cert]
Examples
Delete a service principal's password credential
az ad sp credential delete --id 00000000-0000-0000-0000-000000000000 --key-id xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Delete a service principal's certificate credential
az ad sp credential delete --id 00000000-0000-0000-0000-000000000000 --key-id xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx --cert
Required Parameters
--id
Service principal name, or object id.
--key-id
Credential key id.
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
--cert
Operate on certificate credentials.
| Property | Value | 
|---|---|
| Default value: | False | 
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
| Property | Value | 
|---|---|
| Default value: | False | 
--help -h
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
| Property | Value | 
|---|---|
| Default value: | False | 
--output -o
Output format.
| Property | Value | 
|---|---|
| Default value: | json | 
| Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc | 
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
| Property | Value | 
|---|---|
| Default value: | False | 
az ad sp credential list
List a service principal's password or certificate credential metadata. (The content of the password or certificate credential is not retrievable.)
az ad sp credential list --id
                         [--cert]
Examples
List a service principal's password credentials
az ad sp credential list --id 00000000-0000-0000-0000-000000000000
List a service principal's certificate credentials
az ad sp credential list --id 00000000-0000-0000-0000-000000000000 --cert
Required Parameters
--id
Service principal name, or object id.
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
--cert
Operate on certificate credentials.
| Property | Value | 
|---|---|
| Default value: | False | 
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
| Property | Value | 
|---|---|
| Default value: | False | 
--help -h
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
| Property | Value | 
|---|---|
| Default value: | False | 
--output -o
Output format.
| Property | Value | 
|---|---|
| Default value: | json | 
| Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc | 
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
| Property | Value | 
|---|---|
| Default value: | False | 
az ad sp credential reset
Reset a service principal's password or certificate credentials.
By default, this command clears all passwords and keys, and lets the Graph service generate a password credential.
The output includes credentials that you must protect. Be sure that you do not include these credentials in your code or check the credentials into your source control. As an alternative, consider using managed identities if available to avoid the need to use credentials.
az ad sp credential reset --id
                          [--append]
                          [--cert]
                          [--create-cert]
                          [--display-name]
                          [--end-date]
                          [--keyvault]
                          [--years]
Examples
Reset a service principal's credential with a password
az ad sp credential reset --id 00000000-0000-0000-0000-000000000000
Reset a service principal's credential with a new self-signed certificate
az ad sp credential reset --id 00000000-0000-0000-0000-000000000000 --create-cert
Append a certificate to the service principal with the certificate string.
az ad sp credential reset --id 00000000-0000-0000-0000-000000000000 --cert "MIICoT..." --append
Append a certificate to the service principal with the certificate file.
az ad sp credential reset --id 00000000-0000-0000-0000-000000000000 --cert "@~/cert.pem" --append
`cert.pem` contains the following content
-----BEGIN CERTIFICATE-----  <<< this line is optional
MIICoT...
-----END CERTIFICATE-----    <<< this line is optional
Required Parameters
--id
Service principal name, or object id.
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
--append
Append the new credential instead of overwriting.
| Property | Value | 
|---|---|
| Parameter group: | Credential Arguments | 
| Default value: | False | 
--cert
Certificate to use for credentials. When used with --keyvault, indicates the name of the cert to use or create. Otherwise, supply a PEM or DER formatted public certificate string. Use @{path} to load from a file. Do not include the private key.
| Property | Value | 
|---|---|
| Parameter group: | keyCredential Arguments | 
--create-cert
Create a self-signed certificate to use for the credential. Only the current OS user has read/write permission to this certificate. Use with --keyvault to create the certificate in Key Vault. Otherwise, a certificate will be created locally.
| Property | Value | 
|---|---|
| Parameter group: | keyCredential Arguments | 
| Default value: | False | 
--display-name
Friendly name for the credential.
| Property | Value | 
|---|---|
| Parameter group: | Credential Arguments | 
--end-date
Finer grain of expiry time if '--years' is insufficient, e.g. '2020-12-31T11:59:59+00:00' or '2299-12-31'.
| Property | Value | 
|---|---|
| Parameter group: | Credential Arguments | 
--keyvault
Name or ID of a KeyVault to use for creating or retrieving certificates.
| Property | Value | 
|---|---|
| Parameter group: | keyCredential Arguments | 
--years
Number of years for which the credentials will be valid. Default: 1 year.
| Property | Value | 
|---|---|
| Parameter group: | Credential Arguments | 
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
| Property | Value | 
|---|---|
| Default value: | False | 
--help -h
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
| Property | Value | 
|---|---|
| Default value: | False | 
--output -o
Output format.
| Property | Value | 
|---|---|
| Default value: | json | 
| Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc | 
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
| Property | Value | 
|---|---|
| Default value: | False |
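
Because `az ad sp credential reset` clears all passwords and keys by default and prints the new credential, a rotation usually appends first and retires old key ids later. The script below is an added example, not part of the Azure CLI documentation; the function names are hypothetical, and the `keyId` and `password` fields of the command output are assumptions.

```bash
# Added example: two-step password rotation with the commands on this page.
# Function names are hypothetical; output fields keyId/password are assumed.

# Step 1: append a new password and store it in an owner-only file.
# Prints the key ids that existed before the rotation, one per line.
sp_append_password() {
    _sp=$1      # service principal name or object id
    _file=$2    # destination for the new secret
    _end=$3     # value for --end-date, e.g. 2299-12-31

    # Record existing password key ids before anything changes.
    _old=$(az ad sp credential list --id "$_sp" \
               --query "[].keyId" -o tsv) || return 1

    # --append keeps the credentials that callers still use; without it
    # reset clears every existing password and key.
    # The secret goes straight to a 0600 file, never to the terminal.
    ( umask 077
      rm -f -- "$_file"
      az ad sp credential reset --id "$_sp" --append \
          --display-name "rotation" --end-date "$_end" \
          --query password -o tsv > "$_file" ) || return 1

    # An empty file means no secret was returned; stop before retiring keys.
    [ -s "$_file" ] || return 1
    printf '%s\n' "$_old"
}

# Step 2: once consumers use the new secret, delete the old key ids.
sp_retire_keys() {
    _sp=$1
    shift
    for _key in "$@"; do
        az ad sp credential delete --id "$_sp" --key-id "$_key" || return 1
    done
}
```

Run step 1, deploy the secret file to the consuming service, then pass the printed key ids to `sp_retire_keys`; certificate credentials would need `--cert` on both the list and delete calls.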