Create azure service principal using azure cli commands


Before starting to this post please go through Azure Service Principal and Azure Resource Manager which I had written before. In yesterday’s post, I explained how to create azure service principal or app registration using azure portal user interface step by step. This post is written to explain same steps using Azure CLI commands to provision resource group and service principal creation. I would only cover first six steps from my previous post.


1. Azure Account with Subscription
2. Your role should be Administrator


Before starting hands on, I’d recommend you to follow azure naming conventions. I’m currently in process to write separate post on azure resources naming conventions, so be patient. At this moment, I’d advise you to go through Azure naming conventions defined by Microsoft.

In this post I’m following below naming conventions for azure resource creation.

Azure Resource Naming Convention Example
Azure Resource Manager rg-<application name>-<environment>-<short location> rg-csharpdocs-d-eus
Service Principal sp-<application name>-<environment>-<short location> sp-csharpdocs-d-eus

Get Started:

Before starting to this exercise, I’d recommend you to create notepad with below details

1. Navigate to
2. Sign in with your credentials
3. Navigate to Azure shell in browsers new tab using
4. Create Azure resource group

# Create azure resource group 
az group create --name 'rg-csharpdocs-d-eus' \
                --location 'eastus' \
                --subscription 'Free Trial' \
                --tags "Environment=Deleopment" "Purpose=Demonstration" "Type=Learning" \
                --output table \

5. Verify newly created resource group

4. Now, Register application(Create Service Principal) with Azure Active Directory. The below Azure CLI command will create service principal and secret both.

It is always good to restrict service principal permission to only allow access to the minimal set of resources. Set the –role to reader instead of contributor if you only need read access. Also you can use the –scope argument to limit the scope to only allow management of a single resource group.

In following CLI Command, I am restricting service principal to contribute(read/write) permission to one azure resource group only and the expiration of service principal would be 1 year from date of creation. If you remove –years parameters then it would never expire

# Create service principal with roles, subscription, resource group
az ad sp create-for-rbac --name 'sp-csharpdocs-d-eus' \
                         --role contributor \
                         --scopes /subscriptions/{subscriptionid}/resourceGroups/rg-csharpdocs-d-eus \
                         --years 1 --output table \

5. Verify newly created service principal. Note details in notepad.

6. Note secret of newly created. This would be one time visible. Note details in notepad and keep for future reference. If you forget secret then you have to regenerate it.

7. Done!! You have successfully created service principal for your application.


The Azure CLI or Azure Powershell enables you to automate azure infrastructure provisioning using Infrastructure as a Code in Azure DevOps. Azure CLI commands enables to create azure resource without any hard work, Isn’t it ??

In my next articles, I will explain how to use Infrastructure as a Code in Azure DevOps to automate azure resource provisioning. In order to provision resource from Azure DevOps you need to create Azure resource manager service connection in Azure DevOps. Hence we will use all information noted in notepad to create it.

Leave a Reply