az ad sp create-for-rbac: CI Credentials & Errors
Create a service principal with a scoped role for CI authentication.
az ad sp create-for-rbac creates an Azure AD service principal and assigns it an RBAC role, producing the client ID, secret, and tenant a pipeline uses to authenticate - though OIDC federation is now preferred.
What it does
The command registers an app/service principal and, with --role and --scopes, grants it a role at a specific scope. It outputs appId (client ID), password (client secret), and tenant. For keyless CI, you instead create the SP and add a federated credential, then authenticate via OIDC rather than the secret.
Common usage
# Create an SP scoped to one resource group (least privilege)
az ad sp create-for-rbac \
--name ci-deployer \
--role Contributor \
--scopes /subscriptions/SUB_ID/resourceGroups/my-rg
# Output: { "appId": "...", "password": "...", "tenant": "..." }
# Map these to AZURE_CLIENT_ID / AZURE_CLIENT_SECRET / AZURE_TENANT_IDCommon error in CI: over-broad scope / expired secret / insufficient AAD privileges
Teams create an SP with no --scopes (defaulting to the whole subscription as Contributor - far too broad), then later hit "AADSTS7000215: Invalid client secret" when the auto-generated secret expires, or creation itself fails with "Insufficient privileges to complete the operation" when the caller cannot create app registrations. Fix: always pass --role and a narrow --scopes (a resource group, not the subscription); track secret expiry and rotate, or move to OIDC federated credentials (az ad app federated-credential create) so there is no secret. App registration requires Application Administrator / appropriate AAD rights.
Key options
| Option | Purpose |
|---|---|
| --name | Display name for the SP |
| --role | RBAC role to assign (e.g. Contributor) |
| --scopes | Resource scope(s) for the role |
| --years | Secret validity period |
| (output) appId/password/tenant | Client ID / secret / tenant |