
How to Create and Use an Azure Service Principal for Non‑Interactive CLI Login

This guide explains how to create an Azure Service Principal with the Azure CLI, extract its credentials using jq, and log in to Azure non‑interactively via the CLI, covering required parameters, role selection, and verification commands.

DevOps Coach

Background

In Azure DevOps pipelines, command‑line tools must authenticate to Azure without user interaction. Using a Service Principal (SP) enables programmatic, non‑interactive login.

Prerequisites

Install the Azure CLI and define the subscription ID and resource‑group name as environment variables ${SUBSCRIPTION} and ${RESOURCE_GROUP}.

Create a Service Principal

Run the following Azure CLI command to create an SP with the Contributor role scoped to a specific resource group:

az ad sp create-for-rbac \
  --name azure-sp-4-devops \
  --role Contributor \
  --scopes /subscriptions/${SUBSCRIPTION}/resourceGroups/${RESOURCE_GROUP}

Parameter details:

--name: a meaningful identifier for the SP.
--role: the role to assign (use the least‑privilege role, e.g., Contributor, not Owner).
--scopes: the scope of the SP; you can use the subscription level (/subscriptions/${SUBSCRIPTION}) if the SP must operate across resource groups.

The command returns JSON similar to:

{
  "appId": "3930xxxx-xxxx-xxxx-xxxx-xxxxd0e2xxxx",
  "displayName": "azure-sp-4-devops",
  "password": "eKxxxxxxxxxxxxxxxxxxxxxxxxxxxxX",
  "tenant": "21d7xx-xxxxxx-xxxxxxx-xxxxxxx-xxxxxx55"
}

Extract Credentials

Store the JSON output and extract the fields with jq to avoid manual copy‑paste:

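# Capture the JSON so the secret is never copied by hand.
# Note: this scope is the whole subscription; append
# /resourceGroups/${RESOURCE_GROUP} to limit it to one resource group.
SERVICE_PRINCIPAL_JSON=$(az ad sp create-for-rbac \
  --name aks-getting-started-sp \
  --role Contributor \
  --scopes "/subscriptions/${SUBSCRIPTION}" -o json)
# Quote the variable so the shell does not word-split or glob the JSON.
SERVICE_PRINCIPAL=$(echo "$SERVICE_PRINCIPAL_JSON" | jq -r '.appId')
SERVICE_PRINCIPAL_SECRET=$(echo "$SERVICE_PRINCIPAL_JSON" | jq -r '.password')
TENANT_ID=$(echo "$SERVICE_PRINCIPAL_JSON" | jq -r '.tenant')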

Login Non‑Interactively

Use the extracted values to log in to Azure:

# Quote each value so an empty or unusual string cannot shift the arguments.
az login \
  --service-principal \
  --tenant "$TENANT_ID" \
  --username "$SERVICE_PRINCIPAL" \
  --password "$SERVICE_PRINCIPAL_SECRET" \
  --output table

If the credentials are correct, Azure prints a table with the current account, subscription, and tenant information.

Verify Login

Confirm the active account with:

az account show

The output displays the logged‑in account’s name, tenant ID, subscription ID, and state.
