Use an Azure service principal with certificate-based authentication

When creating a service principal, you choose the type of sign-in authentication it uses. There are two types of authentication available for Azure service principals: password-based authentication and certificate-based authentication.

We recommend using certificate-based authentication due to the security restrictions of password-based authentication. Certificate-based authentication enables you to adopt a phishing resistant authentication by using conditional access policies, which better protects Azure resources. To learn more about why certificate-based authentication is more secure, see Microsoft Entra certificate-based authentication.

This step in the tutorial explains how to use a service principal certificate to access an Azure resource.

Create a service principal containing a new certificate

To create a self-signed certificate for authentication, use the --create-cert parameter:

az ad sp create-for-rbac --name myServicePrincipalName \
                         --role roleName \
                         --scopes /subscriptions/mySubscriptionID/resourceGroups/myResourceGroupName \
                         --create-cert

Console output:

{
  "appId": "myServicePrincipalID",
  "displayName": "myServicePrincipalName",
  "fileWithCertAndPrivateKey": "certFilePath\certFileName.pem",
  "password": null,
  "tenant": "myOrganizationTenantID"
}

Unless you store the certificate in Key Vault, the output includes the fileWithCertAndPrivateKey key. This key's value tells you where the generated certificate is stored. Copy the certificate to a secure location. The certificate contains the private key and the public certificate that can be used in az login. If you lose access to a certificate's private key, reset the service principal credentials.

The contents of a PEM file can be viewed with a text editor. Here's a PEM file example:

-----BEGIN PRIVATE KEY-----
MIIEvQ...
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIICoT...
-----END CERTIFICATE-----

Create a service principal using an existing certificate

Create a service principal with an existing certificate by using the --cert parameter. Any tool that uses this service principal must have access to the certificate's private key. Certificates should be in an ASCII format such as PEM, CER, or DER. Pass the certificate as a string, or use the @path format to load the certificate from a file. When uploading a certificate, only the public certificate is needed. For optimal security, do not include the private key. The -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines are optional.

# create a service principal with the certificate as a string
az ad sp create-for-rbac --name myServicePrincipalName \
                         --role roleName \
                         --scopes /subscriptions/mySubscriptionID/resourceGroups/myResourceGroupName \
                         --cert "MIICoT..."

# or provide -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines
az ad sp create-for-rbac --name myServicePrincipalName \
                         --role roleName \
                         --scopes /subscriptions/mySubscriptionID/resourceGroups/myResourceGroupName \
                         --cert "-----BEGIN CERTIFICATE-----
MIICoT...
-----END CERTIFICATE-----"
# create a service principal with the certificate file location
az ad sp create-for-rbac --name myServicePrincipalName \
                         --role roleName \
                         --scopes /subscriptions/mySubscriptionID/resourceGroups/myResourceGroupName \
                         --cert @/path/to/cert.pem

Here's a PEM file example for uploading:

-----BEGIN CERTIFICATE-----
MIICoT...
-----END CERTIFICATE-----

Work with Azure Key Vault

The --keyvault parameter can be added to create or retrieve certificates in Azure Key Vault. When you use the --keyvault parameter, the --cert parameter is also required. In this example, the --cert value is the name of the certificate.

# Create a service principal storing the certificate in Azure Key Vault
az ad sp create-for-rbac --name myServicePrincipalName \
                         --role roleName \
                         --scopes /subscriptions/mySubscriptionID/resourceGroups/myResourceGroupName \
                         --create-cert \
                         --cert myCertificateName \
                         --keyvault myVaultName
# Create a service principal using an existing certificate in Azure Key Vault
az ad sp create-for-rbac --name myServicePrincipalName \
                         --role roleName \
                         --scopes /subscriptions/mySubscriptionID/resourceGroups/myResourceGroupName \
                         --cert myCertificateName \
                         --keyvault myVaultName

Retrieve a certificate from Azure Key Vault

For a certificate stored in Azure Key Vault, retrieve the certificate with its private key with az keyvault secret show and convert it to a PEM file. In Azure Key Vault, the name of the certificate's secret is the same as the certificate name.

az keyvault secret download --file /path/to/cert.pfx \
                            --vault-name VaultName \
                            --name CertName \
                            --encoding base64
openssl pkcs12 -in cert.pfx -passin pass: -passout pass: -out cert.pem -nodes

Convert an existing PKCS12 file

If you already have a PKCS#12 file, you can convert it to PEM format using OpenSSL. If you have a password, change the passin argument.

openssl pkcs12 -in fileName.p12 -clcerts -nodes -out fileName.pem -passin pass: -passout pass:

Append a certificate to a service principal

Use the --append parameter in az ad sp credential reset to append a certificate to an existing service principal. By default, this command clears all passwords and keys so use carefully.

az ad sp credential reset --id myServicePrincipalID \
                          --append \
                          --cert @/path/to/cert.pem

Console output:

Certificate expires yyyy-mm-dd hh:mm:ss+00:00. Adjusting key credential end date to match.
The output includes credentials that you must protect. Be sure that you do not include these credentials in your code or check the credentials into your source control. For more information, see https://aka.ms/azadsp-cli
{
  "appId": "myServicePrincipalID",
  "password": null,
  "tenant": "myOrganizationTenantID"
}

Sign in with a service principal using a certificate

To sign in with a certificate, the certificate must be available locally as a PEM or DER file in ASCII format. PKCS#12 files (.p12/.pfx) don't work. When you use a PEM file, the PRIVATE KEY and CERTIFICATE must be appended together within the file. You don't need to prefix the path with an @ like you do with other az commands.

az login --service-principal --username APP_ID --certificate /path/to/cert.pem --tenant TENANT_ID

Next Steps

Now that you've learned how to work with service principals using a certificate, proceed to the next step to learn how to retrieve an existing service principal.