From ae7cab637591365cf31d707c0e95945c1364da7b Mon Sep 17 00:00:00 2001 From: Qinkai Wu Date: Wed, 19 Nov 2025 14:48:55 +1100 Subject: [PATCH 1/7] Add warning about potential credential loss when using non-unique display names in `az ad sp create-for-rbac` --- src/azure-cli/azure/cli/command_modules/role/_help.py | 5 +++++ src/azure-cli/azure/cli/command_modules/role/custom.py | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/src/azure-cli/azure/cli/command_modules/role/_help.py b/src/azure-cli/azure/cli/command_modules/role/_help.py index 2163325534a..c0ec94fe4c7 100644 --- a/src/azure-cli/azure/cli/command_modules/role/_help.py +++ b/src/azure-cli/azure/cli/command_modules/role/_help.py @@ -520,6 +520,11 @@ Create an application and its associated service principal, optionally configure the service principal's RBAC role assignments. long-summary: >- + **IMPORTANT**: The `az ad sp create-for-rbac` command can modify an existing application or service principal if + another object shares the same **display name**. Display names aren't unique and can change, which + could result in credential loss or incorrect RBAC assignments. Use a **unique object ID or app ID** instead. + + The output includes credentials that you must protect. Be sure that you do not include these credentials in your code or check the credentials into your source control. As an alternative, consider using [managed identities](https://aka.ms/azadsp-managed-identities) if available to avoid the need to use credentials. diff --git a/src/azure-cli/azure/cli/command_modules/role/custom.py b/src/azure-cli/azure/cli/command_modules/role/custom.py index a36dbaf2bf9..00a398dcc54 100644 --- a/src/azure-cli/azure/cli/command_modules/role/custom.py +++ b/src/azure-cli/azure/cli/command_modules/role/custom.py 
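Review bot: The remediation sentence added to the `ad sp create-for-rbac` long-summary, `Use a unique object ID or app ID instead.`, is not something the reader can act on — the same paragraph says the match happens on display name, and a create operation has no pre-existing object ID or app ID to supply. Say what the user can actually do, e.g. `If an application with this display name already exists, choose a display name that is not in use, or check first with az ad app list --display-name.` (presumably the same display-name lookup the command performs internally — confirm). It would also help to state plainly that the existing application is patched in place rather than the vaguer `can modify`. The `helps[...]` string this hunk edits starts and ends outside the hunk.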
@@ -1145,6 +1145,11 @@ def create_service_principal_for_rbac( show_auth_in_json=None, skip_assignment=False, keyvault=None): import time + logger.warning("The `az ad sp create-for-rbac` command can modify an existing application or service principal " + "if another object shares the same **display name**. Display names aren't unique and can change, " + "which could result in credential loss or incorrect RBAC assignments. " + "Use a **unique object ID or app ID** instead.") + if role and not scopes or not role and scopes: raise ArgumentUsageError("Usage error: To create role assignments, specify both --role and --scopes.") From 1ef56fae9de06de05c63b265db55d509ced193e7 Mon Sep 17 00:00:00 2001 From: Qinkai Wu Date: Wed, 19 Nov 2025 15:22:31 +1100 Subject: [PATCH 2/7] Add warning about credential loss due to non-unique display names in `az ad sp create-for-rbac` --- src/azure-cli/azure/cli/command_modules/role/_help.py | 4 ++++ src/azure-cli/azure/cli/command_modules/role/custom.py | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/src/azure-cli/azure/cli/command_modules/role/_help.py b/src/azure-cli/azure/cli/command_modules/role/_help.py index c0ec94fe4c7..228b5ffd9b5 100644 --- a/src/azure-cli/azure/cli/command_modules/role/_help.py +++ b/src/azure-cli/azure/cli/command_modules/role/_help.py @@ -508,6 +508,10 @@ helps['ad sp create'] = """ type: command short-summary: Create a service principal. +long-summary: >- + **IMPORTANT**: The `az ad sp create` command can modify an existing application or service principal if + another object shares the same **display name**. Display names aren't unique and can change, which + could result in credential loss or incorrect RBAC assignments. Use a **unique object ID or app ID** instead. examples: - name: Create a service principal. (autogenerated) text: az ad sp create --id 00000000-0000-0000-0000-000000000000 
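Review bot: The new `logger.warning` at the top of `create_service_principal_for_rbac` fires on every invocation, before the `--role`/`--scopes` usage check and regardless of whether any object with the same display name exists, so it is noise for the common case and never tells the operator that a collision actually occurred. Emit it only on the path where an existing application is found and is about to be patched, together with the matched object's id so the operator can tell whether it is theirs. The `**display name**` / `**unique object ID or app ID**` markdown tokens render literally in a terminal, and `Use a unique object ID or app ID instead` is not actionable for a create command driven by a display name. The function body continues outside the hunk.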
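Review bot: The long-summary added to `helps['ad sp create']` warns about display-name collisions, but the example kept two lines below, `az ad sp create --id 00000000-0000-0000-0000-000000000000`, shows this command is driven by `--id`, not a display name, so the warning describes a risk this command does not have in the form stated. Either drop it here or reword it to whatever `--id` actually resolves against (application ID, object ID or identifier URI — confirm against `_create_service_principal`). If kept, the trailing `Use a unique object ID or app ID instead.` merely restates what the example already shows.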
diff --git a/src/azure-cli/azure/cli/command_modules/role/custom.py b/src/azure-cli/azure/cli/command_modules/role/custom.py index 00a398dcc54..097fb11ba47 100644 --- a/src/azure-cli/azure/cli/command_modules/role/custom.py +++ b/src/azure-cli/azure/cli/command_modules/role/custom.py @@ -1017,6 +1017,10 @@ def app_federated_credential_delete(client, app_identifier, federated_identity_c def create_service_principal(cmd, identifier): + logger.warning("The `az ad sp create` command can modify an existing application or service principal " + "if another object shares the same **display name**. Display names aren't unique and can change, " + "which could result in credential loss or incorrect RBAC assignments. " + "Use a **unique object ID or app ID** instead.") return _create_service_principal(cmd.cli_ctx, identifier) From 1df40d46b4542b56036830e50af98c29e7149f79 Mon Sep 17 00:00:00 2001 From: Qinkai Wu Date: Wed, 19 Nov 2025 15:23:27 +1100 Subject: [PATCH 3/7] Refine warning about credential loss in `az ad sp create` and `az ad sp create-for-rbac` commands for non-unique display names --- src/azure-cli/azure/cli/command_modules/role/custom.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/azure-cli/azure/cli/command_modules/role/custom.py b/src/azure-cli/azure/cli/command_modules/role/custom.py index 097fb11ba47..b919842fa2d 100644 --- a/src/azure-cli/azure/cli/command_modules/role/custom.py +++ b/src/azure-cli/azure/cli/command_modules/role/custom.py 
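Review bot: `create_service_principal(cmd, identifier)` receives an `identifier`, not a display name, yet the new unconditional `logger.warning` tells every caller that the command `can modify an existing application or service principal if another object shares the same display name`; unless `_create_service_principal` resolves `identifier` by display name (not visible here) the message is inaccurate for this code path, and it is printed even when nothing is modified. If a warning belongs here at all it should come from the resolution step that actually finds a pre-existing object, with that object's id in the text. Otherwise keep the wrapper as a plain `return _create_service_principal(cmd.cli_ctx, identifier)`.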
@@ -1018,9 +1018,9 @@ def app_federated_credential_delete(client, app_identifier, federated_identity_c def create_service_principal(cmd, identifier): logger.warning("The `az ad sp create` command can modify an existing application or service principal " - "if another object shares the same **display name**. Display names aren't unique and can change, " + "if another object shares the same display name. Display names aren't unique and can change, " "which could result in credential loss or incorrect RBAC assignments. " - "Use a **unique object ID or app ID** instead.") + "Use a unique object ID or app ID instead.") return _create_service_principal(cmd.cli_ctx, identifier) @@ -1150,9 +1150,9 @@ def create_service_principal_for_rbac( import time logger.warning("The `az ad sp create-for-rbac` command can modify an existing application or service principal " - "if another object shares the same **display name**. Display names aren't unique and can change, " + "if another object shares the same display name. Display names aren't unique and can change, " "which could result in credential loss or incorrect RBAC assignments. " - "Use a **unique object ID or app ID** instead.") + "Use a unique object ID or app ID instead.") if role and not scopes or not role and scopes: raise ArgumentUsageError("Usage error: To create role assignments, specify both --role and --scopes.") From f2504ecb91bf624379caccf05a956c7a5f23e300 Mon Sep 17 00:00:00 2001 From: Qinkai Wu Date: Mon, 24 Nov 2025 13:38:26 +1100 Subject: [PATCH 4/7] Modify warnings about credential loss due to non-unique display names in `az ad app create` and `az ad sp create-for-rbac` commands --- .../azure/cli/command_modules/role/_help.py | 15 ++++++++++----- .../azure/cli/command_modules/role/custom.py | 16 +++++++--------- 2 files changed, 17 insertions(+), 14 deletions(-) 
diff --git a/src/azure-cli/azure/cli/command_modules/role/_help.py b/src/azure-cli/azure/cli/command_modules/role/_help.py index 228b5ffd9b5..85824853c64 100644 --- a/src/azure-cli/azure/cli/command_modules/role/_help.py +++ b/src/azure-cli/azure/cli/command_modules/role/_help.py @@ -22,7 +22,14 @@ helps['ad app create'] = """ type: command short-summary: Create an application. -long-summary: For more detailed documentation, see https://learn.microsoft.com/graph/api/resources/application +long-summary: >- + **IMPORTANT**: The `az ad app create` command can modify an existing application or service principal if + another object shares the same **display name**. Display names aren't unique and can change, which + could result in credential loss or incorrect RBAC assignments. Use a **unique object ID or app ID** instead. + For more details, see https://go.microsoft.com/fwlink/?linkid=2342455. + + + For more detailed documentation, see https://learn.microsoft.com/graph/api/resources/application examples: - name: Create an application. text: | @@ -508,10 +515,7 @@ helps['ad sp create'] = """ type: command short-summary: Create a service principal. -long-summary: >- - **IMPORTANT**: The `az ad sp create` command can modify an existing application or service principal if - another object shares the same **display name**. Display names aren't unique and can change, which - could result in credential loss or incorrect RBAC assignments. Use a **unique object ID or app ID** instead. +long-summary: examples: - name: Create a service principal. (autogenerated) text: az ad sp create --id 00000000-0000-0000-0000-000000000000 
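Review bot: The new `ad app create` long-summary says the command `can modify an existing application or service principal`, but the command creates an application, and as far as this patch shows `create_application` only looks up and patches `existing_apps`; naming service principals and `incorrect RBAC assignments` overstates what this command touches unless a further step exists elsewhere. `Use a unique object ID or app ID instead.` is likewise not an option for a command whose input is `display_name`. Suggested wording: `WARNING: If an application with the same display name already exists, this command patches that application in place instead of creating a new one. Display names are not unique; choose a name that is not already in use.` The `helps['ad app create']` string starts and ends outside the hunk.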
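Review bot: Replacing the `ad sp create` long-summary with a bare `long-summary:` leaves a key with a null value in the help YAML instead of removing the field; depending on how the help loader treats `None` it may render literally or be silently ignored, and either way it is dead configuration. Delete the `long-summary:` line outright so the entry goes back to `short-summary` followed directly by `examples`.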
@@ -527,6 +531,7 @@ **IMPORTANT**: The `az ad sp create-for-rbac` command can modify an existing application or service principal if another object shares the same **display name**. Display names aren't unique and can change, which could result in credential loss or incorrect RBAC assignments. Use a **unique object ID or app ID** instead. + For more details, see https://go.microsoft.com/fwlink/?linkid=2342455. The output includes credentials that you must protect. Be sure that you do not include these credentials diff --git a/src/azure-cli/azure/cli/command_modules/role/custom.py b/src/azure-cli/azure/cli/command_modules/role/custom.py index b919842fa2d..d0c672e8059 100644 --- a/src/azure-cli/azure/cli/command_modules/role/custom.py +++ b/src/azure-cli/azure/cli/command_modules/role/custom.py @@ -604,6 +604,13 @@ def create_application(cmd, client, display_name, identifier_uris=None, # JSON properties app_roles=None, optional_claims=None, required_resource_accesses=None): # pylint:disable=too-many-locals + + logger.warning(f"The `az {cmd.name}` command can modify an existing application or service principal " + "if another object shares the same display name. Display names aren't unique and can change, " + "which could result in credential loss or incorrect RBAC assignments. " + "Use a unique object ID or app ID instead. For more details, " + "see https://go.microsoft.com/fwlink/?linkid=2342455.") + graph_client = _graph_client_factory(cmd.cli_ctx) existing_apps = list_applications(cmd, client, display_name=display_name) 
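Review bot: The new warning in `create_application` uses an f-string inside `logger.warning` (`f"The `az {cmd.name}` command ..."`), which formats eagerly and bypasses the logger's lazy `%s` formatting — pass `cmd.name` as an argument instead. More importantly it is unconditional: two lines below, `existing_apps = list_applications(cmd, client, display_name=display_name)` already determines whether a collision exists, so the warning should be emitted only when that list is non-empty, next to the id of the application about to be patched. `Use a unique object ID or app ID instead` is also not actionable for a function whose input is `display_name`. The function body continues outside the hunk.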
@@ -1017,10 +1024,6 @@ def app_federated_credential_delete(client, app_identifier, federated_identity_c def create_service_principal(cmd, identifier): - logger.warning("The `az ad sp create` command can modify an existing application or service principal " - "if another object shares the same display name. Display names aren't unique and can change, " - "which could result in credential loss or incorrect RBAC assignments. " - "Use a unique object ID or app ID instead.") return _create_service_principal(cmd.cli_ctx, identifier) @@ -1149,11 +1152,6 @@ def create_service_principal_for_rbac( show_auth_in_json=None, skip_assignment=False, keyvault=None): import time - logger.warning("The `az ad sp create-for-rbac` command can modify an existing application or service principal " - "if another object shares the same display name. Display names aren't unique and can change, " - "which could result in credential loss or incorrect RBAC assignments. " - "Use a unique object ID or app ID instead.") - if role and not scopes or not role and scopes: raise ArgumentUsageError("Usage error: To create role assignments, specify both --role and --scopes.") From 4a21b0e354f92c045298f09a04ec16c045b8442e Mon Sep 17 00:00:00 2001 From: Qinkai Wu Date: Mon, 24 Nov 2025 14:00:33 +1100 Subject: [PATCH 5/7] Fix style --- src/azure-cli/azure/cli/command_modules/role/_help.py | 2 +- src/azure-cli/azure/cli/command_modules/role/custom.py | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/azure-cli/azure/cli/command_modules/role/_help.py b/src/azure-cli/azure/cli/command_modules/role/_help.py index 85824853c64..007f3f299f0 100644 --- a/src/azure-cli/azure/cli/command_modules/role/_help.py +++ b/src/azure-cli/azure/cli/command_modules/role/_help.py 
@@ -25,7 +25,7 @@ long-summary: >- **IMPORTANT**: The `az ad app create` command can modify an existing application or service principal if another object shares the same **display name**. Display names aren't unique and can change, which - could result in credential loss or incorrect RBAC assignments. Use a **unique object ID or app ID** instead. + could result in credential loss or incorrect RBAC assignments. Use a **unique object ID or app ID** instead. For more details, see https://go.microsoft.com/fwlink/?linkid=2342455. diff --git a/src/azure-cli/azure/cli/command_modules/role/custom.py b/src/azure-cli/azure/cli/command_modules/role/custom.py index d0c672e8059..5ef33974ee5 100644 --- a/src/azure-cli/azure/cli/command_modules/role/custom.py +++ b/src/azure-cli/azure/cli/command_modules/role/custom.py @@ -605,11 +605,11 @@ def create_application(cmd, client, display_name, identifier_uris=None, app_roles=None, optional_claims=None, required_resource_accesses=None): # pylint:disable=too-many-locals - logger.warning(f"The `az {cmd.name}` command can modify an existing application or service principal " + logger.warning("The `az %s` command can modify an existing application or service principal " "if another object shares the same display name. Display names aren't unique and can change, " "which could result in credential loss or incorrect RBAC assignments. " "Use a unique object ID or app ID instead. For more details, " - "see https://go.microsoft.com/fwlink/?linkid=2342455.") + "see https://go.microsoft.com/fwlink/?linkid=2342455.", cmd.name) graph_client = _graph_client_factory(cmd.cli_ctx) From 9ac13c82ae218889ca9c3f838c5cbbb781d97654 Mon Sep 17 00:00:00 2001 
From: Qinkai Wu Date: Mon, 24 Nov 2025 14:32:53 +1100 Subject: [PATCH 6/7] Remove markdown style tokens. Make warning only appear when the command is overwriting an existing SP --- .../azure/cli/command_modules/role/_help.py | 12 ++++++------ .../azure/cli/command_modules/role/custom.py | 13 ++++++------- 2 files changed, 12 insertions(+), 13 deletions(-) diff --git a/src/azure-cli/azure/cli/command_modules/role/_help.py b/src/azure-cli/azure/cli/command_modules/role/_help.py index 007f3f299f0..91c446e50ae 100644 --- a/src/azure-cli/azure/cli/command_modules/role/_help.py +++ b/src/azure-cli/azure/cli/command_modules/role/_help.py @@ -23,9 +23,9 @@ type: command short-summary: Create an application. long-summary: >- - **IMPORTANT**: The `az ad app create` command can modify an existing application or service principal if - another object shares the same **display name**. Display names aren't unique and can change, which - could result in credential loss or incorrect RBAC assignments. Use a **unique object ID or app ID** instead. + IMPORTANT: The "az ad app create" command can modify an existing application or service principal if + another object shares the same display name. Display names aren't unique and can change, which + could result in credential loss or incorrect RBAC assignments. Use a unique object ID or app ID instead. For more details, see https://go.microsoft.com/fwlink/?linkid=2342455. 
@@ -528,9 +528,9 @@ Create an application and its associated service principal, optionally configure the service principal's RBAC role assignments. long-summary: >- - **IMPORTANT**: The `az ad sp create-for-rbac` command can modify an existing application or service principal if - another object shares the same **display name**. Display names aren't unique and can change, which - could result in credential loss or incorrect RBAC assignments. Use a **unique object ID or app ID** instead. + IMPORTANT: The "az ad sp create-for-rbac" command can modify an existing application or service principal if + another object shares the same display name. Display names aren't unique and can change, which + could result in credential loss or incorrect RBAC assignments. Use a unique object ID or app ID instead. For more details, see https://go.microsoft.com/fwlink/?linkid=2342455. diff --git a/src/azure-cli/azure/cli/command_modules/role/custom.py b/src/azure-cli/azure/cli/command_modules/role/custom.py index 5ef33974ee5..0091f074d65 100644 --- a/src/azure-cli/azure/cli/command_modules/role/custom.py +++ b/src/azure-cli/azure/cli/command_modules/role/custom.py @@ -604,13 +604,6 @@ def create_application(cmd, client, display_name, identifier_uris=None, # JSON properties app_roles=None, optional_claims=None, required_resource_accesses=None): # pylint:disable=too-many-locals - - logger.warning("The `az %s` command can modify an existing application or service principal " - "if another object shares the same display name. Display names aren't unique and can change, " - "which could result in credential loss or incorrect RBAC assignments. " - "Use a unique object ID or app ID instead. For more details, " - "see https://go.microsoft.com/fwlink/?linkid=2342455.", cmd.name) - graph_client = _graph_client_factory(cmd.cli_ctx) existing_apps = list_applications(cmd, client, display_name=display_name) 
@@ -622,6 +615,12 @@ def create_application(cmd, client, display_name, identifier_uris=None, raise CLIError("More than one application have the same display name '{}': (id) {}, please remove " 'them first.'.format(display_name, ', '.join([x[ID] for x in existing_apps]))) if len(existing_apps) == 1: + logger.warning("IMPORTANT: The \"az %s\" command can modify an existing application or service principal " + "if another object shares the same display name. " + "Display names aren't unique and can change, " + "which could result in credential loss or incorrect RBAC assignments. " + "Use a unique object ID or app ID instead. For more details, " + "see https://go.microsoft.com/fwlink/?linkid=2342455.", cmd.name) logger.warning("Found an existing application instance: (id) %s. We will patch it.", existing_apps[0][ID]) body = update_application( From 75b7dcab9f259c0e814daf72246b81017a6ffcf4 Mon Sep 17 00:00:00 2001 From: Qinkai Wu Date: Wed, 3 Dec 2025 11:06:17 +1100 Subject: [PATCH 7/7] Update warning message --- src/azure-cli/azure/cli/command_modules/role/_help.py | 11 +++++------ .../azure/cli/command_modules/role/custom.py | 11 ++++------- 2 files changed, 9 insertions(+), 13 deletions(-) diff --git a/src/azure-cli/azure/cli/command_modules/role/_help.py b/src/azure-cli/azure/cli/command_modules/role/_help.py index 91c446e50ae..3c2c0bcadd5 100644 --- a/src/azure-cli/azure/cli/command_modules/role/_help.py +++ b/src/azure-cli/azure/cli/command_modules/role/_help.py 
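Review bot: The new `IMPORTANT` warning in the `len(existing_apps) == 1` branch of `create_application` is immediately followed by the existing `Found an existing application instance: (id) %s. We will patch it.` warning, so the operator gets two messages for one event; fold the consequence into the existing line, e.g. `logger.warning("Found an existing application instance: (id) %s. It will be patched in place; verify this is the intended application before relying on its credentials or role assignments.", existing_apps[0][ID])`. `Use a unique object ID or app ID instead.` is not actionable here since this function is driven by `display_name`. Note also that a warning does not stop a script: `update_application` still runs, so a non-interactive caller will overwrite a same-named application that may belong to someone else in the tenant; fail-closed behaviour would need an explicit opt-in flag, which is an interface change beyond this patch. The function continues outside the hunk.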
@@ -23,13 +23,13 @@ type: command short-summary: Create an application. long-summary: >- - IMPORTANT: The "az ad app create" command can modify an existing application or service principal if + WARNING: The "az ad app create" command can modify an existing application if another object shares the same display name. Display names aren't unique and can change, which - could result in credential loss or incorrect RBAC assignments. Use a unique object ID or app ID instead. + could result in credential loss or incorrect RBAC assignments. For more details, see https://go.microsoft.com/fwlink/?linkid=2342455. - For more detailed documentation, see https://learn.microsoft.com/graph/api/resources/application + For more detailed documentation on Microsoft Entra application, see https://learn.microsoft.com/graph/api/resources/application examples: - name: Create an application. text: | @@ -515,7 +515,6 @@ helps['ad sp create'] = """ type: command short-summary: Create a service principal. -long-summary: examples: - name: Create a service principal. (autogenerated) text: az ad sp create --id 00000000-0000-0000-0000-000000000000 @@ -528,9 +527,9 @@ Create an application and its associated service principal, optionally configure the service principal's RBAC role assignments. long-summary: >- - IMPORTANT: The "az ad sp create-for-rbac" command can modify an existing application or service principal if + WARNING: The "az ad sp create-for-rbac" command can modify an existing application or service principal if another object shares the same display name. Display names aren't unique and can change, which - could result in credential loss or incorrect RBAC assignments. Use a unique object ID or app ID instead. + could result in credential loss or incorrect RBAC assignments. For more details, see https://go.microsoft.com/fwlink/?linkid=2342455. 
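Review bot: Dropping `Use a unique object ID or app ID instead.` from the `ad app create` long-summary was right, but nothing replaces it, so the help now names a risk (`credential loss or incorrect RBAC assignments`) without saying what to do; the runtime message added to `create_application` in this same patch does (`To create a new application, use a unique display name instead`), and the help should say the same, e.g. `To create a new application rather than patch the existing one, use a display name that is not already in use.` `can modify an existing application` would be clearer as `patches the existing application in place`. `documentation on Microsoft Entra application` should read `documentation on Microsoft Entra applications`.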
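Review bot: The `ad sp create-for-rbac` long-summary loses its only remediation sentence (`Use a unique object ID or app ID instead.`) with nothing in its place, leaving a WARNING that states a consequence but no action, and unlike `ad app create` this command receives no runtime message in this patch unless it routes through `create_application` (not visible here). Add the same guidance as the application help, e.g. `To create a new application, use a display name that is not already in use.`, and name the actual behaviour — the existing application is patched in place rather than a new one created — if that is what the command body does (confirm against it).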
diff --git a/src/azure-cli/azure/cli/command_modules/role/custom.py b/src/azure-cli/azure/cli/command_modules/role/custom.py index 0091f074d65..2cce537e28b 100644 --- a/src/azure-cli/azure/cli/command_modules/role/custom.py +++ b/src/azure-cli/azure/cli/command_modules/role/custom.py @@ -615,14 +615,11 @@ def create_application(cmd, client, display_name, identifier_uris=None, raise CLIError("More than one application have the same display name '{}': (id) {}, please remove " 'them first.'.format(display_name, ', '.join([x[ID] for x in existing_apps]))) if len(existing_apps) == 1: - logger.warning("IMPORTANT: The \"az %s\" command can modify an existing application or service principal " - "if another object shares the same display name. " - "Display names aren't unique and can change, " + logger.warning("Found an existing application instance: (id) %s.", existing_apps[0][ID]) + logger.warning("Please notice that display names aren't unique, " "which could result in credential loss or incorrect RBAC assignments. " - "Use a unique object ID or app ID instead. For more details, " - "see https://go.microsoft.com/fwlink/?linkid=2342455.", cmd.name) - logger.warning("Found an existing application instance: (id) %s. We will patch it.", - existing_apps[0][ID]) + "To create a new application, use a unique display name instead. For more details, " + "see https://go.microsoft.com/fwlink/?linkid=2342455.") body = update_application( existing_apps[0], display_name=display_name, identifier_uris=identifier_uris, is_fallback_public_client=is_fallback_public_client,
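Review bot: The rewritten first warning drops `We will patch it.`, so the operator is no longer told that the existing application with id `%s` is about to be modified — the one fact that makes the collision dangerous — while the second warning speaks only in generalities (`could result in credential loss`). Keep the action in the message, e.g. `logger.warning("Found an existing application instance: (id) %s. It will be patched in place.", existing_apps[0][ID])`, and open the second with `Note that display names aren't unique` rather than `Please notice that`. Both lines remain advisory: `update_application` runs regardless, so a scripted caller cannot react to them; fail-closed behaviour would need an explicit flag or a non-zero exit, an interface decision outside this hunk. The function body continues outside the hunk.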