MicrosoftDocs · jiasli · Nov 13, 2024 · Nov 8, 2024 · Nov 13, 2024 · jiasli
@@ -5,10 +5,10 @@ ms.date: 09/02/2024
 ms.topic: concept-article
 ms.service: azure-cli
 ms.custom: devx-track-azurecli
-#customer intent: As an app developer, I need to security automate authentication to Azure using a service principal. 
+#customer intent: As an app developer, I need to security automate authentication to Azure using a service principal.
 ---
 
-# Sign into Azure with a service principal using the Azure CLI 
+# Sign into Azure with a service principal using the Azure CLI
 
 Service principals are accounts not tied to any particular user, which can have permissions on them assigned through
 predefined roles. Authenticating with a service principal is the best way to write secure scripts or programs,
@@ -18,32 +18,40 @@ about service principals, see [Work with Azure service principals using the Azur
 To sign in with a service principal, you need:
 
 * The URL or name associated with the service principal
-* The service principal password, or the X509 certificate used to create the service principal in PEM format
-* The tenant associated with the service principal, as either an `.onmicrosoft.com` domain or Azure object ID
+* The service principal client secret, or the X509 certificate used to create the service principal in PEM format
+* The tenant associated with the service principal, as either an `.onmicrosoft.com` domain or Microsoft Entra tenant ID
 
 Note two important facts when working with service principals and the Azure CLI:
 
 * A **CERTIFICATE** must be appended to the **PRIVATE KEY** within a PEM file. For an example of a PEM file format, see [Certificate-based authentication](./azure-cli-sp-tutorial-3.md).
 
 * If your service principal uses a certificate that is stored in Key Vault, that certificate's private key must be available without signing in to Azure. To retrieve the certificate for `az login`, see [Retrieve certificate from Key Vault](./azure-cli-sp-tutorial-3.md#work-with-azure-key-vault).
 
+Log in with client secret:
+
+```azurecli-interactive
+az login --service-principal --username APP_ID --password CLIENT_SECRET --tenant TENANT_ID
+```
+
+Log in with certificate:
+
 ```azurecli-interactive
-az login --service-principal -u <app-id> -p <password-or-cert> --tenant <tenant>
+az login --service-principal --username APP_ID --certificate /path/to/cert.pem --tenant TENANT_ID
 ```
 
 > [!IMPORTANT]
 > If you want to avoid displaying your password on console and are using `az login` interactively,
 > use the `read -s` command under `bash`.
 >
 > ```bash
-> read -sp "Azure password: " AZ_PASS && echo && az login --service-principal -u <app-id> -p $AZ_PASS --tenant <tenant>
+> read -sp "Azure password: " AZ_PASS && echo && az login --service-principal --username <app-id> --password $AZ_PASS --tenant <tenant>
 > ```
 >
 > Under PowerShell, use the `Get-Credential` cmdlet.
 >
 > ```powershell
 > $AzCred = Get-Credential -UserName <app-id>
-> az login --service-principal -u $AzCred.UserName -p $AzCred.GetNetworkCredential().Password --tenant <tenant>
+> az login --service-principal --username $AzCred.UserName --password $AzCred.GetNetworkCredential().Password --tenant <tenant>
 > ```
 
 ## See also

@@ -10,7 +10,7 @@ keywords: azure service principal, create service principal azure, create servic
 
 # Use an Azure service principal with certificate-based authentication
 
-When creating a service principal, you choose the type of sign-in authentication it uses. There are two types of authentication available for Azure service principals: **password-based authentication** and **certificate-based authentication**. 
+When creating a service principal, you choose the type of sign-in authentication it uses. There are two types of authentication available for Azure service principals: **password-based authentication** and **certificate-based authentication**.
 
 We recommend using certificate-based authentication due to the security restrictions of password-based authentication. Certificate-based authentication enables you to adopt a phishing resistant authentication by using [conditional access policies](/azure/active-directory/conditional-access/overview), which better protects Azure resources. To learn more about why certificate-based authentication is more secure, see [Microsoft Entra certificate-based authentication](/azure/active-directory/authentication/concept-certificate-based-authentication).
 
@@ -102,8 +102,6 @@ az keyvault secret download --file /path/to/cert.pfx \
                             --name CertName \
                             --encoding base64
 openssl pkcs12 -in cert.pfx -passin pass: -passout pass: -out cert.pem -nodes
-
-az login --service-principal -u "<myAppClientID>" -p cert.pem --tenant "<myTenantID>"
 ```
 
 ## Convert an existing PKCS12 file
@@ -142,10 +140,7 @@ The output includes credentials that you must protect. Be sure that you do not i
 To sign in with a certificate, the certificate must be available locally as a PEM or DER file in ASCII format. PKCS#12 files (.p12/.pfx) don't work. When you use a PEM file, the **PRIVATE KEY** and **CERTIFICATE** must be appended together within the file. You don't need to prefix the path with an `@` like you do with other az commands.
 
 ```azurecli-interactive
-az login --service-principal \
-         --username myServicePrincipalID \
-         --tenant myOwnerOrganizationId \
-         --password /path/to/cert
+az login --service-principal --username APP_ID --certificate /path/to/cert.pem --tenant TENANT_ID
 ```
 
 ## Next Steps

@@ -63,6 +63,12 @@ The [db-up](https://github.com/Azure/azure-cli-extensions/tree/main/src/db-up) e
 
 - This command group has been deprecated and will be removed in next breaking change release(2.67.0). Use 'az network public-ip ddos-protection' instead.
 
+## profile
+
+### `az login`
+
+- The `--password` parameter will not accept service principal certificate. Use the `--certificate` parameter instead.
+
 ## sql
 
 [Link to sql mi link subgroup](/cli/azure/sql/mi/link)