How do I properly create service principal secret in Azure

I’m trying to figure out the difference between this 2 resources (azuread_service_principal_password and azuread_application_password) . I’m creating with code below and expected it to create service principal

resource "azuread_application" "sp-application" {
  display_name = "${}-app"
  owners       = local.owners
  tags         = ["Auto-rotate"]

resource "azuread_service_principal" "sp-serviceprincipal" {
  application_id               = azuread_application.sp-application.application_id
  app_role_assignment_required = false
  owners                       = local.owners
  notes                        = "Service principal for Databricks application to access storage account"
  tags                         = ["Auto-rotate"]

resource "azuread_service_principal_password" "sp-password" {
  service_principal_id = azuread_service_principal.sp-serviceprincipal.object_id
  rotate_when_changed = {
    rotation =

It does create a password which I can capture in output but I don’t see this password as part of service principal secret in portal. Objecty_id being returned actually is object_id of application itself and not service principal derived from it. I don’t see any option to see any passwords present in Enterprise Application either. Confused about what password being created and where.