How do I properly create a service principal secret in Azure

I’m trying to figure out the difference between these 2 resources (azuread_service_principal_password and azuread_application_password). I’m creating it with the code below and expected it to create a service principal.

resource "azuread_application" "sp-application" {
  display_name = "${}-app"
  owners       = local.owners
  tags         = ["Auto-rotate"]
}

resource "azuread_service_principal" "sp-serviceprincipal" {
  application_id               = azuread_application.sp-application.application_id
  app_role_assignment_required = false
  owners                       = local.owners
  notes                        = "Service principal for Databricks application to access storage account"
  tags                         = ["Auto-rotate"]
}

resource "azuread_service_principal_password" "sp-password" {
  service_principal_id = azuread_service_principal.sp-serviceprincipal.object_id
  rotate_when_changed = {
    rotation =

It does create a password, which I can capture in output, but I don’t see this password as part of the service principal secret in the portal. The object_id being returned is actually the object_id of the application itself and not the service principal derived from it. I don’t see any option to see any passwords present in the Enterprise Application either. I’m confused about what password is being created and where.

azuread_service_principal creates an enterprise application, and azuread_service_principal_password sets a credential for that.

azuread_application creates an application registration and azuread_application_password sets a password for that.

When creating azuread_application_password it takes a good 10 minutes before it shows in the portal.


Naming seems to be backwards though; I expected azuread_application to create the Enterprise Application and azuread_service_principal to create the App Registration instead.

Yeah, it is confusing.

You actually need both azuread_application and azuread_service_principal if you’re going to do role assignments. The oid of the latter is used as the principal_id at assignment time, but the application_id and password value of the former are used to authenticate to the resource.

Go figure

Hello @b0bu,

So, I don’t actually need to create “azuread_service_principal_password”, right?
Only the below are enough, right?
azuread_application, azuread_application_password - For Authentication
azuread_service_principal - For RBAC
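
The split described in the thread, written out as an added example (not code from any poster): the secret lives on the app registration, and the role is assigned to the service principal's object_id. It assumes the azuread 2.x attribute names used above; the resource names, `var.storage_account_id`, the role name, and the 90-day rotation are illustrative assumptions.

```hcl
# Added example. Names, the variable and the role below are assumptions.
provider "azurerm" {
  features {}
}

variable "storage_account_id" {
  type = string # resource ID of the storage account (placeholder input)
}

# App registration: owns the client ID and the client secret.
resource "azuread_application" "app" {
  display_name = "example-app"
}

# A new id every 90 days, which forces the secret below to be replaced.
resource "time_rotating" "secret" {
  rotation_days = 90
}

# Client secret; shows up under App registrations > Certificates & secrets.
resource "azuread_application_password" "secret" {
  application_object_id = azuread_application.app.object_id
  end_date_relative     = "2400h" # expires after 100 days, past the rotation window
  rotate_when_changed = {
    rotation = time_rotating.secret.id
  }
}

# Enterprise application (service principal): the identity that RBAC targets.
resource "azuread_service_principal" "sp" {
  application_id = azuread_application.app.application_id
}

# Role assignment uses the service principal's object_id, not the application's.
resource "azurerm_role_assignment" "blob_reader" {
  scope                = var.storage_account_id
  role_definition_name = "Storage Blob Data Reader"
  principal_id         = azuread_service_principal.sp.object_id
}

output "client_id" {
  value = azuread_application.app.application_id
}

output "client_secret" {
  value     = azuread_application_password.secret.value
  sensitive = true
}
```

Marking the output `sensitive` only hides it from CLI output; the secret value is still written to Terraform state, so the state backend needs the same access controls as the secret itself.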