Azure-cli: Support `az ad {app,sp} create`

Created on 5 Aug 2016 · 11 Comments · Source: Azure/azure-cli

Only delete, show and list are available.

Auth

All 11 comments

Given the poor discoverability and the constant confusion that users have regarding AzureAD, ServiceAccount (aka ServicePrincipals) and "Apps", it is important that the CLI tooling can be scripted to create these things on users' behalf.

@colemickens if you create them just to assign a role for RBAC, you can use account create-sp.
The whole 'az ad' command set will be finalized in the near future.

Hm, that sounds helpful, but I don't really understand the distinction.

What does az ad app create followed by az ad sp create do that az account create-sp doesn't do?

CC @ahmetalpbalkan for usability feedback given that we both need to make this process easy for our users.

I agree, we need one clean way of creating SPs. Look at this 3rd party doc explaining creating AAD SP accounts. It is nothing but confusion*. I would very much appreciate it if this experience could be unified with one well-known command (preferably az ad sp create).

*: what's an app? what is homepage uri? why is username actually client_id? why am I providing a password? why is password a client_secret? why am I calling all these cmds? why is sp id the same as app id?

Some context before addressing your concerns:

  1. We will have ad [sp|app] create to create general purpose entities. Also, per discussion with the graph team, we will have finer support for credential management and finer-grained updating of individual properties.
  2. Application and service principal are not just for Azure management at the command line; they are used a lot by server applications (mostly web sites) which leverage an existing identity provider, like Azure AD, to delegate authentication duties.

Because of #2, several concepts such as "redirecturi" and "homepage" were exposed from commands which are hard to understand and useless for people who just want to manage Azure in azure-cli. So a simplification like create-sp has been very well accepted.
Once #1 is done, we will likely rename and position create-sp in new places to be closer to the majority. But for the sake of regular azure-cli users, we will keep this specific custom command to greatly relieve the learning pain to on-board RBAC.

This sounds great! I love how simple this is:

$ az account create-sp

Service principal has been configured with name: 'http://azure-cli-2016-08-05-14-31-15', secret: '[redacted]'
Useful commands to manage azure:
  Assign a role: "az role assignment create --assignee af73d34f-7cde-4c73-a4d5-redact --role Contributor"
  Log in: "az login --service-principal -u http://azure-cli-2016-08-05-14-31-15 -p [redacted] --tenant 72f988bf-86f1-41af-91ab-2d7cd011db47"
  Reset credentials: "az account reset-sp-credentials --name http://azure-cli-2016-08-05-14-31-15"

And I can override the name, duration and password (client_secret). Excellent!

So I am submitting #664, which should address all I mentioned earlier:

  1. I am moving the convenience command to ad sp create-for-rbac. There is also a new create command which is for general purpose use.
  2. create-for-rbac will emit 2 more command snippets for you to revoke the service principal if you are done with it.
  3. For app show/delete and sp show/delete, I simplified them by exposing a common parameter, --id, which should work with both object id and logical name.

That sounds great as well. The only other thing might be letting me do the RBAC assignment in the ad sp create-for-rbac command, which would use the special Graph header to ensure I don't have to loop-retry in my own script.

I can file a separate issue for that though?

Please file a separate issue. Sort of a hack, but we can have sp create-for-rbac capture the ocp-aad-session-key, and expose ocp-aad-session-key from role assignment create.

I filed: https://github.com/Azure/azure-cli/issues/667

I'll close this, if you don't, when your PR goes in.

Thanks @yugangw-msft, I think these are going to be popular.

664 is merged.

@brunoterkaly and @jasonrshaver, please note, account create-sp has been moved to ad sp create-for-rbac.
