az ad sp create-for-rbac should support finer grain of credential expiry time #28521

Description

@jiasli

Related command
az ad sp create-for-rbac

Is your feature request related to a problem? Please describe.
Currently, only an integer --years is supported, which is too rough:

```
> az ad sp create-for-rbac -h
...
Credential Arguments
    --years                             : Number of years for which the credentials will be valid.
                                          Default: 1 year.
```

The minimum expiry time is 1 year, which is against the security best practice of setting the expiry time as short as possible.

Caution

If there is a policy in the tenant that forbids expiry time >= 1 year, az ad sp create-for-rbac will fail.

Describe the solution you'd like

  1. Support --end-date similar to that from az ad app credential reset and az ad app create.
  2. Support --days like Azure Portal.

Describe alternatives you've considered
Drop --years, as it encourages imprecise expiry times and also causes ambiguity in leap years (#28520).
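Until such an option exists, the `--end-date` option of `az ad app credential reset` mentioned above can set a day-granular expiry. The sketch below is an added example, not part of the original issue or of Azure CLI itself. It assumes GNU `date`; `end_date_in_days`, `reset_cmd`, the 90-day `MAX_DAYS` ceiling and the all-zero app ID are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: derive a short --end-date for a service principal secret.
# Assumptions: GNU date; MAX_DAYS is a locally chosen policy ceiling.
MAX_DAYS="${MAX_DAYS:-90}"

# Print an ISO-8601 UTC timestamp DAYS days after BASE (default: now).
# Returns 2 when DAYS is not a positive integer or exceeds MAX_DAYS.
end_date_in_days() {
    local days base start
    days="$1"
    base="${2:-now}"
    case "$days" in
        ''|0*|*[!0-9]*)
            echo "days must be a positive integer" >&2
            return 2 ;;
    esac
    if [ "$days" -gt "$MAX_DAYS" ]; then
        echo "requested $days days exceeds MAX_DAYS=$MAX_DAYS" >&2
        return 2
    fi
    # Work in epoch seconds under UTC so leap years and DST cannot shift the result.
    start=$(date -u -d "$base" +%s) || return 2
    date -u -d "@$(( start + days * 86400 ))" +%Y-%m-%dT%H:%M:%SZ
}

# Build (but do not run) the reset command so it can be reviewed first.
# Without --append, the reset replaces the app's existing credentials,
# which removes a 1-year secret left behind by create-for-rbac.
reset_cmd() {
    local app_id days base end
    app_id="$1"
    days="$2"
    base="${3:-now}"
    end=$(end_date_in_days "$days" "$base") || return 2
    printf 'az ad app credential reset --id %s --end-date %s\n' "$app_id" "$end"
}

# Placeholder app ID (constructed); prints the command for a 30-day secret.
reset_cmd "00000000-0000-0000-0000-000000000000" 30
```

The function only prints the command, so the computed end date can be checked before anything is changed in the tenant.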

Labels

Auto-Assign: Auto assign by bot
Azure CLI Team: The command of the issue is owned by Azure CLI team
Graph: (doesn't work with label-triggered comments; use Graph.Microsoft instead) az ad
act-identity-squad
potential-pruning
question: The issue doesn't require a change to the product in order to be resolved. Most issues start as that
