[Microsoft Entra ID] az ad sp create-for-rbac: Add --create-password argument

src/azure-cli/azure/cli/command_modules/role/_help.py

@@ -536,6 +536,8 @@
   text: az ad sp create-for-rbac -n MyApp
 - name: Create with a Contributor role assignments on specified scopes. To retrieve current subscription ID, run `az account show --query id --output tsv`.
   text: az ad sp create-for-rbac -n MyApp --role Contributor --scopes /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup1 /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup2
+- name: Do not create password credential.
+  text: az ad sp create-for-rbac --create-password false
 - name: Create using a self-signed certificate.
   text: az ad sp create-for-rbac --create-cert
 - name: Create using an existing certificate string.

src/azure-cli/azure/cli/command_modules/role/_params.py

@@ -186,6 +186,9 @@ def load_arguments(self, _):
         c.argument('display_name', options_list=['--display-name', '--name', '-n'],
                    help='Display name of the service principal. If not present, default to azure-cli-%Y-%m-%d-%H-%M-%S '
                         'where the suffix is the time of creation.')
+        c.argument('create_password', arg_type=get_three_state_flag(), arg_group='Credential',
+                   help='Create a password credential (secret) on the the application. This is the default behavior. '
+                        'Set this argument to false to disable creating password credential.')
         c.argument('scopes', nargs='+',
                    help="Space-separated list of scopes the service principal's role assignment applies to. e.g., "
                         "subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, "

src/azure-cli/azure/cli/command_modules/role/custom.py

@@ -1219,6 +1219,7 @@ def create_service_principal_for_rbac(
         # pylint:disable=too-many-statements,too-many-locals, too-many-branches, unused-argument
         cmd, display_name=None,
         service_management_reference=None,
+        create_password=True,
         years=None, create_cert=False, cert=None, scopes=None, role=None,
         show_auth_in_json=None, skip_assignment=False, keyvault=None):
     import time
@@ -1278,7 +1279,7 @@ def create_service_principal_for_rbac(
 
     # Password credential is created *after* application creation.
     # https://learn.microsoft.com/en-us/graph/api/resources/passwordcredential
-    if not use_cert:
+    if create_password and not use_cert:
         result = _application_add_password(graph_client, aad_application, 'rbac', app_start_date, app_end_date)
         password = result['secretText']
 
@@ -1333,7 +1334,9 @@ def create_service_principal_for_rbac(
                                        ex.response.headers)  # pylint: disable=no-member
                     raise
 
-    logger.warning(CREDENTIAL_WARNING)
+    # No need to show warning if no credential is created
+    if password or cert_file:
+        logger.warning(CREDENTIAL_WARNING)
 
     if show_auth_in_json:
         from azure.cli.core._profile import Profile