diff --git a/docs/serviceprincipal.md b/docs/serviceprincipal.md
index 8912b514d9..9453b1760b 100644
--- a/docs/serviceprincipal.md
+++ b/docs/serviceprincipal.md
@@ -19,11 +19,18 @@ There are several ways to create a Service Principal in Azure Active Directory:
 
 * **With the [Azure CLI](https://github.com/Azure/azure-cli)**
 
-   ```shell
-   az login
-   az account set --subscription="${SUBSCRIPTION_ID}"
-   az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/${SUBSCRIPTION_ID}"
-   ```
+  * Subscription level scope
+     ```shell
+     az login
+     az account set --subscription="${SUBSCRIPTION_ID}"
+     az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/${SUBSCRIPTION_ID}"
+     ```
+  * Resource group level scope
+     ```shell
+     az login
+     az account set --subscription="${SUBSCRIPTION_ID}"
+     az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP_NAME}"
+     ```
 
    This will output your `appId`, `password`, `name`, and `tenant`.  The `name` or `appId` may be used for the `servicePrincipalProfile.clientId` and the `password` is used for `servicePrincipalProfile.secret`.