From 853d4cba9c5e980c34833a8dfe4a2dee2346e136 Mon Sep 17 00:00:00 2001
From: Bill Pratt <billpratt@users.noreply.github.com>
Date: Thu, 24 May 2018 15:45:44 -0400
Subject: [PATCH] SP with resource group level scope example

---
 docs/serviceprincipal.md | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/docs/serviceprincipal.md b/docs/serviceprincipal.md
index 8912b514d9..9453b1760b 100644
--- a/docs/serviceprincipal.md
+++ b/docs/serviceprincipal.md
@@ -19,11 +19,18 @@ There are several ways to create a Service Principal in Azure Active Directory:
 
 * **With the [Azure CLI](https://github.com/Azure/azure-cli)**
 
-   ```shell
-   az login
-   az account set --subscription="${SUBSCRIPTION_ID}"
-   az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/${SUBSCRIPTION_ID}"
-   ```
+  * Subscription level scope
+     ```shell
+     az login
+     az account set --subscription="${SUBSCRIPTION_ID}"
+     az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/${SUBSCRIPTION_ID}"
+     ```
+  * Resource group level scope
+     ```shell
+     az login
+     az account set --subscription="${SUBSCRIPTION_ID}"
+     az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP_NAME}"
+     ```
 
    This will output your `appId`, `password`, `name`, and `tenant`.  The `name` or `appId` may be used for the `servicePrincipalProfile.clientId` and the `password` is used for `servicePrincipalProfile.secret`.