Azure · jiasli · Dec 17, 2021 · Oct 8, 2021 · Oct 8, 2021 · Dec 9, 2021
@@ -389,14 +389,10 @@
     [managed identities](https://aka.ms/azadsp-managed-identities) if available to avoid the need to use credentials.
 
 
-    By default, this command assigns the 'Contributor' role to the service principal at the subscription scope.
-    To reduce your risk of a compromised service principal, use --skip-assignment to avoid creating a role assignment,
-    then assign a more specific role and narrow the scope to a resource or resource group.
+    By default, this command does not assign any role to the service principal.
+    You may use --role and --scopes to assign a specific role and narrow the scope to a resource or resource group.
+    You may also use `az role assignment create` to create role assignments for this service principal later.
     See [steps to add a role assignment](https://aka.ms/azadsp-more) for more information.
-
-
-    WARNING: In a future release, this command will NOT create a 'Contributor' role assignment by default.
-    If needed, use the --role argument to explicitly create a role assignment.
 parameters:
   - name: --name -n
     short-summary: Display name of the service principal. If not present, default to azure-cli-%Y-%m-%d-%H-%M-%S where the suffix is the time of creation.
@@ -419,12 +415,10 @@
   - name: --role
     short-summary: Role of the service principal.
 examples:
-  - name: Create with a default role assignment.
+  - name: Create without role assignment.
     text: az ad sp create-for-rbac
-  - name: Create using a custom name, and with a default assignment.
+  - name: Create using a custom display name.
     text: az ad sp create-for-rbac -n "MyApp"
-  - name: Create without a default assignment.
-    text: az ad sp create-for-rbac --skip-assignment
   - name: Create with a Contributor role assignments on specified scope.
     text: az ad sp create-for-rbac -n "MyApp" --role Contributor --scopes /subscriptions/{SubID}/resourceGroups/{ResourceGroup1} /subscriptions/{SubID}/resourceGroups/{ResourceGroup2}
   - name: Create using a self-signed certificate.

@@ -87,9 +87,7 @@ def load_arguments(self, _):
         c.argument('scopes', nargs='+')
         c.argument('role', completer=get_role_definition_name_completion_list)
         c.argument('skip_assignment', arg_type=get_three_state_flag(),
-                   help='Skip creating the default assignment, which allows the service principal to access resources under the current subscription. '
-                        'When specified, --scopes will be ignored. You may use `az role assignment create` to create '
-                        'role assignments for this service principal later.')
+                   deprecate_info=c.deprecate(target='--skip-assignment', hide=True), help='No-op.')
         c.argument('show_auth_for_sdk', options_list='--sdk-auth', deprecate_info=c.deprecate(target='--sdk-auth'),
                    help='output result in compatible with Azure SDK auth file', arg_type=get_three_state_flag())
 

@@ -37,11 +37,6 @@
     "The output includes credentials that you must protect. Be sure that you do not include these credentials in "
     "your code or check the credentials into your source control. For more information, see https://aka.ms/azadsp-cli")
 
-ROLE_ASSIGNMENT_CREATE_WARNING = (
-    "In a future release, this command will NOT create a 'Contributor' role assignment by default. "
-    "If needed, use the --role argument to explicitly create a role assignment."
-)
-
 logger = get_logger(__name__)
 
 # pylint: disable=too-many-lines
@@ -1401,7 +1396,7 @@ def _validate_app_dates(app_start_date, app_end_date, cert_start_date, cert_end_
 
 # pylint: disable=inconsistent-return-statements
 def create_service_principal_for_rbac(
-        # pylint:disable=too-many-statements,too-many-locals, too-many-branches
+        # pylint:disable=too-many-statements,too-many-locals, too-many-branches, unused-argument
         cmd, name=None, years=None, create_cert=False, cert=None, scopes=None, role=None,
         show_auth_for_sdk=None, skip_assignment=False, keyvault=None):
     import time
@@ -1467,13 +1462,10 @@ def create_service_principal_for_rbac(
                     raise
     sp_oid = aad_sp.object_id
 
-    # retry while server replication is done
-    if not skip_assignment:
-        if not role:
-            role = "Contributor"
-            logger.warning(ROLE_ASSIGNMENT_CREATE_WARNING)
+    if role:
         for scope in scopes:
             logger.warning("Creating '%s' role assignment under scope '%s'", role, scope)
+            # retry till server replication is done
             for retry_time in range(0, _RETRY_TIMES):
                 try:
                     _create_role_assignment(cmd.cli_ctx, role, sp_oid, None, scope, resolve_assignee=False,