diff --git a/src/azure-cli/azure/cli/command_modules/appservice/_params.py b/src/azure-cli/azure/cli/command_modules/appservice/_params.py
index c1fcc1e4685..cebd4ec32ff 100644
--- a/src/azure-cli/azure/cli/command_modules/appservice/_params.py
+++ b/src/azure-cli/azure/cli/command_modules/appservice/_params.py
@@ -541,6 +541,8 @@ def load_arguments(self, _):
 help='Application ID to integrate AAD organization account Sign-in into your web app')
 c.argument('client_secret', options_list=['--aad-client-secret'], arg_group='Azure Active Directory',
 help='AAD application secret')
+ c.argument('client_secret_certificate_thumbprint', options_list=['--aad-client-secret-certificate-thumbprint', '--thumbprint'], arg_group='Azure Active Directory',
+ help='Alternative to AAD Client Secret, thumbprint of a certificate used for signing purposes')
 c.argument('allowed_audiences', nargs='+', options_list=['--aad-allowed-token-audiences'], arg_group='Azure Active Directory',
 help="One or more token audiences (space-delimited).")
 c.argument('issuer', options_list=['--aad-token-issuer-url'],
diff --git a/src/azure-cli/azure/cli/command_modules/appservice/custom.py b/src/azure-cli/azure/cli/command_modules/appservice/custom.py
index 9c73fc87a8e..333aad98a3d 100644
--- a/src/azure-cli/azure/cli/command_modules/appservice/custom.py
+++ b/src/azure-cli/azure/cli/command_modules/appservice/custom.py
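Review bot: The short alias `--thumbprint` on the added `client_secret_certificate_thumbprint` argument in `_params.py` carries no provider prefix, while every neighbouring option in this hunk starts with `--aad-`, so on a command that configures several identity providers it is not obvious which credential it sets. I would keep only the long form, `options_list=['--aad-client-secret-certificate-thumbprint']`. The help text calls the thumbprint an alternative to the client secret, but nothing visible here says what happens when both are passed; either state the precedence in the help string or add a validator that rejects the combination. The `load_arguments` body continues outside this hunk, so an existing validator cannot be ruled out from here.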
@@ -847,6 +847,7 @@ def update_auth_settings(cmd, resource_group_name, name, enabled=None, action=No
 client_id=None, token_store_enabled=None, runtime_version=None, # pylint: disable=unused-argument
 token_refresh_extension_hours=None, # pylint: disable=unused-argument
 allowed_external_redirect_urls=None, client_secret=None, # pylint: disable=unused-argument
+ client_secret_certificate_thumbprint=None, # pylint: disable=unused-argument
 allowed_audiences=None, issuer=None, facebook_app_id=None, # pylint: disable=unused-argument
 facebook_app_secret=None, facebook_oauth_scopes=None, # pylint: disable=unused-argument
 twitter_consumer_key=None, twitter_consumer_secret=None, # pylint: disable=unused-argument
diff --git a/src/azure-cli/azure/cli/command_modules/appservice/tests/latest/recordings/test_webapp_authentication.yaml b/src/azure-cli/azure/cli/command_modules/appservice/tests/latest/recordings/test_webapp_authentication.yaml
index 689b3b4d9bf..251aaa5378e 100644
--- a/src/azure-cli/azure/cli/command_modules/appservice/tests/latest/recordings/test_webapp_authentication.yaml
+++ b/src/azure-cli/azure/cli/command_modules/appservice/tests/latest/recordings/test_webapp_authentication.yaml
@@ -653,7 +653,7 @@ interactions: ParameterSetName: - -g -n --enabled --action --token-store --token-refresh-extension-hours --runtime-version --aad-client-id --aad-client-secret --aad-allowed-token-audiences --aad-token-issuer-url - --facebook-app-id --facebook-app-secret --facebook-oauth-scopes + --aad-client-secret-certificate-thumbprint --facebook-app-id --facebook-app-secret --facebook-oauth-scopes User-Agent: - python/3.7.2 (Darwin-16.7.0-x86_64-i386-64bit) msrest/0.6.9 msrest_azure/0.6.3 azure-mgmt-web/0.47.0 Azure-SDK-For-Python AZURECLI/2.9.0
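Review bot: `client_secret_certificate_thumbprint=None` is inserted in the middle of the `update_auth_settings` signature in `custom.py`, which moves `allowed_audiences`, `issuer` and every later parameter one position to the right for any caller that passes them positionally. Appending the new parameter after the last existing one would keep existing positional calls bound to the same names. The parameter is marked `unused-argument` like its neighbours, so the value is presumably picked up by name somewhere in the body, which lies outside this hunk. If that is how it works, the body is also where supplying both `client_secret` and the thumbprint could be rejected, or at least where the precedence could be documented in a comment.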
@@ -702,8 +702,8 @@ interactions: "RedirectToLoginPage", "tokenStoreEnabled": false, "defaultProvider": "Facebook", "tokenRefreshExtensionHours": 7.2, "clientId": "aad_client_id", "clientSecret": "aad_secret", "issuer": "https://issuer_url", "allowedAudiences": ["https://audience1"], - "facebookAppId": "facebook_id", "facebookAppSecret": "facebook_secret", "facebookOAuthScopes": - ["public_profile", "email"]}}' + "clientSecretCertificateThumbprint": "aad_thumbprint", "facebookAppId": "facebook_id", "facebookAppSecret": + "facebook_secret", "facebookOAuthScopes": ["public_profile", "email"]}}' headers: Accept: - application/json @@ -720,7 +720,7 @@ interactions: ParameterSetName: - -g -n --enabled --action --token-store --token-refresh-extension-hours --runtime-version --aad-client-id --aad-client-secret --aad-allowed-token-audiences --aad-token-issuer-url - --facebook-app-id --facebook-app-secret --facebook-oauth-scopes + --aad-client-secret-certificate-thumbprint --facebook-app-id --facebook-app-secret --facebook-oauth-scopes User-Agent: - python/3.7.2 (Darwin-16.7.0-x86_64-i386-64bit) msrest/0.6.9 msrest_azure/0.6.3 azure-mgmt-web/0.47.0 Azure-SDK-For-Python AZURECLI/2.9.0 
@@ -731,7 +731,7 @@ interactions: response: body: string: '{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_webapp_authentication000001/providers/Microsoft.Web/sites/webapp-authentication-test000002/config/authsettings","name":"authsettings","type":"Microsoft.Web/sites/config","location":"Japan - West","properties":{"enabled":true,"runtimeVersion":"1.2.8","unauthenticatedClientAction":"RedirectToLoginPage","tokenStoreEnabled":false,"allowedExternalRedirectUrls":null,"defaultProvider":"Facebook","tokenRefreshExtensionHours":7.2,"clientId":"aad_client_id","clientSecret":"aad_secret","clientSecretCertificateThumbprint":null,"issuer":"https://issuer_url","allowedAudiences":["https://audience1"],"additionalLoginParams":null,"isAadAutoProvisioned":false,"googleClientId":null,"googleClientSecret":null,"googleOAuthScopes":null,"facebookAppId":"facebook_id","facebookAppSecret":"facebook_secret","facebookOAuthScopes":["public_profile","email"],"twitterConsumerKey":null,"twitterConsumerSecret":null,"microsoftAccountClientId":null,"microsoftAccountClientSecret":null,"microsoftAccountOAuthScopes":null}}' + West","properties":{"enabled":true,"runtimeVersion":"1.2.8","unauthenticatedClientAction":"RedirectToLoginPage","tokenStoreEnabled":false,"allowedExternalRedirectUrls":null,"defaultProvider":"Facebook","tokenRefreshExtensionHours":7.2,"clientId":"aad_client_id","clientSecret":"aad_secret","clientSecretCertificateThumbprint":"aad_thumbprint","issuer":"https://issuer_url","allowedAudiences":["https://audience1"],"additionalLoginParams":null,"isAadAutoProvisioned":false,"googleClientId":null,"googleClientSecret":null,"googleOAuthScopes":null,"facebookAppId":"facebook_id","facebookAppSecret":"facebook_secret","facebookOAuthScopes":["public_profile","email"],"twitterConsumerKey":null,"twitterConsumerSecret":null,"microsoftAccountClientId":null,"microsoftAccountClientSecret":null,"microsoftAccountOAuthScopes":null}}' headers: cache-control: - 
no-cache
diff --git a/src/azure-cli/azure/cli/command_modules/appservice/tests/latest/test_webapp_commands.py b/src/azure-cli/azure/cli/command_modules/appservice/tests/latest/test_webapp_commands.py
index bda65d0c58b..4c7b3a9f9f6 100644
--- a/src/azure-cli/azure/cli/command_modules/appservice/tests/latest/test_webapp_commands.py
+++ b/src/azure-cli/azure/cli/command_modules/appservice/tests/latest/test_webapp_commands.py
@@ -2084,6 +2084,7 @@ def test_webapp_authentication(self, resource_group):
 JMESPathCheck('runtimeVersion', None),
 JMESPathCheck('clientId', None),
 JMESPathCheck('clientSecret', None),
+ JMESPathCheck('clientSecretCertificateThumbprint', None),
 JMESPathCheck('allowedAudiences', None),
 JMESPathCheck('issuer', None),
 JMESPathCheck('facebookAppId', None),
@@ -2094,7 +2095,7 @@ def test_webapp_authentication(self, resource_group):
 # update and verify
 result = self.cmd('webapp auth update -g {} -n {} --enabled true --action LoginWithFacebook '
 '--token-store false --token-refresh-extension-hours 7.2 --runtime-version 1.2.8 '
- '--aad-client-id aad_client_id --aad-client-secret aad_secret '
+ '--aad-client-id aad_client_id --aad-client-secret aad_secret --aad-client-secret-certificate-thumbprint aad_thumbprint '
 '--aad-allowed-token-audiences https://audience1 --aad-token-issuer-url https://issuer_url '
 '--facebook-app-id facebook_id --facebook-app-secret facebook_secret '
 '--facebook-oauth-scopes public_profile email'
@@ -2108,6 +2109,7 @@ def test_webapp_authentication(self, resource_group):
 JMESPathCheck('runtimeVersion', '1.2.8'),
 JMESPathCheck('clientId', 'aad_client_id'),
 JMESPathCheck('clientSecret', 'aad_secret'),
+ JMESPathCheck('clientSecretCertificateThumbprint', 'aad_thumbprint'),
 JMESPathCheck('issuer', 'https://issuer_url'),
 JMESPathCheck('facebookAppId', 'facebook_id'),
 JMESPathCheck('facebookAppSecret', 'facebook_secret')]).get_output_in_json()
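Review bot: The updated `webapp auth update` call in `test_webapp_authentication` passes `--aad-client-secret aad_secret` and `--aad-client-secret-certificate-thumbprint aad_thumbprint` together, so the only covered path is the combination, although the help text presents the thumbprint as an alternative to the secret. A second update that sets the thumbprint without the secret, followed by a `JMESPathCheck('clientSecretCertificateThumbprint', ...)` assertion, would cover the case the option exists for. The placeholder `aad_thumbprint` is not shaped like a certificate thumbprint, and the recording's hunks change only the affected fields, which suggests (not confirmed from this diff) that the cassette was edited by hand rather than re-recorded; if so, the test does not show that the service accepts this input. The test method starts and ends outside these hunks.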