diff --git a/src/azure-cli/azure/cli/command_modules/role/_help.py b/src/azure-cli/azure/cli/command_modules/role/_help.py index ef5fe871aa1..f4c6cedac30 100644 --- a/src/azure-cli/azure/cli/command_modules/role/_help.py +++ b/src/azure-cli/azure/cli/command_modules/role/_help.py @@ -95,6 +95,10 @@ helps['ad app credential reset'] = """ type: command short-summary: Append or overwrite an application's password or certificate credentials +long-summary: >- + The output includes credentials that you must protect. Be sure that you do not include these credentials + in your code or check the credentials into your source control. As an alternative, consider using + [managed identities](https://aka.ms/azadsp-managed-identities) if available to avoid the need to use credentials. examples: - name: Append a certificate to the application with the certificate string. text: az ad app credential reset --id 00000000-0000-0000-0000-000000000000 --cert "MIICoT..." --append @@ -370,6 +374,10 @@ helps['ad sp create-for-rbac'] = """ type: command short-summary: Create a service principal and configure its access to Azure resources. +long-summary: >- + The output includes credentials that you must protect. Be sure that you do not include these credentials + in your code or check the credentials into your source control. As an alternative, consider using + [managed identities](https://aka.ms/azadsp-managed-identities) if available to avoid the need to use credentials. parameters: - name: --name -n short-summary: A URI to use as the logic name. It doesn't need to exist. If not present, CLI will generate one. 
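Review bot: The Markdown link `[managed identities](https://aka.ms/azadsp-managed-identities)` in the new `long-summary` for `ad app credential reset` will most likely be printed verbatim in a terminal `--help`, where help text is shown as plain text. Writing it as `managed identities (https://aka.ms/azadsp-managed-identities)` reads cleanly both in the terminal and in rendered docs. The same paragraph is repeated in the `ad sp create-for-rbac` and `ad sp credential reset` hunks, so the same applies there. The help text also diverges from the runtime `CREDENTIAL_WARNING_MESSAGE` added in custom.py, which points to https://aka.ms/azadsp-cli and does not mention managed identities; consider aligning the two so `--help` and the command output give the same guidance.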
@@ -441,7 +449,13 @@ helps['ad sp credential reset'] = """ type: command short-summary: Reset a service principal credential. -long-summary: Use upon expiration of the service principal's credentials, or in the event that login credentials are lost. +long-summary: >- + Use upon expiration of the service principal's credentials, or in the event that login credentials are lost. + + + The output includes credentials that you must protect. Be sure that you do not include these credentials + in your code or check the credentials into your source control. As an alternative, consider using + [managed identities](https://aka.ms/azadsp-managed-identities) if available to avoid the need to use credentials. parameters: - name: --name -n short-summary: Name or app ID of the service principal. diff --git a/src/azure-cli/azure/cli/command_modules/role/custom.py b/src/azure-cli/azure/cli/command_modules/role/custom.py index 913d73658a0..45c318ab68f 100644 --- a/src/azure-cli/azure/cli/command_modules/role/custom.py +++ b/src/azure-cli/azure/cli/command_modules/role/custom.py @@ -35,6 +35,10 @@ from ._client_factory import _auth_client_factory, _graph_client_factory from ._multi_api_adaptor import MultiAPIAdaptor +CREDENTIAL_WARNING_MESSAGE = ( + "The output includes credentials that you must protect. Be sure that you do not include these credentials in " + "your code or check the credentials into your source control. For more information, see https://aka.ms/azadsp-cli") + logger = get_logger(__name__) # pylint: disable=too-many-lines @@ -1523,6 +1527,8 @@ def create_service_principal_for_rbac( "Please copy %s to a safe place. When you run 'az login', provide the file path in the --password argument", cert_file) result['fileWithCertAndPrivateKey'] = cert_file + + logger.warning(CREDENTIAL_WARNING_MESSAGE) return result 
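Review bot: `logger.warning(CREDENTIAL_WARNING_MESSAGE)` in `create_service_principal_for_rbac` appears to sit outside the certificate branch and run on every call, so it would also fire when the result carries no secret, such as when the caller supplies an existing public certificate. The rest of the function body is outside the hunk, so this is inferred. A warning that is always printed is easy to tune out; consider guarding it, e.g. `if result.get('password') or result.get('fileWithCertAndPrivateKey'):`, assuming the secret is returned under a `password` key, which the hunk does not show. The same unconditional call is added before `return result` in `reset_service_principal_credential`. No hunk adds the warning to the code path behind `ad app credential reset`, although its help text now says the output includes credentials; if that command is implemented by a different function, it should log the same message.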
@@ -1771,6 +1777,8 @@ def reset_service_principal_credential(cmd, name, password=None, create_cert=Fal } if cert_file: result['fileWithCertAndPrivateKey'] = cert_file + + logger.warning(CREDENTIAL_WARNING_MESSAGE) return result