diff --git a/src/azure-cli-core/azure/cli/core/tests/test_profile.py b/src/azure-cli-core/azure/cli/core/tests/test_profile.py
index 61402e7fe53..00ec7c2533a 100644
--- a/src/azure-cli-core/azure/cli/core/tests/test_profile.py
+++ b/src/azure-cli-core/azure/cli/core/tests/test_profile.py
@@ -654,6 +654,34 @@ def test_get_raw_token(self, mock_get_token, mock_read_cred_file):
 self.assertEqual(sub, '1')
 self.assertEqual(tenant, self.tenant_id)
 
+ @mock.patch('azure.cli.core._profile._load_tokens_from_file', autospec=True)
+ @mock.patch('azure.cli.core._profile.CredsCache.retrieve_token_for_service_principal', autospec=True)
+ def test_get_raw_token_for_sp(self, mock_get_token, mock_read_cred_file):
+ cli = DummyCli()
+ some_token_type = 'Bearer'
+ mock_read_cred_file.return_value = [TestProfile.token_entry1]
+ mock_get_token.return_value = (some_token_type, TestProfile.raw_token1,
+ TestProfile.token_entry1)
+ # setup
+ storage_mock = {'subscriptions': None}
+ profile = Profile(cli_ctx=cli, storage=storage_mock, use_global_creds_cache=False, async_persist=False)
+ consolidated = profile._normalize_properties('sp1',
+ [self.subscription1],
+ True)
+ profile._set_subscriptions(consolidated)
+ # action
+ creds, sub, tenant = profile.get_raw_token(resource='https://foo')
+
+ # verify
+ self.assertEqual(creds[0], self.token_entry1['tokenType'])
+ self.assertEqual(creds[1], self.raw_token1)
+ # the last in the tuple is the whole token entry which has several fields
+ self.assertEqual(creds[2]['expiresOn'], self.token_entry1['expiresOn'])
+ mock_get_token.assert_called_once_with(mock.ANY, 'sp1', 'https://foo', self.tenant_id)
+ self.assertEqual(mock_get_token.call_count, 1)
+ self.assertEqual(sub, '1')
+ self.assertEqual(tenant, self.tenant_id)
+
 @mock.patch('azure.cli.core._profile._load_tokens_from_file', autospec=True)
 @mock.patch('msrestazure.azure_active_directory.MSIAuthentication', autospec=True)
 def test_get_raw_token_msi_system_assigned(self, mock_msi_auth, mock_read_cred_file):
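Review bot: In `test_get_raw_token_for_sp` the token-type assertion compares `creds[0]` with `self.token_entry1['tokenType']` although the mock was primed with the local `some_token_type`, so the check passes only while the fixture (defined outside this hunk) happens to hold the same value. Comparing against what the mock actually returns keeps the test self-contained: `self.assertEqual(creds[0], some_token_type)`. The following `self.assertEqual(mock_get_token.call_count, 1)` repeats what `assert_called_once_with` already guarantees and can be dropped.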
@@ -1392,6 +1420,26 @@ def test_credscache_add_preexisting_sp_new_secret(self, _, mock_open_for_write,
 self.assertEqual(creds_cache._service_principal_creds, [new_creds])
 self.assertTrue(mock_open_for_write.called)
 
+ @mock.patch('azure.cli.core._profile._load_tokens_from_file', autospec=True)
+ @mock.patch('os.fdopen', autospec=True)
+ @mock.patch('os.open', autospec=True)
+ def test_credscache_match_service_principal_correctly(self, _, mock_open_for_write, mock_read_file):
+ cli = DummyCli()
+ test_sp = {
+ "servicePrincipalId": "myapp",
+ "servicePrincipalTenant": "mytenant",
+ "accessToken": "Secret"
+ }
+ mock_open_for_write.return_value = FileHandleStub()
+ mock_read_file.return_value = [test_sp]
+ factory = mock.MagicMock()
+ factory.side_effect = ValueError('SP was found')
+ creds_cache = CredsCache(cli, factory, async_persist=False)
+
+ # action and verify(we plant an exception to throw after the SP was found; so if the exception is thrown,
+ # we know the matching did go through)
+ self.assertRaises(ValueError, creds_cache.retrieve_token_for_service_principal, 'myapp', 'resource1', 'mytenant', False)
+
 @mock.patch('azure.cli.core._profile._load_tokens_from_file', autospec=True)
 @mock.patch('os.fdopen', autospec=True)
 @mock.patch('os.open', autospec=True)
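Review bot: `test_credscache_match_service_principal_correctly` exercises only the matching case, so it would still pass if the lookup ignored `servicePrincipalTenant` and matched on `servicePrincipalId` alone. If the tenant is meant to be part of the match (the lookup itself is outside this diff), a companion case that calls with a different tenant on a fresh `CredsCache` and ends with `factory.assert_not_called()` would pin that down, so a secret cached for one tenant is not used for another. Separately, the planted `ValueError` is a generic type: any `ValueError` raised before the factory runs also satisfies `assertRaises`, so adding `self.assertTrue(factory.called)` after it would make the "SP was found" claim explicit.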