To access an Azure Databricks resource with the Databricks CLI or REST APIs, clients must authenticate using an Azure Databricks account with the required authorization to access the resource. To securely run a Databricks CLI command or call a Databricks API request that requires authorized access to an account or workspace, you must provide an access token based on valid Azure Databricks account credentials. This article covers the authentication options for providing those credentials and authorizing access to an Azure Databricks workspace or account.
The following table shows the authentication methods available to your Azure Databricks account.
Because Azure Databricks tools and SDKs work with one or more supported Azure Databricks authentication methods, you can select the best authentication method for your use case. For details, see the tool or SDK documentation in Developer tools.
Method | Description | Use case |
---|---|---|
OAuth for service principals (OAuth M2M) | Short-lived OAuth tokens for service principals. | Unattended authentication scenarios, such as fully automated and CI/CD workflows. |
OAuth for users (OAuth U2M) | Short-lived OAuth tokens for users. | Attended authentication scenarios, where you use your web browser to authenticate with Azure Databricks in real time, when prompted. |
Personal access tokens (PAT) | Short-lived or long-lived tokens for users or service principals. | Scenarios where your target tool does not support OAuth. |
Azure managed identities authentication | Microsoft Entra ID tokens for Azure managed identities. | Use only with Azure resources that support managed identities, such as Azure virtual machines. |
Microsoft Entra ID service principal authentication | Microsoft Entra ID tokens for Microsoft Entra ID service principals. | Use only with Azure resources that support Microsoft Entra ID tokens and do not support managed identities, such as Azure DevOps. |
Azure CLI authentication | Microsoft Entra ID tokens for users or Microsoft Entra ID service principals. | Use to authenticate access to Azure resources and Azure Databricks using the Azure CLI. |
Microsoft Entra ID user authentication | Microsoft Entra ID tokens for users. | Use only with Azure resources that only support Microsoft Entra ID tokens. Databricks does not recommend that you create Microsoft Entra ID tokens for Azure Databricks users manually. |
You have two options to authenticate a Databricks CLI command or API call for access to your Azure Databricks resources:
For more details on using an MS Entra service principal to access Databricks resources, see MS Entra service principal authentication.
You must also have an access token linked to the identity you will use to call the Databricks API. This token can be either an OAuth 2.0 access token or a personal access token (PAT). Azure Databricks strongly recommends OAuth over PATs for authorization: OAuth access tokens are short-lived and are refreshed automatically by the tools and SDKs, so you never manage the token string directly, which limits the window in which a stolen token is useful and reduces the chance of unwanted access. Because OAuth creates and manages the access token for you, you provide an OAuth token endpoint URL, a client ID, and a client secret that you generate from your Azure Databricks workspace, instead of providing a token string yourself. PATs, by contrast, are long-lived bearer credentials: if they are not regularly audited, rotated, or revoked, or if the token strings are not stored securely in your development environment, a leaked PAT remains usable by whoever holds it until it expires or is revoked.
Azure Databricks provides unified client authentication to assist you with authentication by using a default set of environment variables you can set to specific credential values. This helps you work more easily and securely since these environment variables are specific to the environment that will be running the Azure Databricks CLI commands or calling Azure Databricks APIs.
These environment variables are:
DATABRICKS_HOST
: The URL of either your Azure Databricks account console (https://accounts.azuredatabricks.net) or your Azure Databricks workspace (https://adb-{workspace-id}.{random-number}.azuredatabricks.net). Choose the host URL based on the type of operations your code performs: for account-level CLI commands or REST API requests, set this variable to your Azure Databricks account console URL; for workspace-level CLI commands or REST API requests, use your Azure Databricks workspace URL.

DATABRICKS_ACCOUNT_ID
: Used for Azure Databricks account operations. This is your Azure Databricks account ID. To get it, see Locate your account ID.

DATABRICKS_CLIENT_ID
: (M2M OAuth only) The client ID you were assigned when creating your service principal.

DATABRICKS_CLIENT_SECRET
: (M2M OAuth only) The client secret you generated when creating your service principal.

You can set these directly, or through a Databricks configuration profile (.databrickscfg) on your client machine.
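The following is an added example, not code from the Azure Databricks documentation or from the Databricks CLI/SDKs, showing the mechanics that unified client authentication hides from you: the variables above are resolved with environment values taking precedence over a .databrickscfg profile, the OAuth M2M client-credentials request is built against the workspace or account token endpoint, and the resulting access token is cached and silently re-requested shortly before it expires. The token endpoint paths (/oidc/v1/token and /oidc/accounts/{account-id}/v1/token) and the all-apis scope follow the documented M2M flow; the host, client ID, secrets and the fake_fetch endpoint are constructed placeholders so the code runs offline.

```python
"""Added example (not from the Azure Databricks docs): resolve unified-auth
settings (env vars win over a .databrickscfg profile) and mint short-lived
OAuth M2M tokens with automatic refresh. Endpoint paths and the "all-apis"
scope follow the published M2M flow; hosts, IDs and secrets are placeholders."""
import base64, configparser, json, time
import urllib.parse, urllib.request
from dataclasses import dataclass
from typing import Callable, Optional

ACCOUNT_HOST = "https://accounts.azuredatabricks.net"


def load_profile(cfg_text: str, profile: str = "DEFAULT") -> dict:
    """Parse .databrickscfg (INI syntax); default_section is renamed so that
    [DEFAULT] is read as an ordinary profile instead of configparser's defaults."""
    parser = configparser.ConfigParser(default_section="__none__")
    parser.read_string(cfg_text)
    return dict(parser[profile]) if parser.has_section(profile) else {}


@dataclass(frozen=True)
class M2MConfig:
    host: str
    client_id: str
    client_secret: str
    account_id: Optional[str] = None


def resolve_config(env: dict, cfg_text: str = "", profile: str = "DEFAULT") -> M2MConfig:
    """Environment variables take precedence over the profile file."""
    prof = load_profile(cfg_text, profile) if cfg_text else {}
    pick = lambda env_key, cfg_key: env.get(env_key) or prof.get(cfg_key)
    host, cid, secret = (pick("DATABRICKS_HOST", "host"), pick("DATABRICKS_CLIENT_ID", "client_id"),
                         pick("DATABRICKS_CLIENT_SECRET", "client_secret"))
    if not (host and cid and secret):
        raise ValueError("OAuth M2M needs DATABRICKS_HOST, DATABRICKS_CLIENT_ID and DATABRICKS_CLIENT_SECRET")
    return M2MConfig(host.rstrip("/"), cid, secret, pick("DATABRICKS_ACCOUNT_ID", "account_id"))


def token_endpoint(cfg: M2MConfig) -> str:
    """Account-level calls use the accounts host and need the account ID;
    workspace-level calls use the workspace host."""
    if cfg.host == ACCOUNT_HOST:
        if not cfg.account_id:
            raise ValueError("DATABRICKS_ACCOUNT_ID is required for account-level OAuth")
        return f"{cfg.host}/oidc/accounts/{cfg.account_id}/v1/token"
    return f"{cfg.host}/oidc/v1/token"


def build_token_request(cfg: M2MConfig) -> urllib.request.Request:
    """Client-credentials grant. The ID and secret travel in HTTP Basic auth,
    so the secret never lands in a URL or a proxy access log."""
    basic = base64.b64encode(f"{cfg.client_id}:{cfg.client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": "all-apis"}).encode()
    return urllib.request.Request(token_endpoint(cfg), data=body, method="POST",
                                  headers={"Authorization": f"Basic {basic}",
                                           "Content-Type": "application/x-www-form-urlencoded"})


class M2MTokenSource:
    """Caches the access token and requests a new one shortly before expiry:
    the automatic refresh the page credits OAuth with. `fetch` is injectable
    so the flow can be exercised without a live endpoint."""

    def __init__(self, cfg: M2MConfig, fetch: Optional[Callable] = None,
                 clock: Callable[[], float] = time.time, skew: float = 60.0):
        self.cfg, self.clock, self.skew = cfg, clock, skew
        self.fetch = fetch or self._http_fetch  # fetch(Request) -> parsed JSON dict
        self._token, self._expires_at, self.token_requests = None, 0.0, 0

    @staticmethod
    def _http_fetch(req: urllib.request.Request) -> dict:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)

    def token(self) -> str:
        """Bearer token for the Authorization header; callers never store it themselves."""
        if self._token is None or self.clock() >= self._expires_at - self.skew:
            resp = self.fetch(build_token_request(self.cfg))
            self._token = resp["access_token"]
            self._expires_at = self.clock() + float(resp["expires_in"])
            self.token_requests += 1
        return self._token


# Constructed sample profile and fake token endpoint so the example runs offline.
SAMPLE_CFG = """[DEFAULT]
host = https://adb-1234567890123456.7.azuredatabricks.net
client_id = 00000000-0000-0000-0000-000000000000
client_secret = secret-from-file
"""


def fake_fetch(req: urllib.request.Request) -> dict:
    assert req.get_header("Authorization", "").startswith("Basic ")
    return {"access_token": "constructed-token", "token_type": "Bearer", "expires_in": 3600}


def demo() -> tuple:
    """Env secret overrides the file; one refresh happens once the token nears expiry."""
    cfg = resolve_config({"DATABRICKS_CLIENT_SECRET": "secret-from-env"}, SAMPLE_CFG)
    now = [1_000_000.0]
    src = M2MTokenSource(cfg, fetch=fake_fetch, clock=lambda: now[0])
    src.token(); now[0] += 1800   # 30 min left: served from cache
    src.token(); now[0] += 1800   # now within the 60 s skew window
    src.token()                   # triggers a second token request
    return cfg, src.token_requests
```

Run demo() to see the precedence and refresh behaviour; with a real service principal you would drop fake_fetch so that M2MTokenSource posts to the live endpoint, and pass src.token() in a Bearer Authorization header on each REST call. Setting DATABRICKS_HOST to the account console URL switches token_endpoint to the account-level path, and the code refuses to proceed without DATABRICKS_ACCOUNT_ID rather than sending a request that would fail.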
To use an OAuth access token, your Azure Databricks workspace or account administrator must have granted your user account or service principal the CAN USE privilege for the account and workspace features your code will access.
For more details on configuring OAuth authorization for your client and to review cloud provider-specific authorization options, see Unified client authentication.
If you are writing code that accesses third-party services, tools, or SDKs, you must use the authentication and authorization mechanisms provided by that third party. However, if you must grant a third-party tool, SDK, or service access to your Azure Databricks account or workspace resources, Databricks provides the following support:
Databricks Terraform Provider: This tool can access Azure Databricks APIs from Terraform on your behalf, using your Azure Databricks user account. For more details, see Provision a service principal by using Terraform.
Git providers such as GitHub, GitLab, and Bitbucket can access Azure Databricks APIs using a Databricks service principal. For more details, see Service principals for CI/CD.
Jenkins can access Azure Databricks APIs using a Databricks service principal. For more details, see CI/CD with Jenkins on Azure Databricks.
Azure DevOps can access Azure Databricks APIs using an MS Entra service principal and ID. For more details, see Authenticate with Azure DevOps on Databricks.
An Azure Databricks configuration profile contains settings and other information that Azure Databricks needs to authenticate. Azure Databricks configuration profiles are stored in local client files for your tools, SDKs, scripts, and apps to use. The standard configuration profile file is named .databrickscfg. For more information, see Azure Databricks configuration profiles.