401 Unauthorized When Remounting ADLS/Blob Storage in Azure Databricks with Valid Service Principal

Question

401 Unauthorized When Remounting ADLS/Blob Storage in Azure Databricks with Valid Service Principal

Ndjamen, P0462JN (601-ITC-Herden GmbH) 0

Hello,

I recently generated a new client secret for our App Registration, as the previous one had expired. I then updated our Databricks Secret Scope using the following command:

databricks secrets put --scope <secret-scope> --key <secret-key> --string-value <new secret value>

As documented in Microsoft Learn – Mounting cloud object storage on Azure Databricks, I unmounted the existing mount point that was using the old secret and attempted to remount it using the updated credentials.

However, I am now encountering a 401 Unauthorized error when remounting.

Error Details:

AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID.

What I’ve Already Tried:

Verified that the correct client ID, client secret value (not the secret ID), and tenant ID are being used.

Confirmed the credentials are valid by successfully authenticating via the Azure CLI and also via POST-Request to get a Token.

Regenerated the client secret to ensure it is active and not expired.

Double-checked the syntax and parameters of the mount command.

Restarted the Databricks cluster to clear any potential caching issues.
Even when hardcoding the secrets in the notebook, the error persist like the mount-Function use another secret.

Despite these steps, the issue persists.

Could someone please help identify why Databricks still returns a 401 Unauthorized error, even though authentication with the same Service Principal and secret works correctly outside of Databricks?

Thanks in advance for any guidance.

Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Krupal Bandari 770 Reputation points Microsoft External Staff Moderator

2025-06-25T01:09:45.39+00:00

Hi@Ndjamen, P0462JN (601-ITC-Herden GmbH) We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.

2 answers

Your answer

Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Krupal Bandari 770 Reputation points Microsoft External Staff Moderator

2025-06-25T01:09:45.39+00:00

Hi@Ndjamen, P0462JN (601-ITC-Herden GmbH) We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.

Answer 1

Krupal Bandari 770 Microsoft External Staff Moderator

Hi @Ndjamen, P0462JN (601-ITC-Herden GmbH)
Thanks for your patience. Yes, the following two links are highly relevant and helpful for your issue:

Microsoft Q&A – How do I mitigate AADSTS7000215:
https://learn.microsoft.com/en-us/answers/questions/1000888/how-do-i-mitigate-aadsts7000215-invalid-client-sec
This explains the root cause and confirms that using the client secret value (not the ID) is key.
Stack Overflow – Rare AADSTS7000215 error from Microsoft: https://stackoverflow.com/questions/62424076/rare-aadsts7000215-error-from-microsoft-invalid-client-secret-is-provided
This highlights that in rare cases, a full service principal credential reset is needed to resolve lingering authentication issues.

If this is helpful, please click Accept Answer and kindly upvote it so that other people who faces similar issue may get benefitted from it.

Let me know if you have any further Queries.

Ndjamen, P0462JN (601-ITC-Herden GmbH) 0 Reputation points

2025-06-26T05:50:01.6966667+00:00

Hello @Krupal Bandari
thanks for your propositions but i went through all these steps, but it still did not solve the problem.
A ticket has been open on Azure Portal and the Support Team is investigating on it. When i get a solution from them, i will share with the community. But from what they told me, it is probably a Databricks Issue.
Krupal Bandari 770 Reputation points Microsoft External Staff Moderator

2025-06-26T06:48:46.13+00:00

Hi@Ndjamen, P0462JN (601-ITC-Herden GmbH)
Thanks a lot for the update and I really appreciate you going through all the suggested steps.

It’s helpful to know that you’ve already opened a support ticket through the Azure Portal and that the issue may be on the Databricks side. You're absolutely right if the secret is valid and works outside of Databricks, but still fails during the mount process, there could be something deeper happening under the hood (like credential caching, workspace-level scope sync, or internal token handling).

Please do share the outcome once the support team provides a resolution it will be incredibly valuable for others in the community facing similar 401/AADSTS7000215 issues.

Answer 2

Ndjamen, P0462JN (601-ITC-Herden GmbH) 0

I have good news—The problem has been solved.

The issue was caused by leftover mount points from other storage accounts. Even though we where working with a different storage account, it seems that Databricks was somehow using secrets from the existing mount points (probably because it was mounted with the same service principal).
To fix it, I unmounted all the mount points from every storage account. When remounting them again, everything worked fine.

Share via

401 Unauthorized When Remounting ADLS/Blob Storage in Azure Databricks with Valid Service Principal

2 answers

Your answer