Error creating service credentials from Access Connector in Azure Databricks

Question

Error creating service credentials from Access Connector in Azure Databricks

Darshan Jain 25

I set up an Access Connector for Azure Databricks and granted it Blob Contributor access on the target storage account. Since service credentials are required, I tried creating them using this Access Connector (managed identity). However, I keep getting the following error:

Missing validation token for service principal. Please provide a valid ARM-scoped Entra ID token in the 'X-Databricks-Azure-SP-Management-Token' request header and retry. For details, check https://docs.databricks.com/api/workspace/storagecredentials

I’ve been stuck on this issue for the past three days and haven’t been able to resolve it. Has anyone encountered this before or knows what I might be missing?

Happy to share more details if needed. Thanks in advance for your help! Screenshot 2025-09-14 010026

Darshan Jain 25 Reputation points

2025-09-19T14:48:46.55+00:00

Hi @Abhisek Mishra
Thank you for checking and responding. I’ve followed the same steps you mentioned, as shown in the screenshots and details I shared earlier. Could you confirm whether you reproduced this issue using a new account or an existing one?

I created a new Azure account about a week ago and have been testing since then. Could this be related to using a new account, or is there anything else I should check to identify the root cause? I’ve already tried all the steps you suggested.
Abhisek Mishra 1,020 Reputation points Microsoft External Staff Moderator

2025-09-19T16:58:13.96+00:00

Hi Darshan Jain,

The resources I used are close to two weeks old.
Abhisek Mishra 1,020 Reputation points Microsoft External Staff Moderator

2025-09-23T12:10:51.5466667+00:00
Hi Darshan Jain,

This has nothing to do with the age of the account (being a week old). I went ahead and created the credentials with new resources again today.
Request you to recheck the steps, accesses and follow the instructions from the below Microsoft learn links.

Azure managed identities

You can learn more about external locations by following the below learn link: External Locations

If you still have questions, please let us know what is needed in the comments so the question can be answered.
Abhisek Mishra 1,020 Reputation points Microsoft External Staff Moderator

2025-09-24T06:34:10.2766667+00:00

Hi Darshan Jain,

I hope you had a chance to review the information shared earlier, and I hope this information has been helpful! If you still have questions, please let us know what is needed in the comments so the question can be answered.
Abhisek Mishra 1,020 Reputation points Microsoft External Staff Moderator

2025-09-25T04:10:56.66+00:00

Hi Darshan Jain,

We haven't heard back from you. Please reply if you have any questions in this matter and we will gladly continue the discussion.
Sandeep Joshi 0 Reputation points

2025-11-29T14:14:34.2433333+00:00

I am facing similar issue. Did anyone got the solution ?? I have already assigned 'Storage Blob Data Contributor' Role to my Storage account
Pankaj Kaushik 0 Reputation points

2025-11-29T15:47:15.02+00:00

Go to user and copy the principle user name after that logout and relogging using the principle user name then you will not face this issue.

Answer accepted by question author

3 additional answers

Your answer

Darshan Jain 25 Reputation points

2025-09-19T14:48:46.55+00:00

Hi @Abhisek Mishra
Thank you for checking and responding. I’ve followed the same steps you mentioned, as shown in the screenshots and details I shared earlier. Could you confirm whether you reproduced this issue using a new account or an existing one?

I created a new Azure account about a week ago and have been testing since then. Could this be related to using a new account, or is there anything else I should check to identify the root cause? I’ve already tried all the steps you suggested.
Abhisek Mishra 1,020 Reputation points Microsoft External Staff Moderator

2025-09-19T16:58:13.96+00:00

Hi Darshan Jain,

The resources I used are close to two weeks old.
Abhisek Mishra 1,020 Reputation points Microsoft External Staff Moderator

2025-09-23T12:10:51.5466667+00:00

Hi Darshan Jain,

This has nothing to do with the age of the account (being a week old). I went ahead and created the credentials with new resources again today.
Request you to recheck the steps, accesses and follow the instructions from the below Microsoft learn links.

Azure managed identities

You can learn more about external locations by following the below learn link: External Locations

If you still have questions, please let us know what is needed in the comments so the question can be answered.
Abhisek Mishra 1,020 Reputation points Microsoft External Staff Moderator

2025-09-24T06:34:10.2766667+00:00

Hi Darshan Jain,

I hope you had a chance to review the information shared earlier, and I hope this information has been helpful! If you still have questions, please let us know what is needed in the comments so the question can be answered.
Abhisek Mishra 1,020 Reputation points Microsoft External Staff Moderator

2025-09-25T04:10:56.66+00:00

Hi Darshan Jain,

We haven't heard back from you. Please reply if you have any questions in this matter and we will gladly continue the discussion.
Sandeep Joshi 0 Reputation points

2025-11-29T14:14:34.2433333+00:00

I am facing similar issue. Did anyone got the solution ?? I have already assigned 'Storage Blob Data Contributor' Role to my Storage account
Pankaj Kaushik 0 Reputation points

2025-11-29T15:47:15.02+00:00

Go to user and copy the principle user name after that logout and relogging using the principle user name then you will not face this issue.

Answer 1

RJ Aragon 100

Error: Missing validation token for service principal. Please provide a valid ARM-scoped Entra ID token in the 'X-Databricks-Azure-SP-Management-Token' request header and retry. For details, check https://docs.databricks.com/api/workspace/storagecredentials

Hi!

I hit this for a week and finally got it working. Sharing what fixed it for me.

If your Azure user shows #EXT# in the User Principal Name (UPN), you’re on a guest account. Databricks doesn’t like that for external credentials.

What I did

Open the Azure portal → search Microsoft Entra ID.
Go to Users → open your account.
In Properties, check User principal name.
- If it has #EXT#, that’s the problem.
Switch to the tenant that owns your resources (not the guest one), or use a non-guest user for that tenant.
Go back to Databricks and try creating the External Credential again under the correct directory/tenant.
If it still won’t cooperate sign in at https://accounts.azuredatabricks.net/login using the correct tenant, then retry the steps you did before getting this error.

Once you’ve done this, you should be able to move on with the next steps.

If this fix helped, comment so others can find it. Happy learning!

Darshan Jain 25 Reputation points

2025-09-26T06:12:28.0333333+00:00

Thank you so much @RJ Aragon. It worked for me now.
Anonymous

2025-09-26T11:35:18.1566667+00:00

Hi , I am facing the same issue with the same error , cloud you please help me here, in 4th step of solution what do I need to do exactly ? create a new user in Microsoft infra id with global admin role, and then now I need to login to my workspace with that new user and then try to create storage credential ??
Arjun Dataengineering 0 Reputation points

2025-11-18T21:12:42.8733333+00:00

@Darshan Jain can you please let me know how you solved it? Can you please explain the 4th point?
pankaj kaushik 0 Reputation points

2025-11-27T16:06:13.54+00:00

I was struggling with same issue from last few days finally its resolved. to resolve this issue login with your principle user name ( you can get this from user tab on portal) and perform the same steps to create credential then error will not come.
Soham Santosh Nimbalkar 0 Reputation points

2025-11-28T12:52:36.56+00:00

I created a new user in Microsoft Entra ID and assigned it the Global Administrator role. Then, I signed in using this account across all platforms—Azure Portal, Databricks, and the console. Everything is now working as expected.

Thank you!!

Answer 2

Sina Salam 26,661 Volunteer Moderator

Hello Darshan Jain,

Welcome to the Microsoft Q&A and thank you for posting your questions here.

I understand that you are having error creating service credentials from Access Connector in Azure Databricks.

The error occurs because Databricks requires two tokens when creating service/storage credentials with an Access Connector: a Databricks API token (Authorization: Bearer) and an ARM-scoped Entra ID token (X-Databricks-Azure-SP-Management-Token) obtained for the scope https://management.azure.com/.default. If you’re using the UI, Databricks handles this automatically once the Access Connector’s managed identity has Storage Blob Data Contributor on the storage account; if automating API/Terraform, you must explicitly fetch the ARM token via a service principal OAuth flow or IMDS for managed identities, then include it with the Databricks call as shown in the Databricks storage credentials API docs.

I hope this is helpful! Do not hesitate to let me know if you have any other questions or clarifications.

Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.

Darshan Jain 25 Reputation points

2025-09-17T03:54:41.37+00:00

Hi @Sina Salam ,
Thank you for your response. I’ve already assigned the Storage Blob Data Contributor role to this access connector on the storage account, but I’m still facing the same issue.

Please let me know if you need any more details. Thank you for your help.
Darshan Jain 25 Reputation points

2025-09-17T13:13:51.1166667+00:00

Hi @Sina Salam , Thank you for your response. I’ve already assigned the Storage Blob Data Contributor role to this access connector on the storage account, but I’m still facing the same issue.

Please let me know if you need any more details. Thank you for your help.
Sina Salam 26,661 Reputation points Volunteer Moderator

2025-09-17T15:06:54.7866667+00:00

Hello Darshan Jain,

Thanks for your feedback.

This is not the issue of Storage Blob Data Contributor role, read the answer carefully and use the associated links.

Success
Nagarjun D E 0 Reputation points

2025-09-19T04:21:54.85+00:00

@Sina Salam Thanks for your answer, but as you have clearly mentioned, 2 tokens are not required if you are trying to connect Databricks with ADLS via UI. You have said that UI will automatically take care of it if we have assigned the Data Contributor role to the access connector, right? I am using the UI to create the credentials in Databricks but still facing the same issue.

@Darshan Jain I am also facing the same issue now. Did you manage to solve? if yes, can you please let me know how?
Darshan Jain 25 Reputation points

2025-09-19T06:47:33.1566667+00:00

@Nagarjun D E I tried creating a new subscription and setting up a new workspace, but the error persists. I haven’t found any solution anywhere yet; it might be a new bug. Please share an update here if you manage to find a solution, and I’ll do the same if I come across anything.
Nagarjun D E 0 Reputation points

2025-09-19T14:27:29.8633333+00:00

@darshan jain Sure I'll do that. Even I tried deleting my entire resource group and tried from scratch, but it's still the same thing. But my friend is able to connect successfully to Databricks using the same method from his Azure account. Not sure how !!
Darshan Jain 25 Reputation points

2025-09-19T14:53:02.26+00:00

@Nagarjun D E, Did you create the Azure account recently? I suspect this could be an issue with the new account.
Nagarjun D E 0 Reputation points

2025-09-19T17:02:23.11+00:00

@darshan jain Yes, I created my account recently, but my friend also created the new account just 1 day before me. Yet he was able to connect through Unity catalog
Darshan Jain 25 Reputation points

2025-09-23T07:33:58.17+00:00

Hi @Nagarjun D E, any solution you got?
Pagidi Nitin Kumar Reddy 0 Reputation points

2025-12-03T10:11:03.3166667+00:00

Hi Team,

Can someone help with step by step procedure, facing the same issue and unable to resolve it

Thank you

Answer 3

Hello Darshan Jain,

Welcome to the Microsoft Q&A and thank you for posting your questions here.

I went through all the discussions that happened till now and I understand you want to allow Azure Databricks (via an Access Connector) to securely access a storage account, by creating a credential inside Unity Catalog, using the UI, currently you are stuck at creating the credentials.

I reproduced your problem and was able to create the credentials.

So, I am not going to talk about access, I think you already have that sorted. However, still mentioning the accesses that I used.

My Storage Account has a managed identity role assignment for the Access Connector which has a role of Storage Blob Data Contributor access.
Note: I am the owner of my subscription.

Choose the Unity Catalog Metastore.

In the top-left dropdown, make sure you're in the Unity Catalog metastore (not Hive or legacy catalogs) and continue creating the credentials. Here's a snip of the credential that I created. Let us know if you need anything further.

Answer 4

This is the correct solution below, try to follow this
this is the next step of RJ Aragon ans above

When setting up Azure Databricks with Unity Catalog or configuring external storage, you may encounter errors like:

Missing validation token
Or your account appears as:

xyz_gmail.com#EXT#@<tenant>.onmicrosoft.com

This happens because your Microsoft account is treated as a guest user in the tenant created during Azure signup.

Why This Happens

Signing up for Azure with a personal Microsoft account creates a tenant (e.g., xyz.onmicrosoft.com) and adds your account as a guest.
Guest accounts cannot generate ARM tokens for Databricks external storage setup.
You need a native user in the tenant with proper permissions.

Solution (Step-by-Step)

Step 1: Create a Native User

Go to Azure Portal → Microsoft Entra ID → Users → New User.
Fill details:
- Username: ******@xyz.onmicrosoft.com
  - Assign Global Administrator role.
  1. Set a password and save.

Sign out from your Microsoft account.
Sign in using:

******@xyz.onmicrosoft.com

Switch directory to your tenant (Default Directory).

Step 3: Assign Owner Role to New User

Go to Subscriptions → [Your Subscription] → Access Control (IAM).
Click Add → Add role assignment.
Select Owner.
Assign to your new user.
Click Review + assign.

Step 4: Verify

Log in as the new user.
Go to Subscriptions → You should see all your existing resources (Databricks, VNet, Storage, etc.).

Step 5: Retry Databricks Setup

Launch Databricks workspace from Azure Portal.
Create Storage Credential for Unity Catalog using:
- Managed Identity (recommended), or
  - Service Principal (if needed).

After this, the #EXT# issue is gone, and Databricks will accept ARM tokens.

Share via

Error creating service credentials from Access Connector in Azure Databricks

3 additional answers

Why This Happens

Solution (Step-by-Step)

Step 1: Create a Native User

Step 2: Sign in With the Native User

Step 3: Assign Owner Role to New User

Step 4: Verify

Step 5: Retry Databricks Setup

Your answer