Facing below error message when trying to create a storage credential in Databricks

Kiran Akella 0 Reputation points
2025-11-24T04:53:45.22+00:00

error_message

Getting the above message when trying to create a storage credential under Databricks. I am not sure how to proceed, please assist.

Azure Databricks
An Apache Spark-based analytics platform optimized for Azure.

3 answers

  1. PRADEEPCHEEKATLA 91,496 Reputation points Moderator
    2025-11-24T14:32:20.6933333+00:00

    Kiran Akella - Thanks for the question and using MS Q&A platform.

    If your Azure user account shows #EXT# in the User Principal Name (UPN), you’re using a guest account in Microsoft Entra ID. Databricks cannot validate ARM tokens from guest accounts when creating external storage credentials.

    Step 1: Check if you’re a guest user

    • Go to Azure Portal → Microsoft Entra ID → Users → Your Account → Properties.
    • Look at User Principal Name. If it contains #EXT#, you’re on a guest account.

    Step 2: Switch to the correct tenant

    • Use the tenant that owns your Azure resources (not the guest one).
    • Or use a non-guest user for that tenant.

    Step 3: Sign in to Databricks with the right tenant

    Step 4: Retry creating the storage credential

    Now, create the external credential again under the correct directory.

    Hope this helps. Let me know if you have any further questions or need additional assistance. Also, if this answers your query, do click "Upvote" and "Accept the answer", which might be beneficial to other community members reading this thread.



  2. Pratyush Vashistha 5,045 Reputation points Microsoft External Staff Moderator
    2025-12-02T04:04:06.87+00:00

    Thank you PRADEEPCHEEKATLA for providing a clear and helpful solution to this storage credential issue in Databricks. Your step-by-step guidance on checking guest account status and switching to the correct tenant is spot on.

    I'd like to add a couple of important points that might help others facing this issue. The underlying reason guest accounts (#EXT#) fail during storage credential creation is that Databricks needs to validate Azure Resource Manager (ARM) tokens against the home tenant, which guest accounts cannot properly authenticate against. If you're unable to switch tenants immediately, another option is to have your Azure administrator grant you direct permissions in the resource tenant instead of using guest access.

    Also, when you see error messages mentioning "Invalid ARM token" or "Authentication failed for storage credential," this is typically the root cause. After switching to the correct tenant, you may need to clear your browser cache or use an incognito window to ensure Databricks picks up the new authentication context properly.

    If the issue persists even after following these steps, it might be worth checking with your Azure administrator to ensure the Databricks workspace has the necessary permissions configured at the subscription level.

    If this answers your query, do click "Accept Answer" and "Yes" for "Was this answer helpful". And if you have any further queries, do let us know.

    Thanks

    Pratyush


  3. Kiran Akella 0 Reputation points
    2025-12-04T04:54:47.7766667+00:00

    Looks like a new Azure account root account will now get created with #EXT, and hence we need to create a new user while logged in as the root user. Once done, we need to grant the subscription to the user as well as the Global Administrator role to the user. Granting the subscription was a bit challenging and I finally ended up using the CLI to successfully grant the subscription. Without granting the subscription, this new user will not be able to create any new resources, as it is marked as Reader, and to create a resource this user must be either an Owner or Contributor.

    Once the Global Administrator role as well as the subscription was added, I was able to create the resource successfully.

    CLI command:

    az role assignment create \
      --assignee "<object-id-of-new-user>" \
      --role Owner \
      --scope "/subscriptions/<subscription-id>"

    Example:

    az role assignment create \
      --assignee 3232e3bf-62be-4729-562c5d59dd76 \
      --role Owner \
      --scope /subscriptions/7fe2ead8-090e-4912-d6baf3100b72

    The output of the above command will be in JSON format.

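A pre-flight check that combines the two conditions raised in the answers above (the `#EXT#` guest marker in the UPN, and Reader versus Owner/Contributor at subscription scope), as an added example that is not part of the thread. It assumes JSON shaped like the output of `az ad signed-in-user show` and `az role assignment list --all`; the function names, ids and sample records are constructed for illustration.

```python
import json

# Constructed sample data (not from the thread). Field names follow the JSON
# printed by `az ad signed-in-user show` and `az role assignment list --all`.
SUB = "00000000-0000-0000-0000-000000000000"  # placeholder subscription id
GUEST = {"id": "11111111-1111-1111-1111-111111111111",
         "userPrincipalName": "user_example.com#EXT#@contoso.onmicrosoft.com"}
MEMBER = {"id": "22222222-2222-2222-2222-222222222222",
          "userPrincipalName": "admin@contoso.onmicrosoft.com"}
ASSIGNMENTS = json.loads(f"""[
  {{"principalId": "{GUEST['id']}",  "roleDefinitionName": "Reader",
    "scope": "/subscriptions/{SUB}"}},
  {{"principalId": "{MEMBER['id']}", "roleDefinitionName": "Owner",
    "scope": "/subscriptions/{SUB}"}},
  {{"principalId": "{MEMBER['id']}", "roleDefinitionName": "Contributor",
    "scope": "/subscriptions/{SUB}/resourceGroups/rg-demo"}}
]""")

WRITE_ROLES = {"Owner", "Contributor"}  # roles the thread says can create resources


def is_guest(user):
    """Guest accounts carry the #EXT# marker in their User Principal Name."""
    return "#EXT#" in user.get("userPrincipalName", "")


def roles_at_subscription(user, assignments, sub_id):
    """Roles assigned directly to this user exactly at /subscriptions/<sub_id>.
    Assignments inherited through groups or management groups are not resolved."""
    scope = f"/subscriptions/{sub_id}".lower()
    return sorted({a["roleDefinitionName"] for a in assignments
                   if a["principalId"] == user["id"]
                   and a["scope"].rstrip("/").lower() == scope})


def preflight(user, assignments, sub_id):
    """Return a list of findings; an empty list means these checks saw no issue."""
    findings = []
    if is_guest(user):
        findings.append("guest-upn: sign in with a non-guest user of the resource tenant")
    roles = roles_at_subscription(user, assignments, sub_id)
    if not WRITE_ROLES & set(roles):
        findings.append(f"no-write-role: roles at subscription scope are {roles or ['none']}")
    if "Owner" in roles:
        findings.append("owner-at-subscription: Contributor also allows creating "
                        "resources; review whether Owner is required")
    return findings
```

Owner additionally permits managing role assignments, which is why the last check flags it for review when Contributor would be enough to create the resource.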
