Authenticate using Azure Active Directory tokens

Note

As a security best practice, when authenticating with automated tools, systems, scripts, and apps, Databricks recommends you use access tokens belonging to service principals instead of workspace users. For more information, see Manage service principals.

To authenticate to Databricks REST APIs, you can use Azure Databricks personal access tokens or Azure Active Directory tokens.

This section describes how to get, use, and refresh Azure AD tokens. For Azure Databricks personal access tokens, see Authentication using Azure Databricks personal access tokens.

This section describes three ways to get and use Azure AD access tokens:

  • Use the Azure CLI to get an Azure AD access token for a user.
  • Use the Microsoft Authentication Library (MSAL) instead of the Azure CLI to get an Azure AD access token for a user.
  • Define a service principal in Azure Active Directory and then get an Azure AD access token for that service principal instead of for a user. You configure the service principal so that authentication and authorization policies can be enforced on it in Azure Databricks. Service principals in an Azure Databricks workspace can have different fine-grained access control than regular users (user principals).

Note

MSAL replaces the Azure Active Directory Authentication Library (ADAL). All Microsoft support and development for ADAL, including security fixes, ended on June 30, 2022. See Migrate applications to the Microsoft Authentication Library (MSAL).

In this section: