Authentication for Azure Databricks tools and APIs

When a tool makes an automation or API request, it includes credentials that authenticate an identity with Azure Databricks. This article describes the credentials that Azure Databricks needs to authenticate and authorize requests.

Azure Databricks authentication types

Azure Databricks provides several ways to authenticate Azure Databricks users, service principals, and Azure managed identities. Select the authentication method that works best for your use case. Azure Databricks tools and SDKs work with one or more supported Azure Databricks authentication types. For details, see the tool or SDK documentation in Developer tools and guidance.

| Method | Description | Use case |
| --- | --- | --- |
| OAuth for service principals (OAuth M2M) | Short-lived OAuth tokens for service principals. | Unattended authentication scenarios, such as fully automated and CI/CD workflows. |
| OAuth for users (OAuth U2M) | Short-lived OAuth tokens for users. | Attended authentication scenario, where you use your web browser to authenticate with Databricks in real time, when prompted. |
| Personal access tokens (PAT) | Short-lived or long-lived tokens for users or service principals. | Scenarios where your target tool does not support OAuth. |
| Azure managed identities authentication | Microsoft Entra ID tokens for Azure managed identities. | Use only with Azure resources that support managed identities, such as Azure virtual machines. |
| Microsoft Entra ID service principal authentication | Microsoft Entra ID tokens for Microsoft Entra ID service principals. | Use only with Azure resources that only support Microsoft Entra ID tokens and not managed identities. |
| Azure CLI authentication | Microsoft Entra ID tokens for users or Microsoft Entra ID service principals. | Use to authenticate to Azure resources and Azure Databricks using the Azure CLI. |
| Microsoft Entra ID user authentication | Microsoft Entra ID tokens for users. | Use only with Azure resources that only support Microsoft Entra ID tokens. Databricks does not recommend that you create Microsoft Entra ID tokens for Azure Databricks users manually. |

Databricks client unified authentication

Databricks client unified authentication centralizes setting up and automating authentication to Azure Databricks. It enables you to configure Databricks authentication once and then use that configuration across multiple Databricks tools and SDKs. Expired Azure Databricks OAuth access tokens can be automatically refreshed by Azure Databricks tools and SDKs that use Databricks client unified authentication. See Databricks client unified authentication.

Azure Databricks configuration profiles

An Azure Databricks configuration profile contains settings and other information that Azure Databricks needs to authenticate. Configuration profiles are stored in configuration profile files that your tools, SDKs, scripts, and apps read. For more information, see Azure Databricks configuration profiles.
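
The following is an added example, not code from Azure Databricks or its documentation: a small audit that reads a configuration profiles file, maps each profile to one of the authentication methods in the table above, and reports which profiles keep a static secret in the file. The field names and auth_type values are assumed from Databricks client unified authentication (this page does not list them), and the sample file is constructed with placeholder values.

```python
import configparser

# Constructed sample profiles file; every host, ID and secret is a placeholder.
SAMPLE = """\
[DEFAULT]
host = https://adb-0000000000000000.0.azuredatabricks.net
token = PLACEHOLDER-PAT

[ci]
host = https://adb-0000000000000000.0.azuredatabricks.net
client_id = 00000000-0000-0000-0000-000000000000
client_secret = PLACEHOLDER-SECRET

[vm]
host = https://adb-0000000000000000.0.azuredatabricks.net
azure_use_msi = true

[laptop]
host = https://adb-0000000000000000.0.azuredatabricks.net
auth_type = databricks-cli
"""

# Field names and auth_type values are assumed from Databricks client unified
# authentication; this page does not list them. First matching rule wins.
RULES = [
    ("Azure managed identities", lambda f: f.get("azure_use_msi", "").lower() == "true"),
    ("Microsoft Entra ID service principal", lambda f: "azure_client_secret" in f),
    ("OAuth M2M", lambda f: "client_secret" in f),
    ("PAT", lambda f: "token" in f),
    ("OAuth U2M", lambda f: f.get("auth_type") == "databricks-cli"),
    ("Azure CLI", lambda f: f.get("auth_type") == "azure-cli"),
]
# Fields that hold a secret at rest in the file.
STATIC_SECRETS = ("token", "client_secret", "azure_client_secret")

def audit_profiles(text):
    """Return {profile: (method, [secret fields stored in the file])}."""
    # Assumption: [DEFAULT] is an ordinary profile, so move configparser's
    # inherited default section to a name no profile uses.
    parser = configparser.ConfigParser(default_section="__unused__", interpolation=None)
    parser.read_string(text)
    report = {}
    for name in parser.sections():
        fields = dict(parser[name])
        method = next((m for m, match in RULES if match(fields)), "unknown")
        report[name] = (method, [k for k in STATIC_SECRETS if k in fields])
    return report

if __name__ == "__main__":
    for profile, (method, secrets) in audit_profiles(SAMPLE).items():
        print(f"{profile}: {method}; secrets in file: {', '.join(secrets) or 'none'}")
```

Profiles that report a secret field are the ones to review first for file permissions and rotation, since the table describes PATs as potentially long-lived.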