Get Microsoft Entra ID tokens for Microsoft Entra ID service principals by using the Azure CLI


This article describes how to manually create Microsoft Entra ID tokens for Microsoft Entra ID service principals by using the Azure CLI.

Azure Databricks managed service principals are managed directly within Azure Databricks. Microsoft Entra ID managed service principals are managed in Microsoft Entra ID, which requires additional permissions. Databricks recommends that you use Azure Databricks managed service principals for most use cases. However, Databricks recommends that you use Microsoft Entra ID managed service principals in cases where you must authenticate with Azure Databricks and other Azure resources at the same time.

To create an Azure Databricks managed service principal instead of a Microsoft Entra ID managed service principal, see Manage service principals.

Databricks does not recommend that you create Microsoft Entra ID tokens for Microsoft Entra ID service principals manually. This is because each Microsoft Entra ID token is short-lived, typically expiring within one hour. After this time, you must manually generate a replacement Microsoft Entra ID token. Instead, use one of the participating tools or SDKs that implement the Databricks client unified authentication standard. These tools and SDKs automatically generate and replace expired Microsoft Entra ID tokens for you, leveraging the following Databricks authentication types:

You can use the Azure CLI to get Microsoft Entra ID access tokens for Microsoft Entra ID service principals.

  1. Gather the following information:

    Parameter      Description
    -------------  -------------------------------------------------------------------------------------
    Tenant ID      The Directory (tenant) ID for the related application registered in Microsoft Entra ID.
    Client ID      The Application (client) ID for the related application registered in Microsoft Entra ID.
    Client secret  The Value of the client secret for the related application registered in Microsoft Entra ID.
  2. Get the correct Azure subscription ID for the Microsoft Entra ID service principal, if you do not already know this ID, by doing one of the following:

    • In your Azure Databricks workspace’s top navigation bar, click your username and then click Azure Portal. On the Azure Databricks workspace resource page that appears, click Overview in the sidebar. Then look for the Subscription ID field, which contains the subscription ID.

    • Use the Azure CLI to run the az databricks workspace list command, using the --query and -o or --output options to narrow down the results. Replace <workspace-instance> with the name of your workspace instance, not including the https://. In this example, the 00000000-0000-0000-0000-000000000000 after /subscriptions/ in the output is the subscription ID.

      az databricks workspace list --query "[?workspaceUrl=='<workspace-instance>'].{id:id}" -o tsv
      # /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-rg/providers/Microsoft.Databricks/workspaces/my-ws

      If the following message appears, you are signed in to the wrong tenant: The subscription of '<subscription-id>' doesn't exist in cloud 'AzureCloud'. To sign in to the correct tenant, you must run the az login command again, using the -t or --tenant option to specify the correct tenant ID.

      You can get the tenant ID for an Azure Databricks workspace by running the command curl -v <per-workspace-URL>/aad/auth and looking at the < location: response header in the output; the 00000000-0000-0000-0000-000000000000 segment of that URL is the tenant ID. See also Get subscription and tenant IDs in the Azure portal.

      az login -t <tenant-id>
  3. After you have the correct Azure tenant ID, client ID, client secret, and subscription ID for your Microsoft Entra ID service principal, sign in to Azure by running the az login command with the Azure CLI. Use the --service-principal option and pass the Tenant ID (Directory (tenant) ID), Client ID (Application (client) ID), and Client secret (Value) of the related application registered in Microsoft Entra ID.

    az login \
    --service-principal \
    -t <Tenant-ID> \
    -u <Client-ID> \
    -p <Client-secret>
  4. Confirm that you are signed in to the correct subscription for your signed-in Microsoft Entra ID service principal. To do this, run the az account set command, using the -s or --subscription option to specify the correct subscription ID.

    az account set -s <subscription-id>
  5. Generate the Microsoft Entra ID access token for the signed-in Microsoft Entra ID service principal by running the az account get-access-token command. Use the --resource option to specify the unique resource ID for the Azure Databricks service, which is 2ff814a6-3304-4ab8-85cb-cd0e6f879c1d. You can display just the Microsoft Entra ID token’s value in the output of the command by using the --query and -o or --output options.

    az account get-access-token \
    --resource 2ff814a6-3304-4ab8-85cb-cd0e6f879c1d \
    --query "accessToken" \
    -o tsv
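The five steps above, combined into one script as an added example (this is not code from the Databricks documentation or from the Azure CLI project). It assumes the tenant ID, client ID, client secret and subscription ID are supplied as the environment variables AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET and AZURE_SUBSCRIPTION_ID, so that the secret is never typed as a command-line literal into shell history. Because the token is short-lived, the script also decodes the JWT payload and checks that the aud claim is the Databricks resource ID and that exp is still in the future before the token is handed to anything else; the az calls only run when RUN_AZ=1, otherwise a constructed, unsigned sample token is checked so the logic can be exercised offline.

```shell
#!/bin/sh
# Added example: sign in as a Microsoft Entra ID service principal, fetch a
# Databricks access token, and sanity-check its audience and expiry.
# Requires the Azure CLI only when RUN_AZ=1; everything else is POSIX sh + coreutils.

# Unique resource ID of the Azure Databricks service (from the article).
DATABRICKS_RESOURCE_ID=2ff814a6-3304-4ab8-85cb-cd0e6f879c1d

# base64url encode stdin (no padding, '-' and '_' instead of '+' and '/').
b64url_encode() {
  base64 | tr -d '\n=' | sed 's/+/-/g; s/\//_/g'
}

# base64url decode $1 to stdout, restoring padding first.
b64url_decode() {
  s=$(printf '%s' "$1" | sed 's/-/+/g; s/_/\//g')
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# Print claim $2 from the payload segment of JWT $1 (string or numeric claim).
jwt_claim() {
  payload_seg=$(printf '%s' "$1" | cut -d. -f2)
  b64url_decode "$payload_seg" | sed -n "s/.*\"$2\":\"\{0,1\}\([^\",}]*\).*/\1/p"
}

# Return 0 if aud equals the Databricks resource ID and exp is in the future.
# Return 1 on audience mismatch, 2 if the token has already expired.
check_databricks_token() {
  aud=$(jwt_claim "$1" aud)
  exp=$(jwt_claim "$1" exp)
  now=$(date +%s)
  if [ "$aud" != "$DATABRICKS_RESOURCE_ID" ]; then
    echo "audience mismatch: got '$aud'" >&2
    return 1
  fi
  if [ "${exp:-0}" -le "$now" ]; then
    echo "token expired at $exp (now $now)" >&2
    return 2
  fi
  return 0
}

# Steps 3-5 of the article. Credentials come from the environment (assumed
# variable names); --output none keeps the login details out of the terminal.
get_databricks_token() {
  : "${AZURE_TENANT_ID:?}" "${AZURE_CLIENT_ID:?}" "${AZURE_CLIENT_SECRET:?}" "${AZURE_SUBSCRIPTION_ID:?}"
  az login --service-principal -t "$AZURE_TENANT_ID" -u "$AZURE_CLIENT_ID" -p "$AZURE_CLIENT_SECRET" --output none
  az account set -s "$AZURE_SUBSCRIPTION_ID"
  az account get-access-token --resource "$DATABRICKS_RESOURCE_ID" --query accessToken -o tsv
}

# Constructed, unsigned sample token ($1 = aud, $2 = exp) for offline checks.
# A real token from az is signed by Microsoft Entra ID; this one is not.
make_sample_token() {
  hdr=$(printf '{"alg":"none","typ":"JWT"}' | b64url_encode)
  pl=$(printf '{"aud":"%s","iss":"https://sts.windows.net/<tenant-id>/","exp":%s}' "$1" "$2" | b64url_encode)
  printf '%s.%s.%s' "$hdr" "$pl" "dummysig"
}

if [ "${RUN_AZ:-0}" = 1 ]; then
  token=$(get_databricks_token)
else
  token=$(make_sample_token "$DATABRICKS_RESOURCE_ID" $(( $(date +%s) + 3600 )))
fi

if check_databricks_token "$token"; then
  echo "token ok: aud=$(jwt_claim "$token" aud) exp=$(jwt_claim "$token" exp)"
fi
```

Run it with RUN_AZ=1 and the four environment variables set to obtain a real token; the audience check catches the common mistake of requesting a token for the wrong --resource, and the expiry check is the reason the article steers you towards tools that refresh tokens automatically.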


The MSAL-based Azure CLI uses Microsoft Authentication Library (MSAL) as the underlying authentication library. If you are not able to successfully use the Microsoft Entra ID access token that the Azure CLI generates, as an alternative you can try using MSAL directly to get a Microsoft Entra ID access token for a Microsoft Entra ID service principal. See Get Microsoft Entra ID tokens for service principals.