Authentication settings for the Databricks ODBC Driver
This article describes how to configure Azure Databricks authentication settings for the Databricks ODBC Driver.
The Databricks ODBC Driver supports the following Azure Databricks authentication types:
- Azure Databricks personal access token
- Microsoft Entra ID token
- OAuth 2.0 tokens
- Databricks OAuth user-to-machine (U2M) authentication
- Microsoft Entra ID OAuth user-to-machine (U2M) authentication
- OAuth machine-to-machine (M2M) authentication
- Microsoft Entra ID OAuth machine-to-machine (M2M) authentication
- Azure managed identities authentication
Azure Databricks personal access token
To create a Azure Databricks personal access token, follow the steps in Azure Databricks personal access tokens for workspace users.
To authenticate using an Azure Databricks personal access token, add the following configurations to your compute settings and any special or advanced driver capability settings:
Setting | Value |
---|---|
AuthMech |
3 |
UID |
token |
PWD |
The Databricks personal access token for your workspace user |
To create a DSN for non-Windows systems, use the following format:
[Databricks]
Driver=<path-to-driver>
Host=<server-hostname>
Port=443
HTTPPath=<http-path>
SSL=1
ThriftTransport=2
AuthMech=3
UID=token
PWD=<personal-access-token>
To create a DSN-less connection string, use the following format. Line breaks have been added for readability. The string must not contain these line breaks:
Driver=<path-to-driver>;
Host=<server-hostname>;
Port=443;
HTTPPath=<http-path>;
SSL=1;
ThriftTransport=2;
AuthMech=3;
UID=token;
PWD=<personal-access-token>
- To get the value for
<path-to-driver>
, see Download and install the Databricks ODBC Driver. - To get the values for
<server-hostname>
and<http-path>
, see Compute settings for the Databricks ODBC Driver. - You can also add special or advanced driver capability settings.
Microsoft Entra ID token
ODBC driver 2.6.15 and above supports Microsoft Entra ID tokens for an Azure Databricks user or a Microsoft Entra ID service principal.
To create a Microsoft Entra ID access token, do the following:
- For an Azure Databricks user, you can use the Azure CLI. See Get Microsoft Entra ID tokens for users by using the Azure CLI.
- For a Microsoft Entra ID service principal, see Get a Microsoft Entra ID access token with the Azure CLI. To create a Microsoft Entra ID managed service principal, see Manage service principals.
Microsoft Entra ID access tokens have a default lifetime of about 1 hour. An access token can be refreshed programmatically for an existing session without breaking the connection by running the code in Refresh a Microsoft Entra ID access token. For instructions about how to refresh the token, see the section Configuring Authentication on Windows > Providing a New Access Token
in the Databricks ODBC Driver Guide.
To authenticate using a Microsoft Entra ID token, add the following configurations to your compute settings and any special or advanced driver capability settings:
Setting | Value |
---|---|
AuthMech |
11 |
Auth_Flow |
0 |
Auth_AccessToken |
The Microsoft Entra ID token |
To create a DSN for non-Windows systems, use the following format:
[Databricks]
Driver=<path-to-driver>
Host=<server-hostname>
Port=443
HTTPPath=<http-path>
SSL=1
ThriftTransport=2
AuthMech=11
Auth_Flow=0
Auth_AccessToken=<microsoft-entra-id-token>
To create a DSN-less connection string, use the following format. Line breaks have been added for readability. The string must not contain these line breaks:
Driver=<path-to-driver>;
Host=<server-hostname>;
Port=443;
HTTPPath=<http-path>;
SSL=1;
ThriftTransport=2;
AuthMech=11;
Auth_Flow=0;
Auth_AccessToken=<microsoft-entra-id-token>
- To get the value for
<path-to-driver>
, see Download and install the Databricks ODBC Driver. - To get the values for
<server-hostname>
and<http-path>
, see Compute settings for the Databricks ODBC Driver. - You can also add special or advanced driver capability settings.
For more information, see the Token Pass-through
sections in the Databricks ODBC Driver Guide.
OAuth 2.0 tokens
ODBC driver 2.7.5 and above supports an OAuth 2.0 token for a Microsoft Entra ID service principal. This is also known as OAuth 2.0 token pass-through authentication.
- To create an OAuth 2.0 token for token pass-through authentication for a Microsoft Entra ID service principal, see Manually generate and use access tokens for OAuth M2M authentication. Make a note of the service principal’s OAuth
access_token
value. - To create a Microsoft Entra ID managed service principal, see Manage service principals.
Important
ODBC driver 2.7.5 and above support using Azure Databricks OAuth secrets to create OAuth 2.0 tokens. Microsoft Entra ID secrets are not supported.
OAuth 2.0 tokens have a default lifetime of 1 hour. To generate a new OAuth 2.0 token, repeat this process.
To authenticate using OAuth 2.0 token pass-through authentication, add the following configurations to your compute settings and any special or advanced driver capability settings:
Setting | Value |
---|---|
AuthMech |
11 |
Auth_Flow |
0 |
Auth_AccessToken |
The Azure Databricks OAuth token (Microsoft Entra ID tokens are not supported for OAuth 2.0 token pass-through authentication.) |
To create a DSN for non-Windows systems, use the following format:
[Databricks]
Driver=<path-to-driver>
Host=<server-hostname>
Port=443
HTTPPath=<http-path>
SSL=1
ThriftTransport=2
AuthMech=11
Auth_Flow=0
Auth_AccessToken=<databricks-oauth-token>
To create a DSN-less connection string, use the following format. Line breaks have been added for readability. The string must not contain these line breaks:
Driver=<path-to-driver>;
Host=<server-hostname>;
Port=443;
HTTPPath=<http-path>;
SSL=1;
ThriftTransport=2;
AuthMech=11;
Auth_Flow=0;
Auth_AccessToken=<databricks-oauth-token>
- To get the value for
<path-to-driver>
, see Download and install the Databricks ODBC Driver. - To get the values for
<server-hostname>
and<http-path>
, see Compute settings for the Databricks ODBC Driver. - You can also add special or advanced driver capability settings.
For more information, see the Token Pass-through
sections in the Databricks ODBC Driver Guide.
Databricks OAuth user-to-machine (U2M) authentication
ODBC driver 2.8.2 and above supports OAuth user-to-machine (U2M) authentication for an Azure Databricks user. This is also known as OAuth 2.0 browser-based authentication.
OAuth U2M or OAuth 2.0 browser-based authentication has no prerequisites. OAuth 2.0 tokens have a default lifetime of 1 hour. OAuth U2M or OAuth 2.0 browser-based authentication should refresh expired OAuth 2.0 tokens for you automatically.
Note
OAuth U2M or OAuth 2.0 browser-based authentication works only with applications that run locally. It does not work with server-based or cloud-based applications.
To authenticate using OAuth user-to-machine (U2M) or OAuth 2.0 browser-based authentication, add the following configurations to your compute settings and any special or advanced driver capability settings:
Setting | Value |
---|---|
AuthMech |
11 |
Auth_Flow |
2 |
PWD |
A password of your choice. The driver uses this key for refresh token encryption. |
Auth_Client_ID (optional) |
databricks-sql-odbc (default) You can find all the applicable applications under App connections settings in the Databricks Account Console See Enable custom OAuth applications using the Azure Databricks UI. |
Auth_Scope (optional) |
sql offline_access (default) |
OAuth2RedirectUrlPort (optional) |
8020 (default) |
To create a DSN for non-Windows systems, use the following format:
[Databricks]
Driver=<path-to-driver>
Host=<server-hostname>
Port=443
HTTPPath=<http-path>
SSL=1
ThriftTransport=2
AuthMech=11
Auth_Flow=2
PWD=<password>
To create a DSN-less connection string, use the following format. Line breaks have been added for readability. The string must not contain these line breaks:
Driver=<path-to-driver>;
Host=<server-hostname>;
Port=443;
HTTPPath=<http-path>;
SSL=1;
ThriftTransport=2;
AuthMech=11;
Auth_Flow=2;
PWD=<password>
- To get the value for
<path-to-driver>
, see Download and install the Databricks ODBC Driver. - To get the values for
<server-hostname>
and<http-path>
, see Compute settings for the Databricks ODBC Driver. - You can also add special or advanced driver capability settings.
For more information, see the Browser Based
sections in the Databricks ODBC Driver Guide.
Microsoft Entra ID OAuth user-to-machine (U2M) authentication
ODBC driver 2.8.2 and above supports Microsoft Entra ID OAuth user-to-machine (U2M) authentication for an Azure Databricks user
To use Microsoft Entra ID OAuth user-to-machine (U2M), the OAuth client (application) must be registered in Microsoft Entra ID, see instruction.
To authenticate using Microsoft Entra ID OAuth user-to-machine (U2M), add the following configurations to your compute settings and any special or advanced driver capability settings:
Setting | Value |
---|---|
AuthMech |
11 |
Auth_Flow |
2 |
PWD |
A password of your choice. The driver uses this key for refresh token encryption |
Auth_Client_ID |
Application (client) ID of the Azure application |
Auth_Scope |
2ff814a6-3304-4ab8-85cb-cd0e6f879c1d/user_impersonation offline_access |
OIDCDiscoveryEndpoint |
https://login.microsoftonline.com/<azureTenantId>/v2.0/.well-known/openid-configuration |
OAuth2RedirectUrlPort |
Redirect port of the Azure application |
To create a DSN for non-Windows systems, use the following format:
[Databricks]
Driver=<path-to-driver>
Host=<server-hostname>
Port=443
HTTPPath=<http-path>
SSL=1
ThriftTransport=2
AuthMech=11
Auth_Flow=1
Auth_Client_ID=<application-id-azure-application>
Auth_Scope=2ff814a6-3304-4ab8-85cb-cd0e6f879c1d/user_impersonation offline_access
OIDCDiscoveryEndpoint=https://login.microsoftonline.com/<azureTenantId>/v2.0/.well-known/openid-configuration
OAuth2RedirectUrlPort=<redirect port of the Azure application>
To create a DSN-less connection string, use the following format. Line breaks have been added for readability. The string must not contain these line breaks:
Driver=<path-to-driver>;
Host=<server-hostname>;
Port=443;
HTTPPath=<http-path>;
SSL=1;
ThriftTransport=2;
AuthMech=11;
Auth_Flow=1;
Auth_Client_ID=<application-id-azure-application>;
Auth_Scope=2ff814a6-3304-4ab8-85cb-cd0e6f879c1d/user_impersonation offline_access;
OIDCDiscoveryEndpoint=https://login.microsoftonline.com/<azureTenantId>/v2.0/.well-known/openid-configuration;
OAuth2RedirectUrlPort=<redirect port of the Azure application>;
- To get the value for
<path-to-driver>
, see Download and install the Databricks ODBC Driver. - To get the values for
<server-hostname>
and<http-path>
, see Compute settings for the Databricks ODBC Driver. - You can also add special or advanced driver capability settings.
OAuth machine-to-machine (M2M) authentication
ODBC driver supports OAuth machine-to-machine (M2M) authentication for an Azure Databricks service principal. This is also known as OAuth 2.0 client credentials authentication.
To configure OAuth M2M or OAuth 2.0 client credentials authentication, do the following:
Create an Azure Databricks service principal in your Azure Databricks workspace, and create an OAuth secret for that service principal.
To create the service principal and its OAuth secret, see Authenticate access to Azure Databricks with a service principal using OAuth (OAuth M2M). Make a note of the service principal’s UUID or Application ID value, and the Secret value for the service principal’s OAuth secret.
Give the service principal access to your cluster or warehouse. See Compute permissions or Manage a SQL warehouse.
To authenticate using OAuth machine-to-machine (M2M) or OAuth 2.0 client credentials authentication, add the following configurations to your compute settings and any special or advanced driver capability settings:
Setting | Value |
---|---|
AuthMech |
11 |
Auth_Flow |
1 |
Auth_Client_ID |
The service principal’s UUID/Application ID value. |
Auth_Client_Secret |
The service principal’s OAuth Secret value. |
Auth_Scope (optional) |
all-apis (default) |
To create a DSN for non-Windows systems, use the following format:
[Databricks]
Driver=<path-to-driver>
Host=<server-hostname>
Port=443
HTTPPath=<http-path>
SSL=1
ThriftTransport=2
AuthMech=11
Auth_Flow=1
Auth_Client_ID=<service-principal-application-ID>
Auth_Client_Secret=<service-principal-secret>
Auth_Scope=all-apis
To create a DSN-less connection string, use the following format. Line breaks have been added for readability. The string must not contain these line breaks:
Driver=<path-to-driver>;
Host=<server-hostname>;
Port=443;
HTTPPath=<http-path>;
SSL=1;
ThriftTransport=2;
AuthMech=11;
Auth_Flow=1;
Auth_Client_ID=<service-principal-application-ID>;
Auth_Client_Secret=<service-principal-secret>;
Auth_Scope=all-apis
- To get the value for
<path-to-driver>
, see Download and install the Databricks ODBC Driver. - To get the values for
<server-hostname>
and<http-path>
, see Compute settings for the Databricks ODBC Driver. - You can also add special or advanced driver capability settings.
For more information, see the Client Credentials
sections in the Databricks ODBC Driver Guide.
Microsoft Entra ID OAuth machine-to-machine (M2M) authentication
ODBC driver 2.8.2 and above supports Entra ID OAuth machine-to-machine (M2M) authentication for a Microsoft Entra ID service principal.
To configure Entra ID OAuth machine-to-machine (M2M) authentication, do the following:
- Create a Microsoft Entra ID managed service principal. To do this, see Manage service principals.
- Give the service principal access to your cluster or warehouse. See Compute permissions or Manage a SQL warehouse.
To authenticate using Entra ID OAuth machine-to-machine (M2M), add the following configurations to your compute settings and any special or advanced driver capability settings:
Setting | Value |
---|---|
AuthMech |
11 |
Auth_Flow |
1 |
Auth_Client_ID |
The service principal’s application ID in Entra ID |
Auth_Client_Secret |
The service principal’s client secret in Entra ID. This is the client secret you create in Certificates & secrets in Microsoft Entra ID. |
Auth_Scope |
2ff814a6-3304-4ab8-85cb-cd0e6f879c1d/.default |
OIDCDiscoveryEndpoint |
https://login.microsoftonline.com/<AzureTenantId>/v2.0/.well-known/openid-configuration |
To create a DSN for non-Windows systems, use the following format:
[Databricks]
Driver=<path-to-driver>
Host=<server-hostname>
Port=443
HTTPPath=<http-path>
SSL=1
ThriftTransport=2
AuthMech=11
Auth_Flow=1
Auth_Client_ID=<entra-id-service-principal-application-ID>
Auth_Client_Secret=<entra-id-service-principal-client-secret>
Auth_Scope=2ff814a6-3304-4ab8-85cb-cd0e6f879c1d/.default
OIDCDiscoveryEndpoint=https://login.microsoftonline.com/<AzureTenantId>/v2.0/.well-known/openid-configuration
To create a DSN-less connection string, use the following format. Line breaks have been added for readability. The string must not contain these line breaks:
Driver=<path-to-driver>;
Host=<server-hostname>;
Port=443;
HTTPPath=<http-path>;
SSL=1;
ThriftTransport=2;
AuthMech=11;
Auth_Flow=1;
Auth_Client_ID=<entra-id-service-principal-application-ID>>;
Auth_Client_Secret=<entra-id-service-principal-client-secret>;
Auth_Scope=2ff814a6-3304-4ab8-85cb-cd0e6f879c1d/.default;
OIDCDiscoveryEndpoint=https://login.microsoftonline.com/<AzureTenantId>/v2.0/.well-known/openid-configuration
- To get the value for
<path-to-driver>
, see Download and install the Databricks ODBC Driver. - To get the values for
<server-hostname>
and<http-path>
, see Compute settings for the Databricks ODBC Driver. - You can also add special or advanced driver capability settings.
Azure managed identities authentication
ODBC driver 2.7.7 and above supports Azure managed identities authentication, which uses managed identities for Azure resources (formerly Managed Service Identities (MSI)) to authenticate with Azure Databricks. Programmatic calls to Azure Databricks workspace operations use these managed identities when working with Azure resources that support managed identities, such as Azure VMs.
- For information about managed identities, see What are managed identities for Azure resources?.
- To learn how to create a managed identity and give it permission to access Azure Databricks workspaces, see Set up and use Azure managed identities authentication for Azure Databricks automation.
To authenticate using Azure managed identities authentication, add the following configurations to your compute settings and any special or advanced driver capability settings:
Setting | Value |
---|---|
AuthMech |
11 |
Auth_Flow |
3 |
Auth_Client_ID |
The Azure managed identity’s ID. |
Azure_workspace_resource_id |
The Azure resource ID for your Azure Databricks workspace. To get this ID, in your Azure Databricks workspace’s top navigation bar, click your username and then click Azure Portal. On the Azure Databricks workspace resource page that appears, click Properties under Settings in the sidebar. The ID is in Id under Essentials. |
To create a DSN for non-Windows systems, use the following format:
[Databricks]
Driver=<path-to-driver>
Host=<server-hostname>
Port=443
HTTPPath=<http-path>
SSL=1
ThriftTransport=2
AuthMech=11
Auth_Flow=3
Auth_Client_ID=<azure-managed-identity-ID>
Azure_workspace_resource_id=<azure-workspace-resource-ID>
To create a DSN-less connection string, use the following format. Line breaks have been added for readability. The string must not contain these line breaks:
Driver=<path-to-driver>;
Host=<server-hostname>;
Port=443;
HTTPPath=<http-path>;
SSL=1;
ThriftTransport=2;
AuthMech=11;
Auth_Flow=3;
Auth_Client_ID=<azure-managed-identity-ID>;
Azure_workspace_resource_id=<azure-workspace-resource-ID>
- To get the value for
<path-to-driver>
, see Download and install the Databricks ODBC Driver. - To get the values for
<server-hostname>
and<http-path>
, see Compute settings for the Databricks ODBC Driver. - You can also add special or advanced driver capability settings.