Configure Azure Databricks (Service Principal Access)

Step 1: Configure an app in Azure portal

Register an application with the Microsoft Entra ID endpoint in the Azure portal. Alternatively, you can use a Microsoft Entra ID app that is already registered. 

  1. Sign in to theAzure portal. 
  2. If you have access to multiple tenants, subscriptions, or directories, click theDirectories + subscriptions(directory with filter) icon in the top menu to switch to the directory in which you want to register the application. 
  3. Search for and selectMicrosoft Entra ID. 
  4. WithinManage, selectApp registrations > New registration. 
  5. ForName, enter a name for the application. 
  6. In theSupported account typessection, selectAccounts in this organizational directory only (Single tenant). 
  7. In theRedirect URL (optional)leave empty 
  8. ClickRegister. 
  9. On the application page’sOverviewpage, in theEssentialssection, copy the following values: 
    • Application (client) ID 
    • Directory (tenant) ID 
    azure1.png
  10. AddAzureDatabricksto the required permissions of the registered application. You must be an admin user to perform this step. If you encounter a permissions-related issue while you perform this action, contact your administrator for help. 
    1. On the application page’sOverviewpage, on theGet Startedtab, clickView API permissions. Azure registered app settings
    2. ClickAdd a permission.GetImage.png
  11. In theRequest API permissionspane, click theAPIs my organization usestab, search forAzureDatabricks, and then select it.Add AzureDatabricks API permission
  12. Enable theuser_impersonationcheck box, and then clickAdd permissions. Azure app delegated permissions
  13. ClickGrant admin consent for ###and thenYes. To perform this action, you must be an admin user or have the privilege to grant consent to the application. 

Add additional users and groups to app permissions

Step 2: Add the Microsoft Entra ID service principal to your Azure Databricks account 

This steps works only if your target Azure Databricks workspace is enabled foridentity federation. If your workspace is not enabled for identity federation, skip ahead to Step 3. 

  1. In your Azure Databricks workspace, click your username in the top bar and clickManage account. 
    Alternatively, go directly to your Azure Databricks account console at https://accounts.azuredatabricks.net. 
  2. Sign in to your Azure Databricks account, if prompted. 
  3. On the sidebar, clickUser management. 
  4. Click theService principalstab. 
  5. ClickAdd service principal. 
  6. Enter aNamefor the Microsoft Entra ID service principal. 
  7. ForUUID, enter theApplication (client) IDvalue from Step 1. 
  8. ClickAdd. Your Microsoft Entra ID service principal is added as an Azure Databricks service principal in your Azure Databricks account.  

Step 3: Add the Microsoft Entra ID service principal to your Azure Databricks workspace 

If your workspace is enabled foridentity federation: 

  1. In your Azure Databricks workspace, click your username in the top bar and clickAdmin Settings. 
  2. Click on theIdentity and accesstab. 
  3. Next toService principals, clickManage. 
  4. ClickAdd service principal. 
  5. Select your Microsoft Entra ID service principal from Step 2 and clickAdd. Your Microsoft Entra ID service principal is added as an Azure Databricks service principal in your Azure Databricks workspace. 

Skip ahead to Step 4. 

If your workspace is not enabled for identity federation: 

  1. In your Azure Databricks workspace, click your username in the top bar and clickAdmin Settings. 
  2. Click on theIdentity and accesstab. 
  3. Next toService principals, clickManage. 
  4. ClickAdd service principal. 
  5. ClickAdd new. 
  6. ForApplicationId, enter theApplication (client) IDfor your Azure service principal from Step 1. 
  7. Enter someDisplay Namefor the new service principal and clickAdd. Your Microsoft Entra ID service principal is added as an Azure Databricks service principal in your Azure Databricks workspace 

Step 4: Assign workspace-level permissions to the service principal 

  1. If the admin console for your workspace is not already opened, click your username in the top bar and clickAdmin Settings. 
  2. Click on theIdentity and accesstab. 
  3. Next toService principals, clickManage. 
  4. Click the name of your service principal to open its settings page. 
  5. On theConfigurationstab, check the box next to each entitlement that you want your service principal to have for this workspace, and then clickUpdate. Check following check boxes 
    1. Active 
    2. Databricks SQL Access 
    3. Workspace access 
  6. On thePermissionstab, grant access to any Azure Databricks users, service principals, and groups that you want to manage and use this service principal. 

Step 5: Enable Personal access token for Service principal 

  1. Log into your Databricks workspace 
  2. If the admin console for your workspace is not already opened, click your username in the top bar and clickAdmin Settings. 
  3. Click on the Advanced tab. 
  4. In Access control 
    1. Enable personal access token 
    2. Click on permission settings 
      1. Search for your service principal name 
        1. Select permission "Can Use" 
      2. Click Add 

step 5.png

Step 5.1.png

Step 6: Enable Hive metadata access for Service principal 

  1. Log into your Databricks workspace 
  2. Click on the Catalog tab in left menu. 
  3. Click on hive_metastore 
    1. Open permissions tab 
    2. Click on Grant 
      1. Search for your service principal name 
        1. Check the privileges you would like to grant 
          1. Select "All" 
      2. Click Grant 

step 6.png

 

Additional References: 

Have more questions? Submit a request

0 Comments

Please sign in to leave a comment.
Powered by Zendesk