This page shows how to create service principals in Azure and generate Microsoft Entra ID access tokens to authenticate with Azure Databricks REST APIs. Service principals use the OAuth 2.0 client credentials flow and can have different access control than regular users.
To generate a token, perform the following steps:
- Create a service principal in Azure if you don't have one.
- Generate an access token with your service principal credentials.
- Use the token with Databricks APIs.
Important
Databricks recommends using Azure Databricks managed service principals for most use cases. Use Microsoft Entra ID managed service principals only when you need to access Azure resources, because they require additional Microsoft Entra ID permissions.
Databricks doesn't recommend generating Microsoft Entra ID tokens by hand: they expire after roughly one hour and must then be replaced manually. Use tools or SDKs that support unified authentication, which handle token acquisition and renewal automatically.
Create a service principal
If you don't have a service principal, create one using either the Azure portal or Azure CLI. You'll use the service principal credentials to generate an access token.
Azure portal
- Sign in to the Azure portal.
- Switch to the correct tenant using Directories + subscriptions if needed.
- Search for and select Microsoft Entra ID.
- Click + Add > App registration.
- Enter a Name and select Accounts in this organizational directory only (Single tenant).
- Click Register.
- Copy these values from the Overview page:
- Application (client) ID
- Directory (tenant) ID
- Go to Certificates & secrets > Client secrets > New client secret.
- Add a description, set an expiry period, and click Add.
- Copy and securely store the client secret Value. It is shown only once, and it is the application's password: anyone who holds it can obtain tokens as this service principal.
Azure CLI
See Create an Azure service principal with Azure CLI for complete instructions.
Generate an access token
You can generate a token using the REST API or Azure CLI. Before you use either method, gather the following service principal information:
Parameter | Description
---|---
Tenant ID | The Directory (tenant) ID of the application registered in Microsoft Entra ID.
Client ID | The Application (client) ID of the application registered in Microsoft Entra ID.
Client secret | The Value of the client secret created for that application.
REST API
Use this method to directly call the Microsoft identity platform REST API to generate an access token.
curl -X POST -H 'Content-Type: application/x-www-form-urlencoded' \
https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token \
-d 'client_id=<client-id>' \
-d 'grant_type=client_credentials' \
-d 'scope=2ff814a6-3304-4ab8-85cb-cd0e6f879c1d%2F.default' \
-d 'client_secret=<client-secret>'
Don't change the value of the `scope` parameter. It is the programmatic ID for Azure Databricks (`2ff814a6-3304-4ab8-85cb-cd0e6f879c1d`) followed by the default scope (`/.default`, URL-encoded as `%2F.default`), so the token is issued for the Azure Databricks resource and nothing else.
The access token is returned in the `access_token` field of the JSON response; its remaining lifetime in seconds is in `expires_in`.
Azure CLI
Use this method to generate an access token through the Azure CLI, which handles authentication flow and token management automatically.
Note
Unlike the self-contained REST API method, the Azure CLI maintains a subscription context. You must set the correct subscription ID so the CLI knows which subscription to use when generating a token.
Get your Azure subscription ID:
- From the Azure Databricks workspace: click your username > Azure Portal > Overview, and find the Subscription ID.
- With the Azure CLI: run the following command (replace the workspace URL with your own):
az databricks workspace list --query "[?workspaceUrl==\`adb-0000000000000000.0.azuredatabricks.net\`].{id:id}" -o tsv
The output is the resource ID of the workspace, for example:
/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-rg/providers/Microsoft.Databricks/workspaces/my-ws
The GUID after `/subscriptions/` (here `00000000-0000-0000-0000-000000000000`) is your subscription ID. If you get a tenant error, sign in to the correct tenant:
az login -t <tenant-id>
Sign in with your service principal:
az login \
  --service-principal \
  -t <tenant-id> \
  -u <client-id> \
  -p <client-secret>
Passing the secret on the command line with `-p` leaves it in your shell history and process list; prefer supplying it from an environment variable or a secrets store.
Confirm and set the correct subscription for your service principal:
az account set -s <subscription-id>
Generate the access token:
az account get-access-token \
  --resource 2ff814a6-3304-4ab8-85cb-cd0e6f879c1d \
  --query "accessToken" \
  -o tsv
The resource ID `2ff814a6-3304-4ab8-85cb-cd0e6f879c1d` is the standard identifier for Azure Databricks across all Azure environments.
Use access tokens with Databricks APIs
Choose the appropriate method based on your service principal's workspace access.
Service principals in the workspace
First, add your service principal to the workspace using the Service Principals API or Databricks CLI.
Use your access token with the Databricks API:
Databricks CLI (recommended):
databricks clusters list -p <profile-name-that-references-azure-ad-access-token>
curl:
curl -X GET \
  -H 'Authorization: Bearer <access-token>' \
  https://<databricks-instance>/api/2.0/clusters/list
Service principals with an Azure role
Use this method if your service principal has the Contributor or Owner role on the workspace resource in Azure but hasn't been added to the Azure Databricks workspace yet.
Gather the required information:
Parameter | Description
---|---
Service principal credentials | Tenant ID, client ID, and client secret of the application registered in Microsoft Entra ID
Microsoft Entra ID access token | Token generated with the REST API method above
Subscription ID | The Azure subscription ID associated with your Azure Databricks workspace. To find this and the following Azure resource information, see Open resources.
Resource group name | The Azure resource group associated with your Azure Databricks workspace
Workspace name | The name of the target Azure Databricks workspace
Get a management token for Azure Resource Manager. Unlike the Databricks token request above, this one uses the v1.0 token endpoint, which takes a `resource` parameter (the URL-encoded form of `https://management.core.windows.net/`) instead of `scope`:
curl -X POST -H 'Content-Type: application/x-www-form-urlencoded' \
  https://login.microsoftonline.com/<tenant-id>/oauth2/token \
  -d 'client_id=<client-id>' \
  -d 'grant_type=client_credentials' \
  -d 'resource=https%3A%2F%2Fmanagement.core.windows.net%2F' \
  -d 'client_secret=<client-secret>'
Call the Databricks API using both tokens:
curl -X GET \
  -H 'Authorization: Bearer <databricks-access-token>' \
  -H 'X-Databricks-Azure-SP-Management-Token: <management-access-token>' \
  -H 'X-Databricks-Azure-Workspace-Resource-Id: /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Databricks/workspaces/<workspace-name>' \
  https://<databricks-instance>/api/2.0/clusters/list
After the first successful call with these headers, the service principal is added to the workspace as a workspace admin. Later calls need only the bearer token, and the Azure role is no longer required for API access.
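The following Python script is an added example, not code from the original page or from Databricks. It puts the two token requests on this page (the Databricks token from the v2.0 endpoint with the `.default` scope, and the Azure Resource Manager token from the v1.0 endpoint with `resource`) behind one client-credentials helper that caches each token, refreshes it before the `exp` claim, and checks that the returned token's `aud` matches the resource it asked for, then assembles the request headers for both the workspace-member path and the Azure-role path. The names `EntraClientCredentials`, `databricks_headers`, `workspace_resource_id`, the 300-second refresh skew, and the assumption that `aud` equals the resource identifier named in the request are this example's own; the HTTP transport is injectable so the flow can be exercised with constructed tokens and no network access.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Identifiers taken from the page.
DATABRICKS_RESOURCE_ID = "2ff814a6-3304-4ab8-85cb-cd0e6f879c1d"
ARM_RESOURCE = "https://management.core.windows.net/"
LOGIN_BASE = "https://login.microsoftonline.com"
# Assumption: renew a cached token this many seconds before its exp claim.
REFRESH_SKEW_SECONDS = 300


def _post_form(url, fields):
    """POST a form-encoded body and return the parsed JSON response.
    urlencode percent-encodes '/' and ':', so scope=<id>/.default goes on
    the wire as <id>%2F.default, exactly as the page's curl example sends it."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(
        url, data=data, headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def decode_jwt_payload(token):
    """Return a JWT's claims without verifying the signature. Good enough to
    read exp/aud on the client; the resource server's signature check is the
    authoritative one."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialized JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def unsigned_jwt(claims):
    """Constructed, unsigned JWT for offline runs only; real tokens are signed by Entra ID."""
    def seg(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return seg({"alg": "none", "typ": "JWT"}) + "." + seg(claims) + "."


class EntraClientCredentials:
    """OAuth 2.0 client-credentials flow for a Microsoft Entra ID service
    principal, caching one token per audience and refreshing before expiry."""

    def __init__(self, tenant_id, client_id, client_secret, post=_post_form, now=time.time):
        self.tenant_id, self.client_id, self.client_secret = tenant_id, client_id, client_secret
        self._post = post    # injectable so the flow can be exercised without network access
        self._now = now
        self._cache = {}     # audience -> (token, exp)

    def databricks_token(self):
        """Token for Azure Databricks REST APIs: v2.0 endpoint, <app-id>/.default scope."""
        return self._token(f"{LOGIN_BASE}/{self.tenant_id}/oauth2/v2.0/token",
                           {"scope": f"{DATABRICKS_RESOURCE_ID}/.default"},
                           DATABRICKS_RESOURCE_ID)

    def management_token(self):
        """Token for Azure Resource Manager: v1.0 endpoint, resource parameter.
        Needed only for the Azure-role path the page describes."""
        return self._token(f"{LOGIN_BASE}/{self.tenant_id}/oauth2/token",
                           {"resource": ARM_RESOURCE}, ARM_RESOURCE)

    def _token(self, url, extra_fields, expected_aud):
        cached = self._cache.get(expected_aud)
        if cached and cached[1] - self._now() > REFRESH_SKEW_SECONDS:
            return cached[0]
        body = self._post(url, {"client_id": self.client_id,
                                "client_secret": self.client_secret,
                                "grant_type": "client_credentials", **extra_fields})
        if "access_token" not in body:
            raise RuntimeError(f"token request failed: {body.get('error')}: "
                               f"{body.get('error_description')}")
        token = body["access_token"]
        claims = decode_jwt_payload(token)
        # Assumption: aud equals the resource identifier the request named.
        if claims.get("aud") != expected_aud:
            raise ValueError(f"unexpected token audience {claims.get('aud')!r}")
        self._cache[expected_aud] = (token, int(claims["exp"]))
        return token


def workspace_resource_id(subscription_id, resource_group, workspace_name):
    """Azure resource ID of a workspace, in the form the page shows."""
    return (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.Databricks/workspaces/{workspace_name}")


def databricks_headers(access_token, management_token=None, resource_id=None):
    """Headers for a Databricks REST call. The two X-Databricks-Azure-* headers
    are only for a service principal that holds an Azure role on the workspace
    but is not yet a workspace user, and they must be supplied together."""
    if (management_token is None) != (resource_id is None):
        raise ValueError("management token and workspace resource ID go together")
    headers = {"Authorization": f"Bearer {access_token}"}
    if management_token is not None:
        headers["X-Databricks-Azure-SP-Management-Token"] = management_token
        headers["X-Databricks-Azure-Workspace-Resource-Id"] = resource_id
    return headers
```

With real credentials, `creds = EntraClientCredentials(tenant_id, client_id, client_secret)` followed by `databricks_headers(creds.databricks_token())` gives the headers for a service principal that is already a workspace member; adding `creds.management_token()` and `workspace_resource_id(...)` gives the three-header form for the Azure-role path. Calling `databricks_token()` again within the token's lifetime returns the cached token, so a long-running job never sends a token that is about to expire and never hits the token endpoint on every request.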