Get Microsoft Entra ID (formerly Azure Active Directory) tokens for users by using the Azure CLI

Important

This article describes how to manually create Microsoft Entra ID (formerly Azure Active Directory) tokens for users by using the Azure CLI.

Databricks does not recommend that you create Microsoft Entra ID (formerly Azure Active Directory) tokens for Azure Databricks users manually. Each Microsoft Entra ID access token is short-lived, typically expiring within one hour, after which you must manually generate a replacement. Instead, use one of the participating tools or SDKs that implement the Databricks client unified authentication standard. These tools and SDKs can authenticate through your existing Azure CLI sign-in and automatically acquire and replace expired Microsoft Entra ID tokens for you.

You can use the Azure CLI to get Microsoft Entra ID access tokens for users.

Note

You can also define a service principal in Microsoft Entra ID and then get a Microsoft Entra ID access token for that service principal instead of for a user. See Get Microsoft Entra ID (formerly Azure Active Directory) tokens for service principals.

  1. Get the correct Azure subscription ID for your user account, if you do not already know this ID, by doing one of the following:

    • In your Azure Databricks workspace’s top navigation bar, click your username and then click Azure Portal. On the Azure Databricks workspace resource page that appears, click Overview in the sidebar. Then look for the Subscription ID field, which contains the subscription ID.

    • Use the Azure CLI to run the az databricks workspace list command, using the --query and -o or --output options to narrow down the results. Replace adb-0000000000000000.0.azuredatabricks.net with the name of your workspace instance, not including the https://. In this example, the 00000000-0000-0000-0000-000000000000 after /subscriptions/ in the output is the subscription ID.

      az databricks workspace list --query "[?workspaceUrl==\`adb-0000000000000000.0.azuredatabricks.net\`].{id:id}" -o tsv
      
      # /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-rg/providers/Microsoft.Databricks/workspaces/my-ws
      

      If the following message appears, you are signed in to the wrong tenant: The subscription of '<subscription-id>' doesn't exist in cloud 'AzureCloud'. To sign in to the correct tenant, you must run the az login command again, using the -t or --tenant option to specify the correct tenant ID.

      You can get the tenant ID for an Azure Databricks workspace by running the command curl -v <per-workspace-URL>/aad/auth and looking in the response headers (which curl prefixes with < in verbose output) for the line < location: https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000, where 00000000-0000-0000-0000-000000000000 is the tenant ID. See also Get subscription and tenant IDs in the Azure portal.

      az login -t <tenant-id>
      
  2. After you have the correct Azure subscription ID for your user account, begin signing in to Azure by using the Azure CLI to run the az login command. After you run this command, follow the on-screen instructions to finish signing in with your account.

    az login
    
  3. Make the correct subscription the active one for your signed-in user. To do this, run the az account set command, using the -s or --subscription option to specify the correct subscription ID. To confirm the active subscription afterwards, run az account show.

    az account set -s <subscription-id>
    
  4. Generate your Microsoft Entra ID (formerly Azure Active Directory) access token by running the az account get-access-token command. Use the --resource option to specify the unique resource ID for the Azure Databricks service, which is 2ff814a6-3304-4ab8-85cb-cd0e6f879c1d. You can display just the Microsoft Entra ID token’s value in the output of the command by using the --query and -o or --output options. Treat the value as a bearer credential: anyone who holds it can call the Azure Databricks REST API as you until it expires, so do not log it or write it to shared locations.

    az account get-access-token \
    --resource 2ff814a6-3304-4ab8-85cb-cd0e6f879c1d \
    --query "accessToken" \
    -o tsv
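
The four steps above, put together as a shell script that also deals with the one-hour lifetime the Important callout warns about. This is an added example, not code from the article or from Databricks: it fetches a token for the Azure Databricks resource ID with az account get-access-token, caches it in an owner-only file, and re-fetches only when the token's exp claim is within a safety margin. The cache path (TOKEN_CACHE), the refresh margin, the DATABRICKS_HOST variable and the databricks_get helper are assumptions made for the example. The sample_token function builds an unsigned, constructed JWT so that the freshness logic can be exercised offline; it is not a real token and is never sent anywhere.

```shell
#!/bin/sh
# Added example (not from the Databricks documentation). Fetches a Microsoft
# Entra ID token for Azure Databricks via the Azure CLI, caches it, and
# refreshes it before the exp claim runs out.
set -eu

DATABRICKS_RESOURCE_ID="2ff814a6-3304-4ab8-85cb-cd0e6f879c1d"   # from the article
TOKEN_CACHE="${TOKEN_CACHE:-$HOME/.cache/databricks-entra-token}" # assumed path
REFRESH_MARGIN=300   # assumed: refresh when fewer than 5 minutes remain

# Base64url-encode stdin (JWT alphabet, no padding, no line wraps).
b64url_encode() { base64 | tr -d '=\n' | tr '+/' '-_'; }

# Base64url-decode one JWT segment: restore padding and the standard alphabet.
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# Print the exp claim (Unix seconds) of a JWT; print nothing if it is absent.
# Only the payload is inspected; the signature is not verified here, which is
# fine because the value is used for refresh timing only, never for trust.
jwt_exp() {
  payload=$(printf '%s' "$1" | cut -d. -f2)
  b64url_decode "$payload" | sed -n 's/.*"exp":[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# Return 0 if the token has more than REFRESH_MARGIN seconds of life left.
token_is_fresh() {
  exp=$(jwt_exp "$1")
  [ -n "$exp" ] || return 1
  now=$(date +%s)
  [ $(( exp - now )) -gt "$REFRESH_MARGIN" ]
}

# Steps 2-4 of the article: reuse the cached token while fresh, else call az.
# Run `az login -t <tenant-id>` and `az account set -s <subscription-id>` first.
get_databricks_token() {
  if [ -r "$TOKEN_CACHE" ] && token_is_fresh "$(cat "$TOKEN_CACHE")"; then
    cat "$TOKEN_CACHE"
    return 0
  fi
  umask 077                                  # bearer credential: owner-only file
  mkdir -p "$(dirname "$TOKEN_CACHE")"
  az account get-access-token \
    --resource "$DATABRICKS_RESOURCE_ID" \
    --query accessToken -o tsv > "$TOKEN_CACHE"
  cat "$TOKEN_CACHE"
}

# Call a Databricks REST API path with the token as a bearer credential.
# DATABRICKS_HOST (assumed) is the per-workspace URL, e.g.
# https://adb-0000000000000000.0.azuredatabricks.net
databricks_get() {
  curl -sS -H "Authorization: Bearer $(get_databricks_token)" \
    "${DATABRICKS_HOST:?set DATABRICKS_HOST to the per-workspace URL}$1"
}

# Constructed, unsigned JWT with a chosen exp, for offline tests only.
sample_token() {
  header=$(printf '{"alg":"none","typ":"JWT"}' | b64url_encode)
  payload=$(printf '{"aud":"%s","exp":%s}' "$DATABRICKS_RESOURCE_ID" "$1" | b64url_encode)
  printf '%s.%s.placeholder' "$header" "$payload"
}
```

Usage: after az login and az account set, `databricks_get /api/2.0/clusters/list` fetches a token on first use and reuses it until five minutes before expiry. The exp check is a scheduling aid only; the workspace still validates the token's signature and audience on every request.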
    

Note

The Azure CLI uses the Microsoft Authentication Library (MSAL) as its underlying authentication library. If you are not able to successfully use the Microsoft Entra ID access token that the Azure CLI generates, as an alternative you can try using MSAL directly to get a Microsoft Entra ID access token for a user. See Get Microsoft Entra ID (formerly Azure Active Directory) tokens for users by using MSAL.