https://community.databricks.com/t5/data-engineering/on-behalf-of-token-creation-for-spn/m-p/38595#M26683 <P>My understanding is that Microsoft has this disabled this but it's not very clear in any of the MS documentation. Our MS rep had to do some digging to get to that conclusion.&nbsp;</P> Thu, 27 Jul 2023 19:42:02 GMT Chris_Shehu 2023-07-27T19:42:02Z https://community.databricks.com/t5/data-engineering/on-behalf-of-token-creation-for-spn/m-p/32451#M23646 <P>I am trying to create an on-behalf-token for and SPN on my Azure Databricks Premium instance. The response is a FEATURE_DISABLED error message ("On-behalf-of token creation for service principals is not enabled for this workspace"). How do I turn on this feature? </P><P></P><P></P> Tue, 06 Sep 2022 12:55:02 GMT https://community.databricks.com/t5/data-engineering/on-behalf-of-token-creation-for-spn/m-p/32451#M23646 clapton79 2022-09-06T12:55:02Z https://community.databricks.com/t5/data-engineering/on-behalf-of-token-creation-for-spn/m-p/32452#M23647 <P>HI @Laszlo Katai-Pal​&nbsp;</P><P>You need to provide <B>CAN_USE</B> permission to the service principal in the token manage permission, you can see this option in : Admin-&gt;workspace setting</P><P></P><P><span class="lia-inline-image-display-wrapper" image-alt="image"><img src="https://community.databricks.com/t5/image/serverpage/image-id/1526iF8C68B2591E1718A/image-size/large?v=v2&amp;px=999" role="button" title="image" alt="image" /></span><span class="lia-inline-image-display-wrapper" image-alt="image"><img src="https://community.databricks.com/t5/image/serverpage/image-id/1532iFDBCF4AC7DF633D0/image-size/large?v=v2&amp;px=999" role="button" title="image" alt="image" /></span>Once you provide this permission to your SP , you can create token on behalf of SP</P> Tue, 20 Sep 2022 06:08:06 GMT https://community.databricks.com/t5/data-engineering/on-behalf-of-token-creation-for-spn/m-p/32452#M23647 User16752245772 2022-09-20T06:08:06Z https://community.databricks.com/t5/data-engineering/on-behalf-of-token-creation-for-spn/m-p/38592#M26681 <P>Hi there,</P><P>I've performed the above steps and am trying to create an OBO token via CLI 0.2 using "databricks</P><DIV><DIV><SPAN>token</SPAN><SPAN>-</SPAN><SPAN>management create</SPAN><SPAN>-</SPAN><SPAN>obo</SPAN><SPAN>-</SPAN><SPAN>token &lt;app-id-here&gt;</SPAN><SPAN>&nbsp;</SPAN><SPAN>3600"</SPAN></DIV></DIV><P>but I continue to get the error message: "On-behalf-of token creation for service principals is not enabled for this workspace"</P><P>Is there anything else that's a prerequisite to allowing these tokens to be created? The SP has been added to a group which has been added to the workspace, and given CAN_USE on tokens via the admin screen. Do the SPs need admin rights on the workspace?</P> Thu, 27 Jul 2023 18:58:39 GMT https://community.databricks.com/t5/data-engineering/on-behalf-of-token-creation-for-spn/m-p/38592#M26681 gklassen 2023-07-27T18:58:39Z https://community.databricks.com/t5/data-engineering/on-behalf-of-token-creation-for-spn/m-p/38595#M26683 <P>My understanding is that Microsoft has this disabled this but it's not very clear in any of the MS documentation. Our MS rep had to do some digging to get to that conclusion.&nbsp;</P> Thu, 27 Jul 2023 19:42:02 GMT https://community.databricks.com/t5/data-engineering/on-behalf-of-token-creation-for-spn/m-p/38595#M26683 Chris_Shehu 2023-07-27T19:42:02Z https://community.databricks.com/t5/data-engineering/on-behalf-of-token-creation-for-spn/m-p/45537#M27922 <P><A href="https://community.databricks.com/t5/user/viewprofilepage/user-id/44214" target="_self"><SPAN class="">gklassen</SPAN></A>&nbsp;and&nbsp;<SPAN class=""><A href="https://community.databricks.com/t5/user/viewprofilepage/user-id/82981" target="_self"><SPAN class="">Chris_Shehu</SPAN></A>&nbsp;: Any further luck on this issue. Is it resolved.. ? I am also facing the same issue..&nbsp;</SPAN></P> Thu, 21 Sep 2023 14:26:45 GMT https://community.databricks.com/t5/data-engineering/on-behalf-of-token-creation-for-spn/m-p/45537#M27922 chaitanyak 2023-09-21T14:26:45Z https://community.databricks.com/t5/data-engineering/on-behalf-of-token-creation-for-spn/m-p/49746#M28615 <P><SPAN>There is no On-behalf-of token on Azure - just generate an AAD token for the Service Principal and use it to create PAT (make sure that SP has permission to use PATs).</SPAN></P> <P><SPAN>The easiest way of doing it is to use the new Databricks CLI that supports <A href="https://learn.microsoft.com/en-us/azure/databricks/dev-tools/auth#--azure-service-principal-authentication" target="_self">unified authentication</A> - just set the correct environment variables or define all parameters as a profile in the configuration file, and use "databricks tokens create" command to generate tokens. Something like this:</SPAN></P> <PRE><SPAN>export DATABRICKS_HOST=https://adb-....17.azuredatabricks.net<BR />export ARM_CLIENT_SECRET=&lt;sp_secret&gt;<BR />export ARM_CLIENT_ID=&lt;application_id&gt;<BR />export ARM_TENANT_ID=&lt;tenant_id&gt;<BR />databricks tokens create --lifetime-seconds 30 --comment "test"</SPAN></PRE> <P><SPAN>Here is a <A href="https://stackoverflow.com/questions/74613470/create-databricks-token-for-another-user/74614770#74614770" target="_self">reference implementation</A> for the Databricks Terraform provider.</SPAN></P> Mon, 23 Oct 2023 14:43:03 GMT https://community.databricks.com/t5/data-engineering/on-behalf-of-token-creation-for-spn/m-p/49746#M28615 alexott 2023-10-23T14:43:03Z