External embedding for reports using federated credentials fails

iamgoce — Fri, 28 Nov 2025 18:57:28 GMT

Hi,

We are implementing external dashboard embedding in Azure Databricks and want to avoid using client secrets by leveraging **Azure Managed Identity** with **OAuth token federation** for generating the embedded report token.

Following OAuth token federation documentation, we successfully obtain an AAD token using:

credential = ManagedIdentityCredential(client_id=CONFIG['service_principal_id']) aad_token_res = credential.get_token("api://AzureADTokenExchange/.default") aad_token = aad_token_res.token

Then, we exchange this token for a Databricks **all-apis** token using:

federated_params = { "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange", "client_id": CONFIG["service_principal_id"], "subject_token": aad_token, "subject_token_type": "urn:ietf:params:oauth:token-type:jwt", "scope": "all-apis" }

Next, we call `/published/tokeninfo` with `external_viewer_id` and `external_value` to retrieve `authorization_details` and `custom_claim`. This step works as expected and returns the same data as when using Basic Auth with a service principal secret.

However, when we perform the **scoped token exchange** using OAuth federation:

scoped_params = { "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange", "client_id": "<Databricks SP UUID>", "custom_claim": "urn:aibi:external_data:testss:test:DASHBOARD_ID", "subject_token": aad_token, "subject_token_type": "urn:ietf:params:oauth:token-type:jwt", "authorization_details": json.dumps(token_info["authorization_details"]), }

The resulting JWT **does not include the `custom.claim`**. It only contains `authorization_details` and `scope`. In contrast, when using Basic Auth + SP secret, the scoped token includes:

"custom": { "claim": "urn:aibi:external_data:<external_value>:<external_viewer_id>:<dashboard_id>" }

Without this claim, embedding fails with:

{"message":"BAD_REQUEST","name":"Dashboard ID is missing in token claim."}

Question

Is this a known limitation of the current public preview for OAuth token federation? If so, is there an ETA for supporting **custom claim injection** in scoped tokens for external embedding?

Code Summary (Federation Flow):

scoped_params = { "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange", "client_id": "<Databricks SP UUID>", "custom_claim": "urn:aibi:external_data:testss:test:DASHBOARD_ID", "subject_token": aad_token, # MI token for api://AzureADTokenExchange/.default "subject_token_type": "urn:ietf:params:oauth:token-type:jwt", "authorization_details": json.dumps(token_info["authorization_details"]), } response = [requests.post]( f"{instance_url}/oidc/v1/token", headers={"Content-Type": "application/x-www-form-urlencoded"}, data=scoped_params )

Decoded JWT (Federation):

{ "client_id": "…", "scope": "…", ... "authorization_details": […] }

Decoded JWT (Basic Auth):

{ "custom": { "claim": "urn:aibi:external_data:testss:test:<dashboard_id>" }, "client_id": "…", "scope": "…", "authorization_details": […] ... }

References:

- [Embedding dashboards for external users](https://learn.microsoft.com/en-us/azure/databricks/dashboards/embedding/external-embed)
- [OAuth token federation overview](https://learn.microsoft.com/en-us/azure/databricks/dev-tools/auth/oauth-federation)
- [Configure federation policy](https://learn.microsoft.com/en-us/azure/databricks/dev-tools/auth/oauth-federation-policy)

Re: External embedding for reports using federated credentials fails

Eugene_229 — Tue, 07 Apr 2026 23:15:41 GMT

I've also come across this issue and keen to see what the solution was.

When you experience this issue, did you have a federation policy configured?

Re: External embedding for reports using federated credentials fails

iamgoce — Wed, 08 Apr 2026 13:35:29 GMT

At the time Databricks told us that external embedding of reports using federated credentials is not supported. They recommended using Service principal secrets and using that to generate the token needed for embedding.

We do have a federation policy configured and use it for all other Databricks API calls made by our Azure managed identity, without any issues.

Re: External embedding for reports using federated credentials fails

gsbence — Mon, 13 Apr 2026 08:23:41 GMT

Did you get any information whether this is on their roadmap?

I came across this issue last week and the documentation doesn't have anything about this limitation.

topic Re: External embedding for reports using federated credentials fails in Warehousing & Analytics

External embedding for reports using federated credentials fails

Question

Code Summary (Federation Flow):

Decoded JWT (Federation):

Decoded JWT (Basic Auth):

References:

Re: External embedding for reports using federated credentials fails

Re: External embedding for reports using federated credentials fails

Re: External embedding for reports using federated credentials fails