cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Data Engineering
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

on-behalf-of token creation (for SPN)

Go to solution
clapton79
New Contributor II

‎09-06-2022 05:55 AM

I am trying to create an on-behalf-token for and SPN on my Azure Databricks Premium instance. The response is a FEATURE_DISABLED error message ("On-behalf-of token creation for service principals is not enabled for this workspace"). How do I turn on this feature?

Labels:
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
User16752245772
Contributor

‎09-19-2022 11:08 PM

HI @Laszlo Katai-Pal​ 

You need to provide CAN_USE permission to the service principal in the token manage permission, you can see this option in : Admin->workspace setting

imageimageOnce you provide this permission to your SP , you can create token on behalf of SP

View solution in original post

Preview file
372 KB
Preview file
307 KB
5 REPLIES 5

Go to solution
User16752245772
Contributor

‎09-19-2022 11:08 PM

HI @Laszlo Katai-Pal​ 

You need to provide CAN_USE permission to the service principal in the token manage permission, you can see this option in : Admin->workspace setting

imageimageOnce you provide this permission to your SP , you can create token on behalf of SP

Preview file
372 KB
Preview file
307 KB

Go to solution
gklassen
New Contributor II

‎07-27-2023 11:54 AM - edited ‎07-27-2023 11:58 AM

Hi there,

I've performed the above steps and am trying to create an OBO token via CLI 0.2 using "databricks

token-management create-obo-token <app-id-here> 3600"

but I continue to get the error message: "On-behalf-of token creation for service principals is not enabled for this workspace"

Is there anything else that's a prerequisite to allowing these tokens to be created? The SP has been added to a group which has been added to the workspace, and given CAN_USE on tokens via the admin screen. Do the SPs need admin rights on the workspace?

Go to solution
Chris_Shehu
Valued Contributor III
In response to gklassen

‎07-27-2023 12:42 PM

My understanding is that Microsoft has this disabled this but it's not very clear in any of the MS documentation. Our MS rep had to do some digging to get to that conclusion. 

0 Kudos

Go to solution
chaitanyak
New Contributor II

‎09-21-2023 07:26 AM

gklassen and Chris_Shehu : Any further luck on this issue. Is it resolved.. ? I am also facing the same issue.. 

0 Kudos

Go to solution
alexott
Valued Contributor II
Valued Contributor II

‎10-23-2023 07:43 AM

There is no On-behalf-of token on Azure - just generate an AAD token for the Service Principal and use it to create PAT (make sure that SP has permission to use PATs).

The easiest way of doing it is to use the new Databricks CLI that supports unified authentication - just set the correct environment variables or define all parameters as a profile in the configuration file, and use "databricks tokens create" command to generate tokens. Something like this:

export DATABRICKS_HOST=https://adb-....17.azuredatabricks.net
export ARM_CLIENT_SECRET=<sp_secret>
export ARM_CLIENT_ID=<application_id>
export ARM_TENANT_ID=<tenant_id>
databricks tokens create --lifetime-seconds 30 --comment "test"

Here is a reference implementation for the Databricks Terraform provider.

0 Kudos
Announcements
Welcome to Databricks Community: Lets learn, network and celebrate together

Join our fast-growing data practitioner and expert community of 80K+ members, ready to discover, help and collaborate together while making meaningful connections. 

Click here to register and join today! 

Engage in exciting technical discussions, join a group with your peers and meet our Featured Members.