Administration & Architecture

Skepticism about U2M OAuth: Does Snowflake Federation Actually Switch User Identity per Query?

martkev
New Contributor III

Hi everyone,

I'm currently setting up Snowflake federation with Databricks using Microsoft Entra ID (U2M OAuth). However, I'm skeptical that the connection truly switches the user identity dynamically for each Databricks user (https://docs.databricks.com/aws/en/query-federation/snowflake-entra).

Since the connection requires a static Snowflake username during setup, it seems that all queries might still run under this single identity rather than the identity of the logged-in Databricks user.

Can someone confirm whether Snowflake federation actually propagates per-user identity at query time, or if the connection always uses the initially configured user?

Thanks!

6 replies

Raman_Unifeye
Contributor III

In theory, the User-to-Machine (U2M) OAuth flow you are setting up with Microsoft Entra ID is designed to propagate the per-user identity dynamically at query time. I haven't set it up myself though.


RG #Driving Business Outcomes with Data Intelligence

I tested this with two different accounts. I created a connection and a foreign Snowflake catalog and shared it from the first owner user to the second consumer user. If OBO would work correctly, ideally an explicit sign-in flow would trigger and a new consumer user session would show up in Snowflake with a JDBC connector from the Databricks IP range. Guess what... The connection of the consumer user was established with the owner user credentials. I configured Snowflake external OAuth authentication for a different web application before. It seems to not work in Databricks and I think it's because of the current architecture. Any ideas how to solve that?

martkev
New Contributor III

So why do you have to set a username in the Unity Catalog connection then (see image.png attachment)? This would make no sense and I strongly assume the user identity will stay static. Anyone tried it before?

mark_ott
Databricks Employee

Snowflake federation with Databricks using Microsoft Entra ID (U2M OAuth) is intended to support per-user identity propagation—that is, each Databricks user is supposed to have queries executed under their own Snowflake identity at query time, rather than a static, system-level account. The design of Snowflake federation using Entra ID with the U2M OAuth flow specifically enables Databricks to obtain a user-specific OAuth token from Entra ID, which is then mapped to the appropriate Snowflake user.

However, confusion often arises because setting up this integration sometimes requires specifying a static Snowflake user in certain configuration steps (such as for token verification or as part of legacy connection settings). In practice, for true U2M (User-to-Machine) federation, the OAuth access token Databricks obtains from Entra ID includes identity claims for the logged-in Databricks user. Snowflake validates this token and, based on mapping settings (like email, login_name, or a custom claim), associates the session with the matching Snowflake user.

If the connection uses the U2M (user-based) OAuth flow and the mapping is correctly configured, queries will indeed run as the logged-in Databricks user's Snowflake identity. If it's set up incorrectly (or uses a machine-to-machine OAuth flow), all queries will execute under the service (static) account. It is important to confirm that:

  • The Databricks-Snowflake federation setup explicitly uses the "on behalf of user" (U2M) OAuth flow.

  • The token mapping and user provisioning between Entra ID and Snowflake are correctly in place (SCIM or similar mapping).

If you see required fields in the Databricks configuration for a static Snowflake username, this might only be to allow Databricks to bootstrap initial token validation and not for actual per-query execution. In modern, user-federated configurations, Snowflake will execute the query under the identity from the Entra-provided OAuth token representing the active Databricks user.

Key Takeaway

  • If U2M OAuth is correctly configured in both Databricks and Snowflake, queries should execute as the individual Databricks user mapped into Snowflake, not a fixed account.

  • If there is static user configuration in the connection, double-check that it's not being used for actual query executions, or re-examine documentation and test with multiple users to confirm real user propagation.

This approach ensures per-user auditability, granular permissions, and alignment with security best practices for enterprise data systems federation.
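One way to settle the question empirically, as an added example that is not from any reply in this thread nor from the Databricks or Snowflake documentation: the Snowflake-side claim-to-user mapping the reply refers to, followed by account-usage queries that show which Snowflake user each federated session actually authenticated as. The integration name, tenant id and audience are placeholders, and the time window is assumed.

```sql
-- Snowflake side: the external OAuth security integration decides which token
-- claim identifies the user and which Snowflake user attribute it must match.
-- If the claim value matches no user's login_name, Snowflake rejects the token
-- rather than mapping it to some other account. All values are placeholders.
CREATE OR REPLACE SECURITY INTEGRATION databricks_entra_oauth
  TYPE = EXTERNAL_OAUTH
  ENABLED = TRUE
  EXTERNAL_OAUTH_TYPE = AZURE
  EXTERNAL_OAUTH_ISSUER = 'https://sts.windows.net/<tenant-id>/'
  EXTERNAL_OAUTH_JWS_KEYS_URL = 'https://login.microsoftonline.com/<tenant-id>/discovery/v2.0/keys'
  EXTERNAL_OAUTH_AUDIENCE_LIST = ('<application-id-uri>')
  EXTERNAL_OAUTH_TOKEN_USER_MAPPING_CLAIM = 'upn'
  EXTERNAL_OAUTH_SNOWFLAKE_USER_MAPPING_ATTRIBUTE = 'login_name';

-- Test procedure (the one the thread describes): have two different Databricks
-- users browse and query the foreign catalog, then audit in Snowflake as an
-- account admin. ACCOUNT_USAGE views can lag by a couple of hours.

-- 1. Which Snowflake user did each JDBC login authenticate as, and how?
--    With per-user propagation you expect one login per Databricks tester,
--    each with first_authentication_factor = 'OAUTH_ACCESS_TOKEN'.
--    With a static identity only the connection owner appears.
SELECT event_timestamp,
       user_name,
       client_ip,
       reported_client_type,
       first_authentication_factor,
       is_success,
       error_message
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp > DATEADD('hour', -4, CURRENT_TIMESTAMP())
  AND  reported_client_type ILIKE '%JDBC%'
ORDER  BY event_timestamp DESC;

-- 2. Query attribution over the same window: one row per propagated user,
--    or a single row for the owner if all queries ran under the static account.
SELECT user_name,
       role_name,
       COUNT(*)         AS queries,
       MIN(start_time)  AS first_query,
       MAX(start_time)  AS last_query
FROM   snowflake.account_usage.query_history
WHERE  start_time > DATEADD('hour', -4, CURRENT_TIMESTAMP())
GROUP  BY user_name, role_name
ORDER  BY queries DESC;
```

Failed logins with an error_message about the mapping claim in query 1 point at the Snowflake-side mapping; successful logins that all carry the owner's user_name point at the Databricks connection reusing one credential, which is what the thread reports.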

martkev
New Contributor III

Hi @mark_ott, thank you for your AI generated response. It's not very helpful. We are using OBO flows in other web applications with Snowflake and it works. I tested the catalog with two different accounts and my owner user seems to delegate his access token to other users in order to browse the catalog. It seems that I need to configure something in order to trigger the OBO flow for different users. So please, some help? I used this documentation: https://docs.databricks.com/aws/en/query-federation/snowflake-entra Maybe I have to parametrize the user_name or some other config?

martkev
New Contributor III

Hi @mark_ott 

You are wrong. I tested it, see comment above. U2M Databricks Snowflake federation just uses the identity from the initial foreign catalog connection owner. I tested it with two users. Any session browsing or selecting data assets in the Unity Catalog was established via the owner user instead of the consumer user in Snowflake. Prove me wrong please!?