cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Help
Community Platform Discussions
Connect with fellow community members to discuss general topics related to the Databricks platform, industry trends, and best practices. Share experiences, ask questions, and foster collaboration within the community.
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Azure Databricks Enterprise Application User Impersonation Token Group Claims Issue

ahsan_aj
Contributor II

‎09-26-2024 09:08 AM - edited ‎09-26-2024 09:10 AM

Hi all,

 
I am using the Azure Databricks Microsoft Managed Enterprise Application scope (2ff814a6-3304-4ab8-85cb-cd0e6f879c1d/user_impersonation) to fetch an access token on behalf of a user. The authentication process is successful; however, the access token includes group claims. For users who are part of many Azure AD groups, the token becomes quite large because it lists all the groups in the claims. How can I modify my request for the token to exclude group claims from the access token?
 
I am using the React MSAL library, and here’s a sample of the code I am working with:

 

export const getDatabricksToken = async () => {
    const account = msalInstance.getActiveAccount();
    const response = await msalInstance.acquireTokenSilent({
        scopes: ["2ff814a6-3304-4ab8-85cb-cd0e6f879c1d/user_impersonation"],
        account: account,
    })
    return response.accessToken
};

 

0 Kudos
5 REPLIES 5

skraszki
New Contributor II

‎01-09-2025 11:14 AM

Hi, did you find an answer for it?

0 Kudos

ahsan_aj
Contributor II
In response to skraszki

‎01-09-2025 09:39 PM

I got in touch with Microsoft support and they mentioned it is not possible as the Azure Databricks app registration is managed by Databricks and changing the manifest to exclude group claims on that application is not possible and it impacts all users.

0 Kudos

Alberto_Umana
Databricks Employee
Databricks Employee

‎01-09-2025 11:55 AM

Hi @ahsan_aj,

You can modify your token request by adding a claims parameter

    const claimsRequest = {

        "access_token": {

            "groups": null

        }

https://learn.microsoft.com/en-us/security/zero-trust/develop/configure-tokens-group-claims-app-role...

0 Kudos

ahsan_aj
Contributor II
In response to Alberto_Umana

‎01-09-2025 09:39 PM

Let me try this and get back to you.

0 Kudos

ahsan_aj
Contributor II
In response to Alberto_Umana

‎01-09-2025 09:54 PM

I tried it like this, however it still adds group claims in the access token:

 

export const getDatabricksToken = async () => {
    const account = msalInstance.getActiveAccount();
    const response = await msalInstance.acquireTokenSilent({
        scopes: ["2ff814a6-3304-4ab8-85cb-cd0e6f879c1d/user_impersonation"],
        account: account,
        claims: JSON.stringify({
            "access_token": {
                "groups": null
            }
        })        
    })
    return response.accessToken
};

 

0 Kudos

Join Us as a Local Community Builder!

Passionate about hosting events and connecting people? Help us grow a vibrant local community—sign up today to get started!

Sign Up Now
Announcements
Top