
On-Behalf of tokens disabled for Azure Environments?

Chris_Shehu
Valued Contributor III

While trying to set up a Power BI connection to the Azure Delta Lake we ran into several issues around Service Principals.

1) The API listed on the learn.microsoft site (link 1 below) indicates that there is an API you can use to create SP tokens. When trying to utilize this functionality a message gets generated stating that on-behalf of is disabled.

2) Documentation (Link 2) on using service-principals doesn't mention the above API or that Behalf-of is disabled.

3) The path that's described uses an Azure AD Token process. This process only works if you're setting up a configuration that can send a token to request a temporary access token for use. (REST API)

4) Our use case was in regards to Power BI so the application can't directly follow the process referenced and there isn't another solution provided.

*It was noticed that the AWS documentation actually talks about using the API to get the On-Behalf of token.

I think there's room for improvement here when we're talking about documentation. I opened a GitHub request with Microsoft but it's not really moving.

Link 1 - Administration Guide, Service Principals

Link 2 - Tokens

Link 3 - Administration Guide, Service Principals (AWS)

Incorrect method of generating Access Tokens being referenced in API documentation. · Issue #105809 ...

Our solution (still ongoing):

  • Granting temporary access to the users who need it through the traditional User AD setup. We're currently getting 403 errors with this but it's being investigated by Databricks.

DrK
New Contributor III

You've not had any more advancement on this, have you? We've just driven headlong into the same brick wall.

Chris_Shehu
Valued Contributor III

No, I can't seem to get any answers from anyone on this issue. The GitHub issue has been open for a month. We had to use AD User accounts instead as a workaround.

DrK
New Contributor III

Hey Chris,

Just sharing this with you (we were going to ask the question of Databricks anyway); however, we have managed to get something working by:

1/ Generating an AAD token (one of the huge ones) from the command line (i.e. https://learn.microsoft.com/en-us/azure/databricks/dev-tools/api/latest/aad/user-aad-token)

2/ Using THIS token as the Bearer token in the REST call to .../token-management/on-behalf-of/tokens

3/ This gives us a PAT and no error; this PAT then actually works in Power BI.

Disclaimer: we don't know if this PAT is retaining its lifetime yet.

Andy

Chris_Shehu
Valued Contributor III

Thanks @Andy Skinner

DrK
New Contributor III

BTW the bearer token was generated using the service principal's ID in the --resource parameter; it's effectively generating a bearer token on behalf of the service principal. Still not sure how it's working!
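
Added example, not part of the thread and not Databricks' or Microsoft's own code: a Python sketch for inspecting the two artifacts in the steps above, namely which identity and audience the AAD bearer token carries and what lifetime the returned PAT actually has. The sample token and response are constructed, and the `token_info` field names (`creation_time` and `expiry_time` in epoch milliseconds, negative meaning no expiry) are assumptions about the response shape.

```python
import base64
import json
from datetime import datetime, timezone


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload for inspection only (signature is NOT verified)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def describe_bearer(token: str) -> dict:
    """Summarise who the bearer token represents and which resource it targets."""
    c = jwt_claims(token)
    return {
        "audience": c.get("aud"),               # resource the token was issued for
        "principal": c.get("upn") or c.get("appid"),
        "is_user_token": "upn" in c,            # user sign-in vs. app-only token
        "expires": datetime.fromtimestamp(c["exp"], tz=timezone.utc),
    }


def pat_lifetime_seconds(response: dict):
    """Return the PAT lifetime in seconds, or None when it never expires."""
    info = response["token_info"]               # assumed response field names
    if info["expiry_time"] < 0:
        return None
    return (info["expiry_time"] - info["creation_time"]) // 1000


def _b64(obj: dict) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample data: placeholder GUID, user and timestamps.
SAMPLE_JWT = ".".join([
    _b64({"alg": "none", "typ": "JWT"}),
    _b64({"aud": "00000000-0000-0000-0000-000000000000",
          "upn": "admin@example.com", "exp": 1700003600}),
    "constructed-signature",
])
SAMPLE_RESPONSE = {"token_value": "dapi-constructed-placeholder",
                   "token_info": {"creation_time": 1700000000000,
                                  "expiry_time": 1700003600000}}

if __name__ == "__main__":
    print(describe_bearer(SAMPLE_JWT))
    print(pat_lifetime_seconds(SAMPLE_RESPONSE))
```

Comparing the reported lifetime with what was requested, and recording the principal that minted the PAT, gives an audit trail for a long-lived credential handed to Power BI.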

Anonymous
Not applicable

Hi @Christopher Shehu

Hope everything is going great.

Just wanted to check in if you were able to resolve your issue. If yes, would you be happy to mark an answer as best so that other members can find the solution more quickly? If not, please tell us so we can help you. 

Cheers!

meetskorun
New Contributor II

Hello,

I am new here from India, here to share some thoughts with you all.
