
On-Behalf of tokens disabled for Azure Environments?

Chris_Shehu
Valued Contributor III

While trying to set up a Power BI connection to the Azure Delta Lake we ran into several issues around Service Principals.


1) The API listed on the learn.microsoft site (link 1 below) indicates that there is an API you can use to create SP tokens. When trying to utilize this functionality a message gets generated stating that on-behalf of is disabled.


2) Documentation (Link 2) on using service-principals doesn't mention the above API or that Behalf-of is disabled.


3) The path that's described uses an Azure AD Token process. This process only works if you're setting up a configuration that can send a token to request a temporary access token for use. (Rest API)


4) Our use case was in regards to Power BI so the application can't directly follow the process referenced and there isn't another solution provided.


*It was noticed that the AWS documentation actually talks about using the API to get the On-Behalf of token.


I think there's room for improvement here when we're talking about documentation. I opened a GitHub request with Microsoft but it's not really moving.


Link 1 - Administration Guide, Service Principals

Link 2 - Tokens

Link 3 - Administration Guide, Service Principals (AWS)


Incorrect method of generating Access Tokens being referenced in API documentation. · Issue #105809 ...


Our solution (still ongoing):

  • Granting temporary access to the users who need it through the traditional User AD setup. We're currently getting 403 errors with this but it's being investigated by Databricks.

DrK
New Contributor III

You've not had any more advancement on this, have you? We've just driven headlong into the same brick wall.

Chris_Shehu
Valued Contributor III

No, I can't seem to get any answers from anyone on this issue. The GitHub issue has been open for a month. We had to use AD User accounts instead as a workaround.

DrK
New Contributor III

Hey Chris,

Just sharing this with you (we were going to ask the question of Databricks anyway); however, we have managed to get something working by:

1/ Generating an AAD token (one of the huge ones) from the command line (i.e. https://learn.microsoft.com/en-us/azure/databricks/dev-tools/api/latest/aad/user-aad-token)

2/ Using THIS token as the Bearer token in the REST call to .../token-management/on-behalf-of/tokens

3/ This gives us a PAT and no error; this PAT then actually works in Power BI.

Disclaimer: we don't know if this PAT is retaining its lifetime yet.

Andy
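
Added example, not part of the thread: one way to answer the open question about the PAT's lifetime is to inspect the JSON body returned by the call in step 2 rather than waiting for the token to stop working. The field names (`token_info`, `creation_time`, `expiry_time` in epoch milliseconds, `-1` meaning no expiry) are assumed from the Databricks token API response format, and the sample bodies are constructed.

```python
import json
from datetime import datetime, timezone

# Constructed sample bodies (values are made up; field names are an assumption
# based on the Databricks token API response format).
SAMPLE_RESPONSE = json.dumps({
    "token_value": "dapiCONSTRUCTED-PLACEHOLDER",
    "token_info": {
        "token_id": "constructed-token-id",
        "creation_time": 1670000000000,  # epoch milliseconds
        "expiry_time": 1670003600000,    # epoch milliseconds, -1 = no expiry
        "comment": "Power BI connection",
    },
})
NEVER_EXPIRES_RESPONSE = json.dumps({
    "token_value": "dapiCONSTRUCTED-PLACEHOLDER",
    "token_info": {"token_id": "constructed-token-id-2",
                   "creation_time": 1670000000000, "expiry_time": -1},
})


def audit_obo_token(response_body, requested_lifetime_s, tolerance_s=60):
    """Compare the lifetime the workspace granted with the one requested.

    The returned report deliberately omits token_value so it can be logged.
    """
    info = json.loads(response_body)["token_info"]
    created_ms = info["creation_time"]
    expiry_ms = info.get("expiry_time", -1)
    report = {"token_id": info["token_id"], "lifetime_s": None,
              "expires_at": None, "findings": []}

    # A missing or negative expiry means the PAT is long-lived until revoked.
    if expiry_ms is None or expiry_ms < 0:
        report["findings"].append("token never expires")
        return report

    lifetime_s = (expiry_ms - created_ms) // 1000
    report["lifetime_s"] = lifetime_s
    report["expires_at"] = datetime.fromtimestamp(
        expiry_ms / 1000, tz=timezone.utc).isoformat()

    # Flag a granted lifetime that does not match what was asked for.
    if abs(lifetime_s - requested_lifetime_s) > tolerance_s:
        report["findings"].append(
            f"lifetime {lifetime_s}s differs from requested {requested_lifetime_s}s")
    return report
```
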

Chris_Shehu
Valued Contributor III

Thanks @Andy Skinner

DrK
New Contributor III

BTW the bearer token was generated using the service principal's ID in the --resource parameter; it's effectively generating a bearer token on behalf of the sprinp. Still not sure how it's working!

Anonymous
Not applicable

Hi @Christopher Shehu

Hope everything is going great.

Just wanted to check in if you were able to resolve your issue. If yes, would you be happy to mark an answer as best so that other members can find the solution more quickly? If not, please tell us so we can help you. 

Cheers!

meetskorun
New Contributor II

Hello,

I am new here from India, here to share some thoughts with you all.
