Databricks Community

212455 · ‎04-12-2023

I am trying to list OBO tokens that have been created for service principals. I tried using the Token Management API 2.0 (https://docs.databricks.com/dev-tools/api/latest/token-management.html#operation/get-tokens) to list workspace tokens, but it only returns personal access tokens for users. The service principal was created at the account level and then federated to the workspace. How can I achieve this?

Anonymous · ‎04-15-2023

@Nick Tran :

You can use the Azure Active Directory (Azure AD) Graph API to list the OBO tokens that have been created for service principals. Here are the steps you can follow:

1) Authenticate to the Azure AD Graph API using the Azure CLI or other methods. You will need to have permissions to read service principals.

2) Get the object ID of the service principal that you are interested in. You can do this by running the following command:

az ad sp show --id <service-principal-name>

3) The command will return a JSON object containing information about the service principal, including its object ID.

4) Use the Graph API to list the OBO tokens for the service principal. You can do this by sending a GET request to the following endpoint:

https://graph.windows.net/<your-tenant-ID>/servicePrincipals/<service-principal-object-ID>/oauth2Per...

5) Replace <your-tenant-ID> with the ID of your Azure AD tenant and <service-principal-object-ID> with the object ID of the service principal that you obtained in step 2.

6)The response will be a JSON object containing a list of OAuth2PermissionGrant resources. Each resource represents an OBO token that has been granted to the service principal. You can extract the access token and other information from each resource.

I hope this helps! Let me know if you have any further questions.

View solution in original post

Anonymous · ‎04-15-2023

@Nick Tran :

You can use the Azure Active Directory (Azure AD) Graph API to list the OBO tokens that have been created for service principals. Here are the steps you can follow:

1) Authenticate to the Azure AD Graph API using the Azure CLI or other methods. You will need to have permissions to read service principals.

2) Get the object ID of the service principal that you are interested in. You can do this by running the following command:

az ad sp show --id <service-principal-name>

3) The command will return a JSON object containing information about the service principal, including its object ID.

4) Use the Graph API to list the OBO tokens for the service principal. You can do this by sending a GET request to the following endpoint:

https://graph.windows.net/<your-tenant-ID>/servicePrincipals/<service-principal-object-ID>/oauth2Per...

5) Replace <your-tenant-ID> with the ID of your Azure AD tenant and <service-principal-object-ID> with the object ID of the service principal that you obtained in step 2.

6)The response will be a JSON object containing a list of OAuth2PermissionGrant resources. Each resource represents an OBO token that has been granted to the service principal. You can extract the access token and other information from each resource.

I hope this helps! Let me know if you have any further questions.

Anonymous · ‎04-15-2023

Hi @Nick Tran

Hope everything is going great.

Just wanted to check in if you were able to resolve your issue. If yes, would you be happy to mark an answer as best so that other members can find the solution more quickly? If not, please tell us so we can help you.

Cheers!

Databricks Community

List Service Principal OBO Tokens

Connect with Databricks Users in Your Area

Introducing an exclusively Databricks-hosted Assistant

How to present and share your Notebook insights in AI/BI Dashboards

Meet the Databricks MVPs

Now Hiring: Databricks Community Technical Moderator

Insights from a global survey of 1,100 technologists and interviews with 28 CIOs