Databricks

212455 · ‎04-12-2023

I am trying to list OBO tokens that have been created for service principals. I tried using the Token Management API 2.0 (https://docs.databricks.com/dev-tools/api/latest/token-management.html#operation/get-tokens) to list workspace tokens, but it only returns personal access tokens for users. The service principal was created at the account level and then federated to the workspace. How can I achieve this?

Anonymous · ‎04-15-2023

@Nick Tran :

You can use the Azure Active Directory (Azure AD) Graph API to list the OBO tokens that have been created for service principals. Here are the steps you can follow:

1) Authenticate to the Azure AD Graph API using the Azure CLI or other methods. You will need to have permissions to read service principals.

2) Get the object ID of the service principal that you are interested in. You can do this by running the following command:

az ad sp show --id <service-principal-name>

3) The command will return a JSON object containing information about the service principal, including its object ID.

4) Use the Graph API to list the OBO tokens for the service principal. You can do this by sending a GET request to the following endpoint:

https://graph.windows.net/<your-tenant-ID>/servicePrincipals/<service-principal-object-ID>/oauth2Per...

5) Replace <your-tenant-ID> with the ID of your Azure AD tenant and <service-principal-object-ID> with the object ID of the service principal that you obtained in step 2.

6)The response will be a JSON object containing a list of OAuth2PermissionGrant resources. Each resource represents an OBO token that has been granted to the service principal. You can extract the access token and other information from each resource.

I hope this helps! Let me know if you have any further questions.

View solution in original post

Anonymous · ‎04-15-2023

@Nick Tran :

You can use the Azure Active Directory (Azure AD) Graph API to list the OBO tokens that have been created for service principals. Here are the steps you can follow:

1) Authenticate to the Azure AD Graph API using the Azure CLI or other methods. You will need to have permissions to read service principals.

2) Get the object ID of the service principal that you are interested in. You can do this by running the following command:

az ad sp show --id <service-principal-name>

3) The command will return a JSON object containing information about the service principal, including its object ID.

4) Use the Graph API to list the OBO tokens for the service principal. You can do this by sending a GET request to the following endpoint:

https://graph.windows.net/<your-tenant-ID>/servicePrincipals/<service-principal-object-ID>/oauth2Per...

5) Replace <your-tenant-ID> with the ID of your Azure AD tenant and <service-principal-object-ID> with the object ID of the service principal that you obtained in step 2.

6)The response will be a JSON object containing a list of OAuth2PermissionGrant resources. Each resource represents an OBO token that has been granted to the service principal. You can extract the access token and other information from each resource.

I hope this helps! Let me know if you have any further questions.

Anonymous · ‎04-15-2023

Hi @Nick Tran

Hope everything is going great.

Just wanted to check in if you were able to resolve your issue. If yes, would you be happy to mark an answer as best so that other members can find the solution more quickly? If not, please tell us so we can help you.

Cheers!

Databricks

List Service Principal OBO Tokens

Unity Catalog Lakeguard: Industry-first and only data governance for multi-user Apache™ Spark cluste

Announcing the General Availability of Databricks Asset Bundles

Register now and save 50% on training at Data + AI Summit!

How to successfully build GenAI applications

Meet DBRX, the New Standard for High-Quality LLMs