cancel
Showing results for 
Search instead for 
Did you mean: 
Data Governance
Join discussions on data governance practices, compliance, and security within the Databricks Community. Exchange strategies and insights to ensure data integrity and regulatory compliance.
cancel
Showing results for 
Search instead for 
Did you mean: 

List Service Principal OBO Tokens

212455
New Contributor

I am trying to list OBO tokens that have been created for service principals. I tried using the Token Management API 2.0 (https://docs.databricks.com/dev-tools/api/latest/token-management.html#operation/get-tokens) to list workspace tokens, but it only returns personal access tokens for users. The service principal was created at the account level and then federated to the workspace. How can I achieve this?

1 ACCEPTED SOLUTION

Accepted Solutions

Anonymous
Not applicable

@Nick Tran​ :

You can use the Azure Active Directory (Azure AD) Graph API to list the OBO tokens that have been created for service principals. Here are the steps you can follow:

1) Authenticate to the Azure AD Graph API using the Azure CLI or other methods. You will need to have permissions to read service principals.

2) Get the object ID of the service principal that you are interested in. You can do this by running the following command:

az ad sp show --id <service-principal-name>

3) The command will return a JSON object containing information about the service principal, including its object ID.

4) Use the Graph API to list the OBO tokens for the service principal. You can do this by sending a GET request to the following endpoint:

https://graph.windows.net/<your-tenant-ID>/servicePrincipals/<service-principal-object-ID>/oauth2Per...

5) Replace <your-tenant-ID> with the ID of your Azure AD tenant and <service-principal-object-ID> with the object ID of the service principal that you obtained in step 2.

6)The response will be a JSON object containing a list of OAuth2PermissionGrant resources. Each resource represents an OBO token that has been granted to the service principal. You can extract the access token and other information from each resource.

I hope this helps! Let me know if you have any further questions.

View solution in original post

2 REPLIES 2

Anonymous
Not applicable

@Nick Tran​ :

You can use the Azure Active Directory (Azure AD) Graph API to list the OBO tokens that have been created for service principals. Here are the steps you can follow:

1) Authenticate to the Azure AD Graph API using the Azure CLI or other methods. You will need to have permissions to read service principals.

2) Get the object ID of the service principal that you are interested in. You can do this by running the following command:

az ad sp show --id <service-principal-name>

3) The command will return a JSON object containing information about the service principal, including its object ID.

4) Use the Graph API to list the OBO tokens for the service principal. You can do this by sending a GET request to the following endpoint:

https://graph.windows.net/<your-tenant-ID>/servicePrincipals/<service-principal-object-ID>/oauth2Per...

5) Replace <your-tenant-ID> with the ID of your Azure AD tenant and <service-principal-object-ID> with the object ID of the service principal that you obtained in step 2.

6)The response will be a JSON object containing a list of OAuth2PermissionGrant resources. Each resource represents an OBO token that has been granted to the service principal. You can extract the access token and other information from each resource.

I hope this helps! Let me know if you have any further questions.

Anonymous
Not applicable

Hi @Nick Tran​ 

Hope everything is going great.

Just wanted to check in if you were able to resolve your issue. If yes, would you be happy to mark an answer as best so that other members can find the solution more quickly? If not, please tell us so we can help you. 

Cheers!