Azure CLI login with a Microsoft Entra ID service principal

Follow these steps to use the Azure CLI to log in to Azure Databricks with a Microsoft Entra ID service principal. For information about Azure Databricks service principals, see Manage service principals.

  1. Gather the following information:

    Parameter Description
    Tenant ID The Directory (tenant) ID for the related application registered in Microsoft Entra ID.
    Client ID The Application (client) ID for the related application registered in Microsoft Entra ID.
    Client secret The Value of the client secret for the related application registered in Microsoft Entra ID.
  2. Get the correct Azure subscription ID for the Microsoft Entra ID service principal, if you do not already know this ID, by doing one of the following:

    • In your Azure Databricks workspace's top navigation bar, click your username and then click Azure Portal. On the Azure Databricks workspace resource page that appears, click Overview in the sidebar. Then look for the Subscription ID field, which contains the subscription ID.

    • Use the Azure CLI to run the az databricks workspace list command, using the --query and -o or --output options to narrow down the results. Replace adb-0000000000000000.0.databricks.azure.cn with the name of your workspace instance, not including the https://. In this example, the 00000000-0000-0000-0000-000000000000 after /subscriptions/ in the output is the subscription ID.

      az databricks workspace list --query "[?workspaceUrl==\`adb-0000000000000000.0.databricks.azure.cn\`].{id:id}" -o tsv
      
      # /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-rg/providers/Microsoft.Databricks/workspaces/my-ws
      

      If the following message displays, you are signed in to the wrong tenant: The subscription of '<subscription-id>' doesn't exist in cloud 'AzureCloud'. To sign in to the correct tenant, you must run the az login command again, using the -t or --tenant option to specify the correct tenant ID.

      You can get the tenant ID for an Azure Databricks workspace by running the command curl -v <per-workspace-URL>/aad/auth and looking in the output < location: https://login.chinacloudapi.cn/00000000-0000-0000-0000-000000000000, where 00000000-0000-0000-0000-000000000000 is the tenant ID. See also Get subscription and tenant IDs in the Azure portal.

      az cloud set -n AzureChinaCloud
      az login -t <tenant-id>
      # az cloud set -n AzureCloud   //means return to Public Azure.
      
  3. After you have the correct Azure tenant ID, client ID, client secret, and subscription ID for your Microsoft Entra ID service principal, sign in to Azure by using the Azure CLI to run the az login command. Use the --service-principal option along with specifying the values for the parameters of Tenant ID (Directory (tenant) ID), Client ID (Application (client) ID), and Client secret (Value) for the related application registered in Microsoft Entra ID.

    az cloud set -n AzureChinaCloud
    # az cloud set -n AzureCloud   //means return to Public Azure.
    az login \
    --service-principal \
    -t <Tenant-ID> \
    -u <Client-ID> \
    -p <Client-secret>
    
  4. Confirm that you are signed in to the correct subscription for your signed-in Microsoft Entra ID service principal. To do this, run the az account set command, using the -s or --subscription option to specify the correct subscription ID.

    az account set -s <subscription-id>