Azure CLI login with a Microsoft Entra ID service principal
Follow these steps to use the Azure CLI to log in to Azure Databricks with a Microsoft Entra ID service principal. For information about Azure Databricks service principals, see Manage service principals.
Gather the following information:

| Parameter | Description |
| --- | --- |
| Tenant ID | The Directory (tenant) ID for the related application registered in Microsoft Entra ID. |
| Client ID | The Application (client) ID for the related application registered in Microsoft Entra ID. |
| Client secret | The Value of the client secret for the related application registered in Microsoft Entra ID. |

Get the correct Azure subscription ID for the Microsoft Entra ID service principal, if you do not already know this ID, by doing one of the following:
In your Azure Databricks workspace's top navigation bar, click your username and then click Azure Portal. On the Azure Databricks workspace resource page that appears, click Overview in the sidebar. Then look for the Subscription ID field, which contains the subscription ID.
Use the Azure CLI to run the az databricks workspace list command, using the --query and -o or --output options to narrow down the results. Replace adb-0000000000000000.0.databricks.azure.cn with the name of your workspace instance, not including the https://. In this example, the 00000000-0000-0000-0000-000000000000 after /subscriptions/ in the output is the subscription ID.

    az databricks workspace list --query "[?workspaceUrl==\`adb-0000000000000000.0.databricks.azure.cn\`].{id:id}" -o tsv

    # /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-rg/providers/Microsoft.Databricks/workspaces/my-ws
If the following message displays, you are signed in to the wrong tenant:
The subscription of '<subscription-id>' doesn't exist in cloud 'AzureCloud'.
To sign in to the correct tenant, you must run the az login command again, using the -t or --tenant option to specify the correct tenant ID.

You can get the tenant ID for an Azure Databricks workspace by running the command curl -v <per-workspace-URL>/aad/auth and looking in the output for the line < location: https://login.chinacloudapi.cn/00000000-0000-0000-0000-000000000000, where 00000000-0000-0000-0000-000000000000 is the tenant ID. See also Get subscription and tenant IDs in the Azure portal.

    az cloud set -n AzureChinaCloud
    az login -t <tenant-id>
    # To return to public Azure, run: az cloud set -n AzureCloud
After you have the correct Azure tenant ID, client ID, client secret, and subscription ID for your Microsoft Entra ID service principal, sign in to Azure by using the Azure CLI to run the az login command. Use the --service-principal option along with specifying the values for the parameters of Tenant ID (Directory (tenant) ID), Client ID (Application (client) ID), and Client secret (Value) for the related application registered in Microsoft Entra ID.

    az cloud set -n AzureChinaCloud
    # To return to public Azure, run: az cloud set -n AzureCloud
    az login \
      --service-principal \
      -t <Tenant-ID> \
      -u <Client-ID> \
      -p <Client-secret>
Confirm that you are signed in to the correct subscription for your signed-in Microsoft Entra ID service principal. To do this, run the az account set command, using the -s or --subscription option to specify the correct subscription ID.

    az account set -s <subscription-id>