PowerShell login with a Microsoft Entra ID service principal

Follow these steps to use PowerShell to log in to Azure Databricks with a Microsoft Entra ID service principal. For information about Azure Databricks service principals, see Manage service principals.

Important

Azure Databricks managed service principals are managed directly within Azure Databricks. Microsoft Entra ID managed service principals are managed in Microsoft Entra ID, which requires additional permissions. Databricks recommends that you use Azure Databricks managed service principals for most use cases. However, Databricks recommends that you use Microsoft Entra ID managed service principals in cases where you must authenticate with Azure Databricks and other Azure resources at the same time.

To create an Azure Databricks managed service principal instead of a Microsoft Entra ID managed service principal, see Manage service principals.

  1. Gather the following information:

    Parameter Description
    Tenant ID The Directory (tenant) ID for the related application registered in Microsoft Entra ID.
    Client ID The Application (client) ID for the related application registered in Microsoft Entra ID.
    Client secret The Value of the client secret for the related application registered in Microsoft Entra ID.
  2. Sign in the service principal to Azure by using PowerShell to run the following lines of code, one line at a time, concluding with calling the Connect-AzAccount -Environment AzureChinaCloud cmdlet.

    $SecurePassword = ConvertTo-SecureString -String "<Client-secret>" -AsPlainText -Force
    $TenantId = "<Tenant-ID>"
    $ApplicationId = "<Client-ID>"
    $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $ApplicationId, $SecurePassword
    Connect-AzAccount -Environment AzureChinaCloud -ServicePrincipal -TenantId $TenantId -Credential $Credential
    

    Note

    If an error message states that the Connect-AzAccount -Environment AzureChinaCloud cmdlet is not recognized, install it by running the following cmdlet:

    Install-Module -Name Az -Repository PSGallery -Force
    
  3. Confirm that you are signed in to the correct subscription for your signed-in service principal. To get the name and ID of your signed-in subscription, as well as the subscription's related tenant ID, run the following cmdlet:

    Get-AzContext | Select-Object -ExpandProperty Subscription
    

    If you are not sure what the correct subscription should be, you can for example get the subscription ID for an Azure Databricks workspace by clicking your username > Azure Portal in the workspace navigation bar. On the Azure Databricks workspace resource page that appears, click Overview in the sidebar. Then look for the Subscription ID field, which contains the subscription ID.

    If you cannot access the Azure Portal, but you have access to your Azure Databricks account console, you can get the correct subscription for an Azure Databricks workspace as follows:

    1. Make a note of the workspace's programmatic name, which is located next your username in the workspace navigation bar.
    2. Click your username > Manage Account in the workspace navigation bar.
    3. In the sidebar, click Workspaces.
    4. In the Filter workspaces box, enter the workspace's programmatic name and press Enter.
    5. Click the workspace's programmatic name in the results list.
    6. Make a note of the Subscription field, which contains the subscription ID.

    If you need to switch to a different subscription, run the Set-AzContext cmdllet, using the -Name or -Subscription parameter to specify the correct subscription name or ID.

    Set-AzContext -Name "<subscription-name>"
    
    # Or ...
    
    Set-AzContext -Subscription <subscription-id>
    

    If the following message displays, you are signed in to the wrong tenant: The subscription of '<subscription-id>' doesn't exist in cloud 'AzureCloud'. To sign in to the correct tenant, you must run the Connect-AzAccount -Environment AzureChinaCloud cmdlet again, using the -Tenant option to specify the correct tenant ID.

    You can get the tenant ID for an Azure Databricks workspace by running the command curl -v <per-workspace-URL>/aad/auth and looking in the output < location: https://login.chinacloudapi.cn/00000000-0000-0000-0000-000000000000, where 00000000-0000-0000-0000-000000000000 is the tenant ID. See also Get subscription and tenant IDs in the Azure portal.

    Connect-AzAccount -Environment AzureChinaCloud -Tenant <tenant-id>