PowerShell login with a Microsoft Entra ID service principal
Follow these steps to use PowerShell to log in to Azure Databricks with a Microsoft Entra ID service principal. For information about Azure Databricks service principals, see Manage service principals.
Important
Azure Databricks managed service principals are managed directly within Azure Databricks. Microsoft Entra ID managed service principals are managed in Microsoft Entra ID, which requires additional permissions. Databricks recommends that you use Azure Databricks managed service principals for most use cases. However, Databricks recommends that you use Microsoft Entra ID managed service principals in cases where you must authenticate with Azure Databricks and other Azure resources at the same time.
To create an Azure Databricks managed service principal instead of a Microsoft Entra ID managed service principal, see Manage service principals.
Gather the following information:
| Parameter | Description |
| --- | --- |
| Tenant ID | The Directory (tenant) ID for the related application registered in Microsoft Entra ID. |
| Client ID | The Application (client) ID for the related application registered in Microsoft Entra ID. |
| Client secret | The Value of the client secret for the related application registered in Microsoft Entra ID. |

Sign in the service principal to Azure by using PowerShell to run the following lines of code, one line at a time, concluding with calling the Connect-AzAccount -Environment AzureChinaCloud cmdlet.
$SecurePassword = ConvertTo-SecureString -String "<Client-secret>" -AsPlainText -Force
$TenantId = "<Tenant-ID>"
$ApplicationId = "<Client-ID>"
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $ApplicationId, $SecurePassword
Connect-AzAccount -Environment AzureChinaCloud -ServicePrincipal -TenantId $TenantId -Credential $Credential
Note
If an error message states that the Connect-AzAccount cmdlet is not recognized, install the Az module by running the following cmdlet:
Install-Module -Name Az -Repository PSGallery -Force
Confirm that you are signed in to the correct subscription for your signed-in service principal. To get the name and ID of your signed-in subscription, as well as the subscription's related tenant ID, run the following cmdlet:
Get-AzContext | Select-Object -ExpandProperty Subscription
If you are not sure what the correct subscription should be, you can, for example, get the subscription ID for an Azure Databricks workspace by clicking your username > Azure Portal in the workspace navigation bar. On the Azure Databricks workspace resource page that appears, click Overview in the sidebar. Then look for the Subscription ID field, which contains the subscription ID.
If you cannot access the Azure Portal, but you have access to your Azure Databricks account console, you can get the correct subscription for an Azure Databricks workspace as follows:
- Make a note of the workspace's programmatic name, which is located next to your username in the workspace navigation bar.
- Click your username > Manage Account in the workspace navigation bar.
- In the sidebar, click Workspaces.
- In the Filter workspaces box, enter the workspace's programmatic name and press Enter.
- Click the workspace's programmatic name in the results list.
- Make a note of the Subscription field, which contains the subscription ID.
If you need to switch to a different subscription, run the Set-AzContext cmdlet, using the -Name or -Subscription parameter to specify the correct subscription name or ID.
Set-AzContext -Name "<subscription-name>"
# Or ...
Set-AzContext -Subscription <subscription-id>
If the following message displays, you are signed in to the wrong tenant:
The subscription of '<subscription-id>' doesn't exist in cloud 'AzureCloud'.
To sign in to the correct tenant, you must run the Connect-AzAccount -Environment AzureChinaCloud cmdlet again, using the -Tenant option to specify the correct tenant ID.
You can get the tenant ID for an Azure Databricks workspace by running the command curl -v <per-workspace-URL>/aad/auth and looking in the output for the line < location: https://login.chinacloudapi.cn/00000000-0000-0000-0000-000000000000, where 00000000-0000-0000-0000-000000000000 is the tenant ID. See also Get subscription and tenant IDs in the Azure portal.
Connect-AzAccount -Environment AzureChinaCloud -Tenant <tenant-id>
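The sign-in, tenant check and subscription check described above can be combined into one function. This is an added example, not code from the original page or from Databricks or Microsoft. The function name Connect-EntraServicePrincipal and its parameters are hypothetical, and it assumes the Az module is installed. It takes the client secret as a SecureString so the value is never typed as a literal into the command line or session history.

```powershell
# Added example; the function name and parameter names are hypothetical.
function Connect-EntraServicePrincipal {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $ApplicationId,
        [Parameter(Mandatory)] [string] $SubscriptionId,
        # Mandatory SecureString: when omitted, PowerShell prompts with masked
        # input, so the secret is not stored in the command history.
        [Parameter(Mandatory)] [securestring] $ClientSecret
    )

    $credential = New-Object -TypeName System.Management.Automation.PSCredential `
        -ArgumentList $ApplicationId, $ClientSecret

    # -ErrorAction Stop turns a failed sign-in into a terminating error
    # instead of continuing with a stale context from an earlier session.
    Connect-AzAccount -Environment AzureChinaCloud -ServicePrincipal `
        -TenantId $TenantId -Credential $credential -ErrorAction Stop | Out-Null

    # Confirm the session landed in the expected tenant.
    $context = Get-AzContext
    if ($context.Tenant.Id -ne $TenantId) {
        throw "Signed in to tenant '$($context.Tenant.Id)', expected '$TenantId'."
    }

    # Switch only when the default subscription is not the expected one.
    # A service principal without access to it fails here with an error.
    if ($context.Subscription.Id -ne $SubscriptionId) {
        $context = Set-AzContext -Subscription $SubscriptionId `
            -Tenant $TenantId -ErrorAction Stop
    }

    # Same object the Get-AzContext check on this page displays.
    $context.Subscription
}

# Placeholders as used on this page; the client secret is prompted for.
Connect-EntraServicePrincipal -TenantId "<Tenant-ID>" `
    -ApplicationId "<Client-ID>" -SubscriptionId "<subscription-id>"
```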