Follow these steps to use PowerShell to log in to Azure Databricks with a Microsoft Entra ID service principal. For information about Azure Databricks service principals, see Service principals.
Important
Databricks recommends using Azure Databricks managed service principals for most use cases. Use Microsoft Entra ID managed service principals only when you need to access Azure resources, because they require additional Microsoft Entra ID permissions.
Gather the following information:
| Parameter | Description |
| --- | --- |
| Tenant ID | The Directory (tenant) ID for the related application registered in Microsoft Entra ID. |
| Client ID | The Application (client) ID for the related application registered in Microsoft Entra ID. |
| Client secret | The Value of the client secret for the related application registered in Microsoft Entra ID. |

Sign in the service principal to Azure by using PowerShell to run the following lines of code, one line at a time, concluding with calling the Connect-AzAccount -Environment AzureChinaCloud cmdlet.

```powershell
# Wrap the client secret in a SecureString, as PSCredential requires.
$SecurePassword = ConvertTo-SecureString -String "<Client-secret>" -AsPlainText -Force
$TenantId = "<Tenant-ID>"
$ApplicationId = "<Client-ID>"
# The application (client) ID is the user name; the client secret is the password.
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $ApplicationId, $SecurePassword
Connect-AzAccount -Environment AzureChinaCloud -ServicePrincipal -TenantId $TenantId -Credential $Credential
```

Note
If an error message states that the Connect-AzAccount -Environment AzureChinaCloud cmdlet is not recognized, install it by running the following cmdlet:

```powershell
Install-Module -Name Az -Repository PSGallery -Force
```

Confirm that you are signed in to the correct subscription for your signed-in service principal. To get the name and ID of your signed-in subscription, as well as the subscription's related tenant ID, run the following cmdlet:

```powershell
Get-AzContext | Select-Object -ExpandProperty Subscription
```

If you are not sure what the correct subscription should be, you can, for example, get the subscription ID for an Azure Databricks workspace by clicking your username > Azure Portal in the workspace navigation bar. On the Azure Databricks workspace resource page that appears, click Overview in the sidebar. Then look for the Subscription ID field, which contains the subscription ID.
If you cannot access the Azure Portal, but you have access to your Azure Databricks account console, you can get the correct subscription for an Azure Databricks workspace as follows:
Make a note of the workspace's programmatic name, which is located next to your username in the workspace navigation bar.
Click your username > Manage Account in the workspace navigation bar.
In the sidebar, click Workspaces.
In the Filter workspaces box, enter the workspace's programmatic name and press Enter.
Click the workspace's programmatic name in the results list.
Make a note of the Subscription field, which contains the subscription ID.
If you need to switch to a different subscription, run the Set-AzContext cmdlet, using the `-Name` or `-Subscription` parameter to specify the correct subscription name or ID.

```powershell
Set-AzContext -Name "<subscription-name>"
# Or ...
Set-AzContext -Subscription <subscription-id>
```

If the following message displays, you are signed in to the wrong tenant:

```
The subscription of '<subscription-id>' doesn't exist in cloud 'AzureCloud'.
```

To sign in to the correct tenant, you must run the Connect-AzAccount -Environment AzureChinaCloud cmdlet again, using the `-Tenant` option to specify the correct tenant ID.

You can get the tenant ID for an Azure Databricks workspace by running the command `curl -v <per-workspace-URL>/aad/auth` and looking in the output `< location: https://login.chinacloudapi.cn/00000000-0000-0000-0000-000000000000`, where `00000000-0000-0000-0000-000000000000` is the tenant ID. See also Get subscription and tenant IDs in the Azure portal.

```powershell
Connect-AzAccount -Environment AzureChinaCloud -Tenant <tenant-id>
```
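
The sign-in, subscription check and tenant check described above, combined into one function as an added example that is not part of the original page. The function name, the AZ_CLIENT_SECRET environment variable, and the use of -Scope Process (so the signed-in context stays in the current session) are assumptions of this example.

```powershell
# Added example: Connect-DatabricksServicePrincipal and AZ_CLIENT_SECRET are
# hypothetical names chosen for illustration, not taken from the page.
function Connect-DatabricksServicePrincipal {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $ApplicationId,
        [Parameter(Mandatory)] [string] $SubscriptionId,
        # Accept the secret as a SecureString so it is never a literal in the script.
        [Parameter(Mandatory)] [securestring] $ClientSecret,
        [string] $Environment = 'AzureChinaCloud'
    )

    $credential = [System.Management.Automation.PSCredential]::new($ApplicationId, $ClientSecret)

    # -ErrorAction Stop makes a failed sign-in a terminating error.
    # -Scope Process limits the context change to this PowerShell process.
    Connect-AzAccount -Environment $Environment -ServicePrincipal -Scope Process `
        -TenantId $TenantId -Credential $credential -ErrorAction Stop | Out-Null

    # Wrong tenant: stop here rather than continue against the wrong directory.
    $context = Get-AzContext
    if ($context.Tenant.Id -ne $TenantId) {
        throw "Signed in to tenant '$($context.Tenant.Id)', expected '$TenantId'."
    }

    # Switch only when the default subscription is not the workspace's subscription.
    if ($context.Subscription.Id -ne $SubscriptionId) {
        $context = Set-AzContext -Subscription $SubscriptionId -Tenant $TenantId `
            -Scope Process -ErrorAction Stop
    }

    # Return the values the page tells you to confirm.
    [pscustomobject]@{
        Account          = $context.Account.Id
        TenantId         = $context.Tenant.Id
        SubscriptionId   = $context.Subscription.Id
        SubscriptionName = $context.Subscription.Name
    }
}

# Usage: the secret comes from an environment variable set by the CI system
# or secret store (assumed name), not from a string saved in the script.
if (-not $env:AZ_CLIENT_SECRET) { throw 'AZ_CLIENT_SECRET is not set.' }
$secret = ConvertTo-SecureString -String $env:AZ_CLIENT_SECRET -AsPlainText -Force
Connect-DatabricksServicePrincipal -TenantId '<Tenant-ID>' -ApplicationId '<Client-ID>' `
    -SubscriptionId '<subscription-id>' -ClientSecret $secret
```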