Enable or disable partner OAuth applications

This article describes how to enable and disable partner OAuth applications for your Azure Databricks account.

dbt Core, Power BI, Tableau Desktop, and Tableau Cloud OAuth applications are enabled by default for your account.

Note

Updates to OAuth applications can take 30 minutes to process.

Enable or disable apps using the Databricks CLI

This section describes how to use the Databricks CLI to disable the partner OAuth applications that are enabled by default for your account, and how to re-enable them after they've been disabled. It also describes how to enable and disable Tableau Server, which is not enabled by default.

Before you begin

Before you enable or disable partner OAuth application integrations using the Databricks CLI, do the following:

  • Install the Databricks CLI and set up authentication between the Databricks CLI and your Databricks account.

  • To disable or modify an existing OAuth application, locate the integration ID.

    • For dbt Core, Power BI, Tableau Desktop, or Tableau Cloud run the following command:

      databricks account published-app-integration list
      
    • For custom applications, like Tableau Server, run the following command:

      databricks account custom-app-integration list
      

    The unique integration ID for each OAuth application is returned.

Disable dbt Core, Power BI, Tableau Desktop, or Tableau Cloud OAuth application using the CLI

dbt Core, Power BI, Tableau Desktop, and Tableau Cloud OAuth applications are enabled by default for your account. To disable a dbt Core, Power BI, Tableau Desktop, or Tableau Cloud OAuth application, run the following command, replacing <integration-id> with the integration ID of the OAuth application you want to delete:

databricks account published-app-integration delete <integration-id>

Re-enable dbt Core, Power BI, Tableau Desktop, or Tableau Cloud OAuth application using the CLI

dbt Core, Power BI, Tableau Desktop, and Tableau Cloud are enabled as OAuth applications in your account by default. To re-enable one of these OAuth applications after it's been disabled, run the following command, replacing <application-id> with databricks-dbt-adapter, power-bi, tableau-desktop or 7de584d0-b7ad-4850-b915-be7de7d58711 (Tableau Cloud):

databricks account published-app-integration create <application-id>

The unique integration ID for the OAuth application is returned.

Enable custom OAuth applications using the CLI

dbt Core, Power BI, Tableau Desktop, and Tableau Cloud OAuth applications are enabled by default for your account. You can use the Azure Databricks CLI to enable additional custom OAuth applications.

For steps to enable a custom Tableau Server OAuth application, see Configure Azure Databricks sign-on from Tableau Server. For generic steps to enable any custom OAuth application using the CLI, see the following:

  1. Run the custom-app-integration create command. The following example creates a non-public (confidential) application:

    databricks account custom-app-integration create --confidential --json '{"name":"<name>", "redirect_urls":["<redirect-url>"], "scopes":[<scopes>]}'
    
    • Replace <name> with a name for your custom OAuth application.
    • Replace <redirect-url> with the redirect URLs for your application.
    • Replace <scopes> with the list of scopes you want to allow for the application.
      • For BI applications, the SQL scope is required to allow the connected app to access Databricks SQL APIs.
      • For applications that need to access Databricks APIs for purposes other than SQL, the ALL APIs scope is required.
      • The openid, email, and profile scopes are required to generate the ID token.
      • The offline_access scope is required to generate refresh tokens.

    For more information about supported values, see POST /api/2.0/accounts/{account_id}/oauth2/custom-app-integrations in the REST API reference.

    A client ID is generated. For non-public (confidential) applications, a client secret is also generated. The following output is returned:

    {"integration_id":"<integration-id>","client_id":"<client-id>","client_secret":"<client-secret>"}
    

    Note

    Enabling an OAuth application can take 30 minutes to process.

  2. Securely store the client secret, if applicable.

    Important

    You can't retrieve the client secret later.

Disable custom OAuth applications using the CLI

To disable an existing custom OAuth application, like Tableau Server, run the following command, replacing <integration-id> with the integration ID of the OAuth application you want to disable:

databricks account custom-app-integration delete <integration-id>

Enable custom OAuth applications using the Azure Databricks UI

dbt Core, Power BI, Tableau Desktop, and Tableau Cloud OAuth applications are enabled by default for your account. You can use the Azure Databricks UI to enable additional custom OAuth applications.

To enable a custom OAuth application in the UI, do the following:

  1. Log in to the account console and click the Settings icon in the sidebar.

  2. On the App connections tab, click Add connection.

  3. Enter the following details:

    1. A name for your connection.

    2. The redirect URLs for your OAuth connection.

    3. For Access scopes, the APIs the application should have access to.

      • For BI applications, the SQL scope is required to allow the connected app to access Databricks SQL APIs.
      • For applications that need to access Databricks APIs for purposes other than querying, the ALL APIs scope is required.

      The following scopes are automatically allowed:

      • openid, email, profile: Required to generate the ID token.
      • offline_access: Required to generate refresh tokens.

      If you don't want to allow these scopes for the application, you can manage fine-grained scopes by using the POST /api/2.0/accounts/{account_id}/oauth2/custom-app-integrations API to create your custom application.

    4. The access token time-to-live (TTL) in minutes. Default: 60.

    5. The refresh token time-to-live (TTL) in minutes. Default: 10080.

    6. Whether to generate a client secret. This is required for non-public (confidential) clients.

      The Connection created dialog box displays the client ID and the client secret, if applicable, for your connection.

  4. If you selected Generate a client secret, copy and securely store the client secret. You can't retrieve the client secret later.

You can edit the redirect URL, token TTL, and refresh token TTL for existing custom OAuth applications in the UI by clicking the application name on the Settings > App connections page in the account console. You can also view your existing published OAuth applications (dbt Core, Power BI, Tableau) in the UI. You can edit the token TTL and refresh token TTL for existing published applications.

You can disable both published and custom OAuth applications in the UI by either clicking the application name or the kebab menu next to the application name, and then clicking Remove.

Note

Disabling an application breaks the application connection, so use caution when disabling OAuth applications. If you disable a published OAuth application in the UI, it can't be re-enabled in the UI. To re-enable a published application, see Re-enable dbt Core, Power BI, Tableau Desktop, or Tableau Cloud OAuth application using the CLI.