Assess personal access token usage in your Databricks account

Securing access to Azure Databricks resources with personal access tokens (PATs) requires regularly revoking individual access tokens. This topic provides a notebook that, when run in your Azure Databricks workspace, lists all the PATs that have not been rotated or updated in the last 90 days so you can revoke them.

Note

Databricks recommends that you use OAuth secrets and access tokens for authentication rather than PATs.

Prerequisites

To run this notebook, you must have identity federation enabled for your Azure Databricks workspace. If you have account administrator permissions, you can enable identity federation for a user by following the instructions in Enable identity federation.

Databricks workspace PAT usage notebook

Run the following notebook and review the state of the PATs in your account:

Assess PAT usage for your Databricks account and workspaces

Next steps

Once you have assessed the PAT usage for your Azure Databricks account, Databricks recommends you minimize your token exposure with the following steps:

  1. Set a short lifetime for all new tokens created in your workspace(s). The lifetime should be less than 90 days.
  2. Work with your Azure Databricks workspace administrators and users to switch to those tokens with shorter lifetimes.
  3. Revoke all long-lived tokens to reduce the risk of these older tokens getting misused over time. Databricks automatically revokes all PATs for your Azure Databricks workspaces when the token hasn't been used in 90 or more days.
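The check behind the assessment and the steps above, as an added example (not the Databricks notebook and not Databricks code): it flags tokens that have not been rotated in 90 days, have no expiry, or have a lifetime of 90 days or more. It assumes token records with `token_id`, `created_by_username`, and `creation_time` / `expiry_time` in epoch milliseconds, with `expiry_time` of -1 meaning no expiry; the function names and sample records are hypothetical.

```python
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=90)  # the 90-day threshold used on this page

def from_ms(ms):
    """Convert epoch milliseconds to an aware UTC datetime."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)

def to_ms(year, month, day):
    """Build an epoch-millisecond timestamp for the constructed sample."""
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp() * 1000)

def assess_tokens(token_infos, now):
    """Return revocation candidates, oldest first, with the reasons for each."""
    findings = []
    for tok in token_infos:
        created = from_ms(tok["creation_time"])
        expiry_ms = tok.get("expiry_time", -1)  # assumption: -1 means no expiry
        expiry = None if expiry_ms == -1 else from_ms(expiry_ms)
        if expiry is not None and expiry <= now:
            continue  # already expired, nothing left to revoke
        reasons = []
        if now - created > MAX_AGE:
            reasons.append("not rotated in the last 90 days")
        if expiry is None:
            reasons.append("no expiry set")
        elif expiry - created >= MAX_AGE:
            reasons.append("lifetime is 90 days or longer")
        if reasons:
            findings.append({"token_id": tok["token_id"],
                             "owner": tok.get("created_by_username", "unknown"),
                             "age_days": (now - created).days,
                             "reasons": reasons})
    return sorted(findings, key=lambda f: f["age_days"], reverse=True)

# Constructed sample records; not real tokens or users.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE = [
    {"token_id": "tok-a", "created_by_username": "etl@example.com",
     "creation_time": to_ms(2024, 3, 1), "expiry_time": -1},
    {"token_id": "tok-b", "created_by_username": "dev@example.com",
     "creation_time": to_ms(2024, 12, 1), "expiry_time": to_ms(2025, 1, 30)},
    {"token_id": "tok-c", "created_by_username": "ci@example.com",
     "creation_time": to_ms(2024, 11, 15), "expiry_time": to_ms(2025, 11, 15)},
    {"token_id": "tok-d", "created_by_username": "old@example.com",
     "creation_time": to_ms(2024, 1, 1), "expiry_time": to_ms(2024, 6, 1)},
]

if __name__ == "__main__":
    for f in assess_tokens(SAMPLE, NOW):
        print(f["token_id"], f["owner"], f["age_days"], "; ".join(f["reasons"]))
```
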

Best practices

For authenticating API access to your Azure Databricks workspaces and resources in your automation, Databricks recommends you use a service principal and OAuth. While Databricks still supports PATs for compatibility, they are no longer a preferred mechanism for authentication due to their greater security risk.