Assess personal access token usage in your Databricks account

Secure access to Azure Databricks resources with personal access tokens (PATs) requires regularly revoking individual access tokens. This topic provides a notebook that, when run in your Azure Databricks workspace, lists all the personal access tokens (PATs) that have not been rotated or updated in the last 90 days so you can revoke them.

Note

Databricks recommends that you use OAuth secrets and access tokens for authentication rather than PATs. For more details on using OAuth for authenticating access to your Azure Databricks workspace resources, see Authenticate access to Azure Databricks with a user account using OAuth (OAuth U2M).

Prerequisites

To run this notebook in your Azure Databricks workspace, you must have identity federation enabled for your Azure Databricks workspace. If you have account administrator permissions, you can enable identity federation for a user by following these instructions: Enable identity federation.

If you want to use this notebook in your automation or provide it to other users to run it, create a service principal. Grant account administrator permission to the new service principal and add the service principal's client ID and client secret to the notebook (as indicated in the code). The service principal is automatically added with administrator privileges to each workspace so the notebook can be run to list the PATs for that workspace. After running the notebook delete the service principal.

Databricks workspace PAT usage notebook

Run the following notebook and review the state of the PATs in your account:

Assess PAT usage for your Databricks account and workspaces

Get notebook

Next steps

Once you have assessed the PAT usage for your Azure Databricks account, Databricks recommends you minimize your token exposure with the following steps:

  1. Set a short lifetime for all new tokens created in your workspace(s). The lifetime should be less than 90 days.
  2. Work with your Azure Databricks workspace administrators and users to switch to those tokens with shorter lifetimes.
  3. Revoke all long-lived tokens to reduce the risk of these older tokens getting misused over time. Databricks automatically revokes all PATs for your Azure Databricks workspaces when the token hasn't been used in 90 or more days.

Best practices

For authenticating API access to your Azure Databricks workspaces and resources in your automation, Databricks recommends you use a service principal and OAuth. While Databricks still supports PATs for compatibility, they are no longer a preferred mechanism for authentication due to their greater security risk.