Configure Databricks OAuth via Microsoft Entra ID for Data Product Chat

Alation Cloud Service Applies to Alation Cloud Service instances of Alation

This topic provides step-by-step instructions for configuring OAuth 2.0 authentication for Azure Databricks data products using Microsoft Entra ID (formerly Azure Active Directory) as the OAuth provider. After configuration, users who chat with the data product are redirected to the Entra ID login screen to authenticate before querying the data source.

In this topic:

• Prerequisites

• Step 1: Register a Service Principal in Microsoft Entra ID

• Step 2: Create a Client Secret

• Step 3: Configure API Permissions

• Step 4: Collect Authentication Endpoints

• Step 5: Add the Service Principal to the Databricks Workspace

• Step 6: Create an Authentication Profile in Alation

• Step 7: Configure the Data Product to Use OAuth

• Step 8: Authenticate via Chat

• Troubleshooting

Prerequisites

Before you begin, confirm the following:

• You have an Azure Databricks or Azure Databricks Unity Catalog data source configured in Alation using the OCF connector.

• You have the Application Administrator role in Microsoft Entra ID.

• You have the Server Admin role in Alation.

• Each user who needs to chat with the data product has an account in both Entra ID and the Databricks workspace.

• The Databricks connector version supports OAuth for Compose (version 2.2.0 or later for Azure Databricks, version 3.1.0 or later for Unity Catalog).

Step 1: Register a Service Principal in Microsoft Entra ID

1. Sign in to the Azure Portal.

2. Go to Microsoft Entra ID > App registrations and click New registration.

3. Enter a name for the application, for example Alation Databricks OAuth.

4. Under Supported account types, select Single tenant.

5. Under Redirect URI, select Web and enter the following URI:

   https://<your_alation_url>/api/v2/auth/callback
   

   Replace <your_alation_url> with the base URL of your Alation instance. Do not include a trailing slash.

6. Click Register.

7. On the application’s Overview page, copy and save the Application (client) ID. You will need it in Step 5.

Step 2: Create a Client Secret

1. In the registered application, go to Certificates & secrets.

2. Click New client secret.

3. Enter a description and select an expiration period.

4. Click Add.

5. Copy and save the secret Value immediately. This value is shown only once.

Step 3: Configure API Permissions

1. In the registered application, go to API permissions in the left menu.

2. Click Add a permission and select APIs my organization uses.

3. Search for AzureDatabricks (no space) and click the AzureDatabricks API.

4. Select the user_impersonation permission and click Add permissions.

5. On the API permissions page, click Grant admin consent for <your organization> and confirm by clicking Yes.

Step 4: Collect Authentication Endpoints

1. In the registered application, go to Overview and click Endpoints.

2. Copy and save the following values (use the v1 versions):

   Endpoint	Example
   OAuth 2.0 authorization endpoint (v1)	https://login.microsoftonline.com/<tenant-id>/oauth2/authorize
   OAuth 2.0 token endpoint (v1)	https://login.microsoftonline.com/<tenant-id>/oauth2/token

   Important

   Use the v1 endpoints, not v2. The v2 endpoints use a different token format that may not be compatible with Databricks.

Step 5: Add the Service Principal to the Databricks Workspace

The service principal must exist in the Databricks workspace so that OAuth tokens issued by Entra ID are recognized.

1. In the Azure Databricks workspace, go to Settings > Identity and access.

2. Under Service principals, click Add service principal.

3. Select the application you registered in Step 1.

4. Assign the service principal to the workspace with appropriate permissions.

Alternatively, you can add the service principal using the Databricks SCIM API or Terraform.

Note

Each user who authenticates through OAuth must also exist in the Databricks workspace. Confirm that user provisioning (via SCIM or manual assignment) is configured.

Step 6: Create an Authentication Profile in Alation

1. Log in to Alation as a Server Admin.

2. Click the Settings icon in the upper right to open Admin Settings.

3. Select Authentication.

4. Scroll to Authentication Configuration Methods for External Systems.

5. Click Add Configuration and select OAuth.

6. Fill in the following fields:

   Field	Value
   Config Name	A descriptive name, for example databricks_entra_dp_auth.
   Client ID	The Application (client) ID from Step 1.
   Client Secret	The secret value from Step 2.
   Scope	2ff814a6-3304-4ab8-85cb-cd0e6f879c1d/.default offline_access
   Grant Type	auth_code
   PKCE Verifier	Enable if your Entra ID configuration enforces PKCE.
   Authorize Endpoint URL	The OAuth 2.0 authorization endpoint (v1) from Step 4.
   Redirect URL	https://<your_alation_url>/api/v2/auth/callback — replace <your_alation_url> with the base URL of your Alation instance.
   Token Endpoint URL	The OAuth 2.0 token endpoint (v1) from Step 4.
   User Info Endpoint URL	Use the same value as the Token Endpoint URL.

7. Click Save.

8. Refresh the page and note the Config Name for the profile you created.

Note

For more information about external authentication profiles, see Authentication Configuration Methods for External Systems.

Step 7: Configure the Data Product to Use OAuth

1. Navigate to Data Products App from the left-side navigation.

2. Select My Data Products.

3. Locate the data product and click the Edit icon, then select the Configure tab. Alternatively, click the data product name, then click the three-dot menu and select Configure Chat.

4. Under Configure, expand Configure Connection.

5. Select OAuth.

6. From the list of available authentication profiles, select the profile you created in Step 6 (for example, databricks_entra_dp_auth).

7. Click Save.

Step 8: Authenticate via Chat

1. Open the data product and click the Chat button.

2. Click the connection indicator.

3. A new browser tab opens with the Microsoft Entra ID login screen. Enter your credentials.

4. After successful authentication, the tab closes and the Chat is ready for use.

5. Type your question and click the Send icon to verify the connection works.

Troubleshooting

Issue	Resolution
AADSTS50011: The redirect URI does not match	The Redirect URI in the Entra app registration does not match the Alation callback URL. Verify it is https://<your_alation_url>/api/v2/auth/callback (replace <your_alation_url> with your Alation base URL) with no trailing slash.
AADSTS700016: Application not found in the directory	The Client ID is incorrect or the app registration is in a different tenant. Verify the Application (client) ID and that you are using a Single tenant configuration.
Token expires and users must re-authenticate frequently	Increase the token lifetime in Entra ID. Confirm that the Scope in the authentication profile includes offline_access to enable refresh tokens.
User not found in Databricks workspace	The authenticated user must exist in the Databricks workspace. Configure SCIM provisioning or add the user manually.
OAuth login succeeds but queries fail with permission errors	The user’s Databricks identity does not have access to the tables referenced by the data product. Grant the necessary table or schema permissions in Databricks.

Related Topics

• Configure Chat with Data Product