Skip to content

Azure AD (Entra ID) OAuth authentication

The Unity Catalog connector defaults to token-based authentication. This topic is for Azure Databricks only: authenticate with Microsoft Entra ID (Azure AD) using an application (service principal) and the OAuth 2.0 client credentials flow. Configure JDBC Authentication Mechanism as azure_oauth and enter the Entra application (client) ID, client secret, and directory (tenant) ID in the Setup section for your deployment type (Self-Managed Portal, Privacera Manager / data plane, or PrivaceraCloud).

For Databricks workspace OAuth (oauth)—not Entra ID client credentials—see OAuth Authentication.

Background from Microsoft on OAuth machine-to-machine (service principal) access to Azure Databricks: Authenticate service principals with OAuth (Microsoft Learn).

Prerequisites

Step 1: Create or locate a service principal in Azure

  1. Sign in to the Microsoft Azure portal.
  2. Navigate to Microsoft Entra ID (formerly Azure Active Directory).
  3. Select App registrations.
  4. Click New registration (or select an existing app).
  5. Provide:
    • Name: databricks-oauth-sp (or your preferred name).
    • Supported account types: Single tenant (recommended).
  6. Click Register.

Step 2: Copy the Azure OAuth credentials

After registration, open the Overview tab and copy:

Field Use as
Application (client) ID OAuth2ClientId
Directory (tenant) ID AzureTenantId

Step 3: Create a client secret

  1. In the registered application, go to Certificates & secrets.
  2. Click New client secret.
  3. Add a description and choose an expiration period.
  4. Click Add.
  5. Copy the Value immediately.
Field Use as
Client secret value OAuth2Secret

Client secret visibility

This value is shown only once—store it securely.

Step 4: Add the service principal to Azure Databricks

  1. Open your Azure Databricks workspace.
  2. Navigate to SettingsIdentity and accessService principals.
  3. Click Add service principal.
  4. Enter the Client ID.
  5. Grant appropriate permissions, for example:
    • Access to SQL warehouses
    • Unity Catalog privileges
    • Workspace access

Step 5: Grant required Unity Catalog permissions

After configuring the Azure service principal in Databricks, grant the Unity Catalog privileges the connector needs to access metadata and enforce policies. These permissions allow the service principal to read catalogs, schemas, and tables required by the connector.

Metastore Admin role

If the service principal is assigned the Metastore Admin role, explicit catalog permissions are not required.

Run the following SQL statements in a Databricks SQL workspace or using an account with sufficient privileges.

Grant catalog-level access

SQL
1
2
GRANT USE CATALOG ON CATALOG <catalog_name> TO `<client_id>`;
GRANT MANAGE ON CATALOG <catalog_name> TO `<client_id>`;

Replace placeholders

  • Replace <catalog_name> with your Unity Catalog object names.
  • Replace <client_id> with the Entra application (client) ID of the service principal (the same value you configure as OAuth Client ID in Setup).

Setup

Replace <server-hostname>, <http-path>, <AZURE_CLIENT_ID>, <AZURE_CLIENT_SECRET_VALUE>, and <AZURE_TENANT_ID> with real values.

  1. Navigate to SettingsApplications in the Self-Managed Portal.

  2. From the list of Connected Applications, select Databricks Unity Catalog.

  3. Click on the application name or the icon to edit. Then, go to the Access Management tab.

  4. Under the BASIC tab

    • Update the value for JDBC Authentication Mechanism as azure_oauth.

    • Update the value for Databricks JDBC url with the following format:

      Bash
      jdbc:databricks://<server-hostname>:443/default;transportMode=http;ssl=1;AuthMech=11;Auth_Flow=1;httpPath=<http-path>;

    • Make sure the value for Databricks personal access token is empty.

    • Add the values for OAuth Client ID and OAuth Client Secret (Entra Application (client) ID and client secret value for Azure AD).

  5. For Directory (tenant) ID, open the ADVANCE tab.

    • Under Add New Custom Properties, add the following property, for example:
    Text Only
    1
    ranger.policysync.connector.0.azure.oauth.tenant.id=<AZURE_TENANT_ID>

    Replace <AZURE_TENANT_ID> with your Entra Directory (tenant) ID (UUID). Replace 0 with your connector index when you use multiple connectors.

  6. Click SAVE to apply the changes.

Auth mechanism value in YAML

Examples use azure_oauth. The connector treats azure_oauth and AZURE_OAUTH (and similar casing) as the same value.

To enable Azure AD OAuth, update the connector variables in Privacera Manager.

  1. SSH to the instance where Privacera Manager is installed.

  2. Open the connector vars file (replace instance1 if you use another instance name):

    Bash
    1
    vi ~/privacera/privacera-manager/config/custom-vars/connectors/databricks-unity-catalog/instance1/vars.connector.databricks.unity.catalog.yml

  3. Set Azure AD OAuth as follows:

    YAML
    1
2
3
4
5
    CONNECTOR_DATABRICKS_UNITY_CATALOG_JDBC_URL: "jdbc:databricks://<server-hostname>:443/default;transportMode=http;ssl=1;AuthMech=11;Auth_Flow=1;httpPath=<http-path>;"
CONNECTOR_DATABRICKS_UNITY_CATALOG_AUTH_MECHANISM: "azure_oauth"
CONNECTOR_DATABRICKS_UNITY_CATALOG_OAUTH_CLIENT_ID: "<AZURE_CLIENT_ID>"
CONNECTOR_DATABRICKS_UNITY_CATALOG_OAUTH_CLIENT_SECRET: "<AZURE_CLIENT_SECRET_VALUE>"
CONNECTOR_DATABRICKS_UNITY_CATALOG_AZURE_OAUTH_TENANT_ID: "<AZURE_TENANT_ID>"

    Treat CONNECTOR_DATABRICKS_UNITY_CATALOG_OAUTH_CLIENT_SECRET like other sensitive connector secrets: use your secrets manager or include it in your deployment’s encrypted connector properties list (for example CONNECTOR_ENCRYPT_PROPS_LIST or the mechanism your environment uses for CONNECTOR_* secrets).

  4. After the properties are configured, update the Privacera Manager platform:

    Step 1 - Setup which generates the helm charts. This step usually takes few minutes.

    Bash
    1
2
    cd ~/privacera/privacera-manager
./privacera-manager.sh setup
    Step 2 - Apply the Privacera Manager helm charts.
    Bash
    1
2
    cd ~/privacera/privacera-manager
./pm_with_helm.sh upgrade
    Step 3 - (Optional) Post-installation step which generates Plugin tar ball, updates Route 53 DNS and so on. This step is not required if you are updating only connector properties.

    Bash
    1
2
    cd ~/privacera/privacera-manager
./privacera-manager.sh post-install

  1. In the PrivaceraCloud portal, navigate to SettingsApplications.

  2. On the Connected Applications screen, select Databricks Unity Catalog.

  3. Click the pen icon or the Account Name to modify the settings.

  4. On the Edit Application screen, go to Access Management.

  5. Under the BASIC tab

    • Update the value for JDBC Authentication Mechanism as azure_oauth.

    • Update the value for Databricks JDBC url with the following format:

      Bash
      jdbc:databricks://<server-hostname>:443/default;transportMode=http;ssl=1;AuthMech=11;Auth_Flow=1;httpPath=<http-path>;

    • Make sure the value for Databricks personal access token is empty.

    • Add the values for OAuth Client ID and OAuth Client Secret (Entra Application (client) ID and client secret value for Azure AD).

  6. For Directory (tenant) ID, open the ADVANCE tab.

    • Under Add New Custom Properties, add the following property, for example:
    Text Only
    1
    ranger.policysync.connector.0.azure.oauth.tenant.id=<AZURE_TENANT_ID>

    Replace <AZURE_TENANT_ID> with your Entra Directory (tenant) ID (UUID). Replace 0 with your connector index when you use multiple connectors.

  7. Click SAVE to apply the changes.

Troubleshooting

  • 401 / invalid_client — Wrong client ID, secret, or tenant; confirm the Entra app and secret expiry.
  • Insufficient privileges — The application lacks required Databricks or Azure permissions for PolicySync.
  • Wrong modeJDBC Authentication Mechanism does not match the credential source (for example Entra ID values with oauth, or Databricks OAuth client values with azure_oauth). For azure_oauth, ensure the directory (tenant) ID is set as required by your deployment (see Setup).