Skip to content

Azure AD (Entra ID) OAuth authentication

The Unity Catalog connector defaults to token authentication. For Azure Databricks workspaces, you can use Azure AD OAuth with a Microsoft Entra ID application (service principal) and the OAuth 2.0 client credentials flow. For official Azure Databricks guidance on OAuth machine-to-machine (service principal) authentication, see Authenticate service principals with OAuth (Microsoft Learn).

The oauth and azure_oauth mechanisms both use CONNECTOR_DATABRICKS_UNITY_CATALOG_OAUTH_CLIENT_ID and CONNECTOR_DATABRICKS_UNITY_CATALOG_OAUTH_CLIENT_SECRET for the OAuth client ID and secret. For oauth, those values come from the Databricks OAuth integration (workspace OIDC client). For azure_oauth, use Entra ID application credentials in the same two variables and also set CONNECTOR_DATABRICKS_UNITY_CATALOG_AZURE_OAUTH_TENANT_ID. For Databricks-only OAuth setup, see OAuth Authentication.

Mechanism (typical) Identity source Privacera Manager variables (client + tenant)
oauth Databricks OAuth / OIDC CONNECTOR_DATABRICKS_UNITY_CATALOG_OAUTH_CLIENT_ID, CONNECTOR_DATABRICKS_UNITY_CATALOG_OAUTH_CLIENT_SECRET
azure_oauth Microsoft Entra ID (Azure AD) Same OAUTH_CLIENT_* variables as oauth, plus CONNECTOR_DATABRICKS_UNITY_CATALOG_AZURE_OAUTH_TENANT_ID

Use azure_oauth when the identity is registered in Azure AD. Use oauth when credentials come from the Databricks OAuth integration. Do not point oauth at Entra credentials, or azure_oauth at Databricks OAuth client credentials, without aligning jdbc.auth.mechanism with the credential source.

Mechanism string casing

Sample Privacera Manager YAML uses azure_oauth. The connector treats azure_oauth and AZURE_OAUTH (and similar casing) as the same value.

Prerequisites

Step 1: Create or locate a service principal in Azure

  1. Sign in to the Microsoft Azure portal.
  2. Navigate to Microsoft Entra ID (formerly Azure Active Directory).
  3. Select App registrations.
  4. Click New registration (or select an existing app).
  5. Provide:
    • Name: databricks-oauth-sp (or your preferred name).
    • Supported account types: Single tenant (recommended).
  6. Click Register.

Step 2: Copy the Azure OAuth credentials

After registration, open the Overview tab and copy:

Field Use as
Application (client) ID OAuth2ClientId
Directory (tenant) ID AzureTenantId

Step 3: Create a client secret

  1. In the registered application, go to Certificates & secrets.
  2. Click New client secret.
  3. Add a description and choose an expiration period.
  4. Click Add.
  5. Copy the Value immediately.
Field Use as
Client secret value OAuth2Secret

Client secret visibility

This value is shown only once—store it securely.

Step 4: Add the service principal to Azure Databricks

  1. Open your Azure Databricks workspace.
  2. Navigate to SettingsIdentity and accessService principals.
  3. Click Add service principal.
  4. Enter the Client ID.
  5. Grant appropriate permissions, for example:
    • Access to SQL warehouses
    • Unity Catalog privileges
    • Workspace access

Step 5: Grant required Unity Catalog permissions

After configuring the Azure service principal in Databricks, grant the Unity Catalog privileges the connector needs to access metadata and enforce policies. These permissions allow the service principal to read catalogs, schemas, and tables required by the connector.

Run the following SQL statements in a Databricks SQL workspace or using an account with sufficient privileges.

Grant catalog-level access

SQL
1
2
GRANT USE CATALOG ON CATALOG <catalog_name> TO `<client_id>`;
GRANT MANAGE ON CATALOG <catalog_name> TO `<client_id>`;

Replace placeholders

  • Replace <catalog_name> with your Unity Catalog object names.
  • Replace <client_id> with the Entra application (client) ID of the service principal (the same value you use as CONNECTOR_DATABRICKS_UNITY_CATALOG_OAUTH_CLIENT_ID).

Setup

Replace <server-hostname>, <http-path>, <AZURE_CLIENT_ID>, <AZURE_CLIENT_SECRET_VALUE>, and <AZURE_TENANT_ID> with real values.

To enable Azure AD OAuth, update the connector variables in Privacera Manager.

  1. SSH to the instance where Privacera Manager is installed.

  2. Open the connector vars file (replace instance1 if you use another instance name):

    Bash
    1
    vi ~/privacera/privacera-manager/config/custom-vars/connectors/databricks-unity-catalog/instance1/vars.connector.databricks.unity.catalog.yml

  3. Set Azure AD OAuth as follows:

    YAML
    1
2
3
4
5
    CONNECTOR_DATABRICKS_UNITY_CATALOG_JDBC_URL: "jdbc:databricks://<server-hostname>:443/default;transportMode=http;ssl=1;AuthMech=11;Auth_Flow=1;httpPath=<http-path>;"
CONNECTOR_DATABRICKS_UNITY_CATALOG_AUTH_MECHANISM: "azure_oauth"
CONNECTOR_DATABRICKS_UNITY_CATALOG_OAUTH_CLIENT_ID: "<AZURE_CLIENT_ID>"
CONNECTOR_DATABRICKS_UNITY_CATALOG_OAUTH_CLIENT_SECRET: "<AZURE_CLIENT_SECRET_VALUE>"
CONNECTOR_DATABRICKS_UNITY_CATALOG_AZURE_OAUTH_TENANT_ID: "<AZURE_TENANT_ID>"

    Treat CONNECTOR_DATABRICKS_UNITY_CATALOG_OAUTH_CLIENT_SECRET like other sensitive connector secrets: use your secrets manager or include it in your deployment’s encrypted connector properties list (for example CONNECTOR_ENCRYPT_PROPS_LIST or the mechanism your environment uses for CONNECTOR_* secrets).

  4. After the properties are configured, update the Privacera Manager platform:

    Step 1 - Setup which generates the helm charts. This step usually takes few minutes.

    Bash
    1
2
    cd ~/privacera/privacera-manager
./privacera-manager.sh setup
    Step 2 - Apply the Privacera Manager helm charts.
    Bash
    1
2
    cd ~/privacera/privacera-manager
./pm_with_helm.sh upgrade
    Step 3 - (Optional) Post-installation step which generates Plugin tar ball, updates Route 53 DNS and so on. This step is not required if you are updating only connector properties.

    Bash
    1
2
    cd ~/privacera/privacera-manager
./privacera-manager.sh post-install

  1. In the PrivaceraCloud portal, navigate to SettingsApplications.

  2. On the Connected Applications screen, select Databricks Unity Catalog.

  3. Click the pen icon or the Account Name to modify the settings.

  4. On the Edit Application screen, go to Access Management.

  5. Under the BASIC tab

    • Update the value for JDBC Authentication Mechanism as azure_oauth.

    • Update the value for Databricks JDBC url with the following format:

      Bash
      jdbc:databricks://<server-hostname>:443/default;transportMode=http;ssl=1;AuthMech=11;Auth_Flow=1;httpPath=<http-path>;

    • Make sure the value for Databricks personal access token is empty.

    • Add the values for OAuth Client ID and OAuth Client Secret (Entra Application (client) ID and client secret value for Azure AD).

  6. For Directory (tenant) ID, open the ADVANCE tab.

    • Under Add New Custom Properties, add the following property, for example:
    Text Only
    1
    ranger.policysync.connector.0.azure.oauth.tenant.id=<AZURE_TENANT_ID>

    Replace <AZURE_TENANT_ID> with your Entra Directory (tenant) ID (UUID). Replace 0 with your connector index when you use multiple connectors.

  7. Click SAVE to apply the changes.

Troubleshooting

  • 401 / invalid_client — Wrong client ID, secret, or tenant; confirm the Entra app and secret expiry.
  • Insufficient privileges — The application lacks required Databricks or Azure permissions for PolicySync.
  • Wrong modeoauth vs azure_oauth mismatch with the credential source, or missing CONNECTOR_DATABRICKS_UNITY_CATALOG_AZURE_OAUTH_TENANT_ID for azure_oauth.