Registering an application with Microsoft Entra ID (formerly Azure Active Directory) creates a service principal you can use to provide access to Azure storage accounts.
You can then configure access to these service principals using credentials stored with secrets. Databricks recommends using <entra-service-principal>s scoped to clusters or SQL warehouses to configure data access. See Connect to Azure Data Lake Storage Gen2 and Blob Storage and Enable data access configuration.
Registering a Microsoft Entra ID (formerly Azure Active Directory) application and assigning appropriate permissions will create a service principal that can access Azure Data Lake Storage Gen2 or Blob Storage resources.
To register a Microsoft Entra ID application, you must have the
Application Administrator role or the
Application.ReadWrite.All permission in Microsoft Entra ID.
In the Azure portal, go to the Microsoft Entra ID service.
Under Manage, click App Registrations.
Click + New registration. Enter a name for the application and click Register.
Click Certificates & Secrets.
Click + New client secret.
Add a description for the secret and click Add.
Copy and save the value for the new secret.
In the application registration overview, copy and save the Application (client) ID and Directory (tenant) ID.
You control access to storage resources by assigning roles to a Microsoft Entra ID application registration associated with the storage account. You might need to assign other roles depending on specific requirements.
To assign roles on a storage account you must have the Owner or User Access Administrator Azure RBAC role on the storage account.
In the Azure portal, go to the Storage accounts service.
Select an Azure storage account to use with this application registration.
Click Access Control (IAM).
Click + Add and select Add role assignment from the dropdown menu.
Set the Select field to the Microsoft Entra ID application name and set Role to Storage Blob Data Contributor.