End of life for Databricks-managed passwords

Databricks-managed passwords reached end of life on July 10, 2024. Starting on July 10, 2024, you can no longer use Databricks-managed passwords to authenticate to the Databricks UI or APIs, known as basic authentication.

How do I log in to Databricks?

Depending on your account configuration, you can log in to Databricks with single sign-on, external accounts, or email and a one-time passcode.

When single sign-on is not configured, you can log in to Databricks using your email or one of the account providers selected by your account admin. When you login with a one-time passcode, Databricks sends a unique code to your email address. You must retrieve this code from your email and enter it on the login page to verify your identity. For more information, see Sign-in with email or external accounts.

Login with email

How do I authenticate to Databricks APIs?

Starting on July 10, 2024, you can no longer use Databricks-managed passwords to authenticate to the Databricks APIs, known as basic authentication. Automation using basic authentication will fail. You must use either OAuth authentication (recommended) or personal access tokens.

How do I authenticate to Databricks from BI tools?

Starting on July 10, 2024, you can no longer use a username and password to authenticate to Databricks from BI tools. Depending on your account configuration, you can use single sign-on or personal access tokens to authenticate to Databricks from BI tools. For example, to authentication from Tableau and Power BI, see Connect Tableau and Databricks and Connect Power BI to Databricks.

SSO flow chart

How do I migrate my account off of passwords?

The steps you take to migrate off of passwords differ depending on whether your users are in a centralized identity provider or not. As an account admin, use the following flow chart to help you plan your migration:

SSO flow chart

Users are in a centralized identity provider

  1. Configure single sign-on in your account.

    1. Enable unified login for all workspaces. If your account was created after June 21, 2023 or you did not configure SSO before December 12, 2024, unified login is already enabled. See Configure SSO in Databricks.

    2. Configure emergency access to prevent lockouts. Emergency access allows specified users to sign into Databricks using a password and multi-factor authentication. See Emergency access to prevent lockouts.

    3. Enforce multi-factor authentication from your identity provider.

  2. Migrate API authentication from basic authentication. To generate a list of workspace users using basic authentication, see How do I audit basic authentication usage?.

    Use OAuth authentication (recommended) or personal access tokens.

    See Authenticate access to Databricks with a service principal using OAuth (OAuth M2M).

Users have different email domains

  1. Use one-time passcodes or allow users to log in with existing Google or Microsoft accounts. See Sign-in with email or external accounts.

    No action is required to migrate to one-time passcodes. Users will receive a unique code via email to log in.

  2. Migrate API authentication from basic authentication. To generate a list of workspace users using basic authentication, see How do I audit basic authentication usage?.

    Use OAuth authentication (recommended) or personal access tokens.

    See Authenticate access to Databricks with a service principal using OAuth (OAuth M2M).

How do I audit basic authentication usage?

As a workspace admin, can use the following notebook to generate a list of workspace users who use basic authentication.

Query audit logs for password-based API logins

Open notebook in new tab