Access storage with Azure Active Directory

Registering an application with Azure Active Directory (Azure AD) creates a service principal you can use to provide access to Azure storage accounts. You can then configure access to these service principals using credentials stored with secrets.

Databricks recommends using Azure Active Directory service principals scoped to clusters or SQL warehouses to configure data access. See Connect to Azure Data Lake Storage Gen2 and Blob Storage and Enable data access configuration.

Register an Azure Active Directory application

Registering an Azure AD application and assigning appropriate permissions will create a service principal that can access Azure Data Lake Storage Gen2 or Blob Storage resources.

To register an Azure AD application, you must have the Application Administrator role or the Application.ReadWrite.All permission in Azure Active Directory.

  1. In the Azure portal, go to the Azure Active Directory service.

  2. Under Manage, click App Registrations.

  3. Click + New registration. Enter a name for the application and click Register.

  4. Click Certificates & Secrets.

  5. Click + New client secret.

  6. Add a description for the secret and click Add.

  7. Copy and save the value for the new secret.

  8. In the application registration overview, copy and save the Application (client) ID and Directory (tenant) ID.

Databricks recommends storing these credentials using secrets.

Assign roles

You control access to storage resources by assigning roles to an Azure AD application registration associated with the storage account. This example assigns the Storage Blob Data Contributor role to an Azure storage account. You may need to assign other roles depending on specific requirements.

To assign roles on a storage account you must be an Owner or a user with the User Access Administrator Azure RBAC role on the storage account.

  1. In the Azure portal, go to the Storage accounts service.

  2. Select an Azure storage account to use with this application registration.

  3. Click Access Control (IAM).

  4. Click + Add and select Add role assignment from the dropdown menu.

  5. Set the Select field to the Azure AD application name and set Role to Storage Blob Data Contributor.

  6. ClickSave.
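Once the application is registered and the role is assigned, the client ID, tenant ID and client secret from the steps above are what a cluster needs to reach the storage account. The following added example (not code from this page or from Databricks) builds the Spark configuration for OAuth client-credentials access to an ADLS Gen2 account; it assumes the fs.azure.account.* property names of the Hadoop Azure (ABFS) connector and keeps the client secret in a Databricks secret scope, referenced with the {{secrets/<scope>/<key>}} syntax, so the secret value never appears in the cluster definition.

```python
"""Build the Spark conf that lets a cluster use the service principal
registered above to access <storage_account>.dfs.core.windows.net.

Assumptions (not from the page): the ABFS connector's fs.azure.account.*
property names and the {{secrets/<scope>/<key>}} reference syntax that
cluster Spark config resolves at start-up.
"""


def adls_oauth_conf(storage_account: str, tenant_id: str, client_id: str,
                    secret_scope: str, secret_key: str) -> dict:
    """Return Spark conf entries for OAuth (client credentials) access.

    The client secret is referenced by scope/key rather than by value, so
    the secret created in step 5 stays in the secret store and is never
    pasted into notebooks or cluster definitions.
    """
    suffix = f"{storage_account}.dfs.core.windows.net"
    return {
        f"fs.azure.account.auth.type.{suffix}": "OAuth",
        f"fs.azure.account.oauth.provider.type.{suffix}":
            "org.apache.hadoop.fs.azurebfs.oauth2.ClientCredsTokenProvider",
        f"fs.azure.account.oauth2.client.id.{suffix}": client_id,
        f"fs.azure.account.oauth2.client.secret.{suffix}":
            f"{{{{secrets/{secret_scope}/{secret_key}}}}}",
        f"fs.azure.account.oauth2.client.endpoint.{suffix}":
            f"https://login.microsoftonline.com/{tenant_id}/oauth2/token",
    }


def render_cluster_spark_conf(conf: dict) -> str:
    """Format the entries as the 'key value' lines pasted into a cluster's
    Spark config box (one property per line)."""
    return "\n".join(f"{key} {value}" for key, value in conf.items())


if __name__ == "__main__":
    # Placeholder identifiers (constructed); replace them with the values
    # copied in step 8 and the scope/key under which the secret was stored.
    conf = adls_oauth_conf("examplestorage",
                           "00000000-0000-0000-0000-000000000000",
                           "11111111-1111-1111-1111-111111111111",
                           "adls-scope", "sp-client-secret")
    print(render_cluster_spark_conf(conf))
```

The same entries can be set per notebook with spark.conf.set and dbutils.secrets.get for the secret, but the cluster-scoped form above is the one that matches the recommendation at the top of this page.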