Azure Databricks - Connection Guide


Dodeca connects to Azure Databricks using a server-side JDBC connection authenticated with an OAuth 2.0 access token obtained via an Azure Entra ID app registration. No client-based SQL connector is required to connect and interact with a Databricks data warehouse, but a Microsoft Authorization connection is required in order to authorize the user.

Two authentication approaches are supported:

  • Delegated authentication (recommended) — Each Dodeca user signs in interactively with their own Entra ID account. The access token represents the individual user’s identity, and Databricks enforces that user’s own permissions. This is the preferred approach because it provides per-user auditability and eliminates shared credentials.

  • Service principal with client secret — A shared Entra ID service principal authenticates non-interactively using a client secret. All Dodeca users access Databricks under the service principal’s identity and permissions. Use this approach when interactive sign-in is not appropriate, such as for automated or scheduled processes.

Prerequisites

The following must be in place before configuring the connection in Dodeca regardless of which authentication approach is used:

  • The Microsoft Authorization connector must be downloaded, imported into the Dodeca tenant, and the Dodeca application restarted before a Microsoft Authorization connection can be created. The connector module is available from the Applied OLAP downloads page.

  • The Databricks JDBC driver JAR (e.g., databricks-jdbc-3.4.1.jar) must be placed in the Dodeca server’s JDBC driver directory and the server must be configured to load it. The driver is available from the Databricks JDBC download page.

  • The Dodeca server’s JVM must be started with the following argument to satisfy an Apache Arrow Java compatibility requirement of the Databricks JDBC driver:

    --add-opens java.base/java.nio=org.apache.arrow.memory.core,ALL-UNNAMED

  • The Azure Databricks SQL warehouse (or cluster) HTTP path must be known. This is available in the Databricks workspace under SQL Warehouses > [Your Warehouse] > Connection details.

  • The Databricks workspace hostname must be known (e.g., adb-1234567890123456.7.azuredatabricks.net).

Option A: Delegated Authentication

In delegated authentication, each Dodeca user signs in to Entra ID with their own credentials. The resulting access token identifies that individual user to Databricks, so Databricks permissions, row-level security, and audit logs all reflect the end user’s identity rather than a shared account.

Step A-1: Register an Application in Azure Entra ID

  1. Sign in to the Azure portal as a user with permission to create app registrations.

  2. Navigate to Azure Active Directory (Entra ID) > App registrations and select New registration.

  3. Provide a name for the application (e.g., Dodeca Databricks) and select the appropriate supported account type for your organization.

  4. Under Redirect URI, select Public client/native (mobile & desktop) as the platform and enter https://sso.appliedolap.com/oauth/nativeclient as the URI. Select Register.

  5. After registration, note the following values from the Overview page:

    • Application (client) ID — used as the ClientID in Dodeca.

    • Directory (tenant) ID — used as the TenantID in Dodeca.

  6. Navigate to Authentication. Under Advanced settings, set Allow public client flows to Yes.

  7. Under API Permissions, select Add a permission, choose AzureDatabricks from the APIs my organization uses list, and select user_impersonation.

  8. After adding the required permissions, grant admin consent on behalf of the organization.

Note: Do not create a client secret. The delegated flow uses interactive sign-in and does not require one.

Step A-2: Add Users to Azure Databricks

Each Dodeca user who will access Databricks must exist as a user in the Databricks workspace and have appropriate Unity Catalog permissions. Databricks can sync users from Entra ID via SCIM provisioning, or they can be added manually.

  1. In the Databricks workspace, navigate to Access Control and confirm that users have been added to the workspace.

  2. Grant each user (or a group they belong to) the appropriate Unity Catalog privileges:

    GRANT USE CATALOG ON CATALOG <catalog_name> TO `<user@example.com>`;
    GRANT USE SCHEMA ON SCHEMA <catalog_name>.<schema_name> TO `<user@example.com>`;
    GRANT SELECT ON SCHEMA <catalog_name>.<schema_name> TO `<user@example.com>`;

Step A-3: Configure a Microsoft Authorization Connection in Dodeca

In the Connections Metadata Editor, select the New button and choose the type MicrosoftConnection. Configure the following properties:

| Property | Value |
| --- | --- |
| TenantID | The Azure tenant (directory) ID noted in Step A-1. |
| ClientID | The application (client) ID of the Entra ID app registration. |
| RedirectURI | https://sso.appliedolap.com/oauth/nativeclient (The redirect URI associated with the Entra ID app registration.) |
| Scopes | 2ff814a6-3304-4ab8-85cb-cd0e6f879c1d/.default (This scope targets the Azure Databricks service. The .default suffix requests the full set of permissions configured for the app registration.) |

When a Dodeca user first connects, they will be prompted to sign in to their Entra ID account through a browser window. Subsequent connections can reuse the cached token.

Use the Test Connection button to confirm that an access token can be obtained. The browser sign-in form will appear during the test.

Note: The scope prefix 2ff814a6-3304-4ab8-85cb-cd0e6f879c1d is the Azure-managed application ID for the Azure Databricks service and is the same across all Azure tenants.

Option B: Service Principal with Client Secret

In this approach, a dedicated Entra ID service principal authenticates non-interactively using a client secret. All Dodeca users share the service principal’s Databricks identity and permissions. No interactive sign-in occurs.

Step B-1: Create a Service Principal in Azure Entra ID

  1. Sign in to the Azure portal as a user with permission to create app registrations.

  2. Navigate to Azure Active Directory (Entra ID) > App registrations and select New registration.

  3. Provide a name for the application (e.g., Dodeca Databricks Service Principal) and select the appropriate supported account type. Leave the redirect URI blank. Select Register.

  4. After registration, note the following values from the Overview page:

    • Application (client) ID — used as the ClientID in Dodeca.

    • Directory (tenant) ID — used as the TenantID in Dodeca.

  5. Navigate to Certificates & secrets and select New client secret. Enter a description and choose an expiration period, then select Add.

  6. Copy the secret Value immediately — it is only displayed once. This value is used as the ClientSecret in Dodeca.

For more information on service principals, see the Azure Databricks service principals documentation.

Step B-2: Add the Service Principal to Azure Databricks

  1. In the Databricks workspace, navigate to Settings > Identity and access > Service principals.

  2. Select Add service principal and enter the Application ID (client ID) of the Entra ID app registration created in Step B-1.

  3. Assign the service principal to the appropriate groups or grant it individual workspace entitlements as required.

  4. Grant the service principal the appropriate Unity Catalog privileges:

    GRANT USE CATALOG ON CATALOG <catalog_name> TO `<application_id>`;
    GRANT USE SCHEMA ON SCHEMA <catalog_name>.<schema_name> TO `<application_id>`;
    GRANT SELECT ON SCHEMA <catalog_name>.<schema_name> TO `<application_id>`;

    Replace <application_id> with the service principal’s application (client) ID.

Step B-3: Configure a Microsoft Authorization Connection in Dodeca

In the Connections Metadata Editor, select the New button and choose the type MicrosoftConnection. Configure the following properties:

| Property | Value |
| --- | --- |
| TenantID | The Azure tenant (directory) ID noted in Step B-1. |
| ClientID | The application (client) ID of the Entra ID app registration. |
| ClientSecret | The client secret value created in Step B-1. Note: This value should be retained on a privileged system and provided as an environment variable or environment-based token rather than retained in the connection metadata. |
| Scopes | 2ff814a6-3304-4ab8-85cb-cd0e6f879c1d/.default (This scope targets the Azure Databricks service. The .default suffix requests the full set of permissions configured for the app registration.) |

The presence of ClientSecret causes Dodeca to use the confidential client (client credentials) flow automatically. No interactive sign-in occurs.

Use the Test Connection button to confirm that an access token can be obtained from Entra ID.

Note: The scope prefix 2ff814a6-3304-4ab8-85cb-cd0e6f879c1d is the Azure-managed application ID for the Azure Databricks service and is the same across all Azure tenants.
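The two approaches differ in whose identity the access token carries: the individual user under Option A, the shared service principal under Option B. The following added example (not part of Dodeca or of the original guide) decodes a token's claims to show that difference and to confirm the audience is the Azure Databricks application ID. The claim names (aud, scp, upn, preferred_username, appid, azp) are assumed from typical Entra ID access tokens, and the sample tokens are constructed and unsigned.

```python
import base64
import json

DATABRICKS_APP_ID = "2ff814a6-3304-4ab8-85cb-cd0e6f879c1d"  # scope prefix from this guide


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def describe_token(token: str) -> dict:
    """Report which identity a token would present to Databricks."""
    claims = jwt_claims(token)
    # Assumption: delegated Entra ID tokens carry "scp"; app-only tokens do not.
    if "scp" in claims:
        flow = "delegated"
        identity = claims.get("upn") or claims.get("preferred_username")
    else:
        flow = "service principal"
        identity = claims.get("appid") or claims.get("azp")
    return {
        "audience_ok": claims.get("aud") == DATABRICKS_APP_ID,
        "flow": flow,
        "identity": identity,
        "per_user_audit": flow == "delegated",
    }


def sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "constructed"])


# Constructed sample claims, not real tokens.
USER_TOKEN = sample_token({"aud": DATABRICKS_APP_ID, "scp": "user_impersonation",
                           "upn": "analyst@example.com"})
SP_TOKEN = sample_token({"aud": DATABRICKS_APP_ID,
                         "appid": "00000000-0000-0000-0000-000000000001"})
WRONG_AUD = sample_token({"aud": "https://graph.microsoft.com", "scp": "User.Read",
                          "upn": "analyst@example.com"})
```

The decoder skips signature validation on purpose, so use it only to inspect tokens you obtained yourself, never to make an authorization decision.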

Configure the SQL Connection in Dodeca

This step is the same regardless of which authentication approach is used. The SQL Connection defines the JDBC connection URL and how the OAuth token from the Microsoft Authorization connection is passed to the Databricks JDBC driver.

In the SQL Connections Metadata Editor, select the New button and configure the following properties:

| Property | Value |
| --- | --- |
| ConnectionMethod | ServerBased |
| DriverClass | com.databricks.client.jdbc.Driver |
| ConnectionURL | The Databricks JDBC connection URL, without the access token parameter. See the format below. |
| CredentialsPolicy | OAuthToken |
| OAuthConnectionID | The ID of the Microsoft Authorization connection configured in Step A-3 or B-3. |
| OAuthConnectionStringProperty | Auth_AccessToken |

Connection URL Format

The ConnectionURL property should contain the Databricks JDBC connection URL excluding the Auth_AccessToken parameter. Dodeca appends the access token to the URL automatically at connection time.

    jdbc:databricks://<server-hostname>:443/default;transportMode=http;ssl=1;httpPath=<http-path>;AuthMech=11;Auth_Flow=0;

Replace the placeholders with your workspace-specific values:

  • <server-hostname> — the Databricks workspace hostname (e.g., adb-1234567890123456.7.azuredatabricks.net).

  • <http-path> — the HTTP path of your SQL warehouse (e.g., /sql/1.0/warehouses/abcdef1234567890).

The Azure Databricks <server-hostname> and <http-path>, as well as a fully formed example JDBC connection URL, can be found in the Databricks workspace under SQL Warehouses > [Your Warehouse] > Connection details.

The AuthMech=11 parameter instructs the JDBC driver to use OAuth 2.0 token authentication. The Auth_Flow=0 parameter specifies the token passthrough flow, in which the caller (Dodeca) supplies the token directly.

Complete Example

    jdbc:databricks://adb-1234567890123456.7.azuredatabricks.net:443/default;transportMode=http;ssl=1;httpPath=/sql/1.0/warehouses/abcdef1234567890;AuthMech=11;Auth_Flow=0;

Once the properties are configured, use the Test Connection button to confirm that Dodeca can connect to Databricks. For delegated connections, the Entra ID sign-in form will appear during the test.
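Because Dodeca appends the token at connection time, the stored ConnectionURL should never contain a credential. The following added example (not part of Dodeca or the Databricks driver) checks a ConnectionURL value against the format above and flags embedded secrets. The function names are hypothetical, property names are assumed to be case-insensitive, and PWD and OAuth2Secret are other Databricks JDBC driver properties that carry credentials.

```python
REQUIRED = {"transportMode": "http", "ssl": "1", "AuthMech": "11", "Auth_Flow": "0"}
# Properties that carry credentials. Auth_AccessToken is appended by Dodeca at
# connection time; PWD and OAuth2Secret are other Databricks JDBC driver properties.
SECRET_PROPS = {"auth_accesstoken", "pwd", "oauth2secret"}


def parse_jdbc_url(url: str):
    """Split a Databricks JDBC URL into host, port and a property dict."""
    prefix = "jdbc:databricks://"
    if not url.startswith(prefix):
        raise ValueError("not a Databricks JDBC URL")
    head, _, tail = url[len(prefix):].partition(";")
    host, _, port = head.split("/", 1)[0].partition(":")
    props = {}
    for item in filter(None, (p.strip() for p in tail.split(";"))):
        key, _, value = item.partition("=")
        props[key.strip()] = value.strip()
    return host, port, props


def lint_connection_url(url: str) -> list:
    """Return findings for a ConnectionURL value; an empty list means it passes."""
    host, port, props = parse_jdbc_url(url)
    lowered = {k.lower(): v for k, v in props.items()}  # assumption: keys are case-insensitive
    findings = []
    if not host:
        findings.append("hostname is missing")
    if port != "443":
        findings.append(f"port is {port or 'missing'}, expected 443")
    for key, want in REQUIRED.items():
        got = lowered.get(key.lower())
        if got != want:
            findings.append(f"{key} should be {want}, found {got!r}")
    if not lowered.get("httppath"):
        findings.append("httpPath is missing")
    for key in props:
        if key.lower() in SECRET_PROPS:  # report the key only, never echo the value
            findings.append(f"{key} must not be stored in ConnectionURL")
    return findings


# The guide's complete example, and a constructed bad variant of it.
GOOD_URL = ("jdbc:databricks://adb-1234567890123456.7.azuredatabricks.net:443/default;"
            "transportMode=http;ssl=1;httpPath=/sql/1.0/warehouses/abcdef1234567890;"
            "AuthMech=11;Auth_Flow=0;")
BAD_URL = GOOD_URL.replace("ssl=1", "ssl=0") + "Auth_AccessToken=CONSTRUCTED-TOKEN;"

if __name__ == "__main__":
    for finding in lint_connection_url(BAD_URL):
        print("FINDING:", finding)
```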

Using the Databricks Connection

After the SQL Connection is configured and tested, it can be used in any SQL Passthrough DataSet or SQL-capable view in Dodeca. Select the Databricks SQL Connection in the SQLConnectionID property of the data set or view to direct queries to Databricks.