What Is Azure-Identity Library
Azure Identity library provides Microsoft Entra ID (AAD) token authentication support across the Azure SDK. It provides set of of methods which can be used for Microsoft Entra ID authentication via token generation.
I will give an example how you can implement this in Databricks as well as from python script.
import azure-identity
from azure-identity import ClientSecretCredential, DefaultAzureCredential
tenant_id = 'your_tenant_id'
client_id = 'service_principal_id'
client_secret = 'service_principal_secret'
credential = ClientSecretCredential(tenant_id,client_id,client_secret)
token = credential.get_token(scope_name).token
scope_name can vary, for example below are some scopes:
https://database.windows.net/.default
Refers to default set of permissions for the Azure SQL resources like Azure SQL server, Synapse analytics
https://api.fabric.microsoft.com/.default
This refers to default set of permissions for the fabric REST API
https://graph.microsoft.com/.default
And it is similar for Microsoft Graph
A scope represents the permission a client application requests for access to a resource and in AAD scopes are used in OAuth 2.0 and OpenID connect protocols to define the access granted to the application for a resource.
Now once a token is generated it can be used in the downstream application for example calling the REST APIs to perform tasks, create SQL connection to perform Synapse/SQL DB DDL or DML operation from Databricks and so on.
Benefits Of Using Azure-Identity library:
It allows detailed scopes like .default, user.read
Handles token caching and renewal automatically
Fully support system assigned and user assigned managed identity, for example to authenticate with Azure KV using a managed identity
What Is ADAL
ADAL or Azure Active Directory Authentication Library is used to authenticate Microsoft Entra entities and request tokens from Microsoft Entra ID. It serves the same purpose as Azure-Identity library.
However ADAL requires more boilerplate code and manual token handling. It does pretty much same job but with limited options. And ADAL is deprecated, Microsoft also advises to use MSAL(Microsoft Authentication Library) or higher level libraries.
Code snippet for Databricks notebook and python scripts:
import adal
authority = "https://login.windows.net/mytenantid"
scope = "https://database.windows.net"
client_id = 'service_principal_id'
client_secret = 'service_principal_secret'
context = adal.AuthenticationContext(authority)
token = context.acquire_token_with_client_credentials(scope,client_id,client_secret)
access_token = token["accesstoken"]
Conclusion:
ADAL and Azure-Identity both supports OAuth2.0 but ADAL lacks support for modern features like granular scopes and managed identity. Azure-Identity supports both System Assigned and User Assigned Managed Identities
In the aspect of scope granularity ADAL only provides resource-level permission (e.g. database.windows.net) while Azure-Identity provides more granular scopes such as (e.g. database.windows.net/.default or User.Read)
Azure-Identity automatically handles token caching and renewal while ADAL requires explicit handling for caching and renewal
ADAL is deprecated so no new features and updates but Azure-Identity is actively developed and maintained