...

  • LHO deployment scripts create and configure an App Registration in the Microsoft Azure portal (App Registrations). It is used for Azure AD Single Sign-On and as the application identity for calling downstream Databricks APIs for background telemetry data analysis.

  • LHO requires administrator rights when running the deployment scripts.

  • Configurations done automatically by the deployment scripts:

    • Creates an Azure AD App Registration that will be used as a Service Principal for Azure AD Single Sign-On

      • this service principal is of type system-assigned managed identity (learn more at “Managed Identities Types”)

    • Creates an App Registration in the Microsoft Azure portal (App Registrations)

      • sets a name for the Service Principal. This name will be used later to assign roles

    • Sets the redirect URI to https://{FQDN}/login/oauth2/code/azure, where FQDN is the host name under which the LHO Application is published

    • Creates a secret (Certificates & Secrets tab) named msft-provider-auth-secret, also known as the client secret

      • in Azure Key Vault, sets the LHO secret msft-provider-auth-secret to <value-of-msft-provider-auth-secret>. The Azure Key Vault instance was already created by the LHO deployment script with the name specified during the deployment process.

    • Enables ID Tokens in the Authentication tab

    • sets clientId and tenantId as public variables in the LHO .env file (3)

  • you can find the created Service Principal by searching in Microsoft Azure portal App Registrations with the clientId exposed in the LHO Workspace Settings

...

💰Consumption Data Authentication

...

The LHO Agent has access to the configuration of a Databricks entity (e.g. Workflow, Job), and that configuration names the Secret Scope container where the credentials are stored. Every such entity has access to the Databricks Secrets service.

...

What permissions are required for the telemetry agent to read/write data from/to Azure Tables? (7)

The LHO Agent stores telemetry data in the Azure Tables of the configured Azure Storage account and sends events (e.g. Spark job finished events) to an Azure Queue configured on the same Storage Account that holds the telemetry data.

The LHO App dequeues events from this Queue and triggers the analysis when the Databricks job or DLT update is complete.

Access to cloud storage via Access Key can be disabled and the LHO App configured to use a Service Principal to access cloud storage instead. The LHO Service Principal requires the Storage Queue Data Contributor and Storage Table Data Contributor roles at the level of the Storage Account used by the LHO Agent. This allows the LHO App to read data from the Storage Account's Queue and the LHO Agent to write data to this queue. (8)

The Storage Queue Data Contributor and Storage Table Data Contributor roles must be granted manually to the LHO Service Principal on the Storage Account used by the LHO Agent. The Service Principal of the LHO App that uses the Azure Blob Storage service must be configured manually by the administrator with the Storage Table Data Contributor role at the storage account level.

The telemetry collector agent uses Databricks Secrets to retrieve the client secret of the Service Principal that is used to access cloud storage.

How does the telemetry agent communicate with the LHO App for realtime telemetry data analysis? (8)

The LHO Agent stores telemetry data in the cloud storage and sends events (e.g. job finished events) to an Azure Queue configured in the same Storage Account used for saving the telemetry data.

The LHO App dequeues events from this Queue and triggers the analysis when the Databricks job or DLT update is complete.

The LHO Service Principal requires Storage Queue Data Contributor role at the queue level.
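Both answers above (7 and 8) say the roles are granted manually, so an administrator will want to confirm the result. The following Python is an added example, not part of this page or of the LHO product: it takes the parsed JSON output of `az role assignment list --assignee <clientId> --all -o json` and reports whether the two data-plane roles are held at the storage-account scope, or only at a narrower (single queue) or broader (resource group, subscription) scope. The subscription, resource group, account name and principal id in the sample are made up.

```python
import json

# Data-plane roles the guide says the LHO Service Principal needs on the
# Storage Account that holds the telemetry tables and the event queue.
REQUIRED_ROLES = {"Storage Queue Data Contributor", "Storage Table Data Contributor"}


def storage_account_scope(subscription_id, resource_group, account_name):
    """Build the ARM resource id used by a storage-account-level assignment."""
    return (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.Storage/storageAccounts/{account_name}")


def check_role_assignments(assignments, principal_id, scope):
    """Classify the principal's assignments relative to the expected scope.

    assignments: list parsed from `az role assignment list --assignee <id> --all -o json`
    Returns the required roles missing at exactly that scope, plus roles found
    only at a narrower scope (e.g. one queue) or a broader one (resource group
    or subscription), which a least-privilege review should look at.
    """
    want = scope.lower()
    held, narrower, broader = set(), {}, {}
    for a in assignments:
        if a.get("principalId") != principal_id:
            continue
        role, got = a.get("roleDefinitionName"), a.get("scope", "").lower()
        if got == want:
            held.add(role)
        elif got.startswith(want + "/"):
            narrower.setdefault(role, []).append(a["scope"])
        elif want.startswith(got + "/"):
            broader.setdefault(role, []).append(a["scope"])
    missing = sorted(REQUIRED_ROLES - held)
    return {"ok": not missing, "missing": missing,
            "narrower": narrower, "broader": broader}


# Constructed sample (hypothetical ids): the queue role was granted on a single
# queue rather than on the storage account, so the check must flag it.
SAMPLE = json.loads("""[
 {"principalId": "11111111-1111-1111-1111-111111111111",
  "roleDefinitionName": "Storage Table Data Contributor",
  "scope": "/subscriptions/sub0/resourceGroups/rg-lho/providers/Microsoft.Storage/storageAccounts/lhotelemetry"},
 {"principalId": "11111111-1111-1111-1111-111111111111",
  "roleDefinitionName": "Storage Queue Data Contributor",
  "scope": "/subscriptions/sub0/resourceGroups/rg-lho/providers/Microsoft.Storage/storageAccounts/lhotelemetry/queueServices/default/queues/lho-events"}
]""")

if __name__ == "__main__":
    scope = storage_account_scope("sub0", "rg-lho", "lhotelemetry")
    print(json.dumps(check_role_assignments(SAMPLE, "11111111-1111-1111-1111-111111111111", scope), indent=2))
```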

...

📍 Public Workspaces

How do I expose Subscriptions and Workspaces to users from other AD tenants?

...