Service Principal authentication within Azure Data Factory v2

You may need Service Principal authentication within Azure Data Factory v2 when an ADF activity requires a user’s permission to perform an action and you don’t want that user to be tied to any person’s email. For example, if you want to use the Data Factory API to block a trigger, you can create a Web Activity and make the POST call, but it won’t work without an appropriately authorized Service Principal.

To do that, first of all enable the Service Principal as “ADF Contributor” on the resource group. This means you need to go to the Resource Group page within the Azure Portal, look for the Service Principal and make it a Data Factory Contributor.

This is the service principal used

Take note of the APPLICATION_ID and of the AUTHENTICATION_KEY (see here how to generate it if you don’t have one yet). We’ll need both later.

  1. Now let’s go to the resource group containing the Data Factory where you need to use the service principal
  2. Select Access control (IAM) from the left pane
  3. Click on Add, then Role assignments
  4. In the right panel “Add role assignment”, select as role: Data Factory Contributor
  5. Select your Service Principal (in my case MyServicePrincipalLuca)
  6. Click on Save

Now your Service Principal is enabled to contribute to the Data Factory of your resource group.

Let’s go to Azure Data Factory to create a pipeline with a web activity: here we will need the AUTHENTICATION_KEY (or Client_secret) we have generated before and the APPLICATION_ID (or Client_Id) of the Service Principal:

Properties of the web activity
  • URL: https://login.microsoftonline.com/<TENANT_ID>/oauth2/token (where <TENANT_ID> is the Azure AD directory (tenant) ID of the Service Principal)
  • METHOD: POST
  • HEADERS (to enter manually): Content-Type = application/x-www-form-urlencoded
  • BODY (without the double quotes): "grant_type=client_credentials&client_id=<APPLICATION_ID>&client_secret=<AUTHENTICATION_KEY>&resource=https://management.azure.com"

At this point we can test the web activity called LOGIN, to see if the Service Principal is properly authenticated within Azure Data Factory.

A way to use the authenticated Service Principal is to create another web activity that takes the access_token output from the login web activity we have just created. In this article you can find a fully explained example of how to achieve this.
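To check the Service Principal outside ADF before wiring up the pipeline, the following added example (not code from the original post) builds the same token request as the LOGIN activity and the Data Factory REST call that stops a trigger. The environment variable names, the helper function names and the `2018-06-01` API version are assumptions of this example; the path segment of the login URL takes the Azure AD tenant (directory) ID.

```python
# Added example (not from the original post): the LOGIN call and the follow-up
# "stop trigger" call, built outside ADF. Env var names below are assumptions.
import json
import os
import urllib.parse
import urllib.request

ARM = "https://management.azure.com"

def token_request(tenant_id, client_id, client_secret):
    """Same request as the LOGIN web activity. urlencode() percent-encodes each
    value, so a secret containing '+', '&' or '=' survives the form body."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": ARM,
    }).encode()
    url = f"https://login.microsoftonline.com/{urllib.parse.quote(tenant_id, safe='')}/oauth2/token"
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})

def access_token(response_body):
    """Return access_token, or raise so a failed login never becomes 'Bearer None'."""
    doc = json.loads(response_body)
    if not doc.get("access_token"):
        raise ValueError(doc.get("error_description", "no access_token in response"))
    return doc["access_token"]

def stop_trigger_request(token, subscription_id, resource_group, factory, trigger):
    """Data Factory REST call that stops a trigger, authorized with the bearer token."""
    parts = ("subscriptions", subscription_id, "resourceGroups", resource_group,
             "providers", "Microsoft.DataFactory", "factories", factory,
             "triggers", trigger, "stop")
    path = "/".join(urllib.parse.quote(p, safe="") for p in parts)
    return urllib.request.Request(
        f"{ARM}/{path}?api-version=2018-06-01", data=b"", method="POST",
        headers={"Authorization": f"Bearer {token}"})

if __name__ == "__main__":
    env = os.environ  # the secret is read from the environment, not hard-coded
    login = token_request(env["TENANT_ID"], env["APPLICATION_ID"], env["AUTHENTICATION_KEY"])
    with urllib.request.urlopen(login) as resp:
        token = access_token(resp.read())
    stop = stop_trigger_request(token, env["SUBSCRIPTION_ID"], env["RESOURCE_GROUP"],
                                env["FACTORY_NAME"], env["TRIGGER_NAME"])
    with urllib.request.urlopen(stop) as resp:
        print("stop trigger returned HTTP", resp.status)
```

A hand-typed body like the one in the web activity needs the same percent-encoding applied to the secret if it contains characters such as `+` or `&`.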

