🛡️ Azure Databricks Personal Access Tokens (PATs) are not restricted and expirable🟢⚪

Contextual name: 🛡️ Databricks Personal Access Tokens (PATs) are not restricted and expirable🟢⚪
ID: /ce/ca/azure/databricks/personal-access-tokens
Tags:
- ⚪ Impossible policy
- 🟢 Policy with categories
- 🟢 Policy with type
Policy Type: COMPLIANCE_POLICY
Policy Categories: SECURITY

Description

Description

Databricks personal access tokens (PATs) provide API-based authentication for users and applications. By default, users can generate API tokens without expiration, leading to potential security risks if tokens are leaked, improperly stored, or not rotated regularly.

To mitigate these risks, administrators should:

Restrict token creation to approved users and service principals.

Enforce expiration policies to prevent long-lived tokens.

Monitor token usage and revoke unused or compromised tokens.

Rationale

Restricting usage and enforcing expiry for personal access tokens reduces exposure to long-lived tokens, minimizes the risk of API abuse if compromised, and aligns with security best practices through controlled issuance and enforced expiry.

Impact

If revoked improperly, applications relying on these tokens may fail, requiring a remediation plan for token rotation. Increased administrative effort is required to track and manage API tokens effectively.

Audit

Azure Databricks administrators can monitor and revoke personal access tokens within their workspace. Detailed instructions are available in the "Monitor and Revoke Personal Access Tokens" section of the Microsoft documentation: https://learn.microsoft.com/en-us/azure/databricks/admin/access-control/tokens. To evaluate token usage, use the provided notebook that lists PATs not rotated or updated in the last 90 days, which helps identify tokens that may require revocation. This process is detailed here: https://docs.azure.cn/en-us/databricks/security/auth/oauth-pat-usage. Implementing diagnostic logging provides a comprehensive reference of audit log services and events and helps track activities related to personal access tokens. More information is available in the diagnostic log reference section: https://docs.azure.cn/en-us/databricks/security/auth/oauth-pat-usage.

... see more

Remediation

Open File

Remediation

From Azure Portal

Disable personal access tokens:

If your workspace does not require PATs, you can disable them entirely to prevent their use.

Navigate to the Azure Databricks workspace.

Click the Settings icon and select Admin Console.

Go to the Advanced tab.

Under Personal Access Tokens, set the toggle to Disabled.

Databricks CLI:
databricks workspace-conf set-status --json '{"enableTokens": "false"}'
Control who can create and use personal access tokens:

Define which users or groups are authorized to create and use PATs.

Navigate to the Azure Databricks workspace.

Click the Settings icon and select Admin Console.

Go to the Advanced tab.

Click Personal Access Tokens, then Permissions.

Assign the appropriate permissions (e.g., No Permissions, Can Use, Can Manage) to users or groups.

Set maximum lifetime for new personal access tokens:

Limit the validity period of new tokens to reduce potential misuse.

Databricks CLI:
databricks workspace-conf set-status --json '{"maxTokenLifetimeDays": "90"}'

... [see more](remediation.md)

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 CIS Azure v5.0.0 → 💼 2.1.6 Ensure that usage is restricted and expiry is enforced for Databricks personal access tokens (Manual)			1		no data
💼 Cloudaware Framework → 💼 Secure Access			75		no data

Description​

Description​

Rationale​

Impact​

Audit​

Remediation​

Remediation​

From Azure Portal​

policy.yaml​

Linked Framework Sections​

Description

Description

Rationale

Impact

Audit

Remediation

Remediation

From Azure Portal

policy.yaml

Linked Framework Sections