Unable to generate MSI token from Synapse while writing data to ServiceBus and EventHub
Only the services for which an audience is available in the list are allowed to generate a token using the MsSparkUtils credential service. But there are other services like ServiceBus and EventHub for which there is no mention in the documentation on how to generate an MSI token using a Spark Scala JAR.
I am really trying to find a resolution for this.
Without this, MSI can't be used to authenticate these services.
Azure Synapse Analytics
-
Vinodh247 • 32,281 Reputation points • MVP
2025-03-21T09:43:02.5266667+00:00 Hi ,
Thanks for reaching out to Microsoft Q&A.
Yes, this is a known limitation with Synapse Spark and MsSparkUtils.
The MsSparkUtils.credentials.getToken() method in Synapse is limited to a predefined list of Azure services (like Azure SQL, Storage, etc.). Currently, Azure Service Bus and Event Hub are not included in that list of supported audience values.
Docs Reference
The audience parameter must match one of the supported services (e.g., https://storage.azure.com/, https://database.windows.net/).
Workaround Options:
- Use a Custom Token Provider with MI (Outside MsSparkUtils)
If you're running in a Synapse Spark pool with Managed Identity enabled, you can still obtain a token using the Azure Identity SDK via a custom JAR:
```scala
import com.azure.identity.DefaultAzureCredentialBuilder
import com.azure.core.credential.TokenRequestContext

// Build the default credential chain and request a token scoped to Service Bus
val credential = new DefaultAzureCredentialBuilder().build()
val requestContext = new TokenRequestContext().addScopes("https://servicebus.azure.net/.default")
val accessToken = credential.getToken(requestContext).block()
val token = accessToken.getToken
```
- This gives you a valid token to use with Service Bus or Event Hub.
- You’ll need to bring in Maven dependencies like:
  - com.azure:azure-identity
  - com.azure:azure-core
- Use Connection String (Not Ideal but Works)
If MSI isn’t feasible and you’re blocked, fall back to a connection string in a Key Vault-backed Spark config (yes, not ideal security-wise, but a practical workaround).
To sum up:
- You cannot get MSI tokens for ServiceBus/EventHub using MsSparkUtils.credentials.getToken().
- Instead, use the Azure Identity SDK with DefaultAzureCredential to manually fetch the token in Spark.
- Or, temporarily use a connection string from Key Vault if MSI is blocked.
Please feel free to click the 'Upvote' (Thumbs-up) button and 'Accept as Answer'. This helps the community by allowing others with similar queries to easily find the solution.
-
Vinodh247 • 32,281 Reputation points • MVP
2025-03-22T05:18:59.4433333+00:00 Please 'Accept as Answer' and click the 'Upvote'(Thumbs-up) button if the reply was helpful. This will help us to close this thread.
-
Venkat Reddy Navari • 1,110 Reputation points • Microsoft External Staff
2025-03-24T09:26:53.9566667+00:00 Ravi Shankar Gupta Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
-
Ravi Shankar Gupta • 0 Reputation points • Microsoft Employee
2025-03-26T10:43:26.6633333+00:00 The answer provided is not working. I tried using the approach but getting this error.
```
2025-03-26 10:37:55,516 INFO ChainedTokenCredential [Driver]: Azure Identity => Attempted credential EnvironmentCredential is unavailable.
2025-03-26 10:37:56,594 INFO ChainedTokenCredential [ForkJoinPool.commonPool-worker-3]: Azure Identity => Attempted credential ManagedIdentityCredential is unavailable.
2025-03-26 10:37:56,638 INFO ChainedTokenCredential [ForkJoinPool.commonPool-worker-3]: Azure Identity => Attempted credential SharedTokenCacheCredential is unavailable.
2025-03-26 10:37:56,643 INFO ChainedTokenCredential [ForkJoinPool.commonPool-worker-3]: Azure Identity => Attempted credential IntelliJCredential is unavailable.
2025-03-26 10:37:56,735 INFO ChainedTokenCredential [ForkJoinPool.commonPool-worker-3]: Azure Identity => Attempted credential AzureCliCredential is unavailable.
2025-03-26 10:37:56,765 INFO ChainedTokenCredential [ForkJoinPool.commonPool-worker-5]: Azure Identity => Attempted credential AzurePowerShellCredential is unavailable.
```
There is no issue with MSI as the same setup is working perfectly fine with HDInsight cluster.
-
Ravi Shankar Gupta • 0 Reputation points • Microsoft Employee
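2025-03-26T10:44:15.0766667+00:00 Sample code used:
```java
import com.azure.core.credential.AccessToken;
import com.azure.core.credential.TokenCredential;
import com.azure.core.credential.TokenRequestContext;
import com.azure.identity.DefaultAzureCredentialBuilder;
TokenCredential credential = new DefaultAzureCredentialBuilder().managedIdentityClientId(MSI_CLIENT_ID).build();
// https://servicebus.azure.net/.default
TokenRequestContext requestContext = new TokenRequestContext().addScopes("https://servicebus.azure.net/.default");
AccessToken accessToken = credential.getToken(requestContext).block();
```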
-
Dileep Raj Narayan Thumula • 0 Reputation points • Microsoft External Staff
2025-03-27T16:58:14.0833333+00:00 @Ravi Shankar Gupta Can you try using the Azure Identity SDK with DefaultAzureCredential to manually fetch the token in Spark?
-
Ravi Shankar Gupta • 0 Reputation points • Microsoft Employee
2025-03-28T04:21:04.1566667+00:00 Hi @Dileep Raj Narayan Thumula, I also tried that but it's not able to fetch the credential.
-
Vinodh247 • 32,281 Reputation points • MVP
2025-03-28T06:56:20.0166667+00:00
- By default, DefaultAzureCredential tries 6 to 7 different credential mechanisms in a standard environment order. In Synapse, many of them show up as “unavailable” if environment variables or MSI endpoints aren’t being detected the same way as on an HDInsight cluster.
- MICredential is more direct and is usually the recommended approach in Synapse when you know you have a managed identity.
- If it still claims “ManagedIdentityCredential is unavailable”, it’s almost always one of:
  - The identity isn’t truly enabled on the Spark pool / workspace.
  - A user-assigned identity is missing the .clientId(...).
  - The JAR / dependencies are not properly referenced, leading to fallback errors.
  - The Spark session can’t hit the metadata service or token endpoint due to a networking restriction.
This should clarify how to troubleshoot the “credential is unavailable” error. Once resolved, you should be able to fetch a token for https://servicebus.azure.net/.default or https://eventhubs.azure.net/.default and use that token for your Event Hub / Service Bus authentication.
-
Ravi Shankar Gupta • 0 Reputation points • Microsoft Employee
2025-04-02T06:50:31.1033333+00:00 Still not working. I believe ServiceBus is not supported in Synapse as there is no Linked service also available for the same.
-
Dileep Raj Narayan Thumula • 0 Reputation points • Microsoft External Staff
2025-04-07T11:09:49.44+00:00 @Ravi shankar Gupta Use the Azure Identity SDK to get the token instead.
Key Steps:
- Use DefaultAzureCredential from the SDK.
- Set the correct scope:
  - For Service Bus: "https://servicebus.azure.net/.default"
  - For Event Hubs: "https://eventhubs.azure.net/.default"
- Make sure:
  - Managed Identity is enabled for your Synapse workspace.
  - It has the necessary RBAC permissions.
  - Network access to Azure AD is allowed.
-
Dileep Raj Narayan Thumula • 0 Reputation points • Microsoft External Staff
2025-04-23T12:25:39.0933333+00:00 Hello @Ravi shankar Gupta
We haven’t heard from you on the last response and were just checking back to see if you have a resolution yet. In case you have any resolution, please do share the same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
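
Added example, not code from any participant in this thread: a Scala diagnostic that follows the troubleshooting list above by calling ManagedIdentityCredential directly, separating "no managed identity endpoint detected" from "identity found but the token request was rejected", and printing only the aud claim of a token if one is returned. The object and method names (MsiTokenCheck, check, audClaim) are hypothetical, the environment-variable list is an assumption about which endpoint variables the Azure Identity SDK inspects, and the example makes no claim about what a Synapse pool will return.

```scala
import com.azure.core.credential.TokenRequestContext
import com.azure.core.exception.ClientAuthenticationException
import com.azure.identity.{CredentialUnavailableException, ManagedIdentityCredentialBuilder}
import java.nio.charset.StandardCharsets
import java.util.Base64

object MsiTokenCheck {
  // Assumption: endpoint variables the SDK looks for when probing for a managed identity.
  private val msiEnvVars = Seq("IDENTITY_ENDPOINT", "IDENTITY_HEADER", "MSI_ENDPOINT", "MSI_SECRET")

  /** Extract the aud claim from a JWT without verifying it (inspection only). */
  def audClaim(jwt: String): Option[String] = {
    val parts = jwt.split('.')
    if (parts.length != 3) None
    else {
      val payload = new String(Base64.getUrlDecoder.decode(parts(1)), StandardCharsets.UTF_8)
      "\"aud\"\\s*:\\s*\"([^\"]+)\"".r.findFirstMatchIn(payload).map(_.group(1))
    }
  }

  def check(scope: String, userAssignedClientId: Option[String]): Unit = {
    // Report presence only; the values of these variables are secrets and are never printed.
    msiEnvVars.foreach(v => println(s"$v set: ${sys.env.contains(v)}"))

    val builder = new ManagedIdentityCredentialBuilder()
    userAssignedClientId.foreach(id => builder.clientId(id)) // needed for user-assigned identities
    val credential = builder.build()

    try {
      val token = credential.getToken(new TokenRequestContext().addScopes(scope)).block()
      // Never log the token itself; the audience and expiry are enough to confirm the scope.
      println(s"token acquired, aud=${audClaim(token.getToken).getOrElse("<not a JWT>")}, " +
        s"expires=${token.getExpiresAt}")
    } catch {
      case e: CredentialUnavailableException =>
        // Same condition as the "ManagedIdentityCredential is unavailable" log line.
        println(s"managed identity endpoint not detected: ${e.getMessage}")
      case e: ClientAuthenticationException =>
        // An endpoint answered, but the request for this identity or scope was refused.
        println(s"identity found but token request failed: ${e.getMessage}")
    }
  }

  def main(args: Array[String]): Unit =
    check("https://servicebus.azure.net/.default", sys.env.get("MSI_CLIENT_ID"))
}
```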