Intro
Democratizing data begins with making insights simple and safe to access. With Databricks Genie, users can now talk to their data directly from the tools they already use: Teams, Slack, Confluence, or custom web apps. Whether you're using our native Copilot Studio/Foundry integrations or building with the Genie Conversation APIs/SDK, Genie can now bring natural-language analytics into everyday workflows. Behind the scenes, OAuth can be used to securely authenticate each user and enforce data access permissions.
Previously, we saw customers like The AA and Casas Bahia independently build their own Genie integrations into Microsoft Teams and internal apps. Our robust extensibility suite now makes this experience easier, faster and more scalable.
In this blog, we'll walk through two common ways to roll out Genie with enterprise OAuth across your organization:
- Bring Genie into Microsoft Teams with our Copilot Studio integration
- Embed Genie into your custom web apps with Genie Conversation APIs
Bring Genie into Microsoft Teams
Ad-hoc data questions come up all the time during team conversations. With Databricks Genie's native Copilot Studio integration, your users can now get answers the moment questions arise, directly in Microsoft Teams. To use this integration, follow the steps below:
Pre-requisites
- Ensure that you have a target Genie space that is curated according to our best practices to deliver the highest quality.
- End users/service principals must have access to the target Genie space (at least CAN VIEW), SELECT privileges on the space's Unity Catalog data, and CAN USE permission on the space's SQL compute. End users can optionally be assigned the Consumer Access entitlement for a streamlined "read-only" experience.
Step 1: Connect Azure Databricks to Power Platform
The first step in enabling Genie in Microsoft Teams is to connect Azure Databricks to Power Platform (documentation). In Microsoft Power Apps, click Connections and select Azure Databricks, or Databricks if you use AWS/GCP. Configure the following fields:
- To ensure each end user authenticates into Databricks with their own identity, select OAuth as the Authentication Type.
- For Server Hostname and HTTP Path, go to the workspace where your target Genie space lives. Select a SQL warehouse and open Connection Details to retrieve this information (it does not have to be the same SQL warehouse as the one attached to your Genie space).
Step 2: Connect Genie spaces to your Copilot Studio agent
Next, you'll connect your Genie space to Copilot Studio (documentation). Our integration handles all of the API and MCP logic, so the connection can be made in just a few clicks.
In Copilot Studio, click Agents. Select "Create blank agent" to build a new standalone agent for a Genie space. If you want to bring Genie into an existing agent framework, you can also choose an existing Copilot Studio agent to add your Genie space to.
In your new agent, click "Tools", then click "Add a tool". Select Azure Databricks Genie (or Databricks Genie for AWS/GCP) under the MCP section.
Now, you can select your desired Genie space and configure the connection details:
- Credentials to use: Select "End user credentials" to ensure that each application user signs in with their own identity and data access permissions. This ensures that if an application user does not have access to the Genie space or the tables, they won't be able to retrieve data insights from Genie.
- Select "Maker provided credentials" if you want end users to authenticate using a single shared identity (either a service principal, which is recommended, or your own identity).
- IMPORTANT: Ensure your target Genie space has a clear title and description that outlines its context, key concepts, and limitations. This helps your Copilot Studio agent orchestrate requests effectively.
Step 3: Enable Connection Parameter Sharing
When you choose "End user credentials," each individual must sign into Databricks with their own account. To make this simpler, we recommend sharing connection parameters (as described in the Microsoft documentation), so users don't have to supply that information themselves. In practice, this simply means providing the server hostname and HTTP path, which ensures they authenticate to the exact Databricks workspace associated with the Genie space connected in your Copilot Studio agent.
- Open the Settings page of your Copilot Studio agent.
- Open Connection Settings and ensure Azure Databricks shows a Connected status.
- Next, click See Details, and allow permission to share parameters in the Connection parameters tab.
Step 4: Bring Your Agent into Teams
Now that you have a Copilot Studio agent that's connected to your Genie space, you can publish it to Teams.
- Ensure that your agent has a clear Name and Description.
- We also recommend:
  - Selecting a reasoning model (e.g. GPT-5 Reasoning, Claude Sonnet 4.5) for effective polling and use of Genie.
  - Adding custom agent instructions to tailor the experience (e.g. response formatting and latency preferences).
- After reviewing your Copilot Studio agent, click Publish. Then in Channels, select Teams as your desired channel.
You're all set! Genie is now live in Microsoft Teams, delivering governed data insights the moment questions arise.
To see how end users are leveraging Genie in Microsoft Teams, see our customer stories.
Bringing Genie to Custom Web Applications
Many organizations also want to embed Genie directly in their custom web apps, so users can ask questions in the tools they already use. For example, store managers could ask ad-hoc questions about their inventory directly in their existing sales terminal. With Genie Conversation APIs and Databricks OAuth, this is now possible.
Before building an integration between your web app and Genie, it's important to decide which OAuth pattern you'll use: User-to-Machine (U2M), Machine-to-Machine (M2M), or an On-Behalf-Of (OBO) model. Each approach aligns with a different type of application use case:
- User-to-Machine (U2M): Best when each end user needs governed, personalized data access. In this model, a user signs in with their corporate identity (e.g. SSO), Genie receives a user-specific OAuth token, and queries run with that user's permissions. Example use case: a Sales Copilot where sales reps chat with a single underlying Genie space and can only see data insights from their own deals.
- Machine-to-Machine (M2M): Best for use cases that want all users to have the same data access and simpler governance. This model lets a service principal authenticate and issue an associated OAuth token to Genie, which is then used to run queries under the service principal's permissions. Example use case: a "Company KPIs" chatbot where any employee can ask about company-wide KPI metrics and receive the same shared insights.
- On-Behalf-Of (OBO): Best for apps that need per-user data governance behind a central backend. In this model, your application first authenticates into Databricks and then calls Genie APIs "on behalf of" the end user with their data permissions applied. Example use case: a finance analytics portal where users chat with a unified chatbot that leverages Genie, and each user only sees the data they're authorized for.
For the rest of this blog, we'll focus on the first pattern for integrating with Genie: the OAuth U2M flow using Databricks' built-in OAuth support.
NOTE: Databricks also supports OAuth token federation, which you can use to bring in tokens issued by your own identity provider and combine them with any of the methods described above for Genie access.
Pre-requisites
- Ensure that you have a target Genie space that is curated according to our best practices to deliver the highest quality.
- End users/service principals must have access to the target Genie space (at least CAN VIEW), SELECT privileges on the space's Unity Catalog data, and CAN USE permission on the space's SQL compute. End users can optionally be assigned the Consumer Access entitlement for a streamlined "read-only" experience.
Step 1: Register an OAuth application
To securely connect your custom web app to Genie, start by registering it in your Databricks account. This step allows Databricks to securely issue user-scoped tokens for your app in later steps. Check out the product documentation to learn more.
In the Databricks Account Console, add a new OAuth connection and configure the following:
- Application Name: a human-readable name shown to users during sign-in
- Redirect URLs: one or more URLs where Databricks is allowed to send users after authentication. These must exactly match the URLs your app will use in later steps.
- Access scopes: grant access to All APIs so your app can call the Genie Conversation APIs on behalf of users.
After saving this connection, Databricks will generate the following:
- Client ID: public identifier for your app
- Client Secret: private credential for your backend
Store these credentials securely in your backend; they will be required to exchange authorization codes for access tokens and to authenticate calls to the Genie Conversation APIs.
Step 2: Direct users to Databricks to authenticate and grant access
The next step is to make sure your app directs end users to Databricks so they can sign in and approve your app to talk to Genie on their behalf. After a successful login and approval, Databricks will redirect the user to your app with a short-lived authorization code.
This authorization code is proof that the user successfully authenticated into Databricks and has approved your app's requested access. Your app's backend will use this authorization code in the next step to obtain access tokens.
To start, generate PKCE and state values for each sign-in to protect your web application:
- Generate a code_verifier and a matching code_challenge according to the OAuth PKCE standard using SHA-256 and Base64 URL encoding. This step prevents authorization codes from being stolen and reused (see code examples in the documentation).
- Create a random state string and make sure to store it in a cookie or session. This ensures that authorization codes are generated for real end user sessions.
Next, your frontend should construct an authorization URL using the Databricks OAuth endpoint:
Include the following parameters to identify your application for your users:
- <databricks-instance>: your Databricks instance with the workspace instance name (e.g. dbc-a1b2345c-d6e7.cloud.databricks.com)
- <client_id>: the client ID from your registered OAuth application in the previous step
- <redirect-url>: the same redirect URL as specified in the previous step
- <state>: any plain-text string to validate the response
- <code-challenge>: the PKCE code challenge derived from the code_verifier
After a user signs into their Databricks account, they will be redirected to the redirect_url with query parameters: https://<redirect_url>/oauth/callback?code=<authorization_code>&state=<state>
Your callback handler should read the authorization_code and state from the query string. Verify that the state value matches what was saved in the cookie or web session. If it doesn't, discard the authorization_code. With the returned authorization_code, your application can now exchange it for access tokens.
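The PKCE, state and callback checks from this step, as an added example that is not code from the original post. It uses only the standard library; the /oidc/v1/authorize path, the S256 method and the "all-apis offline_access" scope are assumptions about the Databricks OAuth endpoint to check against the documentation.

```python
# Added example (not from the post): PKCE + state handling for Step 2.
# Assumptions: /oidc/v1/authorize is the Databricks authorization endpoint and
# "all-apis offline_access" is the scope that also yields a refresh token.
import base64
import hashlib
import secrets
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(raw: bytes) -> str:
    """Base64 URL encoding without padding, as the PKCE standard requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce() -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) with challenge = BASE64URL(SHA256(verifier))."""
    verifier = b64url(secrets.token_bytes(32))  # 43 unreserved characters, unguessable
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def make_state() -> str:
    """Unguessable per-sign-in state; store it in the user's server-side session or cookie."""
    return secrets.token_urlsafe(32)


def build_authorize_url(instance: str, client_id: str, redirect_url: str,
                        state: str, code_challenge: str) -> str:
    """Authorization URL the frontend redirects the user to (only the challenge is sent)."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_url,
        "response_type": "code",
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "scope": "all-apis offline_access",
    }
    return f"https://{instance}/oidc/v1/authorize?" + urlencode(params)


def read_callback(callback_url: str, expected_state: str) -> Optional[str]:
    """Return the authorization code only if the returned state matches the stored one."""
    q = parse_qs(urlparse(callback_url).query)
    code, state = q.get("code", [None])[0], q.get("state", [None])[0]
    if code is None or state is None or not secrets.compare_digest(state, expected_state):
        return None  # discard: this code was not issued for a sign-in our session started
    return code
```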
Step 3: Exchange authorization codes for tokens and manage them securely
The authorization code retrieved in the previous step can't be used to call APIs directly; it must be exchanged in your backend for the access tokens that are needed to securely talk to Genie. For more information, please refer to our product documentation.
Below is a Python example for exchanging authorization codes for access and refresh tokens (see details in the OAuth SDK documentation):
Include the following parameters:
- <databricks-instance>: your Databricks instance with the workspace instance name
- <client_id>: the client ID from your registered OAuth application in the previous step
- <client_secret>: the client secret for your app generated in Step 1
- <redirect-url>: the same redirect URL as specified in Step 1
- <code-verifier>: the verifier generated in Step 2
It's important to save the following values from the result object to your app's database:
- access_token: used to call Genie Conversation APIs
- refresh_token: used to obtain new access tokens without forcing the user to re-login
- expires_in: the lifetime of the access token
- expires_at: a timestamp for when the access token is no longer valid
To securely manage access tokens, it's also important that your app tracks expiration times and uses the refresh tokens to obtain new access tokens when needed. The code example below abstracts the refresh logic away to always return a valid user access token:
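An added example (not the post's own code, and not the Databricks OAuth SDK) that does the code exchange and the refresh-ahead-of-expiry logic from this step with the standard library only. The /oidc/v1/token endpoint and its form fields are assumptions about the Databricks token endpoint; the HTTP call is injectable so the expiry logic can be exercised offline.

```python
# Added example (not from the post): Step 3 with only the standard library.
# Assumptions: /oidc/v1/token is the Databricks token endpoint and it accepts
# client_id/client_secret as form fields; `post` is injectable for offline tests.
import json
import time
import urllib.request
from typing import Dict
from urllib.parse import urlencode


def post_form(url: str, form: Dict[str, str]) -> dict:
    """Default transport: POST a form-encoded body, return the parsed JSON reply."""
    req = urllib.request.Request(url, data=urlencode(form).encode(), method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenManager:
    """Holds one user's tokens and refreshes ahead of expiry, so callers always get a valid token."""

    def __init__(self, instance, client_id, client_secret, post=post_form, now=time.time):
        self.token_url = f"https://{instance}/oidc/v1/token"
        self.client_id, self.client_secret = client_id, client_secret
        self.post, self.now = post, now            # injectable for tests
        self.access_token = self.refresh_token = None
        self.expires_at = 0.0                      # absolute time; persist with the tokens

    def _store(self, result: dict) -> None:
        # Save access_token, refresh_token, expires_in and expires_at per user in your database.
        self.access_token = result["access_token"]
        self.refresh_token = result.get("refresh_token", self.refresh_token)
        self.expires_at = self.now() + float(result["expires_in"])

    def exchange_code(self, code: str, redirect_url: str, code_verifier: str) -> None:
        """One-time exchange of the callback's authorization code; the verifier proves origin."""
        self._store(self.post(self.token_url, {
            "grant_type": "authorization_code", "code": code, "redirect_uri": redirect_url,
            "code_verifier": code_verifier, "client_id": self.client_id,
            "client_secret": self.client_secret}))

    def get_access_token(self, skew: float = 60.0) -> str:
        """Return a token still valid for at least `skew` seconds, refreshing if needed."""
        if self.access_token is None:
            raise RuntimeError("user has not signed in")
        if self.now() + skew >= self.expires_at:
            self._store(self.post(self.token_url, {
                "grant_type": "refresh_token", "refresh_token": self.refresh_token,
                "client_id": self.client_id, "client_secret": self.client_secret}))
        return self.access_token
```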
Step 4: Route User Prompts to Genie Conversation APIs
Now that your application has user-scoped Databricks access tokens, it can submit prompts to a Genie space on behalf of the signed-in user. We recommend creating a backend API router in your web application to protect the Databricks access tokens from the browser and to centralize observability, error handling, and rate limiting. The code examples below leverage FastAPI and Genie's SDK for simpler logic.
- First, use the user's access token to create a scoped WorkspaceClient. This WorkspaceClient will then be able to call the Genie SDK. Code example:
- Next, expose application-owned HTTP endpoints that translate into Genie SDK calls in the backend. This ensures that all Genie SDK calls are made inside your server and access tokens are never sent to the browser.
- For example, this is how to build an HTTP endpoint for starting a new Genie conversation:
- Continue adding more API routers for the Genie actions that you want your app to support. The essential functions to include are:
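An added example (not the post's own code) of the backend-side "start a conversation" handler from this step. Instead of FastAPI and the SDK it calls the Genie REST endpoints the SDK wraps through an injectable transport, so it runs offline; the paths, status names and response fields are assumptions about the Genie Conversation API. The point it demonstrates is that the user's Databricks token is looked up server-side by app session identity and never arrives from, or returns to, the browser.

```python
# Added example (not from the post): server-side Genie call for Step 4.
# Assumptions: Genie REST paths under /api/2.0/genie/spaces, a message
# "status" field with COMPLETED/FAILED/CANCELLED as terminal states, and
# "conversation_id"/"message_id" in the start-conversation reply.
import json
import time
import urllib.request
from typing import Callable, Optional

TERMINAL = {"COMPLETED", "FAILED", "CANCELLED"}


def http_json(method: str, url: str, token: str, body: Optional[dict] = None) -> dict:
    """Default transport: authenticated JSON request to the workspace."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


class GenieRouter:
    """App-owned entry point: resolves the signed-in user's token server-side, then talks to Genie."""

    def __init__(self, instance: str, token_for_user: Callable[[str], str],
                 request=http_json, sleep=time.sleep, max_polls: int = 60):
        self.base = f"https://{instance}/api/2.0/genie/spaces"
        self.token_for_user, self.request = token_for_user, request
        self.sleep, self.max_polls = sleep, max_polls      # injectable for tests

    def _wait(self, token: str, space_id: str, conversation_id: str, message_id: str) -> dict:
        url = f"{self.base}/{space_id}/conversations/{conversation_id}/messages/{message_id}"
        for _ in range(self.max_polls):
            msg = self.request("GET", url, token)
            if msg.get("status") in TERMINAL:
                return msg
            self.sleep(2)
        raise TimeoutError("Genie did not finish answering in time")

    def start_conversation(self, user_id: str, space_id: str, prompt: str) -> dict:
        """Body of an app-owned POST endpoint: user_id comes from the app session, not the request."""
        token = self.token_for_user(user_id)  # e.g. TokenManager.get_access_token() for this user
        started = self.request("POST", f"{self.base}/{space_id}/start-conversation", token,
                               {"content": prompt})
        msg = self._wait(token, space_id, started["conversation_id"], started["message_id"])
        return {"conversation_id": started["conversation_id"], "message_id": started["message_id"],
                "status": msg["status"], "attachments": msg.get("attachments", [])}
```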
After these steps, your custom web app will be securely integrated with Genie, letting users ask natural-language questions and retrieve governed insights directly in the tools they already use.
Access Genie Everywhere
Genie is designed to meet users wherever they work. In this blog, we covered how organizations can securely embed Genie's conversational analytics capabilities into Microsoft Teams and custom apps with OAuth authentication.
By bringing Genie everywhere your teams ask questions, you shorten the path from question to insight, and from insight to action. Start building Genie spaces and bringing them to your users today. As always, reach out to your Databricks account team for questions and feedback.
