Use Genie Everywhere with Enterprise OAuth


Intro

Democratizing data begins with making insights easy and safe to access. With Databricks Genie, users can now talk to their data directly from the tools they already use: Teams, Slack, Confluence, or custom web apps. Whether you’re using our native Copilot Studio/Foundry integrations or building with the Genie Conversation APIs/SDK, Genie can now bring natural-language analytics into everyday workflows. Behind the scenes, OAuth can be used to securely authenticate each user and enforce data access permissions.

Previously, we saw customers like The AA and Casas Bahia independently build their own Genie integrations into Microsoft Teams and internal apps. Our robust extensibility suite now makes this experience easier, faster and more scalable.

In this blog, we’ll walk through two common ways to roll out Genie with enterprise OAuth across your organization:

  • Bring Genie into Microsoft Teams with our Copilot Studio integration
  • Embed Genie into your custom web apps with Genie Conversation APIs

Bring Genie into Microsoft Teams

Ad-hoc data questions come up all the time during team conversations. With Databricks Genie’s native Copilot Studio integration, your users can now get answers the moment questions arise, directly in Microsoft Teams. To use this integration, follow the steps below:

Pre-requisites

  • Ensure that you have a target Genie space that is curated according to our best practices to deliver the highest quality.
  • End users/service principals must have access to the target Genie space (at least CAN VIEW), SELECT privileges on the space’s Unity Catalog data, and CAN USE permission on the space’s SQL compute. End users can optionally be assigned the Consumer Access entitlement for a streamlined “read-only” experience.

Step 1: Connect Azure Databricks to Power Platform

The first step in enabling Genie in Microsoft Teams is to connect Azure Databricks to Power Platform (documentation). In Microsoft Power Apps, click Connections and select Azure Databricks, or Databricks if you use AWS/GCP. Configure the following fields:

  • To ensure each end user authenticates into Databricks with their own identity, select OAuth as the Authentication Type.
  • For Server Hostname and HTTP Path, go to the workspace where your target Genie space is. Select a SQL warehouse and open Connection Details to retrieve this information (it doesn’t have to be the same SQL warehouse as the one attached to your Genie space).

Step 2: Connect Genie spaces to your Copilot Studio agent

Next, you’ll connect your Genie space to Copilot Studio (documentation). Our integration handles all of the API and MCP logic so the connection can be made in just a few clicks.

In Copilot Studio, click Agents. Select “Create blank agent” to build a new standalone agent for a Genie space. If you want to bring Genie into an existing agent framework, you can also choose an existing Copilot Studio agent to add your Genie space to.

In your new agent, click “Tools”, then click “Add a tool”. Select Azure Databricks Genie (or Databricks Genie for AWS/GCP) under the MCP section.

Now, you can select your desired Genie space and configure the connection details:

  • Credentials to use: Select “End user credentials” to ensure that each application user signs in with their own identity and data access permissions. This ensures that if an application user doesn’t have access to the Genie space or the tables, they won’t be able to retrieve data insights from Genie.
  • Select “Maker provided credentials” if you want end users to authenticate using a single shared identity (either a service principal, which is recommended, or your own identity).
  • IMPORTANT: Ensure your target Genie space has a clear title and description that outlines its context, key concepts, and limitations. This will help your Copilot Studio agent effectively orchestrate requests.

Step 3: Enable Connection Parameter Sharing

When you choose “End user credentials,” each person must sign into Databricks with their own account. To make this simpler, we suggest sharing Connection parameters (as described in the Microsoft documentation), so users don’t have to provide that information themselves. In practice, this simply means providing the server hostname and HTTP path, which ensures they authenticate to the exact Databricks workspace linked to the Genie space connected in your Copilot Studio agent.

  • Open the Settings page of your Copilot Studio Agent.
  • Open Connection Settings and ensure Azure Databricks shows a Connected status.
  • Next click See Details, and allow permission to share parameters in the Connection parameters tab.

Step 4: Bring Your Agent into Teams

Now that you have a Copilot Studio Agent that is connected to your Genie space, you can publish it to Teams.

  • Make sure that your agent has a clear Name and Description.
  • We also recommend:
    • Selecting a reasoning model (e.g. GPT-5 Reasoning, Claude Sonnet 4.5) for effective polling and use of Genie.
    • Adding custom agent instructions to tailor the experience (e.g. answer formatting and latency preferences).
  • After reviewing your Copilot Studio agent, click Publish. Then in Channels, select Teams as your desired channel.

You’re all set! Genie is now live in Microsoft Teams, delivering governed data insights the moment questions arise.

To see how end users are using Genie in Microsoft Teams, see our customer stories.

Bringing Genie to Custom Web Applications

Many organizations also want to embed Genie directly in their custom web apps, so users can ask questions in the tools they already use. For example, store managers could ask ad-hoc questions about their inventory directly in their existing sales terminal. With Genie Conversation APIs and Databricks OAuth, this is now possible.

Before building an integration between your web app and Genie, it’s important to decide which OAuth pattern you’ll use: User-to-Machine (U2M), Machine-to-Machine (M2M), or an On-Behalf-Of (OBO) model. Each approach aligns with a different type of application use case:

  • User-to-Machine (U2M) – Best when each end user needs governed, personalized data access. In this model, a user signs in with their corporate identity (e.g. SSO), Genie receives a user-specific OAuth token, and queries are run with that user’s permissions. Example use case: a Sales Copilot where sales reps chat with a single underlying Genie space and will only see data insights from their own deals.
  • Machine-to-Machine (M2M) – Best for use cases that want all users to have the same data access and simpler governance. This model lets a service principal authenticate and issue an associated OAuth token to Genie, which is then used to run queries under the service principal’s permissions. Example use case: a “Company KPIs” chatbot where any employee can ask about company-wide KPI metrics and receive the same shared insights.
  • On-Behalf-Of (OBO) – Best for apps that need per-user data governance but behind a central backend. In this model, your application would first authenticate into Databricks and then call Genie APIs “on-behalf-of” the end user with their data permissions applied. Example use case: a finance analytics portal where users chat to a unified chatbot that leverages Genie, and each user only sees the data they’re authorized for.

For the rest of this blog, we’ll focus on the first pattern for integrating with Genie: the OAuth U2M flow using Databricks’ built-in OAuth support.

NOTE: Databricks also supports OAuth token federation, which you can use to bring in tokens issued by your own identity provider and combine them with any of the methods described above for Genie access.

Pre-requisites

  • Ensure that you have a target Genie space that is curated according to our best practices to deliver the highest quality.
  • End users/service principals must have access to the target Genie space (at least CAN VIEW), SELECT privileges on the space’s Unity Catalog data, and CAN USE permission on the space’s SQL compute. End users can optionally be assigned the Consumer Access entitlement for a streamlined “read-only” experience.

Step 1: Register an OAuth application

To securely connect your custom web app to Genie, start by registering it in your Databricks account. This step allows Databricks to securely issue user-scoped tokens to your app in later steps. Check out the product documentation to learn more.

In the Databricks Account Console, add a new OAuth connection and configure the following:

  • Application Name: a human-readable name shown to users during sign-in
  • Redirect URLs: one or more URLs where Databricks is allowed to send users after authentication. These must exactly match the URLs your app will use in later steps.
  • Access scopes: grant access to All APIs so your app can call the Genie Conversation APIs on behalf of users.

After saving this connection, Databricks will generate the following:

  • Client ID: public identifier for your app
  • Client Secret: private credential for your backend

Store these credentials securely in your backend. They will be required to exchange authorization codes for access tokens and authenticate calls to the Genie Conversation APIs.

Step 2: Direct users to Databricks to authenticate and grant access

The next step is to make sure your app directs end users to Databricks so they can sign in and approve your app to talk to Genie on their behalf. After a successful login and approval, Databricks will redirect the user to your app with a short-lived authorization code.

This authorization code is proof that the user successfully authenticated into Databricks and that the user has approved your app’s requested access. Your app’s backend will use this authorization code in the next step to obtain access tokens.

To start, generate PKCE and state values for each sign-in to protect your web application:

  • Generate a code_verifier and a matching code_challenge according to the OAuth PKCE standard using SHA-256 and Base64 URL encoding. This step prevents authorization codes from being stolen and reused (see code examples in documentation).
  • Create a random state string and make sure to store it in a cookie or session. This ensures that authorization codes are generated for real end user sessions.

Next, your frontend should construct an authorization URL using the Databricks OAuth endpoint:

Include the following parameters to identify your application to your users:

  • : your Databricks instance with the workspace instance name (e.g. dbc-a1b2345c-d6e7.cloud.databricks.com)
  • : the client ID from your registered OAuth application in the previous step
  • : the same redirect URL as specified in the previous step
  • : any plain-text string to validate the response
  • : PKCE code challenge derived from the code_verifier

After a user signs into their Databricks account, they will be redirected to the redirect_url with query parameters: https:///oauth/callback?code=&state=

Your callback handler should read the authorization_code and state from the query string. Verify that the state value matches what was stored in cookies or web sessions. If it doesn’t, discard the authorization_code. With the returned authorization_code, your application can now exchange it for access tokens.

Step 3: Exchange authorization codes for tokens and manage them securely

The authorization code retrieved in the previous step cannot be used to call APIs directly. It must be exchanged in your backend for the access tokens that are needed to securely talk to Genie. For more information, please refer to our product documentation.

Below is a Python example for exchanging authorization codes for access and refresh tokens (see details in OAuth SDK documentation):

Include the following parameters:

  • : your Databricks instance with the workspace instance name
  • : the client ID from your registered OAuth application in the previous step
  • : the client secret for your app generated in Step 1
  • : the same redirect URL as specified in Step 1
  • : the verifier generated in Step 2

It’s important to save the following values from the result object to your app’s database:

  • access_token: used to call Genie Conversation APIs
  • refresh_token: used to obtain new access tokens without forcing the user to re-login
  • expires_in: an expiration time for the access token
  • expires_at: a timestamp for when the access token is no longer valid

To securely manage access tokens, it’s also important that your app tracks expiration times and uses the refresh tokens to obtain new access tokens when needed. The code example below abstracts refresh logic away to always return a valid user access token:
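One way to implement that refresh wrapper, as an added example that is not the original post's code. `TokenManager`, `UserTokens`, the 60-second skew and the injected `refresh_call` (a hypothetical function that posts the refresh token to the token endpoint and returns the parsed response) are assumptions; the in-memory dict stands in for the app's database.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict

REFRESH_SKEW_SECONDS = 60  # assumption: renew this long before the stated expiry


@dataclass
class UserTokens:
    access_token: str
    refresh_token: str
    expires_at: float  # epoch seconds after which access_token is no longer valid


def from_token_response(resp: dict, now: float, old_refresh: str = "") -> UserTokens:
    """Derive expires_at from expires_in; keep the old refresh token if none is returned."""
    return UserTokens(
        access_token=resp["access_token"],
        refresh_token=resp.get("refresh_token") or old_refresh,
        expires_at=now + float(resp["expires_in"]),
    )


class TokenManager:
    """Hands back an unexpired access token for a user, refreshing when needed."""

    def __init__(self, refresh_call: Callable[[str], dict], clock=time.time):
        self._refresh_call = refresh_call  # hypothetical: sends grant_type=refresh_token
        self._clock = clock
        self._store: Dict[str, UserTokens] = {}  # stand-in for the app's database

    def save(self, user_id: str, token_response: dict) -> None:
        self._store[user_id] = from_token_response(token_response, self._clock())

    def get_valid_access_token(self, user_id: str) -> str:
        tokens = self._store.get(user_id)
        if tokens is None:
            raise PermissionError("no tokens stored: user must sign in")
        if self._clock() < tokens.expires_at - REFRESH_SKEW_SECONDS:
            return tokens.access_token
        try:
            resp = self._refresh_call(tokens.refresh_token)
        except Exception as exc:
            # Treated as a lost grant; a production app would retry transient errors.
            del self._store[user_id]
            raise PermissionError("refresh failed: user must sign in again") from exc
        self._store[user_id] = from_token_response(resp, self._clock(), tokens.refresh_token)
        return self._store[user_id].access_token
```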

Step 4: Route User Prompts to Genie Conversation APIs

Now that your application has user-scoped Databricks access tokens, it can submit prompts to a Genie space on behalf of the signed-in user. We recommend creating a backend API router for your web application to protect the Databricks access tokens from the browser and to centralize observability, error handling, and rate limiting. The code examples below leverage FastAPI and Genie’s SDK for simpler logic.

  • First, use the user’s access token to create a scoped WorkspaceClient. This WorkspaceClient will then be able to call the Genie SDK. Code example:

  • Next, expose application-owned HTTP endpoints that translate into Genie SDK calls in the backend. This ensures that all Genie SDK calls are made within your server and access tokens are never sent to the browser.
    • For example, this is how to build an HTTP endpoint for starting a new Genie conversation:

  • Continue adding additional API routers for the Genie actions that you want your app to support. The essential functions to include are:

After these steps, your custom web app will be securely integrated with Genie, letting users ask natural-language questions and retrieve governed insights directly in the tools they already use.

Access Genie Everywhere

Genie is designed to meet users wherever they work. In this blog, we covered how organizations securely embed Genie’s conversational analytics capabilities into Microsoft Teams and custom apps with OAuth authentication.

By bringing Genie everywhere your teams ask questions, you shorten the path from question to insight, and from insight to action. Start building Genie spaces and bringing them to your users today. As always, reach out to your Databricks account teams for questions and feedback.
