Erwin | Data & Intelligence
Blog Serie: Provision users and groups from AAD to Azure Databricks


by Erwin | Jan 26, 2023 | Azure, Azure Databricks

Blog Series

This blog post series contains topics on how to provision users and groups from Azure Active Directory to Azure Databricks using the Enterprise Application (SCIM). This is a summary of all the blogs I posted over the last couple of days. I am very happy with all the feedback and tips I have received about this blog series. Thank you.

  1. Configure the Enterprise Application(SCIM) for Azure Databricks Account Level provisioning
  2. Assign and Provision users and groups in the Enterprise Application(SCIM)
  3. Creating a metastore in your Azure Databricks account to assign an Azure Databricks Workspace
  4. Assign Users and groups to an Azure Databricks Workspace and define the correct entitlements
  5. Add Service Principals to your Azure Databricks account using the account console
  6. Configure the Enterprise Application(SCIM) for Azure Databricks Workspace provisioning

Key Takeaways

There are 2 different options to provision users and groups to Azure Databricks using Azure Active Directory (AAD): at the Azure Databricks account level or at the Azure Databricks workspace level.

Azure Databricks account level


Azure Databricks workspace level

Databricks recommends using SCIM provisioning to sync users and groups automatically from Azure Active Directory to your Azure Databricks account. 

Preview

Update 23-02: Azure Databricks account level is out of preview. Azure Databricks workspace level is still in preview.

We can define 3 different identities:
• Users: User identities recognized by Azure Databricks and represented by email addresses.
• Service principals: Identities for use with jobs, automated tools, and systems such as scripts, apps, and CI/CD platforms.
• Groups: Groups simplify identity management, making it easier to assign access to workspaces, data, and other securable objects.

As you can read in the various blog posts, the setup of account-level provisioning is a bit more work, but it will provide you with many more benefits now and in the future. If you only use 1 Azure Databricks workspace, then I would simply apply the workspace-level provisioning. The most important thing is that you set up SCIM so that users are not added manually in Azure Databricks. Adding service principals is much easier with the account-level setup.

Metastore

Only one metastore per region can be created. Pay close attention to where you create it (same or separate subscription/resource group) and whether the metastore should be part of the Data Management Landing Zone.

User, Service Principals and Groups

  • Users with the Contributor or Owner role on the workspace resource in Azure are automatically added as workspace administrators.
  • Azure Active Directory does not support the automatic provisioning of service principals to Azure Databricks.
  • A user removed manually from an Azure Databricks workspace will not be synced again by Azure Active Directory provisioning.
  • The sync runs every 40 minutes.
  • Updates to a username or email address need to be made in AAD.
  • Nested groups are not supported by Azure Active Directory automatic provisioning.
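A check a workspace admin can run against the takeaways above, as an added example that is not part of the original post: parse the SCIM ListResponse returned by the workspace Users endpoint and compare it with the members of the synced AAD group, so that users removed by hand (which AAD provisioning will not re-sync) and users added by hand (bypassing SCIM) show up. The SCIM response and the AAD member list are constructed samples; fetching them from the workspace API and from AAD is assumed to have been done beforehand.

```python
"""Drift check between a synced AAD group and the users an Azure Databricks
workspace reports through its SCIM API.  Example code added to this page;
not the blog's own code.  Assumption: SCIM_USERS_SAMPLE has the shape of a
GET /api/2.0/preview/scim/v2/Users response (constructed sample)."""
import json

# Constructed sample of a SCIM ListResponse from the workspace Users endpoint.
SCIM_USERS_SAMPLE = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 3,
    "Resources": [
        {"id": "101", "userName": "alice@contoso.example", "active": True},
        {"id": "102", "userName": "bob@contoso.example", "active": True},
        {"id": "103", "userName": "dave@contoso.example", "active": False},
    ],
})

# Constructed member list of the synced AAD group (e.g. SG_DATABRICKS_USERS_PROD).
AAD_GROUP_MEMBERS = [
    "alice@contoso.example",
    "Bob@contoso.example",
    "carol@contoso.example",
]


def parse_scim_users(list_response: str) -> dict:
    """Return {userName (lower-cased): active} from a SCIM ListResponse body."""
    body = json.loads(list_response)
    return {
        r["userName"].lower(): bool(r.get("active", True))
        for r in body.get("Resources", [])
    }


def find_drift(aad_members, scim_users) -> dict:
    """Compare the AAD group with what the workspace actually contains.

    missing_in_databricks: in AAD but absent from the workspace. A user removed
        manually from the workspace is not re-synced, so these must be restored
        through AAD provisioning, not by adding the user by hand.
    not_in_aad: in the workspace but not in the group, i.e. added outside SCIM.
    inactive: still listed in the workspace but deactivated.
    """
    aad = {m.lower() for m in aad_members}
    present = set(scim_users)
    return {
        "missing_in_databricks": sorted(aad - present),
        "not_in_aad": sorted(present - aad),
        "inactive": sorted(u for u, active in scim_users.items() if not active),
    }


if __name__ == "__main__":
    drift = find_drift(AAD_GROUP_MEMBERS, parse_scim_users(SCIM_USERS_SAMPLE))
    for kind, users in drift.items():
        print(f"{kind}: {', '.join(users) or '-'}")
```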

Scoping Filters

My colleague Pim Jacobs gave me a tip that you can also use scoping filters. A scoping filter allows you to include or exclude any users who have an attribute that matches a specific value. For example, you may only want to sync a subset of the users in a group to Databricks based on a specific attribute you have defined in your AAD (only users in the department Advanced Analytics).

scoping filter

Documentation

For the blog series I partly used the documentation below. The documentation is fairly scattered, which is what prompted me to start this blog series.

Configure SCIM provisioning using Microsoft Azure Active Directory - Azure Databricks | Microsoft Learn

Manage users, service principals, and groups - Azure Databricks | Microsoft Learn

Manage users - Azure Databricks | Microsoft Learn

Manage groups - Azure Databricks | Microsoft Learn

Manage service principals - Azure Databricks | Microsoft Learn

Sync users and groups from Azure Active Directory - Azure Databricks | Microsoft Learn

Create a Unity Catalog metastore - Azure Databricks | Microsoft Learn



Provision users and groups from AAD to Azure Databricks (part 6)

by Erwin | Jan 25, 2023 | Azure Databricks

Configure the Enterprise Application(SCIM) for Azure Databricks Workspace provisioning

In one of my previous blogs, I explained how to set up the Enterprise Application for Azure Databricks account-level provisioning. This blog covers the Azure Databricks workspace level. This is a slightly different setup, hence a separate blog.

Preview

Provisioning identities to your Azure Databricks workspace is still in preview.

Steps to configure

Login to the Azure Databricks Workspace as a workspace admin.

Generate a personal access token and store it in a safe location (Azure Key Vault).

Generate Personal Access Token Databricks

Configure the Enterprise Application

In the Azure portal, go to Azure Active Directory > Enterprise Applications.

Click on new application and search for the "Azure Databricks SCIM Provisioning Connector"

app-scim-adb

Click on the app:

SCIM add Workspace

Enter a name for the application; I used Azure Databricks SCIM MyAzureDatabricksWorkspace.

Click on Create and wait until the application is created.

app-scim-adb-configure

Click on Provisioning and set Provisioning Mode to Automatic.

app-scim-adb-configure-automatics

Set the Tenant URL to https://<databricks-instance>/api/2.0/preview/scim

Set Secret Token to the Azure Databricks token that we generated and saved earlier in our Key Vault.

Click on Test Connection to see if everything is configured correctly.

You can learn how to assign and sync users in the following blogs as this is a similar approach to setting up at the account level.

  1. Assign and Provision users and groups in the Enterprise Application(SCIM)
  2. Assign Users and groups to an Azure Databricks Workspace and define the correct entitlements

 

Add Service principal to your Azure Databricks workspace

As a security best practice, Databricks recommends using an Azure AD service principal and its Azure AD token, instead of your Azure Databricks user or the Databricks personal access token of your workspace user, to give CI/CD platforms access to Azure Databricks resources. More details can be found in the following link: Service principals for CI/CD.

To add a service principal using Postman:

  1. Create a new HTTP request (File > New > HTTP Request).
  2. In the HTTP verb drop-down list, select POST.
  3. Enter the request URL https://<databricks-id>.azuredatabricks.net/api/2.0/preview/scim/v2/ServicePrincipals
  4. On the Authorization tab, in the Type list, select Bearer Token.
  5. For Token, enter your Databricks personal access token for your workspace user.
  6. On the Headers tab, add the Key and Value pair Content-Type and application/scim+json.
  7. On the Body tab, select raw and JSON.
  8. Add the following request body:
    {
      "displayName": "sp-edk-databricks-dvlm-deployment",
      "applicationId": "xxxxx",
      "entitlements": [
        {
          "value": "allow-cluster-create"
        }
      ],
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:ServicePrincipal"
      ],
      "active": true
    }

Click on Send and the service principal is added to the Databricks workspace and is ready for further usage. You can find the service principals in the admin console, under Groups and Users.
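The same request as the Postman steps above, written as a script so it can run from a pipeline, as an added example that is not the blog's own code. It also serves part 5 of the series, since the body is the same SCIM ServicePrincipal document. Assumptions: the workspace host and the personal access token (the one kept in Key Vault) come from the environment variables DATABRICKS_HOST and DATABRICKS_TOKEN, the application ID is a placeholder, and the three entitlement values are the SCIM API names for the entitlements shown in part 4.

```python
"""Create a service principal in an Azure Databricks workspace through the
SCIM API (POST /api/2.0/preview/scim/v2/ServicePrincipals).  Example code
added to this page; not the blog's own code.  Assumptions: host and token
come from the environment, the application ID is a placeholder."""
import json
import os
import urllib.request

SCIM_SP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:ServicePrincipal"
# Entitlement values accepted by the Databricks SCIM API (assumed set, matching
# the workspace-access / SQL-access / cluster-create entitlements of part 4).
KNOWN_ENTITLEMENTS = {"allow-cluster-create", "workspace-access", "databricks-sql-access"}


def build_service_principal_payload(display_name, application_id, entitlements=()):
    """Build the SCIM body; refuse entitlement values the API does not know
    so a typo does not silently create a principal without the intended rights."""
    unknown = set(entitlements) - KNOWN_ENTITLEMENTS
    if unknown:
        raise ValueError(f"unknown entitlements: {sorted(unknown)}")
    return {
        "displayName": display_name,
        "applicationId": application_id,
        "entitlements": [{"value": e} for e in entitlements],
        "schemas": [SCIM_SP_SCHEMA],
        "active": True,
    }


def build_request(host, token, payload):
    """Prepare the POST with bearer auth and the application/scim+json content type."""
    host = host.replace("https://", "", 1).rstrip("/")
    url = f"https://{host}/api/2.0/preview/scim/v2/ServicePrincipals"
    return urllib.request.Request(
        url,
        data=json.dumps(payload).encode("utf-8"),
        method="POST",
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/scim+json",
        },
    )


def create_service_principal(host, token, payload):
    """Send the request and return (HTTP status, parsed SCIM response)."""
    with urllib.request.urlopen(build_request(host, token, payload)) as resp:
        return resp.status, json.load(resp)


if __name__ == "__main__":
    body = build_service_principal_payload(
        "sp-edk-databricks-dvlm-deployment",
        "00000000-0000-0000-0000-000000000000",  # placeholder application (client) ID
        ["allow-cluster-create"],
    )
    status, created = create_service_principal(
        os.environ["DATABRICKS_HOST"], os.environ["DATABRICKS_TOKEN"], body
    )
    print(status, created.get("id"), created.get("displayName"))
```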

When you use Postman, I advise you to work with environments and variables; this makes reusing scripts a lot easier. In this blog I have not done that, for simplicity.

This was my last blog in the series, I hope you enjoyed reading these blogs. A summary of these blogs can be found below. If there are any questions or ambiguities, I would of course be happy to hear and answer them.

Other blog posts in this series:

  1. Configure the Enterprise Application(SCIM) for Azure Databricks Account Level provisioning
  2. Assign and Provision users and groups in the Enterprise Application(SCIM)
  3. Creating a metastore in your Azure Databricks account to assign an Azure Databricks Workspace
  4. Assign Users and groups to an Azure Databricks Workspace and define the correct entitlements
  5. Add Service Principals to your Azure Databricks account using the account console
  6. Configure the Enterprise Application(SCIM) for Azure Databricks Workspace provisioning


Provision users and groups from AAD to Azure Databricks (part 5)

by Erwin | Jan 24, 2023 | Azure Databricks

Add Service principals to your Azure Databricks account using the account console

In the previous blog, you assigned Users and Groups to an Azure Databricks Workspace. In this blog, you will learn how to assign Service Principals to an Azure Databricks Workspace and define the correct entitlements.

As a security best practice, Databricks recommends using an Azure AD service principal and its Azure AD token, instead of your Azure Databricks user or the Databricks personal access token of your workspace user, to give CI/CD platforms access to Azure Databricks resources. More details can be found in the following link: Service principals for CI/CD.

To add a service principal to the account using the account console:

  1. As an account admin, log in to the account console.
  2. Click User management.
  3. On the Service principals tab, click Add service principal. Click here to create a new service principal.
  4. Enter a name for the service principal.
  5. Under UUID, enter the Application (client) ID for the service principal.
  6. Click Add.

Assign Service Principal to Azure Databricks Workspace

Log in to your workspace. If you are still logged in to the account console, you can open the workspace directly from the data settings icon on the left side.

Once the Workspace is open, select the admin console in the upper right corner.

Select Service Principals.

Add Service Principals.

add-sp-workspace

add-sp-workspace-select

Select the Service Principal you want to add one by one.

The Service Principal is now visible and you can assign the correct entitlements to the Service Principal.

configire-sp

Once the Service Principal has been added, the service principal will also be visible in your Azure Databricks account.

Workspaces

Click on the correct workspace, then Permissions, and you can see that the service principal is now visible here as well. If needed, you can change the role from being a regular user to a full admin.

In my next blog, you will learn how to configure the Enterprise Application (SCIM) for Azure Databricks workspace provisioning.

Other blog posts in this series:

  1. Configure the Enterprise Application(SCIM) for Azure Databricks Account Level provisioning
  2. Assign and Provision users and groups in the Enterprise Application(SCIM)
  3. Creating a metastore in your Azure Databricks account to assign an Azure Databricks Workspace
  4. Assign Users and groups to an Azure Databricks Workspace and define the correct entitlements
  5. Add Service Principals to your Azure Databricks account using the account console
  6. Configure the Enterprise Application(SCIM) for Azure Databricks Workspace provisioning


Provision users and groups from AAD to Azure Databricks (part 4)

by Erwin | Jan 23, 2023 | Azure Databricks

Assign Users and groups to Azure Databricks Workspace

In the previous blog, you created the metastore in your Azure Databricks account to assign an Azure Databricks Workspace. In this blog, you will learn how to assign Users and Groups to an Azure Databricks Workspace and define the correct entitlements.

You need to assign the synced groups to your Azure Databricks workspace; this needs to be done for every workspace. That's one of the reasons to create a group of users for every environment.

SG_DATABRICKS_USERS_DVLM: for the users who are allowed to use the Development environment.

SG_DATABRICKS_USERS_PROD: for the users who are allowed to use the Production environment.

SG_DATABRICKS_ACCOUNT_ADMIN: for the users who need to be assigned the Account Admin role.

You can add the same users to both groups, but this way you are already prepared for the future if you want to separate the users from each other at a later stage.

Azure Databricks Workspace

Log in to your workspace. If you are still logged in to the account console, you can open the workspace directly from the data settings icon on the left side.

Once the Workspace is open, select the admin console in the upper right corner.

Select Groups

adb-admin-console

Select add Group.

adb-admin-console-add

Select the groups you want to add one by one.

adb-admin-console-group-add


The groups are now visible and you can assign the correct entitlements to the group.

adb-admin-console-entitlement

Workspace access:

  • When granted to a user or service principal, they can access the Data Science & Engineering and Databricks Machine Learning persona-based environments.
  • Can’t be removed from workspace admins.

adb-admin-console-entitlement-enable

Databricks SQL access:

  • When granted to a user or service principal, they can access Databricks SQL.

Allow unrestricted cluster creation:

  • When granted to a user or service principal, they can create clusters. You can restrict access to existing clusters using cluster-level permissions.
  • Can’t be removed from workspace admins


Account admins are synced by default to all workspaces.

Users added through a group have a separate icon displayed.

add-user-group

Please note that Databricks recommends that you assign group permissions to workspaces, instead of assigning workspace permissions to users individually.

In my next blog I will explain how to Add Service Principals to your Azure Databricks account using the account console.

Other blog posts in this series:

  1. Configure the Enterprise Application(SCIM) for Azure Databricks Account Level provisioning
  2. Assign and Provision users and groups in the Enterprise Application(SCIM)
  3. Creating a metastore in your Azure Databricks account to assign an Azure Databricks Workspace
  4. Assign Users and groups to an Azure Databricks Workspace and define the correct entitlements
  5. Add Service Principals to your Azure Databricks account using the account console
  6. Configure the Enterprise Application(SCIM) for Azure Databricks Workspace provisioning


Provision users and groups from AAD to Azure Databricks (part 3)

by Erwin | Jan 19, 2023 | Azure Databricks

Creating a metastore in your Azure Databricks account

In the previous blog you learned how to sync and assign users and groups to the Enterprise Application. In this blog, you will learn how to create a metastore and assign it to Azure Databricks workspaces. This is a prerequisite to be able to assign users and groups to the Azure Databricks workspaces.

In the situation below we're creating a metastore that is accessed using a managed identity, which is the recommended setup.

Before you can create a Metastore, you need to create an Azure Databricks access connector, which is a first-party Azure resource that lets you connect a system-assigned managed identity to an Azure Databricks account.

Requirements :

  • You need to have an Azure Databricks account with a Premium Plan.
  • You must be an Azure Databricks account admin.
  • You must have an Azure Data Lake Storage Gen2 storage account (it must be in the same region as your Azure Databricks workspace).

Azure Databricks access connector

Log in to the Azure Portal as a Contributor or as an Owner of a resource group.

adb-connector

Search for the Access Connector for Azure Databricks in the Marketplace and click on create.

Configure the Connector

adb-connector-create

  • Subscription: Select the subscription in which you want to create the access connector.
  • Resource group: This should be a resource group in the same region as the storage account that you will connect to.
  • Name: The name of the connector.
  • Region: Same region as the storage account that you will connect to.

Click Review + create.
When you see the Validation Passed message, click Create.

Grant the managed identity access to the storage account

  • Log in to your Azure Data Lake Storage Gen2 account as an Owner or a user with the User Access Administrator Azure RBAC role on the storage account.
  • Go to Access Control (IAM), click + Add, and select Add role assignment.
  • Select the Storage Blob Data Contributor role and click Next.
  • Under Assign access to, select Managed identity.
  • Click +Select Members, and select Access connector for Azure Databricks.
  • Search for your connector name, select it, and click Review and Assign.

mi-assign

Create the Metastore

Log in to the Azure Databricks account console.

On the left side, click on the data settings icon.

Click on the "Create a Metastore" button.


create-metastore

  • Name: the name for the metastore.
  • Region: the region where the metastore will be deployed; this must be the same region as the workspaces, storage and access connector.
  • ADLS Gen 2 path: Enter the path to the storage container that you will use as root storage for the metastore.
  • Access Connector ID: Enter the Azure Databricks access connector's resource ID, which can be found on the main page of the access connector.

Click on Create to create the metastore.

If you see the following error, you forgot to assign the managed identity access to the storage account. You can Force Create the metastore and assign the managed identity afterwards.

access-violation


Assign Workspace to Metastore

The last step is to assign the workspaces to the metastore. On the right side, click Assign to workspace.

You will only see workspaces that have not been assigned earlier. Select the correct workspace and click on Assign.

Enable the Unity Catalog and your workspaces are connected.

In my next blog I will explain how to Assign Users and groups to an Azure Databricks Workspace and define the correct entitlements.

Other blog posts in this series:

  1. Configure the Enterprise Application(SCIM) for Azure Databricks Account Level provisioning
  2. Assign and Provision users and groups in the Enterprise Application(SCIM)
  3. Creating a metastore in your Azure Databricks account to assign an Azure Databricks Workspace
  4. Assign Users and groups to an Azure Databricks Workspace and define the correct entitlements
  5. Add Service Principals to your Azure Databricks account using the account console
  6. Configure the Enterprise Application(SCIM) for Azure Databricks Workspace provisioning
