Provision users and groups from AAD to Azure Databricks (part 2)

by Jan 18, 2023

Assign and Provision users and groups in the Enterprise Application

In the previous blog you learned how to configure the Enterprise Application. In this blog, you will learn how to assign and provision users and groups.

Once the users and groups are assigned to the Enterprise Application, you can provision them to your Azure Databricks account or Azure Databricks workspace.

Add users and groups

In the Enterprise Application, open Users and groups on the left pane and click Add user/group to add the required users and groups.

Azure Databricks SCIM Users and Groups

License warning Enterprise Application

When you see the above message, it means that you don't have a Premium Azure Active Directory edition account. Don't worry, you can still provision users; for groups you need a Premium edition.

Note: If you have existing Azure Databricks workspaces and you sync at account level, make sure that you add all existing users and groups in those workspaces to the above Enterprise Application.

Start the provisioning

The last step is to provision the users and the groups. Provisioning will automatically sync the assigned users and groups to your Azure Databricks account.

Go back to the provisioning option on the left pane.

Mappings

Enable the user and group sync option in the mappings section.

Mapping detail to Provision users and groups in the Enterprise Application

Settings

Set the scope to Sync only assigned users and groups. Otherwise all users in your Azure Active Directory will be synced, which is not necessary.

Next, set the Provisioning Status toggle to On.

Setting details to Provision users and groups in the Enterprise Application

After a few minutes your users will be synced.

There are 2 more options which we can set:

Notification Email: Send an email notification when a failure occurs.

Prevent accidental deletion: Set a threshold for accidental deletion. More on how this works can be found here.

Checking the Provisioning Logs

Once the users and groups have been provisioned, you can check the details in the provisioning logs.

Click on Provisioning on the left side:

Log details in the Enterprise Application

The details of the provisioning should now be visible. Good to know: the sync interval is fixed at 40 minutes.

Click on View provisioning logs to see a detailed overview of the sync.

Log overview in the Enterprise Application
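
As an added example (not part of the original post and not Microsoft's or Databricks' own tooling): a small Python script that triages one sync cycle from exported provisioning logs, listing failures and successful removals. It assumes the records follow the Microsoft Graph provisioningObjectSummary shape; the sample records, the error code and the removal_review_limit parameter are constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample records (names, addresses and error code are made up),
# shaped like Microsoft Graph provisioningObjectSummary entries.
SAMPLE_LOGS = json.loads("""[
 {"provisioningAction": "create", "provisioningStatusInfo": {"status": "success"},
  "sourceIdentity": {"displayName": "alice@example.com", "identityType": "User"}},
 {"provisioningAction": "create",
  "provisioningStatusInfo": {"status": "failure",
      "errorInformation": {"errorCode": "SampleErrorCode"}},
  "sourceIdentity": {"displayName": "bob@example.com", "identityType": "User"}},
 {"provisioningAction": "create", "provisioningStatusInfo": {"status": "success"},
  "sourceIdentity": {"displayName": "Data-Engineers", "identityType": "Group"}},
 {"provisioningAction": "disable", "provisioningStatusInfo": {"status": "success"},
  "sourceIdentity": {"displayName": "carol@example.com", "identityType": "User"}},
 {"provisioningAction": "delete", "provisioningStatusInfo": {"status": "success"},
  "sourceIdentity": {"displayName": "dave@example.com", "identityType": "User"}},
 {"provisioningAction": "update", "provisioningStatusInfo": {"status": "skipped"},
  "sourceIdentity": {"displayName": "erin@example.com", "identityType": "User"}}
]""")


def summarize(records, removal_review_limit=2):
    """Triage one sync cycle: count statuses, list failures, and flag the
    cycle when successful delete/disable actions exceed removal_review_limit
    (a local review limit of this script, not the Azure AD setting itself)."""
    statuses = Counter()
    failures, removals = [], []
    for rec in records:
        info = rec.get("provisioningStatusInfo") or {}
        status = info.get("status", "unknown")
        action = rec.get("provisioningAction", "other")
        who = (rec.get("sourceIdentity") or {}).get("displayName", "<unknown>")
        statuses[status] += 1
        if status == "failure":
            err = info.get("errorInformation") or {}
            failures.append((who, action, err.get("errorCode", "<no code>")))
        elif status == "success" and action in ("delete", "disable"):
            removals.append(who)  # access was actually removed downstream
    return {"statuses": dict(statuses), "failures": failures,
            "removals": removals,
            "removal_alert": len(removals) > removal_review_limit}


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LOGS, removal_review_limit=1), indent=2))
```

Failures deserve the first look, because they mark identities whose access in Azure Databricks no longer matches what was assigned in the Enterprise Application.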

Tips and tricks for Provisioning

  • The sync interval is fixed at 40 minutes; the initial sync starts immediately.
  • The username or email address of an Azure Databricks workspace user cannot be updated.
  • The admin group cannot be used as a group name.
  • Groups cannot be renamed in Azure Databricks or in the Azure Active Directory.
  • Nested groups or service principals cannot be synced.
  • More tips and tricks can be found here.

In my next blog I will explain how to create a metastore in your Azure Databricks account to assign an Azure Databricks workspace.

Other blog posts in this series:

  1. Configure the Enterprise Application(SCIM) for Azure Databricks Account Level provisioning
  2. Assign and Provision users and groups in the Enterprise Application(SCIM)
  3. Creating a metastore in your Azure Databricks account to assign an Azure Databricks Workspace
  4. Assign Users and groups to an Azure Databricks Workspace and define the correct entitlements
  5. Add Service Principals to your Azure Databricks account using the account console
  6. Configure the Enterprise Application(SCIM) for Azure Databricks Workspace provisioning
