Provision users and groups from AAD to Azure Databricks (part 5)

by Erwin | Jan 24, 2023 | Azure Databricks

Add Service principals to your Azure Databricks account using the account console

In the previous blog, you assigned Users and Groups to an Azure Databricks Workspace. In this blog, you will learn how to assign Service Principals to an Azure Databricks Workspace and define the correct entitlements.

As a security best practice, Databricks recommends giving CI/CD platforms access to Azure Databricks resources through an Azure AD service principal and its Azure AD token, rather than through your own Azure Databricks user or a personal access token of a workspace user. More details can be found at the following link: Service principals for CI/CD.

To add a service principal to the account using the account console:

  1. As an account admin, log in to the account console.
  2. Click User management.
  3. On the Service principals tab, click Add service principal. Click here to create a new service principal.
  4. Enter a name for the service principal.
  5. Under UUID, enter the Application (client) ID for the service principal.
  6. Click Add.

Assign Service Principal to Azure Databricks Workspace

Log in to your Workspace. If you are still logged in to your account console, you can open the workspace directly from the Data settings icon on the left side.

Once the Workspace is open, select the admin console in the upper right corner.

Select Service Principals.

Add Service Principals.


Select the Service Principals you want to add, one at a time.

The Service Principal is now visible and you can assign the correct entitlements to the Service Principal.


Once the Service Principal has been added, the service principal will also be visible in your Azure Databricks account.

Workspaces

Click on the correct Workspace, then on Permissions, and you can see that the Service Principal is visible here as well. If needed, you can change the role from a regular user to a full admin.

In my next blog, you will learn how to configure the Enterprise Application (SCIM) for Azure Databricks Workspace provisioning.

Other blog posts in this series:

  1. Configure the Enterprise Application(SCIM) for Azure Databricks Account Level provisioning
  2. Assign and Provision users and groups in the Enterprise Application(SCIM)
  3. Creating a metastore in your Azure Databricks account to assign an Azure Databricks Workspace
  4. Assign Users and groups to an Azure Databricks Workspace and define the correct entitlements
  5. Add Service Principals to your Azure Databricks account using the account console
  6. Configure the Enterprise Application(SCIM) for Azure Databricks Workspace provisioning


Provision users and groups from AAD to Azure Databricks (part 4)

by Erwin | Jan 23, 2023 | Azure Databricks

Assign Users and groups to Azure Databricks Workspace

In the previous blog, you created the metastore in your Azure Databricks account to assign an Azure Databricks Workspace. In this blog, you will learn how to assign Users and Groups to an Azure Databricks Workspace and define the correct entitlements.

You need to assign the synced groups to your Azure Databricks workspace, and this has to be done for every workspace. That's one of the reasons to create a separate group of users for every environment:

SG_DATABRICKS_USERS_DVLM: for the users who are allowed to use the Development environment.

SG_DATABRICKS_USERS_PROD: for the users who are allowed to use the Production environment.

SG_DATABRICKS_ACCOUNT_ADMIN: for the users who need to be assigned the Account Admin role.

You can add the same users to both groups, but this way you are already prepared for the future if you want to separate the users from each other at a later stage.

Azure Databricks Workspace

Log in to your Workspace. If you are still logged in to your account console, you can open the workspace directly from the Data settings icon on the left side.

Once the Workspace is open, select the admin console in the upper right corner.

Select Groups.

Select Add Group.

Select the groups you want to add one by one.

The groups are now visible and you can assign the correct entitlements to the group.

Workspace access:

  • When granted to a user or service principal, they can access the Data Science & Engineering and Databricks Machine Learning persona-based environments.
  • Can’t be removed from workspace admins.

Databricks SQL access:

  • When granted to a user or service principal, they can access Databricks SQL.

Allow unrestricted cluster creation:

  • When granted to a user or service principal, they can create clusters. You can restrict access to existing clusters using cluster-level permissions.
  • Can’t be removed from workspace admins.

Account admins are synced by default to all workspaces.

Users added through a group have a separate icon displayed.

Please note that Databricks recommends assigning workspace permissions to groups instead of assigning them to users individually.
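The two recommendations in this series, assigning entitlements through groups rather than to individual users (above) and giving CI/CD pipelines a dedicated service principal (part 5), can be checked with a small audit over the SCIM inventory. The example below is added here and is not code from the original posts; it runs on constructed records that mirror the shape of the Databricks SCIM /Users, /ServicePrincipals and /Groups responses and assumes that an entitlement listed directly on a principal is a direct grant rather than one inherited from a group.

```python
"""Audit a workspace's SCIM inventory against the group-based model used in this series.

Added example, not part of the original posts. The records below are constructed
to mirror the shape of Databricks SCIM /Users, /ServicePrincipals and /Groups
responses; no API call is made, so it runs offline.
"""

# Environment groups the series creates (part 4); workspace admins are covered by
# the built-in "admins" group, so it is not in the expected set.
EXPECTED_GROUPS = {"SG_DATABRICKS_USERS_DVLM", "SG_DATABRICKS_USERS_PROD"}
# Entitlement that should come via a group, never as a direct grant.
PRIVILEGED_ENTITLEMENTS = {"allow-cluster-create"}

# Constructed sample data (not real identities or application IDs).
GROUPS = [
    {"displayName": "SG_DATABRICKS_USERS_DVLM",
     "members": [{"value": "u1"}, {"value": "sp1"}],
     "entitlements": [{"value": "workspace-access"}, {"value": "databricks-sql-access"}]},
    {"displayName": "admins",
     "members": [{"value": "u2"}],
     "entitlements": [{"value": "workspace-access"}, {"value": "allow-cluster-create"}]},
]
USERS = [
    {"id": "u1", "userName": "alice@example.com", "entitlements": []},
    {"id": "u2", "userName": "bob@example.com", "entitlements": []},
    # Direct grant on the user, and not a member of any group: both findings fire.
    {"id": "u3", "userName": "carol@example.com",
     "entitlements": [{"value": "allow-cluster-create"}]},
]
SERVICE_PRINCIPALS = [
    # CI/CD deployer from part 5; in a group, but also carries a direct grant.
    {"id": "sp1", "applicationId": "00000000-0000-0000-0000-000000000001",
     "displayName": "cicd-deployer",
     "entitlements": [{"value": "allow-cluster-create"}]},
]


def _entitlement_names(entitlements):
    return {e["value"] for e in entitlements}


def audit(users, service_principals, groups):
    """Return findings: expected environment groups that are missing, principals
    carrying a privileged entitlement directly (assumed not inherited), and
    principals that belong to no group at all."""
    group_names = {g["displayName"] for g in groups}
    member_ids = {m["value"] for g in groups for m in g.get("members", [])}
    findings = {"missing_groups": sorted(EXPECTED_GROUPS - group_names),
                "direct_privileged": [], "ungrouped": []}
    for kind, principals in (("user", users), ("service_principal", service_principals)):
        for p in principals:
            label = p.get("userName") or p.get("displayName")
            direct = _entitlement_names(p.get("entitlements", [])) & PRIVILEGED_ENTITLEMENTS
            if direct:
                findings["direct_privileged"].append((kind, label, sorted(direct)))
            if p["id"] not in member_ids:
                findings["ungrouped"].append((kind, label))
    return findings


if __name__ == "__main__":
    for key, value in audit(USERS, SERVICE_PRINCIPALS, GROUPS).items():
        print(f"{key}: {value}")
```

Pointing `audit` at the real inventory of a workspace means fetching the three SCIM collections with the workspace SCIM API first; the finding keys stay the same.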

In my next blog I will explain how to Add Service Principals to your Azure Databricks account using the account console.

Other blog posts in this series:

  1. Configure the Enterprise Application(SCIM) for Azure Databricks Account Level provisioning
  2. Assign and Provision users and groups in the Enterprise Application(SCIM)
  3. Creating a metastore in your Azure Databricks account to assign an Azure Databricks Workspace
  4. Assign Users and groups to an Azure Databricks Workspace and define the correct entitlements
  5. Add Service Principals to your Azure Databricks account using the account console
  6. Configure the Enterprise Application(SCIM) for Azure Databricks Workspace provisioning


Provision users and groups from AAD to Azure Databricks (part 3)

by Erwin | Jan 19, 2023 | Azure Databricks

Creating a metastore in your Azure Databricks account

In the previous blog you learned how to sync and assign users and groups to the Enterprise Application. In this blog, you will learn how to create a metastore and assign it to Azure Databricks workspaces. This is a prerequisite for assigning users and groups to the Azure Databricks workspaces.

In the situation below we're creating a metastore that is accessed using a managed identity, which is the recommended setup.

Before you can create a Metastore, you need to create an Azure Databricks access connector, which is a first-party Azure resource that lets you connect a system-assigned managed identity to an Azure Databricks account.

Requirements:

  • You need to have an Azure Databricks account with a Premium Plan.
  • You must be an Azure Databricks account admin.
  • You must have an Azure Data Lake Storage Gen2 storage account (it must be in the same region as your Azure Databricks Workspace).

Azure Databricks access connector

Log in to the Azure Portal as a Contributor or as an Owner of a resource group.

Search for the Access Connector for Azure Databricks in the Marketplace and click on create.

Configure the Connector

  • Subscription: Select the subscription where you want to create the access connector in.
  • Resource group: This should be a resource group in the same region as the storage account that you will connect to.
  • Name: The name of the connector.
  • Region: Same region as the storage account that you will connect to.

Click Review + create.
When you see the Validation Passed message, click Create.

Grant the managed identity access to the storage account

  • Log in to your Azure Data Lake Storage Gen2 account as an Owner or a user with the User Access Administrator Azure RBAC role on the storage account.
  • Go to Access Control (IAM), click + Add, and select Add role assignment.
  • Select the Storage Blob Data Contributor role and click Next.
  • Under Assign access to, select Managed identity.
  • Click +Select Members, and select Access connector for Azure Databricks.
  • Search for your connector name, select it, and click Review and Assign.

Create the Metastore

Log in to the Azure Databricks account console.

On the left side, click on the Data settings icon.

Click on the "Create a Metastore" button.

  • Name: the name of the metastore.
  • Region: the region where the metastore will be deployed. This must be the same region as the workspaces, the storage account and the access connector.
  • ADLS Gen 2 path: enter the path to the storage container that you will use as root storage for the metastore.
  • Access Connector ID: enter the Azure Databricks access connector's resource ID, which can be found on the main page of the access connector.

Click Create to create the metastore.

If you see the following error, you forgot to assign the managed identity access to the storage account. You can Force Create the metastore and assign the managed identity afterwards.

Assign Workspace to Metastore

The last step is to assign the Workspaces to the Metastore. On the right side, click Assign to workspace.

You will only see the workspaces that have not been assigned to a metastore yet. Select the correct workspace and click Assign.

Enable the Unity Catalog and your workspaces are connected.

In my next blog I will explain how to Assign Users and groups to an Azure Databricks Workspace and define the correct entitlements.

Other blog posts in this series:

  1. Configure the Enterprise Application(SCIM) for Azure Databricks Account Level provisioning
  2. Assign and Provision users and groups in the Enterprise Application(SCIM)
  3. Creating a metastore in your Azure Databricks account to assign an Azure Databricks Workspace
  4. Assign Users and groups to an Azure Databricks Workspace and define the correct entitlements
  5. Add Service Principals to your Azure Databricks account using the account console
  6. Configure the Enterprise Application(SCIM) for Azure Databricks Workspace provisioning


Provision users and groups from AAD to Azure Databricks (part 2)

by Erwin | Jan 18, 2023 | Azure Databricks

Assign and Provision users and groups in the Enterprise Application

In the previous blog you learned how to configure the Enterprise Application. In this blog, you will learn how to assign and Provision Users and Groups.

Once the Users and groups are assigned to the Enterprise application you can provision the Users and groups to your Azure Databricks account or Azure Databricks Workspace.

Add users and groups

Click on Add user/group in the left pane of the Enterprise application to add the required users and groups.

License warning Enterprise Application

When you see the above message, it means that you don't have a Premium Azure Active Directory edition. Don't worry, you can still provision users; for groups you need a Premium edition.

Note: If you have existing Azure Databricks workspaces and you sync at the account level, make sure that you add all existing users and groups of those workspaces to the above Enterprise application.

Start the provisioning

The last step is to provision the users and the groups. Provisioning will automatically sync the assigned users and groups to your Azure Databricks account.

Go back to the provisioning option on the left pane.

Mappings

Enable the user and group sync option in the mappings section.

Settings

Set the scope to Sync only assigned users and groups; otherwise all users in your Azure Active Directory will be synced, which is not necessary.

The next step is to set the Provisioning Status toggle to On.

After a few minutes your users will be synced.

There are 2 more options which we can set:

  • Notification Email: send an email notification when a failure occurs.
  • Prevent accidental deletion: set a threshold for accidental deletions; more on how this works can be found here.

Checking the Provisioning Logs

Once the provisioning of the users and groups has been done, you can check the details in the provisioning logs.

Click on Provisioning on the left side.

The details of the provisioning should be visible now. Good to know: the sync interval is fixed at 40 minutes.

Click on View provisioning logs to see a detailed overview of the sync.

Tips and tricks for Provisioning

  • The sync interval is fixed at 40 minutes; the initial sync starts immediately.
  • The username or email address of an Azure Databricks workspace user cannot be updated.
  • The admin group cannot be used as Group name.
  • Groups cannot be renamed in Azure Databricks or in the Azure Active Directory.
  • Nested groups or service principals cannot be synced.
  • More tips and tricks can be found here.

In my next blog I will explain how to Create a metastore in your Azure Databricks account to assign an Azure Databricks Workspace.

Other blog posts in this series:

  1. Configure the Enterprise Application(SCIM) for Azure Databricks Account Level provisioning
  2. Assign and Provision users and groups in the Enterprise Application(SCIM)
  3. Creating a metastore in your Azure Databricks account to assign an Azure Databricks Workspace
  4. Assign Users and groups to an Azure Databricks Workspace and define the correct entitlements
  5. Add Service Principals to your Azure Databricks account using the account console
  6. Configure the Enterprise Application(SCIM) for Azure Databricks Workspace provisioning


Provision users and groups from AAD to Azure Databricks (part 1)

by Erwin | Jan 17, 2023 | Azure Databricks

Blog series: Provisioning identities from Azure Active Directory to Azure Databricks.

Instead of adding users and groups manually to your Azure Databricks environment, you can also sync them automatically from your Azure Active Directory to your Azure Databricks account with SCIM. This is one of the recommendations from Databricks.

Other advantages are:

  • Streamlined onboarding of new employees or teams in Azure Databricks.
  • Users can be easily deleted from the Azure Databricks workspaces through the Azure Active Directory. This ensures a consistent offboarding process and prevents unauthorized users from accessing sensitive data.

There are a couple of important requirements to have in place before we can start; you need to have or be:

  • Azure Databricks account with a Premium Plan.
  • Azure Databricks account admin to provision users to your Azure Databricks account using SCIM.
  • Azure Databricks workspace admin to provision users to an Azure Databricks workspace using SCIM.
  • Azure Active Directory account must be a Premium edition account to be able to provision groups.
  • Provisioning of users is available for all Azure Active Directory editions (including Azure AD Free).

Blog series

This blog post series contains the following topics, which I will post in the next few days:

  1. Configure the Enterprise Application(SCIM) for Azure Databricks Account Level provisioning
  2. Assign and Provision users and groups in the Enterprise Application(SCIM)
  3. Creating a metastore in your Azure Databricks account to assign an Azure Databricks Workspace
  4. Assign Users and groups to an Azure Databricks Workspace and define the correct entitlements
  5. Add Service Principals to your Azure Databricks account using the account console
  6. Configure the Enterprise Application(SCIM) for Azure Databricks Workspace provisioning

There are 2 different options to provision users and groups to Azure Databricks using Azure Active Directory (AAD): at the Azure Databricks account level or at the Azure Databricks workspace level. This post covers the Azure Databricks account level.

Configure the Enterprise Application(SCIM) for Azure Databricks Account Level provisioning

Azure Databricks account level

Before you start, log in to the Azure Databricks account console.

Make sure that you're an Azure Databricks account admin. If you're not an account admin, check who is (you can see this on the main page of the User management option). Ask the account admin to grant you access; they can do this by clicking on the account name.

Once you're an account admin, click on the User settings icon (red) on the left side.

Click on User Provisioning and click on set-up user provisioning.

Copy the SCIM token and the Account SCIM URL and store them in an Azure Key Vault. We need these settings later to configure the Enterprise Application.

Configure the Enterprise Application

In the Azure portal, go to Azure Active Directory > Enterprise Applications.

Click on New application and search for the "Azure Databricks SCIM Provisioning Connector".

Click on the app:

Enter a name for the application; I used Azure Databricks SCIM AzureDataBricksWestEurope.

Click on Create and wait until the application is created.

Click on Provisioning and set Provisioning Mode to Automatic.

Set the Tenant URL to the Account SCIM URL that we saved earlier in our Key Vault.

Set Secret Token to the Azure Databricks SCIM token that we generated and saved earlier in our Key Vault.

Click on Test Connection to see if everything is configured correctly.

In my next blog I will explain how to Assign and Provision users and groups in the Enterprise Application(SCIM).
