Configure workspace-level SCIM provisioning using Microsoft Entra ID (legacy)

Important

This documentation has been retired and might not be updated. Workspace-level SCIM provisioning is legacy. Databricks recommends that you use account-level SCIM provisioning, see Sync users and groups from Microsoft Entra ID.

Important

This feature is in Public Preview.

If you have any workspaces not enabled for identity federation, you should provision users, service principals, and groups directly to those workspaces. This section describes how to do this.

In the following examples, replace <databricks-instance> with the workspace URL of your Azure Databricks deployment.

Requirements

  • Your Azure Databricks account must have the Premium plan.
  • You must have the Cloud Application Administrator role in Microsoft Entra ID.
  • Your Microsoft Entra ID account must be a Premium edition account to provision groups. Provisioning users is available for any Microsoft Entra ID edition.
  • You must be an Azure Databricks workspace admin.

Step 1: Create the enterprise application and connect it to the Azure Databricks SCIM API

To set up provisioning directly to Azure Databricks workspaces using Microsoft Entra ID, you create an enterprise application for each Azure Databricks workspace.

These instructions tell you how to create an enterprise application in the Azure portal and use that application for provisioning.

  1. As a workspace admin, log in to your Azure Databricks workspace.

  2. Generate a personal access token and copy it. You provide this token to Microsoft Entra ID in a subsequent step.

    Important

    Generate this token as an Azure Databricks workspace admin who is not managed by the Microsoft Entra ID enterprise application. If the Azure Databricks admin user who owns the personal access token is deprovisioned using Microsoft Entra ID, the SCIM provisioning application will be disabled.

  3. In your Azure portal, go to Microsoft Entra ID > Enterprise Applications.

  4. Click + New Application above the application list. Under Add from the gallery, search for and select Azure Databricks SCIM Provisioning Connector.

  5. Enter a Name for the application and click Add. Use a name that will help administrators find it, like <workspace-name>-provisioning.

  6. Under the Manage menu, click Provisioning.

  7. Set Provisioning Mode to Automatic.

  8. Enter the SCIM API endpoint URL. Append /api/2.0/preview/scim to your workspace URL:

    https://<databricks-instance>/api/2.0/preview/scim

    Replace <databricks-instance> with the workspace URL of your Azure Databricks deployment. See Get identifiers for workspace objects.

  9. Set Secret Token to the Azure Databricks personal access token that you generated earlier in this procedure.

  10. Click Test Connection and wait for the message that confirms that the credentials are authorized to enable provisioning.

  11. Optionally, enter a notification email to receive notifications of critical errors with SCIM provisioning.

  12. Click Save.

Step 2: Assign users and groups to the application

Note

Microsoft Entra ID does not support the automatic provisioning of service principals to Azure Databricks. You can add service principals to your Azure Databricks workspace by following Manage service principals in your workspace.

Microsoft Entra ID does not support the automatic provisioning of nested groups to Azure Databricks. Microsoft Entra ID can only read and provision users that are immediate members of the explicitly assigned group. As a workaround, explicitly assign (or otherwise scope in) the groups that contain the users who need to be provisioned. For more information, see this FAQ.

  1. Go to Manage > Properties.
  2. Set Assignment required to Yes. Databricks recommends this option, which syncs only users and groups assigned to the enterprise application.
  3. Go to Manage > Provisioning.
  4. To start synchronizing Microsoft Entra ID users and groups to Azure Databricks, set the Provisioning Status toggle to On.
  5. Click Save.
  6. Go to Manage > Users and groups.
  7. Click Add user/group, select the users and groups, and click the Assign button.
  8. Wait a few minutes and check that the users and groups exist in your Azure Databricks account.

In the future, users and groups that you add and assign are automatically provisioned when Microsoft Entra ID schedules the next sync.

Important

Do not assign the Azure Databricks workspace admin whose personal access token was used to configure the Azure Databricks SCIM Provisioning Connector application.
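The following Python script is an added example, not Databricks' own code or documentation. It checks the same things from the workspace side that step 10 of Step 1 (Test Connection) and step 8 of Step 2 (confirm the users and groups exist) ask you to verify in the portal, and it reports whether the personal access token's owner appears among the identities you assigned to the enterprise application, which the note above says must not happen. It uses the Users and Groups list resources under the SCIM endpoint URL from Step 1; the workspace host, token, expected names and sample responses are assumptions or constructed values.

```python
"""Added example: check workspace-level SCIM provisioning from the Azure Databricks side."""
import json
import urllib.request
from urllib.parse import urlencode

SCIM_BASE = "/api/2.0/preview/scim"  # path appended to the workspace URL in Step 1


def scim_url(instance: str, resource: str, **query) -> str:
    """Build https://<databricks-instance>/api/2.0/preview/scim/v2/<resource>[?query]."""
    url = f"https://{instance.strip('/')}{SCIM_BASE}/v2/{resource}"
    return f"{url}?{urlencode(query)}" if query else url


def scim_list(instance: str, token: str, resource: str) -> list:
    """Page through a SCIM list resource (Users or Groups) with the PAT as bearer token.
    An HTTP 401/403 here is the failure that Test Connection in the portal would report."""
    resources, start = [], 1
    while True:
        req = urllib.request.Request(
            scim_url(instance, resource, startIndex=start, count=100),
            headers={"Authorization": f"Bearer {token}", "Accept": "application/scim+json"},
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            page = json.load(resp)
        items = page.get("Resources", [])
        resources.extend(items)
        if not items or start + len(items) > page.get("totalResults", 0):
            return resources
        start += len(items)


def audit(expected_users: set, expected_groups: set, users: list, groups: list,
          token_owner: str) -> dict:
    """Compare what Entra ID should have provisioned with what the workspace holds.
    expected_* are the names assigned to the enterprise application; token_owner is the
    admin who generated the PAT and must not be among them (see the note above)."""
    present_users = {u.get("userName") for u in users if u.get("active", True)}
    present_groups = {g.get("displayName") for g in groups}
    return {
        "missing_users": expected_users - present_users,
        "missing_groups": expected_groups - present_groups,
        "token_owner_assigned": token_owner in expected_users,
    }


# Constructed sample Resources (not captured from a real workspace), in SCIM ListResponse shape.
SAMPLE_USERS = [{"id": "1", "userName": "alice@example.com", "active": True},
                {"id": "2", "userName": "scim-admin@example.com", "active": True}]
SAMPLE_GROUPS = [{"id": "10", "displayName": "data-engineers", "members": [{"value": "1"}]}]
```

For a live check, pass the output of `scim_list("<databricks-instance>", "<token>", "Users")` and `scim_list(..., "Groups")` to `audit` instead of the constructed samples; a non-empty `missing_*` set after the first sync, or `token_owner_assigned` being true, is the condition to investigate.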