Azure data bricks bicep module redeployment deleting properties.authorizations

Question

Azure data bricks bicep module redeployment deleting properties.authorizations

Smriti, Smriti 65

I am trying to redeploy bicep module for Azure DataBricks and on each redeploy it deletes the Service principle which is in properties.authorizations configuration in ADB. However, i have not included properties.authorizations in my bicep template. I am not sure which Service principle it is because there is no such Service principle in Active directory. Testing in different environments, I found out that this Service principal object id is same for all the ADBs in dev, stg and prd irrespective of their tenant.

User's image

Please suggest what this Service principle is and what is its use.

Amira Bedhiafi 33,631 Reputation points Volunteer Moderator

2023-10-03T14:53:45.0033333+00:00

If the Bicep template does not define properties.authorizations, then upon redeployment, Azure will try to match the resource to the template's definitions. This could result in removal of any configurations not defined in the template.
Smriti, Smriti 65 Reputation points

2023-10-03T16:45:10.2866667+00:00

but what is this service principle for. I can see the same object id and owner role in every ADB instance that I have in my lab environment. Even i deployed an ADb instance in some different tenant and I found the same Object Id in ARM template. Is this something for ADB only that AD manages on its end. I want to know the purpose of it. And I can add this service principle in my bicep template but can i use some other Service Principle for it?
Smriti, Smriti 65 Reputation points

2023-10-04T18:26:45.16+00:00

Hello,

Can you please help me through this. I need to figure out what this object ID is for and what it does in the ADB. What's its relevance. Whether I should add it in my bicep template for Azure databricks and what would be its impact on my existing ADB .

Thanks in advance.
Smriti, Smriti 65 Reputation points

2023-10-06T17:31:24.5866667+00:00

Thanks for the information!
Bhargava-MSFT 31,261 Reputation points Microsoft Employee Moderator

2023-10-06T17:42:39.9766667+00:00

Thank you, Smriti, Smriti

If you don't have any further questions, please consider accepting the answer by hitting the Accept answer and up-vote as it helps the community look for answers to similar questions.
Smriti, Smriti 65 Reputation points

2023-10-07T07:41:13.19+00:00

Lastly, Should I include this is my bicep or is it safe to ignore the what-if noise.
Smriti, Smriti 65 Reputation points

2023-10-07T18:29:29.1966667+00:00

So if i don't include this service principle in my bicep template, will redeploying the template affect ADB instance or it'll automatically assign this service principle again?
Smriti, Smriti 65 Reputation points

2023-10-07T18:31:09.93+00:00

If i don't include this service principle in my bicep template, will redeploying the template affect ADB instance or it'll automatically assign this service principle again?
Bhargava-MSFT 31,261 Reputation points Microsoft Employee Moderator

2023-10-09T18:06:43.32+00:00

Hello Smriti, Smriti,

If you don’t include the service principal in your Bicep template, redeploying the template will not affect the Azure Databricks instance. The default service principal will be automatically assigned. This is because the service principal is a managed identity used by the workspace provider to perform operations on behalf of the workspace. Azure will use the default one if it’s not specified in the template.

Please note that any custom roles or permissions assigned to the previous service principal will not be automatically applied to the new one. You would need to manually assign these roles or permissions.

I hope this helps.
Smriti, Smriti 65 Reputation points

2023-10-09T18:51:12.67+00:00

Thanks a lot

Accepted answer

0 additional answers

Your answer

Amira Bedhiafi 33,631 Reputation points Volunteer Moderator

2023-10-03T14:53:45.0033333+00:00

If the Bicep template does not define properties.authorizations, then upon redeployment, Azure will try to match the resource to the template's definitions. This could result in removal of any configurations not defined in the template.
Smriti, Smriti 65 Reputation points

2023-10-03T16:45:10.2866667+00:00

but what is this service principle for. I can see the same object id and owner role in every ADB instance that I have in my lab environment. Even i deployed an ADb instance in some different tenant and I found the same Object Id in ARM template. Is this something for ADB only that AD manages on its end. I want to know the purpose of it. And I can add this service principle in my bicep template but can i use some other Service Principle for it?
Smriti, Smriti 65 Reputation points

2023-10-04T18:26:45.16+00:00

Hello,

Can you please help me through this. I need to figure out what this object ID is for and what it does in the ADB. What's its relevance. Whether I should add it in my bicep template for Azure databricks and what would be its impact on my existing ADB .

Thanks in advance.
Smriti, Smriti 65 Reputation points

2023-10-06T17:31:24.5866667+00:00

Thanks for the information!
Bhargava-MSFT 31,261 Reputation points Microsoft Employee Moderator

2023-10-06T17:42:39.9766667+00:00

Thank you, Smriti, Smriti

If you don't have any further questions, please consider accepting the answer by hitting the Accept answer and up-vote as it helps the community look for answers to similar questions.
Smriti, Smriti 65 Reputation points

2023-10-07T07:41:13.19+00:00

Lastly, Should I include this is my bicep or is it safe to ignore the what-if noise.
Smriti, Smriti 65 Reputation points

2023-10-07T18:29:29.1966667+00:00

So if i don't include this service principle in my bicep template, will redeploying the template affect ADB instance or it'll automatically assign this service principle again?
Smriti, Smriti 65 Reputation points

2023-10-07T18:31:09.93+00:00

If i don't include this service principle in my bicep template, will redeploying the template affect ADB instance or it'll automatically assign this service principle again?
Bhargava-MSFT 31,261 Reputation points Microsoft Employee Moderator

2023-10-09T18:06:43.32+00:00

Hello Smriti, Smriti,

If you don’t include the service principal in your Bicep template, redeploying the template will not affect the Azure Databricks instance. The default service principal will be automatically assigned. This is because the service principal is a managed identity used by the workspace provider to perform operations on behalf of the workspace. Azure will use the default one if it’s not specified in the template.

Please note that any custom roles or permissions assigned to the previous service principal will not be automatically applied to the new one. You would need to manually assign these roles or permissions.

I hope this helps.
Smriti, Smriti 65 Reputation points

2023-10-09T18:51:12.67+00:00

Thanks a lot

Answer 1

Hello Smriti, Smriti,

The service principal you see in the ARM template is the default service principal used by the workspace provider. This is a managed identity that performs operations on behalf of the workspace.

The service principal is used to grant access to the workspace provider to the Azure resources that are required for the workspace. The service principal has the same object ID and owner role for all the workspaces in your subscription, but it may differ across different tenants or subscriptions.

You can use a custom service principal instead of the default one if you want to have more control over the permissions and roles of the workspace provider.

Using the properties, you can specify a custom service principal in your bicep template authorizations configuration

fo that, you will need to create an Azure service principal in your Azure account first. Please see the below document.

https://learn.microsoft.com/en-us/azure/databricks/administration-guide/users-groups/service-principals

Share via

Azure data bricks bicep module redeployment deleting properties.authorizations

0 additional answers

Your answer