Edit

Share via

Microsoft Entra Application Provisioning to Azure Databricks with Private Link Workspace

  • Article

The Microsoft Entra provisioning service supports a SCIM 2.0 client that can be used to automatically provision users into cloud or on-premises applications. This article outlines how you can use the Microsoft Entra provisioning service to provision users into Azure Databricks workspaces with no public access.

Diagram that shows SCIM architecture.

Prerequisites

  • A Microsoft Entra tenant with Microsoft Entra ID Governance and Microsoft Entra ID P1 or Premium P2 (or EMS E3 or E5). To find the right license for your requirements, see Compare generally available features of Microsoft Entra ID.
  • Administrator role for installing the agent. This task is a one-time effort and should be an account with at least the Hybrid Identity Administrator role.
  • Administrator role for configuring the application in the cloud Application Administrator, Cloud Application Administrator, or Application Owner.
  • A computer with at least 3 GB of RAM, to host a provisioning agent. The computer should have Windows Server 2016 or a later version of Windows Server, with connectivity to the target application, and with outbound connectivity to login.microsoftonline.com, other Microsoft Online Services and Azure domains. An example is a Windows Server 2016 virtual machine hosted in Azure IaaS or behind a proxy.

Download, install, and configure the Microsoft Entra Connect Provisioning Agent Package

If you have already downloaded the provisioning agent and configured it for another on-premises application, then continue reading in the next section.

  1. Sign in to the Microsoft Entra admin center as at least a Hybrid Identity Administrator.

  2. Browse to Identity > Hybrid management > Microsoft Entra Connect > Cloud sync.

    Screenshot of new UX screen.

  3. On the left, select Agent.

  4. Select Download on-premises agent, and select Accept terms & download.

Note

Please use different provisioning agents for on-premises application provisioning and Microsoft Entra Connect cloud sync / HR-driven provisioning. All three scenarios should not be managed on the same agent.

  1. Open the provisioning agent installer, agree to the terms of service, and select next.
  2. When the provisioning agent wizard opens, continue to the Select Extension tab and select On-premises application provisioning when prompted for the extension you want to enable.
  3. The provisioning agent uses the operating system's web browser to display a popup window for you to authenticate to Microsoft Entra ID, and potentially also your organization's identity provider. If you're using Internet Explorer as the browser on Windows Server, then you may need to add Microsoft web sites to your browser's trusted site list to allow JavaScript to run correctly.
  4. Provide credentials for a Microsoft Entra administrator when you're prompted to authorize. The user is required to have at least the Hybrid Identity Administrator role.
  5. Select Confirm to confirm the setting. Once installation is successful, you can select Exit, and also close the Provisioning Agent Package installer.

Provisioning to SCIM-enabled Workspace

Once the agent is installed, no further configuration is necessary on-premises, and all provisioning configurations are then managed.

  1. Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.

  2. Browse to Identity > Applications > Enterprise applications > New application.

  3. Add the On-premises SCIM app from the gallery.

  4. From the left hand menu, navigate to the Provisioning option and select Get started.

  5. Select Automatic from the dropdown list and expand the On-Premises Connectivity option.

  6. Select the agent that you installed from the dropdown list and select Assign Agent(s).

  7. Now either wait 10 minutes or restart the Microsoft Entra Connect Provisioning Agent before proceeding to the next step & testing the connection.

  8. In the Tenant URL field, provide the SCIM endpoint URL for your application. The URL is typically unique to each target application and must be resolvable by DNS. An example for a scenario where the agent is installed on the same host as the application is https://localhost:8585/scim

    Screenshot that shows assigning an agent.

  9. Create an Admin Token in Azure Databricks User Settings Console and enter the same in the Secret Token field

  10. Select Test Connection, and save the credentials. The application SCIM endpoint must be actively listening for inbound provisioning requests, otherwise the test fails. Use the steps here if you run into connectivity issues.

Note

If the test connection fails, you will see the request made. Please note that while the URL in the test connection error message is truncated, the actual request sent to the application contains the entire URL provided above.

  1. Configure any attribute mappings or scoping rules required for your application.
  2. Add users to scope by assigning users and groups to the application.
  3. Test provisioning a few users on demand.
  4. Add more users into scope by assigning them to your application.
  5. Go to the Provisioning pane, and select Start provisioning.
  6. Monitor using the provisioning logs.

The following video provides an overview of on-premises provisioning.

More requirements

  • Ensure your SCIM implementation meets the Microsoft Entra SCIM requirements.
    Microsoft Entra ID offers open-source reference code that developers can use to bootstrap their SCIM implementation.
  • Support the /schemas endpoint to reduce configuration required.

Next steps