Azure Databricks administration introduction

This article provides an introduction to Azure Databricks administrator privileges and responsibilities.

Required Azure admin permissions

To manage your Azure Databricks service, you need the following Azure admin permissions:

• A user with the Azure Contributor or Owner role who can view and make changes to your Azure Databricks service, Azure subscription, and diagnostic logging configurations.
• Azure Active Directory administrators with permission to enable Azure Active Directory conditional access.
• To create Azure Databricks workspaces, you need to meet one of the following requirements:
  • You must be an Azure Contributor or Owner.
  • The Microsoft.ManagedIdentity resource provider must be registered in your subscription. See Register resource provider in the Azure documentation.

Databricks admin types

There are two levels of admins available in Azure Databricks:

• Account admins: Manage the Azure Databricks account, including enabling Unity Catalog, user provisioning, and account-level identity management.

• Workspace admins: Manage workspace identities, access control, settings, and features for individual workspaces in the account.

What are account admins?

Account admins have privileges over the entire Azure Databricks account. As an account admin, you can manage account settings, set up user provisioning, create metastores for Unity Catalog enablement, and manage identities across all workspaces in the account.

Account admins can also delegate the account admin and workspace admin roles to any other user.

Establish your first account admin

If you haven’t enabled Unity Catalog, your Azure Databricks account doesn’t have any account admins yet and you won’t have access to the account console. To establish your first account admin, you’ll need to engage someone who has the Azure AD Global Administrator role. For security purposes, only someone with the Azure AD Global Administrator role has permissions to assign the first account admin role. After completing these steps, you can remove the Global Administrator from the Azure Databricks account.

The Global Administrator should use the following instructions:

1. Sign into your Azure Portal with your Global Admin credentials.
2. Go to accounts.azuredatabricks.net and sign in with Azure AD. Azure Databricks automatically creates an account admin role for you.
3. Click User management.
4. Find and click the username of the user you want to delegate the account admin role to.
5. On the Roles tab, turn on Account admin.

Once another user has the account admin role, the Azure AD Global Administrator no longer needs to be involved. The new account admin can remove the Global Administrator from the Azure Databricks account and assign other users the account admin role.

Access the account console

The account console is where account admins manage their Azure Databricks account.

Account admins can access the account console at https://accounts.azuredatabricks.net.

Account users who are not account admins can only access the account from https://accounts.azuredatabricks.net. Upon logging in, the account console opens to a list of their workspaces.

Note

If you are in multiple Azure Active Directory tenants, the account console URL will bring you to the Azure Databricks account console in your default tenant. To access the account console of a different tenant, access the account console from within a workspace in your preferred tenant.

Account admins can also access the account console from within a workspace:

1. Click your email address at the top of the Databricks workspace UI.
2. Select Manage Account.

Account admin responsibilities

As an account admin, your responsibilities include:

• Enabling Unity Catalog
• Managing identities
• Managing account-level settings

Enable Unity Catalog

An account admin is needed to enable Unity Catalog in your account. The process involves creating a Unity Catalog metastore, which can only be done by an account admin.

For instructions on enabling Unity Catalog, see Get started using Unity Catalog.

Manage identities

Account admins should sync their identity provider with Azure Databricks if applicable. See Sync users and groups from Azure Active Directory.

If you’ve enabled Unity Catalog for at least one workspace in your account, identities (users, groups, and service principals) should be managed in the account console. Account admins can grant permissions and assign workspaces to these identities.

For more information, see Manage users and groups.

Manage account settings

Account admins can manage aspects of their Azure Databricks account from the account console using the Settings section. This includes enabling new features across the account and configuring IP access lists.

What are workspace admins?

Workspace admins have admin privileges within a single workspace. They can manage workspace-level identities, regulate compute use, and enable and delegate role-based access control (Premium plan and above only).

Access the admin settings

Workspace admins are the only users who have access to the workspace’s admin settings page. As a workspace admin, you can access admin settings by clicking your username in the top bar of the Azure Databricks workspace and selecting Admin Settings.

Workspace admin responsibilities

As a workspace admin, your responsibilities include:

• Managing identities in your workspace
• Creating and managing compute resources
• Managing workspace features and settings

Manage identities in your workspace

If your workspace is enabled for Unity Catalog, identities should be added to the account. Workspace admins can assign account users, groups, and service principals to their workspace. For more information on adding and removing identities in a workspace, see Manage users, service principals, and groups.

Note

Databricks Academy has a free course on Identity Administration.

Create and manage compute resources

Workspace admins can create SQL warehouses (a compute resource that lets you run SQL commands on data objects within Databricks SQL) and clusters for their workspace users. For instructions on creating SQL warehouses, see Configure SQL warehouses.

It is also the workspace admin’s job to regulate how compute resources are used in their workspace. Workspace admins have the following tools:

• Limit workspace users’ cluster creation options with cluster policies.
• Enforce consistent cluster configurations by configuring global init scripts.
• Learn which compute resources have Unity Catalog access.

Note

Databricks Academy has a free course on Compute Resources Administration.

Manage workspaces features and settings

Workspace admins are responsible for managing select workspace behavior and settings, including:

• Enabling access control for workspace objects (Requires Premium plan or above. See Upgrade plan.
• Managing Databricks SQL settings.

For information on other available workspace settings, see Managing workspace settings.

Note

Databricks Academy has a free course on Databricks Workspace Administration and Security.

Additional resources

Databricks Academy has a free self-paced learning path for platform administrators. Before you can access the course, you first need to register for Databricks Academy if you haven’t already.

You can also sign up to attend a live platform administration training.