Authentication and access control

This article introduces authentication and access control in Azure Databricks. For information about securing access to your data, see Data governance with Unity Catalog.

For more information on how to best configure user and groups in Azure Databricks, see Identity best practices.

Single sign-on

Single sign-on in the form of Microsoft Entra ID (formerly Azure Active Directory)-backed login is available in Azure Databricks account and workspaces by default. You use Microsoft Entra ID single sign-on for both the account console and workspaces. You can enable multi-factor authentication via Microsoft Entra ID.

Azure Databricks also supports Microsoft Entra ID conditional access, which allows administrators to control where and when users are permitted to sign in to Azure Databricks. See Conditional access.

Sync users and groups from Microsoft Entra ID using SCIM provisioning

You can use SCIM, or System for Cross-domain Identity Management, an open standard that allows you to automate user provisioning, to sync users and groups automatically from Microsoft Entra ID to your Azure Databricks account. SCIM streamlines onboarding a new employee or team by using Microsoft Entra ID to create users and groups in Azure Databricks and give them the proper level of access. When a user leaves your organization or no longer needs access to Azure Databricks, admins can terminate the user in Microsoft Entra ID, and that user’s account is also removed from Azure Databricks. This ensures a consistent offboarding process and prevents unauthorized users from accessing sensitive data. For more information, see Sync users and groups from Microsoft Entra ID.

Secure API authentication

Azure Databricks personal access tokens are one of the most well-supported types of credentials for resources and operations at the Azure Databricks workspace level. In order to secure API authentication, workspace admins can control which users, service principals, and groups can create and use Azure Databricks personal access tokens.

For more information, see Manage access to Azure Databricks automation.

Workspace admins can also review Azure Databricks personal access tokens, delete tokens, and set the maximum lifetime of new tokens for their workspace. See Monitor and manage personal access tokens.

For more information on authenticating to Azure Databricks automation, see Authentication for Azure Databricks automation - overview.

Access control overview

In Azure Databricks, there are different access control systems for different securable objects. The table below shows which access control system governs which type of securable object.

Securable object Access control system
Workspace-level securable objects Access control lists
Account-level securable objects Account role based access control
Data securable objects Unity Catalog

Azure Databricks also provides admin roles and entitlements that are assigned directly to users, service principals, and groups.

For information about securing data, see Data governance with Unity Catalog.

Access control lists

In Azure Databricks, you can use access control lists (ACLs) to configure permission to access workspace objects such as notebooks and SQL Warehouses. All workspace admin users can manage access control lists, as can users who have been given delegated permissions to manage access control lists. For more information on access control lists, see Access control lists.

Account role based access control

You can use account role based access control to configure permission to use account-level objects such as service principals and groups. Account roles are defined once, in your account, and apply across all workspaces. All account admin users can manage account roles, as can users who have been given delegated permissions to manage them, such as group managers and service principal managers.

Follow these articles for more information on account roles on specific account-level objects:

Databricks admin roles

In addition to access control on securable objects, there are built-in roles on the Azure Databricks platform. Users, service principals, and groups can be assigned roles.

There are two main levels of admin privileges available on the Azure Databricks platform:

  • Account admins: Manage the Azure Databricks account, including enabling Unity Catalog, user provisioning, and account-level identity management.

  • Workspace admins: Manage workspace identities, access control, settings, and features for individual workspaces in the account.

Additionally, users can be assigned these feature-specific admin roles, which have narrower sets of privileges:

  • Marketplace admins: Manage their account’s Databricks Marketplace provider profile, including creating and managing Marketplace listings.
  • Metastore admins: Manage privileges and ownership for all securable objects within a Unity Catalog metastore, such as who can create catalogs or query a table.

Users can also be assigned to be workspace users. A workspace user has the ability to log in to a workspace, where they can be granted workspace-level permissions.

For more information, see Setting up single sign-on (SSO).

Workspace entitlements

An entitlement is a property that allows a user, service principal, or group to interact with Azure Databricks in a specified way. Workspace admins assign entitlements to users, service principals, and groups at the workspace-level. For more information, see Manage entitlements.