Enable admin protection for “No isolation shared” clusters on your account
Account admins can prevent internal credentials from being automatically generated for Azure Databricks workspace admins on No Isolation Shared clusters. No Isolation Shared clusters are clusters that have the Access mode dropdown set to No isolation shared.
Important
The clusters UI recently changed. The No Isolation Shared access mode setting for a cluster previously appeared as the Standard cluster mode. A High Concurrency cluster that had no additional security settings, such as table access control (Table ACLs) or credential passthrough, behaves the same as a Standard mode cluster. The account-level admin setting that this article discusses applies to both the No Isolation Shared access mode and its equivalent legacy cluster modes. For a comparison of the old UI and new UI cluster types, see Clusters UI changes and cluster access modes.
Admin protection for No Isolation Shared clusters stops an admin's internal credentials from being provisioned into an environment that is shared with other users. Enabling this setting may break workloads that admins run on those clusters. See Limitations.
No Isolation Shared clusters run arbitrary code from multiple users in the same shared environment, similar to a cloud Virtual Machine that is shared across multiple users. Data or internal credentials provisioned to that environment might be readable by any code running within it. To call Azure Databricks APIs for normal operations, access tokens are provisioned on behalf of users to these clusters. When a higher-privileged user, such as a workspace admin, runs commands on such a cluster, their higher-privileged token is provisioned into that same environment, where code run by any other user on the cluster can reach it.
You can determine which clusters in a workspace have cluster types that are affected by this setting. See Find all your No Isolation Shared clusters (including equivalent legacy cluster modes).
In addition to this account-level setting, there is a workspace-level setting called Enforce User Isolation. Account admins can enable it to prevent creating or starting a “No isolation shared” cluster access type or its equivalent legacy cluster types.
Enable the account-level admin protection setting
As an account admin, log in to the Account Console.
Important
If no users in your Microsoft Entra ID tenant have yet logged in to the account console, you or another user in your tenant must log in as the first account admin. This first login requires the Microsoft Entra ID Global Administrator role. Upon first login, you become an Azure Databricks account admin and no longer need the Microsoft Entra ID Global Administrator role to access the Azure Databricks account. As the first account admin, you can assign users in the Microsoft Entra ID tenant as additional account admins (who can themselves assign more account admins). Additional account admins do not require specific roles in Microsoft Entra ID. See Manage users, service principals, and groups.
Click Settings.
Click the Feature enablement tab.
Under Enable Admin Protection for “No Isolation Shared” Clusters, toggle the setting to enable or disable this feature.
- If the feature is enabled, Azure Databricks prevents automatic generation of Databricks API internal credentials for Databricks workspace admins on No Isolation Shared clusters.
- Changes may take up to two minutes to take effect on all workspaces.
Limitations
When used with No Isolation Shared clusters or the equivalent legacy cluster modes, the following Azure Databricks features do not work if you enable admin protection for No Isolation Shared clusters on your account:
- Machine Learning Runtime workloads.
- Workspace files.
- dbutils Secrets utility.
- dbutils Notebook utility.
- Delta Lake operations by admins that create, modify, or update data.
Other features might not work for admin users on this cluster type because these features rely on automatically generated internal credentials.
In those cases, Azure Databricks recommends that admins do one of the following:
- Use a different cluster type than “No isolation shared” or its equivalent legacy cluster types.
- Create a separate non-admin user and use it for work on No Isolation Shared clusters.
Find all your No Isolation Shared clusters (including equivalent legacy cluster modes)
You can determine which clusters in a workspace are affected by this account-level setting.
Import the following notebook into each of your workspaces and run it.
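The following script is an added example of the same inventory check, not the notebook the page refers to. It reads the workspace's cluster list from the Clusters API (GET /api/2.0/clusters/list) and flags clusters whose `data_security_mode` is `NONE`, which is the API value behind the No isolation shared access mode. Clusters whose definition carries no `data_security_mode` at all (legacy definitions) are classified by an assumption: they are treated as the equivalent legacy mode unless their Spark conf enables Table ACLs (`spark.databricks.acl.dfAclsEnabled`) or credential passthrough (`spark.databricks.passthrough.enabled`). The `DATABRICKS_HOST` and `DATABRICKS_TOKEN` environment variables and the sample cluster records are constructed for this example; with the variables unset it runs offline against the samples.

```python
"""Find clusters affected by the admin-protection setting.

Added example, not the notebook the page refers to. It classifies
clusters from the Databricks Clusters API (GET /api/2.0/clusters/list)
and can also run offline against the constructed SAMPLE_CLUSTERS below.
"""
import json
import os
import urllib.request

# data_security_mode value the Clusters API reports for the
# "No isolation shared" access mode.
NO_ISOLATION_SHARED = "NONE"

# Spark confs set by the legacy Table ACL and credential-passthrough
# options on High Concurrency clusters. Assumption: a legacy cluster
# definition (no data_security_mode field) that carries neither is the
# "equivalent legacy mode" the page describes.
SECURED_LEGACY_CONFS = (
    "spark.databricks.acl.dfAclsEnabled",
    "spark.databricks.passthrough.enabled",
)


def _conf_is_true(spark_conf: dict, key: str) -> bool:
    return str(spark_conf.get(key, "")).strip().lower() == "true"


def classify(cluster: dict):
    """Return a reason string if the cluster is affected, else None."""
    mode = cluster.get("data_security_mode")
    if mode is not None:
        return f"data_security_mode={mode}" if mode == NO_ISOLATION_SHARED else None
    # Legacy definition without an access mode: fall back to the Spark
    # confs (assumption, see SECURED_LEGACY_CONFS).
    spark_conf = cluster.get("spark_conf") or {}
    if any(_conf_is_true(spark_conf, k) for k in SECURED_LEGACY_CONFS):
        return None
    return "legacy cluster mode without Table ACLs or credential passthrough"


def find_affected_clusters(clusters):
    """One row per affected cluster, sorted by name then id."""
    rows = []
    for c in clusters:
        reason = classify(c)
        if reason:
            rows.append({
                "cluster_id": c.get("cluster_id"),
                "cluster_name": c.get("cluster_name"),
                "state": c.get("state"),
                "creator": c.get("creator_user_name"),
                "reason": reason,
            })
    return sorted(rows, key=lambda r: (r["cluster_name"] or "", r["cluster_id"] or ""))


def list_clusters(host: str, token: str):
    """Fetch every cluster definition in one workspace."""
    url = f"{host.rstrip('/')}/api/2.0/clusters/list"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp).get("clusters", [])


# Constructed sample records in the shape the Clusters API returns.
SAMPLE_CLUSTERS = [
    {"cluster_id": "0101-000001-aaaa0001", "cluster_name": "etl-shared",
     "state": "RUNNING", "creator_user_name": "admin@example.com",
     "data_security_mode": "NONE"},
    {"cluster_id": "0101-000002-aaaa0002", "cluster_name": "uc-shared",
     "state": "TERMINATED", "creator_user_name": "analyst@example.com",
     "data_security_mode": "USER_ISOLATION"},
    {"cluster_id": "0101-000003-aaaa0003", "cluster_name": "ml-single",
     "state": "RUNNING", "creator_user_name": "ds@example.com",
     "data_security_mode": "SINGLE_USER"},
    {"cluster_id": "0101-000004-aaaa0004", "cluster_name": "legacy-hc-acl",
     "state": "TERMINATED", "creator_user_name": "admin@example.com",
     "spark_conf": {"spark.databricks.cluster.profile": "serverless",
                    "spark.databricks.acl.dfAclsEnabled": "true"}},
    {"cluster_id": "0101-000005-aaaa0005", "cluster_name": "legacy-hc-open",
     "state": "RUNNING", "creator_user_name": "admin@example.com",
     "spark_conf": {"spark.databricks.cluster.profile": "serverless"}},
]

if __name__ == "__main__":
    host = os.environ.get("DATABRICKS_HOST")
    token = os.environ.get("DATABRICKS_TOKEN")
    clusters = list_clusters(host, token) if host and token else SAMPLE_CLUSTERS
    for row in find_affected_clusters(clusters):
        print(f'{row["cluster_id"]}  {row["cluster_name"]:<16} '
              f'{row["state"]:<10} {row["creator"]}  {row["reason"]}')
```

Because the admin-protection setting is account-wide, run the script once per workspace host, with a token for that workspace. If the API in your workspaces reports a legacy `data_security_mode` value for old clusters instead of omitting the field, confirm that value against the Clusters API reference and add it to the check in `classify`; the Spark conf fallback only covers definitions that carry no access mode at all.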