

Sync users and groups automatically from Microsoft Entra ID

Important

This feature is in Public Preview.

This article describes how to configure Azure Databricks to sync users, service principals, and groups from Microsoft Entra ID using automatic identity management.

Automatic identity management overview

Automatic identity management enables you to seamlessly add users, service principals, and groups from Microsoft Entra ID into Azure Databricks without configuring an application in Microsoft Entra ID. When automatic identity management is enabled, you can directly search in identity federated workspaces for Microsoft Entra ID users, service principals, and groups and add them to your workspace. Databricks uses Microsoft Entra ID as the source of record, so any changes to group memberships are respected in Azure Databricks.

[Image: Add Microsoft Entra ID group from workspace]

Users can also share dashboards with any user, service principal, or group in Microsoft Entra ID. Those users are automatically added to the Azure Databricks account upon login. They are not added as members to the workspace that the dashboard is in. Members of Microsoft Entra ID who do not have access to the workspace are granted access to a view-only copy of a dashboard published with embedded credentials. For more information on dashboard sharing, see Share a dashboard.

Automatic identity management is not supported in non-identity federated workspaces. For more information on identity federation, see Enable identity federation.

User and group statuses

When automatic identity management is enabled, users, service principals, and groups from Microsoft Entra ID are visible in the account console and the workspace admin settings page. Their status reflects their activity and state between Microsoft Entra ID and Azure Databricks:

Status                          Meaning
Inactive: No usage              Identity in Microsoft Entra ID that has not logged in to Azure Databricks yet.
Active                          Identity is active in Azure Databricks.
Active: Removed From EntraID    Previously active in Azure Databricks and since removed from Microsoft Entra ID.
Deactivated                     Identity has been deactivated in Microsoft Entra ID.

Deactivated users and users removed from Microsoft Entra ID cannot log in to Azure Databricks or authenticate to Azure Databricks APIs. As a security best practice, we recommend revoking personal access tokens for Deactivated and Active: Removed From EntraID users.

Groups and service principals that are managed using automatic identity management are shown as External in Azure Databricks. External identities cannot be updated using the Azure Databricks UI.

Automatic identity management vs SCIM provisioning

When automatic identity management is enabled, all users, groups, and group memberships sync from Microsoft Entra ID to Azure Databricks, so SCIM provisioning is not necessary. If you keep the SCIM enterprise application running in parallel, the SCIM application continues to manage the users and groups configured in the Microsoft Entra ID enterprise application. It does not manage Microsoft Entra ID identities that were not added using SCIM provisioning.

Databricks recommends using automatic identity management. The table below compares features of automatic identity management with the features of SCIM provisioning.

Feature                                                         Automatic identity management    SCIM provisioning
Sync users
Sync groups (Direct members only)
Sync nested groups
Sync service principals
Configure and manage Microsoft Entra ID application
Requires Microsoft Entra ID Premium edition
Requires Microsoft Entra ID Cloud Application Administrator role
Requires identity federation

Azure Databricks externalId and Microsoft Entra ID objectId

Azure Databricks uses the Microsoft Entra ID objectId as the authoritative link for syncing identities and group memberships, and automatically updates the externalId field to match the objectId in a daily recurring flow. In some cases, mismatches or duplicate identities might still occur, especially if a user, service principal, or group is added to Azure Databricks through both automatic identity management and another method, such as SCIM provisioning. In these situations, you might see duplicate entries, one of which has the status Inactive: No usage. That user is not actually inactive and can log in to Azure Databricks.

You can merge these duplicate identities by providing their external ID in Azure Databricks. Use the Account Users, Account Service Principals, or Account Groups API to update the principal so that its externalId field contains its Microsoft Entra ID objectId.
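As an added example (not Databricks' own tooling), the Python script below shows how duplicate account principals of this kind can be picked out of an Account Users, Groups, or Service Principals SCIM listing and how the PATCH body that writes the Microsoft Entra ID objectId into externalId is built. The listing and the objectIds are constructed; the `externalId` path form of the PatchOp and the applicationId key for service principals are assumptions to confirm against the account SCIM API reference before applying.

```python
import json
import urllib.request
from collections import defaultdict

# SCIM resource type -> attribute that identifies the same principal across duplicate entries
# (applicationId for service principals is assumed from the account SCIM schema).
DUPLICATE_KEY = {"Users": "userName", "Groups": "displayName", "ServicePrincipals": "applicationId"}

# Constructed sample of a GET .../scim/v2/Users listing, trimmed to the fields used here.
# alice appears twice: 1001 (SCIM-provisioned, externalId already set) and 1002 (created by
# automatic identity management, shown as "Inactive: No usage" in the account console).
SAMPLE_USERS = {"Resources": [
    {"id": "1001", "userName": "alice@example.com", "externalId": "11111111-2222-3333-4444-555555555555"},
    {"id": "1002", "userName": "alice@example.com"},
    {"id": "1003", "userName": "bob@example.com", "externalId": "11111111-2222-3333-4444-666666666666"},
]}

def find_duplicates(listing, resource_type="Users"):
    """Group SCIM resources by their identifying attribute; return the ones listed more than once."""
    key = DUPLICATE_KEY[resource_type]
    groups = defaultdict(list)
    for res in listing.get("Resources", []):
        groups[res[key].lower()].append(res)
    return {k: v for k, v in groups.items() if len(v) > 1}

def external_id_patch(object_id):
    """SCIM 2.0 PatchOp body that sets externalId to the Entra ID objectId (path form assumed)."""
    return {"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
            "Operations": [{"op": "replace", "path": "externalId", "value": object_id}]}

def plan_merges(listing, entra_object_ids, resource_type="Users"):
    """Return (databricks_id, patch_body) for each duplicate whose externalId is not the
    Entra ID objectId the admin looked up for that principal; unknown objectIds are skipped."""
    plan = []
    for key, entries in find_duplicates(listing, resource_type).items():
        object_id = entra_object_ids.get(key)
        for res in entries:
            if object_id is not None and res.get("externalId") != object_id:
                plan.append((res["id"], external_id_patch(object_id)))
    return plan

def apply_patch(account_id, resource_type, res_id, body, token):
    """PATCH the account SCIM endpoint; call only after reviewing the dry-run plan."""
    url = f"https://accounts.azuredatabricks.net/api/2.0/accounts/{account_id}/scim/v2/{resource_type}/{res_id}"
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="PATCH",
                                 headers={"Authorization": f"Bearer {token}", "Content-Type": "application/scim+json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status
```

Run plan_merges first as a dry run and pass its entries to apply_patch only once the objectIds have been verified in Microsoft Entra ID.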

Because the externalId can update over time, Azure Databricks strongly recommends that you do not use custom workflows that depend on the externalId field.

Enable automatic identity management

Account admins can enable automatic identity management using the Previews page.

  1. As an account admin, log in to the account console.
  2. In the sidebar, click Previews.
  3. Toggle Automatic identity management to On.

After your account is enabled, to add and remove users, service principals, and groups from Microsoft Entra ID, follow the instructions below:

When automatic identity management is enabled, account admins can disable it using the Previews page. When it is disabled, users, service principals, and groups previously provisioned remain in Azure Databricks but no longer synchronize with Microsoft Entra ID. You can remove or deactivate these users in the account console.

Audit user logins

You can query the system.access.audit table to audit which users have logged in to the workspace. For example:

SELECT
  DISTINCT user_identity.email
FROM
  system.access.audit
WHERE
  action_name = "aadBrowserLogin"

For more information on the system.access.audit table, see Audit log system table reference.