Configure workspace-level SCIM provisioning using Microsoft Entra ID (legacy)

Important

This documentation has been retired and might not be updated. Workspace-level SCIM provisioning is legacy. Databricks recommends that you use account-level SCIM provisioning instead; see Sync users and groups from your identity provider.

Preview

This feature is in Public Preview.

If you have any workspaces not enabled for identity federation, you should provision users, service principals, and groups directly to those workspaces. This section describes how to do this.

In the following examples, replace <databricks-instance> with the workspace URL of your Databricks deployment.

Requirements

  • Your Databricks account must have the Premium plan.

  • You must have the Cloud Application Administrator role in Microsoft Entra ID.

  • Your Microsoft Entra ID account must be a Premium edition account to provision groups. Provisioning users is available for any Microsoft Entra ID edition.

  • You must be a Databricks workspace admin.

Step 1: Create the enterprise application and connect it to the Databricks SCIM API

To set up provisioning directly to Databricks workspaces using Microsoft Entra ID, you create an enterprise application for each Databricks workspace.

These instructions tell you how to create an enterprise application in the Azure portal and use that application for provisioning.

  1. As a workspace admin, log in to your Databricks workspace.

  2. Generate a personal access token and copy it. You provide this token to Microsoft Entra ID in a subsequent step.

    Important

    Generate this token as a Databricks workspace admin who is not managed by the Microsoft Entra ID enterprise application. If the Databricks admin user who owns the personal access token is deprovisioned using Microsoft Entra ID, the SCIM provisioning application will be disabled.

  3. In your Azure portal, go to Microsoft Entra ID > Enterprise Applications.

  4. Click + New Application above the application list. Under Add from the gallery, search for and select Azure Databricks SCIM Provisioning Connector.

  5. Enter a Name for the application and click Add. Use a name that will help administrators find it, like <workspace-name>-provisioning.

  6. Under the Manage menu, click Provisioning.

  7. Set Provisioning Mode to Automatic.

  8. Enter the SCIM API endpoint URL. Append /api/2.0/preview/scim to your workspace URL:

    https://<databricks-instance>/api/2.0/preview/scim

    Replace <databricks-instance> with the workspace URL of your Databricks deployment. See Get identifiers for workspace objects.

  9. Set Secret Token to the Databricks personal access token that you generated earlier in Step 1.

  10. Click Test Connection and wait for the message that confirms that the credentials are authorized to enable provisioning.

  11. Optionally, enter a notification email to receive notifications of critical errors with SCIM provisioning.

  12. Click Save.

Step 2: Assign users and groups to the application

  1. Go to Manage > Properties.

  2. Set Assignment required to Yes. Databricks recommends this option, which syncs only users and groups assigned to the enterprise application.

  3. Go to Manage > Provisioning.

  4. To start synchronizing Microsoft Entra ID users and groups to Databricks, set the Provisioning Status toggle to On.

  5. Click Save.

  6. Go to Manage > Users and groups.

  7. Click Add user/group, select the users and groups, and click the Assign button.

  8. Wait a few minutes and check that the users and groups exist in your Databricks account.
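The last step above is a manual check in the Databricks UI. As an added example (not code from this Databricks page or from the Azure Databricks SCIM Provisioning Connector), the following Python script performs the same check from the command line against the workspace SCIM API, using the same personal access token that was given to the enterprise application: it reads the Users and Groups resources and reports any expected user or group that has not been provisioned yet. Run without credentials, it exercises the checks on a constructed sample response instead. Assumptions: the SCIM 2.0 resources `/api/2.0/preview/scim/v2/Users` and `/api/2.0/preview/scim/v2/Groups` with a standard SCIM `filter` query parameter; the `DATABRICKS_HOST` and `DATABRICKS_TOKEN` environment variable names (the Databricks CLI convention); the hostname and the sample JSON are constructed placeholders.

```python
"""Check workspace-level SCIM provisioning results from the command line.

Added example, not part of the Databricks page; assumptions are marked in comments.
"""
import json
import os
import sys
import urllib.parse
import urllib.request

# Entra ID is given https://<databricks-instance>/api/2.0/preview/scim as the tenant URL;
# the SCIM 2.0 resources (Users, Groups) live under the /v2 segment below it (assumption).
SCIM_BASE = "/api/2.0/preview/scim/v2"


def scim_url(workspace_url, resource, scim_filter=None):
    """Build a SCIM resource URL, optionally with a SCIM filter expression."""
    url = workspace_url.rstrip("/") + SCIM_BASE + "/" + resource
    if scim_filter:
        url += "?" + urllib.parse.urlencode({"filter": scim_filter})
    return url


def scim_get(workspace_url, token, resource, scim_filter=None):
    """GET a SCIM ListResponse with the same PAT that the enterprise application uses.

    A 401/403 here means the token is not accepted, which is what Test Connection reports.
    """
    req = urllib.request.Request(
        scim_url(workspace_url, resource, scim_filter),
        headers={"Authorization": "Bearer " + token, "Accept": "application/scim+json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def missing_users(list_response, expected_user_names):
    """Return the expected userNames absent from a Users ListResponse."""
    present = {r.get("userName") for r in list_response.get("Resources", [])}
    return set(expected_user_names) - present


def missing_groups(list_response, expected_display_names):
    """Return the expected group displayNames absent from a Groups ListResponse."""
    present = {r.get("displayName") for r in list_response.get("Resources", [])}
    return set(expected_display_names) - present


def group_members(list_response, display_name):
    """Return the member display values of one group, or an empty set if it is absent."""
    for group in list_response.get("Resources", []):
        if group.get("displayName") == display_name:
            return {m.get("display") or m.get("value") for m in group.get("members", [])}
    return set()


# Constructed sample responses in SCIM ListResponse shape (not captured from a real workspace).
SAMPLE_USERS = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 2,
    "Resources": [
        {"id": "100", "userName": "alice@example.com", "active": True},
        {"id": "101", "userName": "bob@example.com", "active": True},
    ],
}
SAMPLE_GROUPS = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 1,
    "Resources": [
        {"id": "200", "displayName": "data-engineers",
         "members": [{"value": "100", "display": "alice@example.com"}]},
    ],
}


def report(users_response, groups_response, expected_users, expected_groups):
    """Summarise what has and has not been provisioned yet; returns (all_present, lines)."""
    lines = []
    mu = missing_users(users_response, expected_users)
    mg = missing_groups(groups_response, expected_groups)
    for name in sorted(mu):
        lines.append("MISSING user  " + name)
    for name in sorted(mg):
        lines.append("MISSING group " + name)
    for name in sorted(set(expected_groups) - mg):
        members = ", ".join(sorted(group_members(groups_response, name)))
        lines.append("group %s members: %s" % (name, members))
    return (not mu and not mg), lines


def main(argv):
    """Usage: python scim_check.py user:alice@example.com group:data-engineers ..."""
    # Assumed convention: DATABRICKS_HOST / DATABRICKS_TOKEN, as the Databricks CLI uses.
    host, token = os.environ.get("DATABRICKS_HOST"), os.environ.get("DATABRICKS_TOKEN")
    expected_users = [a[len("user:"):] for a in argv if a.startswith("user:")]
    expected_groups = [a[len("group:"):] for a in argv if a.startswith("group:")]
    if host and token:
        users, groups = scim_get(host, token, "Users"), scim_get(host, token, "Groups")
    else:  # offline: exercise the checks on the constructed sample
        users, groups = SAMPLE_USERS, SAMPLE_GROUPS
        expected_users, expected_groups = ["alice@example.com", "carol@example.com"], ["data-engineers"]
    ok, lines = report(users, groups, expected_users, expected_groups)
    print("\n".join(lines))
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

The unfiltered `Users` and `Groups` reads return a paginated list; on a large workspace, query one identity at a time with a SCIM filter instead, for example `scim_get(host, token, "Users", 'userName eq "alice@example.com"')` and check `totalResults`. A non-zero exit code makes the script usable in a post-assignment check, and the members line lets you confirm group membership rather than only group existence.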

In the future, users and groups that you add and assign are automatically provisioned when Microsoft Entra ID schedules the next sync.

Important

Do not assign the Databricks workspace admin whose personal access token was used to configure the Azure Databricks SCIM Provisioning Connector application.