https://community.databricks.com/t5/administration-architecture/leverage-azure-pim-with-databricks-with-contributor-role/m-p/44040#M377 <P>Thanks - think we were originally overthinking this.</P><P><SPAN>We determined we were doing this correctly, the user just needed to switch to 'groups' within PIM to request elevation of permissions. &nbsp;The larger issue is actually the 40 min user provisioning cycle as DataBricks does not pick up the change until this runs. &nbsp;This may be an option long-term, but the User Provisioning delay is making this a no go for our team.</SPAN></P><P>&nbsp;</P><P>&nbsp;</P> Thu, 07 Sep 2023 18:38:39 GMT SmileyVille 2023-09-07T18:38:39Z https://community.databricks.com/t5/administration-architecture/leverage-azure-pim-with-databricks-with-contributor-role/m-p/43846#M373 <P>We are trying to leverage Azure PIM. &nbsp;This works great for most things, however; we've run into a snag. &nbsp;We want to limit the contributor role to a group and only at the resource group level, not subscription. &nbsp;We wish to elevate via PIM. &nbsp;This will then allow the user access within DataBricks.</P><P>&nbsp;</P><P>#1 issue - We have to enable PIM at the group level as it doesn't show up for group members within PIM and can't assign a contributor level group within the PIM application in Azure. &nbsp;So an admin has to enable PIM for the user to activate at the group level. &nbsp;We've also tried to do this scenario leveraging the Managed Application Contributor role as well.</P><P>&nbsp;</P><P>#2 - Delay - We are using the SCIM connector for User Provisioning leveraging Azure AD Groups. &nbsp;This connects to the unity catalog and are able to assign the groups within the Workspace. &nbsp;The issue - after you elevate the users permission in the contributor group at the resource level, you have to wait for 40 minutes for user provisioning to run or stop/start it. &nbsp;Until then, the user remains in an 'inactive' state within DataBricks.</P><P>&nbsp;</P><P>We feel we are missing a more fluid way to grant these rights and leverage PIM. &nbsp;Suggestions?</P><P>&nbsp;</P><P>Thanks in advance.</P> Wed, 06 Sep 2023 16:03:28 GMT https://community.databricks.com/t5/administration-architecture/leverage-azure-pim-with-databricks-with-contributor-role/m-p/43846#M373 SmileyVille 2023-09-06T16:03:28Z https://community.databricks.com/t5/administration-architecture/leverage-azure-pim-with-databricks-with-contributor-role/m-p/44040#M377 <P>Thanks - think we were originally overthinking this.</P><P><SPAN>We determined we were doing this correctly, the user just needed to switch to 'groups' within PIM to request elevation of permissions. &nbsp;The larger issue is actually the 40 min user provisioning cycle as DataBricks does not pick up the change until this runs. &nbsp;This may be an option long-term, but the User Provisioning delay is making this a no go for our team.</SPAN></P><P>&nbsp;</P><P>&nbsp;</P> Thu, 07 Sep 2023 18:38:39 GMT https://community.databricks.com/t5/administration-architecture/leverage-azure-pim-with-databricks-with-contributor-role/m-p/44040#M377 SmileyVille 2023-09-07T18:38:39Z https://community.databricks.com/t5/administration-architecture/leverage-azure-pim-with-databricks-with-contributor-role/m-p/92244#M1938 <P>Did you find a solution to 20-40min delay?</P> Mon, 30 Sep 2024 03:35:02 GMT https://community.databricks.com/t5/administration-architecture/leverage-azure-pim-with-databricks-with-contributor-role/m-p/92244#M1938 sharadapakala 2024-09-30T03:35:02Z https://community.databricks.com/t5/administration-architecture/leverage-azure-pim-with-databricks-with-contributor-role/m-p/113841#M3189 <P>Never did, so we scrapped PIM with Databricks for now.</P> Thu, 27 Mar 2025 20:27:38 GMT https://community.databricks.com/t5/administration-architecture/leverage-azure-pim-with-databricks-with-contributor-role/m-p/113841#M3189 SmileyVille 2025-03-27T20:27:38Z