<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: When setting up unity catalog a storage account was created with security risk in Administration &amp; Architecture</title>
    <link>https://community.databricks.com/t5/administration-architecture/when-setting-up-unity-catalog-a-storage-account-was-created-with/m-p/132983#M4094</link>
    <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.databricks.com/t5/user/viewprofilepage/user-id/186415"&gt;@howardgagan&lt;/a&gt;&amp;nbsp;,&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Each Azure Databricks workspace has an associated Azure storage account in a managed resource group known as the&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;&lt;EM&gt;workspace storage account&lt;/EM&gt;&lt;/STRONG&gt;&lt;SPAN&gt;.&lt;BR /&gt;This storage account includes workspace system data (job output, system settings, and logs), DBFS root, etc.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;The good news is that you don't need to, and even shouldn't, store your data on that managed storage account. The recommendation is to use Unity Catalog with your own storage account (and here you have full control over how to configure it).&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;You can try to improve your security risk score by enabling firewall support for this workspace storage account. You can read how to do this at the link below:&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;&lt;A href="https://learn.microsoft.com/en-us/azure/databricks/security/network/storage/firewall-support" target="_blank"&gt;Enable firewall support for your workspace storage account - Azure Databricks | Microsoft Learn&lt;/A&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;In the case of preventing shared access key support, here you need to ignore this risk assessment, because you can't change any setting within the managed resource group.&lt;/SPAN&gt;&lt;/P&gt;</description>
    <pubDate>Wed, 24 Sep 2025 20:21:35 GMT</pubDate>
    <dc:creator>szymon_dybczak</dc:creator>
    <dc:date>2025-09-24T20:21:35Z</dc:date>
    <item>
      <title>When setting up unity catalog a storage account was created with security risk</title>
      <link>https://community.databricks.com/t5/administration-architecture/when-setting-up-unity-catalog-a-storage-account-was-created-with/m-p/132945#M4090</link>
      <description>&lt;P&gt;When I set up Databricks Unity Catalog, I think it automatically set up a storage account. I'm getting recommendations from Azure that this storage account has high risk associated with it.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="howardgagan_0-1758720263881.png" style="width: 400px;"&gt;&lt;img src="https://community.databricks.com/t5/image/serverpage/image-id/20209i99E7B288B623A589/image-size/medium?v=v2&amp;amp;px=400" role="button" title="howardgagan_0-1758720263881.png" alt="howardgagan_0-1758720263881.png" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;The problem is this resource has a deny assignment on it preventing me from making any changes. Is this something that is added at creation from Databricks? If so, should the high risk level recommendation be ignored?&lt;/P&gt;&lt;P&gt;Has anyone dealt with this situation? What are the best steps to take here?&lt;/P&gt;</description>
      <pubDate>Wed, 24 Sep 2025 13:40:58 GMT</pubDate>
      <guid>https://community.databricks.com/t5/administration-architecture/when-setting-up-unity-catalog-a-storage-account-was-created-with/m-p/132945#M4090</guid>
      <dc:creator>howardgagan</dc:creator>
      <dc:date>2025-09-24T13:40:58Z</dc:date>
    </item>
    <item>
      <title>Re: When setting up unity catalog a storage account was created with security risk</title>
      <link>https://community.databricks.com/t5/administration-architecture/when-setting-up-unity-catalog-a-storage-account-was-created-with/m-p/132958#M4093</link>
      <description>&lt;P&gt;It is a recommendation. Azure advises not to use SAS keys to connect to the storage. The recommendation is to use Managed Identity or SPN to access the storage and SPN keys to be used in keyvault. But with UC the connection is made using Azure Databricks storage connector which is similar to managed identity.&lt;/P&gt;</description>
      <pubDate>Wed, 24 Sep 2025 16:21:50 GMT</pubDate>
      <guid>https://community.databricks.com/t5/administration-architecture/when-setting-up-unity-catalog-a-storage-account-was-created-with/m-p/132958#M4093</guid>
      <dc:creator>nayan_wylde</dc:creator>
      <dc:date>2025-09-24T16:21:50Z</dc:date>
    </item>
    <item>
      <title>Re: When setting up unity catalog a storage account was created with security risk</title>
      <link>https://community.databricks.com/t5/administration-architecture/when-setting-up-unity-catalog-a-storage-account-was-created-with/m-p/132983#M4094</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.databricks.com/t5/user/viewprofilepage/user-id/186415"&gt;@howardgagan&lt;/a&gt;&amp;nbsp;,&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Each Azure Databricks workspace has an associated Azure storage account in a managed resource group known as the&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;&lt;EM&gt;workspace storage account&lt;/EM&gt;&lt;/STRONG&gt;&lt;SPAN&gt;.&lt;BR /&gt;This storage account includes workspace system data (job output, system settings, and logs), DBFS root, etc.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;The good news is that you don't need to, and even shouldn't, store your data on that managed storage account. The recommendation is to use Unity Catalog with your own storage account (and here you have full control over how to configure it).&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;You can try to improve your security risk score by enabling firewall support for this workspace storage account. You can read how to do this at the link below:&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;&lt;A href="https://learn.microsoft.com/en-us/azure/databricks/security/network/storage/firewall-support" target="_blank"&gt;Enable firewall support for your workspace storage account - Azure Databricks | Microsoft Learn&lt;/A&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;In the case of preventing shared access key support, here you need to ignore this risk assessment, because you can't change any setting within the managed resource group.&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 24 Sep 2025 20:21:35 GMT</pubDate>
      <guid>https://community.databricks.com/t5/administration-architecture/when-setting-up-unity-catalog-a-storage-account-was-created-with/m-p/132983#M4094</guid>
      <dc:creator>szymon_dybczak</dc:creator>
      <dc:date>2025-09-24T20:21:35Z</dc:date>
    </item>
  </channel>
</rss>

