topic Re: Issue with updating email with SCIM Provisioning in Administration & Architecture

Issue with updating email with SCIM Provisioning

ma10 — Fri, 30 Aug 2024 10:14:56 GMT

Hi all,

For our set-up we have configured SCIM provisioning using Entra ID, group assignment on Azure is dealt with by IdentityIQ Sailpoint, and have enabled SSO for Databricks. It has/is working fine apart from one scenario. The original email assigned to an account on Entra ID has been updated from user.A@company.org to user.B@company.org, due to a name change.

The email update has been reflected everywhere (Azure, IIQ) so is referring to user.b@. However, Databricks is still trying to match to the original email user.a@. We have revoked access completely to everything and still face the same issue?

Has anyone dealt with this before, or have any ideas of how to deal with the issue?

Re: Issue with updating email with SCIM Provisioning

Ismael-K — Wed, 29 Jan 2025 17:28:20 GMT

Currently, the email address is an immutable attribute in the Databricks application. To request a change to this behavior, you can submit a feature enhancement. In the interim, you can also submit a support case for a potential workaround.

Re: Issue with updating email with SCIM Provisioning

VasylS — Mon, 04 Aug 2025 14:10:16 GMT

Hi Ismael-K

Is there any workarounds for this scenario?
I have exact same problem when the user changed his e-mail in Azure EntraID from UserA@BranchA.company.com to UserA@BranchB.company.com
I've deleted the user with the old email from the accounts console in accounts.azuredatabricks.net but now, when in the accounts console I searching user with a new email UserA@BranchB.company.com I cannot find it, although it remains in Azure EntraID

Re: Issue with updating email with SCIM Provisioning

VasylS — Thu, 07 Aug 2025 13:45:08 GMT

For anyone who will face this issue in the future:

In order to fix this issue (user changed his email), you need:
1) Because email is an immutable attribute - check in Databricks account console, affected user's account, and if it has an old email - delete the user with the old email.
2) Determine the correct Enterprise application SCIM Connector (if you have multiple).
3) Stop and restart synchronization of the SCIM Connector
Check synchronization logs and that user appeared back in Databricks account console.

No need to make any changes with user account in Azure EntraID.

Re: Issue with updating email with SCIM Provisioning

dbx_user — Thu, 30 Oct 2025 23:43:58 GMT

I believe we have tried this move before, and the result was that the user was ignored from future SCIM provisioning runs. We had to manually use the API to add the user back in and are now hooked into manually updating this users user groups through the API.

Has this functionality changed?
The docs still say that this is the expected functionality. Dot point 3 under provisioning tips here: Configure SCIM provisioning using Microsoft Entra ID (Azure Active Directory) | Databricks on AWS

Re: Issue with updating email with SCIM Provisioning

Vasyl_S — Fri, 31 Oct 2025 13:41:02 GMT

@dbx_user wrote:
I believe we have tried this move before, and the result was that the user was ignored from future SCIM provisioning runs. We had to manually use the API to add the user back in and are now hooked into manually updating this users user groups through the API.

Has this functionality changed?
The docs still say that this is the expected functionality. Dot point 3 under provisioning tips here: Configure SCIM provisioning using Microsoft Entra ID (Azure Active Directory) | Databricks on AWS

@dbx_user "The removed user will not be synced again using Microsoft Entra ID provisioning, even if they remain in the enterprise application."

Well, after stopping and resuming sync in the Enterprise application, the deleted user was synced again.

Re: Issue with updating email with SCIM Provisioning

nayan_wylde — Fri, 31 Oct 2025 17:09:09 GMT

The other option is to raise a ticket with Databricks Accounts team. Our Databricks team worked on the backend and the new email was synced.

Re: Issue with updating email with SCIM Provisioning

dbx_user2 — Thu, 06 Nov 2025 23:15:26 GMT

Ok right, thankyou for that, this was recently? I think it was about a year ago when we first saw this.

Did you have to delete the user with the API or could you still delete from console? Our SCIM set up has the user as 'SCIM managed' so we can only make alterations to the user with SCIM api.

Re: Issue with updating email with SCIM Provisioning

Vasyl_S — Fri, 07 Nov 2025 10:54:17 GMT

I've deleted the user from the Databricks account console. We had multiple occurrences of this one (user changed e-mail) 2 months ago and 1 week ago.