<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Automatic Identity Management with Nested Groups and API Access in Administration &amp; Architecture</title>
    <link>https://community.databricks.com/t5/administration-architecture/automatic-identity-management-with-nested-groups-and-api-access/m-p/152593#M5092</link>
    <description>&lt;P&gt;Hi Emma,&lt;/P&gt;&lt;P&gt;Thanks for the quick response and great to hear that this topic is being discussed. The code snippet provides an interesting insight but does not quite cover what we are trying to do. Even though I included Terraform in the original post, our main focus is with API management. Ideally, subgroups of a provisioned parent group are automatically usable in e.g. bundles (within the 'grants' block) and show up when listing groups and querying the members of the provisioned parent group (currently an empty list is returned); preferably without the need of the external id altogether. If this is currently impossible, that is fine, of course. Then we will just provision them directly and keep an eye out for any future changes.&lt;/P&gt;&lt;P&gt;Best,&lt;/P&gt;&lt;P&gt;Rik&lt;/P&gt;</description>
    <pubDate>Mon, 30 Mar 2026 20:27:48 GMT</pubDate>
    <dc:creator>RikL</dc:creator>
    <dc:date>2026-03-30T20:27:48Z</dc:date>
    <item>
      <title>Automatic Identity Management with Nested Groups and API Access</title>
      <link>https://community.databricks.com/t5/administration-architecture/automatic-identity-management-with-nested-groups-and-api-access/m-p/152524#M5087</link>
      <description>&lt;P&gt;Hi all,&lt;/P&gt;&lt;P&gt;I’m exploring Automatic Identity Management for synchronizing nested groups in Azure Databricks. According to the documentation, this feature supports nested groups: &lt;A href="https://learn.microsoft.com/en-us/azure/databricks/admin/users-groups/automatic-identity-management" target="_self"&gt;Automatic Identity Management&lt;/A&gt;&lt;/P&gt;&lt;P&gt;However, the same article notes that groups synced this way cannot be managed via the API or Terraform:&amp;nbsp;&lt;A href="https://learn.microsoft.com/en-us/azure/databricks/admin/users-groups/automatic-identity-management#nested-groups-and-service-principals-through-the-api-and-terraform" target="_self"&gt;Nested Groups and Service Principals through API/Terraform&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I’m wondering: &lt;STRONG&gt;Is there any plan to allow API/terraform management for these automatically synced nested groups in the future?&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;My goal is to automatically sync child groups from a provisioned parent group &lt;STRONG&gt;and&lt;/STRONG&gt; manage them immediately via the API, so that the provisioning step isn’t required every time a new child group is created.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If there are any workarounds or best practices to automate this workflow, I’d love to hear them as well!&lt;/P&gt;&lt;P&gt;Thanks in advance,&lt;/P&gt;&lt;P&gt;Rik&lt;/P&gt;</description>
      <pubDate>Mon, 30 Mar 2026 12:59:48 GMT</pubDate>
      <guid>https://community.databricks.com/t5/administration-architecture/automatic-identity-management-with-nested-groups-and-api-access/m-p/152524#M5087</guid>
      <dc:creator>RikL</dc:creator>
      <dc:date>2026-03-30T12:59:48Z</dc:date>
    </item>
    <item>
      <title>Re: Automatic Identity Management with Nested Groups and API Access</title>
      <link>https://community.databricks.com/t5/administration-architecture/automatic-identity-management-with-nested-groups-and-api-access/m-p/152538#M5088</link>
      <description>&lt;P&gt;Hi, I've just had a look internally and there is some discussion about making this functionality available but I can't give you a definitive idea of when this might be.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;In terms of workarounds the best one I can find is to use Terracurl to make raw API calls to the IAM v2 APIs. Code snippet below:&lt;/P&gt;
&lt;LI-CODE lang="python"&gt;data "http" "resolve_group" {
  url    = "https://accounts.azuredatabricks.net/api/2.0/identity/accounts/${var.databricks_account_id}/groups/resolveByExternalId"
  method = "POST"

  request_headers = {
    Authorization = "Bearer ${var.databricks_token}"
    Content-Type  = "application/json"
  }

  request_body = jsonencode({
    external_id = var.group_external_id
    # include other fields if your IdP / endpoint requires them
  })
}

locals {
  resolved_group = jsondecode(data.http.resolve_group.response_body)
  # adjust to actual response schema:
  resolved_group_id = try(local.resolved_group.group.id, null)
}&lt;/LI-CODE&gt;
&lt;P&gt;You would need to get the individual Entra IDs of the subgroups, though, but I'd imagine you could use an Entra ID TF provider to do this and then pass these into the code above.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I hope this helps.&lt;/P&gt;
&lt;P&gt;&lt;BR /&gt;Thanks,&lt;BR /&gt;&lt;BR /&gt;Emma&lt;/P&gt;</description>
      <pubDate>Mon, 30 Mar 2026 16:39:46 GMT</pubDate>
      <guid>https://community.databricks.com/t5/administration-architecture/automatic-identity-management-with-nested-groups-and-api-access/m-p/152538#M5088</guid>
      <dc:creator>emma_s</dc:creator>
      <dc:date>2026-03-30T16:39:46Z</dc:date>
    </item>
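One way to wire the two halves of Emma's workaround together, as an added example that is not code from the thread, from Databricks or from Terracurl: walk the Entra ID tree under the provisioned parent with Microsoft Graph, then resolve each child with the account-level resolveByExternalId call, and keep a separate list of children that come back 404 so they can be provisioned directly. The Graph member-cast endpoint, the Databricks request body, the meaning of a 404 ("not synced yet") and the response field names (internal_id, falling back to id) are assumptions stated in the code; the thread itself notes that the response schema has to be checked. HTTP transport is injected so the module runs offline against constructed fixtures; bearer_transport is the hypothetical helper for real calls.

```python
"""Resolve the Entra ID child groups of a provisioned parent to Databricks
account group ids, one raw API call at a time. Added example; assumptions:
  * Microsoft Graph  GET /groups/{id}/members/microsoft.graph.group  returns the
    group-typed direct members (deeper nesting is walked by recursion, with a
    visited set so a malformed cycle cannot loop forever);
  * POST /api/2.0/identity/accounts/{account}/groups/resolveByExternalId takes
    {"external_id": ...} and answers {"group": {...}} with the account-level id
    under "internal_id" (falls back to "id"); 404 means "not synced yet".
Transport callables take (method, url, json_body) and return (status, body).
"""
GRAPH = "https://graph.microsoft.com/v1.0"
ACCOUNTS = "https://accounts.azuredatabricks.net"
MEMBER_GROUPS = GRAPH + "/groups/%s/members/microsoft.graph.group?$select=id,displayName"


def child_groups(parent_id, graph, _seen=None):
    """Return [(object_id, display_name)] for every group nested under parent_id,
    following @odata.nextLink paging and recursing into grandchildren."""
    seen = _seen if _seen is not None else set()
    seen.add(parent_id)
    out = []
    url = MEMBER_GROUPS % parent_id
    while url:
        status, body = graph("GET", url, None)
        if status != 200:
            raise RuntimeError("Graph %s returned %d" % (url, status))
        for g in body.get("value", []):
            gid = g["id"]
            if gid in seen:
                continue  # already walked (or a cycle): skip rather than loop
            seen.add(gid)
            out.append((gid, g.get("displayName", "")))
            out.extend(child_groups(gid, graph, seen))
        url = body.get("@odata.nextLink")  # None once the last page is reached
    return out


def resolve_group(account_id, external_id, dbx):
    """Map one Entra object id to its Databricks account group.
    Returns a small record, or None when the endpoint answers 404 (not synced)."""
    url = ACCOUNTS + "/api/2.0/identity/accounts/%s/groups/resolveByExternalId" % account_id
    status, body = dbx("POST", url, {"external_id": external_id})
    if status == 404:
        return None
    if status != 200:
        raise RuntimeError("resolveByExternalId returned %d: %r" % (status, body))
    group = body.get("group", body)  # schema assumption: {"group": {...}}
    group_id = group.get("internal_id") or group.get("id")
    if group_id is None:
        raise RuntimeError("unexpected response schema: %r" % body)
    return {"id": str(group_id), "display_name": group.get("display_name", ""),
            "external_id": external_id}


def resolve_children(account_id, parent_id, graph, dbx):
    """Walk the Entra tree under parent_id and resolve each child in Databricks.
    Returns (resolved, unresolved): resolved maps Entra object id to the Databricks
    record; unresolved lists children Entra knows but Databricks has not synced,
    so the caller can provision those directly instead of waiting for the sync."""
    resolved, unresolved = {}, []
    for gid, name in child_groups(parent_id, graph):
        rec = resolve_group(account_id, gid, dbx)
        if rec is None:
            unresolved.append((gid, name))
        else:
            resolved[gid] = rec
    return resolved, unresolved


def bearer_transport(token):
    """Hypothetical real transport built on `requests`; build one per API with
    that API's own token (a Graph token is not a Databricks account token)."""
    import requests
    session = requests.Session()

    def call(method, url, json_body):
        r = session.request(method, url, json=json_body, timeout=30,
                            headers={"Authorization": "Bearer " + token})
        try:
            return r.status_code, r.json()
        except ValueError:
            return r.status_code, {}
    return call


# ---- constructed fixtures (not real ids) so the module runs offline ----
FAKE_PARENT = "11111111-1111-1111-1111-111111111111"
FAKE_A = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"  # synced, has a nested child
FAKE_B = "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"  # synced, arrives on page two
FAKE_C = "cccccccc-cccc-cccc-cccc-cccccccccccc"  # nested under A, not synced yet


def fake_graph(method, url, body):
    pages = {
        MEMBER_GROUPS % FAKE_PARENT: {"value": [{"id": FAKE_A, "displayName": "data-eng"}],
                                      "@odata.nextLink": "next-page"},
        "next-page": {"value": [{"id": FAKE_B, "displayName": "data-sci"}]},
        MEMBER_GROUPS % FAKE_A: {"value": [{"id": FAKE_C, "displayName": "data-eng-oncall"},
                                           {"id": FAKE_PARENT, "displayName": "cycle"}]},
        MEMBER_GROUPS % FAKE_B: {"value": []},
        MEMBER_GROUPS % FAKE_C: {"value": []},
    }
    return (200, pages[url]) if url in pages else (404, {})


def fake_dbx(method, url, body):
    synced = {FAKE_A: 101, FAKE_B: 102}  # FAKE_C deliberately absent
    ext = body["external_id"]
    if ext not in synced:
        return 404, {"error_code": "NOT_FOUND"}
    return 200, {"group": {"internal_id": synced[ext], "external_id": ext,
                           "display_name": "synced-" + ext[:8]}}


if __name__ == "__main__":
    ok, missing = resolve_children("account-id", FAKE_PARENT, fake_graph, fake_dbx)
    print("resolved:", ok)
    print("provision directly:", missing)
```

The unresolved list is the part worth acting on: it is exactly the set of sub-groups for which the automatic sync has not yet produced an account group, so a pipeline can create those through the normal groups API instead of silently skipping them.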
    <item>
      <title>Re: Automatic Identity Management with Nested Groups and API Access</title>
      <link>https://community.databricks.com/t5/administration-architecture/automatic-identity-management-with-nested-groups-and-api-access/m-p/152593#M5092</link>
      <description>&lt;P&gt;Hi Emma,&lt;/P&gt;&lt;P&gt;Thanks for the quick response and great to hear that this topic is being discussed. The code snippet provides an interesting insight but does not quite cover what we are trying to do. Even though I included Terraform in the original post, our main focus is with API management. Ideally, subgroups of a provisioned parent group are automatically usable in e.g. bundles (within the 'grants' block) and show up when listing groups and querying the members of the provisioned parent group (currently an empty list is returned); preferably without the need of the external id altogether. If this is currently impossible, that is fine, of course. Then we will just provision them directly and keep an eye out for any future changes.&lt;/P&gt;&lt;P&gt;Best,&lt;/P&gt;&lt;P&gt;Rik&lt;/P&gt;</description>
      <pubDate>Mon, 30 Mar 2026 20:27:48 GMT</pubDate>
      <guid>https://community.databricks.com/t5/administration-architecture/automatic-identity-management-with-nested-groups-and-api-access/m-p/152593#M5092</guid>
      <dc:creator>RikL</dc:creator>
      <dc:date>2026-03-30T20:27:48Z</dc:date>
    </item>
  </channel>
</rss>

