<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: How to make an Entra group available for GRANT commands inside a workspace? in Administration &amp; Architecture</title>
    <link>https://community.databricks.com/t5/administration-architecture/how-to-make-an-entra-group-available-for-grant-commands-inside-a/m-p/154997#M5166</link>
    <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.databricks.com/t5/user/viewprofilepage/user-id/153687"&gt;@mzs&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;To make sure we suggest the right option, can you share a bit more about your setup?&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Cloud &amp;amp; workspace type: Are you on Azure Databricks, and is the workspace identity-federated (Unity Catalog enabled)?&lt;/LI&gt;
&lt;LI&gt;Identity sync: Are you using Automatic Identity Management (AIM) with Entra, SCIM, or both?&lt;/LI&gt;
&lt;LI&gt;How are you managing groups today? Terraform, REST API, or just SQL GRANT from notebooks?&lt;/LI&gt;
&lt;LI&gt;What principal is running the automation? (service principal vs. user; workspace-admin vs. limited role)&lt;/LI&gt;
&lt;/UL&gt;</description>
    <pubDate>Mon, 20 Apr 2026 21:27:07 GMT</pubDate>
    <dc:creator>Ashwin_DSA</dc:creator>
    <dc:date>2026-04-20T21:27:07Z</dc:date>
    <item>
      <title>How to make an Entra group available for GRANT commands inside a workspace?</title>
      <link>https://community.databricks.com/t5/administration-architecture/how-to-make-an-entra-group-available-for-grant-commands-inside-a/m-p/154995#M5165</link>
      <description>&lt;P&gt;We're using Azure Databricks and automatic identity management. Users and groups sync over automatically.&lt;/P&gt;&lt;P&gt;If I want to grant permissions to an Entra group to a schema, I can't just run something like this in a workspace notebook:&lt;/P&gt;&lt;P&gt;GRANT USE SCHEMA ON SCHEMA xxx.yyy TO `Example Entra Group`;&lt;/P&gt;&lt;P&gt;It can't find the group. If I go to workspace settings -&amp;gt; security -&amp;gt; groups -&amp;gt; add group, and start typing the name of the group, it populates in a dropdown. If I click on the group it found, the browser makes a GraphQL call to "GetOrCreateIdpGroup". Once that's happened, I can cancel out of the "add group" dialog, and my GRANT query above starts working.&lt;/P&gt;&lt;P&gt;How can I do this programmatically using the API? Ideally at the workspace level.&lt;/P&gt;&lt;P&gt;I'd like to automate the assignment of groups to schemas using a job and service principal. I don't particularly care if the groups are in Entra or Databricks, but I'm trying to avoid using Databricks account-level APIs as they don't have fine-grained permissions: whatever process or job is creating a group in the Databricks account would need full admin privileges at the account level. I figured I could create the groups in Entra instead, because apps in Entra can be given access just to create groups. The group seems like it syncs over, but I can't use it in a GRANT command in a workspace until I go through the "add group" workspace UI above.&lt;/P&gt;</description>
      <pubDate>Mon, 20 Apr 2026 20:51:44 GMT</pubDate>
      <guid>https://community.databricks.com/t5/administration-architecture/how-to-make-an-entra-group-available-for-grant-commands-inside-a/m-p/154995#M5165</guid>
      <dc:creator>mzs</dc:creator>
      <dc:date>2026-04-20T20:51:44Z</dc:date>
    </item>
    <item>
      <title>Re: How to make an Entra group available for GRANT commands inside a workspace?</title>
      <link>https://community.databricks.com/t5/administration-architecture/how-to-make-an-entra-group-available-for-grant-commands-inside-a/m-p/154997#M5166</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.databricks.com/t5/user/viewprofilepage/user-id/153687"&gt;@mzs&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;To make sure we suggest the right option, can you share a bit more about your setup?&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Cloud &amp;amp; workspace type: Are you on Azure Databricks, and is the workspace identity-federated (Unity Catalog enabled)?&lt;/LI&gt;
&lt;LI&gt;Identity sync: Are you using Automatic Identity Management (AIM) with Entra, SCIM, or both?&lt;/LI&gt;
&lt;LI&gt;How are you managing groups today? Terraform, REST API, or just SQL GRANT from notebooks?&lt;/LI&gt;
&lt;LI&gt;What principal is running the automation? (service principal vs. user; workspace-admin vs. limited role)&lt;/LI&gt;
&lt;/UL&gt;</description>
      <pubDate>Mon, 20 Apr 2026 21:27:07 GMT</pubDate>
      <guid>https://community.databricks.com/t5/administration-architecture/how-to-make-an-entra-group-available-for-grant-commands-inside-a/m-p/154997#M5166</guid>
      <dc:creator>Ashwin_DSA</dc:creator>
      <dc:date>2026-04-20T21:27:07Z</dc:date>
    </item>
    <item>
      <title>Re: How to make an Entra group available for GRANT commands inside a workspace?</title>
      <link>https://community.databricks.com/t5/administration-architecture/how-to-make-an-entra-group-available-for-grant-commands-inside-a/m-p/154998#M5167</link>
      <description>&lt;P&gt;Hi Ashwin, yes, it's Azure Databricks, Unity Catalog is enabled, and automatic identity management is enabled. We are not using SCIM.&lt;/P&gt;&lt;P&gt;I'm looking for ways to automate group creation using a fairly limited-privilege service principal. Either using the REST API from outside Databricks, or maybe a job running as a service principal inside Databricks that I could then trigger from outside. If I do it inside Databricks, I figure I could use GRANT and/or the REST API with WorkspaceClient() and the default credentials available to the job.&lt;/P&gt;&lt;P&gt;This would be using a service principal, probably one that we'd create at either the account or workspace level in Databricks. I would give it the minimum privileges possible to do what it needs to do: create a schema and assign a group to the schema.&lt;/P&gt;&lt;P&gt;But I was testing GRANT manually in the SQL Editor as an Entra user with workspace admin privileges.&lt;/P&gt;</description>
      <pubDate>Mon, 20 Apr 2026 21:37:46 GMT</pubDate>
      <guid>https://community.databricks.com/t5/administration-architecture/how-to-make-an-entra-group-available-for-grant-commands-inside-a/m-p/154998#M5167</guid>
      <dc:creator>mzs</dc:creator>
      <dc:date>2026-04-20T21:37:46Z</dc:date>
    </item>
  </channel>
</rss>