Unity Catalog Setup: Why must the first Azure Databricks account admin be an Azure Active Directory Global Administrator at the time that they first log in to the Azure Databricks account console?

Matt101122
Contributor

We are attempting to set up Unity Catalog and our security team is requesting justification on why this level of access is required. Why must the first Azure Databricks account admin be an Azure Active Directory Global Administrator at the time that they first log in to the Azure Databricks account console?

1 ACCEPTED SOLUTION

Accepted Solutions

LandanG
Honored Contributor

Hi @Matthew Dalesio

From our eng. team:

"The high privilege is only used to make sure only highly privileged users get access to the Databricks account admin role, as this is a highly-privileged role and they can make anyone else an account admin. This is only checked at the time of bootstrapping the first login, and we only check whether the user is a global admin in their tenant. Databricks itself is not getting any access to the organization's Azure resources. Because this is such a highly-privileged role, we only granted Azure global admins the default Databricks account-admin role."

We don't do anything other than call the Graph API to check the global admin's token claim and verify if he/she is indeed the global administrator on Azure, and flip the switch for them to become account admins on Databricks - it is a super user role and it is required to ensure that there are no privilege escalations.

Hope that answers the question. Basically just a matter of security.

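The check LandanG's reply describes (look at the signed-in user's token, confirm the user holds the Global Administrator directory role in the tenant, and only then turn on the Databricks account-admin role) can be modelled as a short gate. The code below is an added example written for this thread; it is not Databricks' implementation, and the Graph API call the reply mentions is not reproduced. Assumptions: the directory role is read from the token's `wids` claim as the Global Administrator role template ID `62e90394-69f5-4237-9190-012177145e10`; the tenant ID, user names and signing secret are constructed; the token is HS256-signed with that constructed secret so the example runs offline, whereas real Entra ID tokens are RS256 and must be validated against the tenant's published JWKS before any claim is trusted.

```python
"""Bootstrap gate: grant the first account-admin role only to a verified Global Administrator.

Added example for this thread, not Databricks code. Tokens are constructed and HS256-signed
with a constructed secret so the whole thing runs offline; production code validates RS256
signatures against the tenant's JWKS and checks `iss`/`aud` as well.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Entra ID directory role template ID for Global Administrator, carried in the `wids` claim.
GLOBAL_ADMIN_ROLE_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"
# Constructed values for the demo (not a real tenant or secret).
EXPECTED_TENANT = "11111111-2222-3333-4444-555555555555"
DEMO_SECRET = b"constructed-demo-secret-do-not-reuse"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_token(claims: dict) -> str:
    """Build a compact JWT signed with HS256 over the constructed secret (demo only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_and_decode(token: str) -> dict:
    """Check the signature first, then decode the claims. Never trust claims of an unverified token."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    expected = hmac.new(DEMO_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))


def may_bootstrap_account_admin(token: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Decide whether the presenting user may become the first account admin.

    Returns (granted, reason). Every rejection names the failed check so the decision
    can be logged for the security team.
    """
    now = time.time() if now is None else now
    try:
        claims = verify_and_decode(token)
    except ValueError as exc:
        return False, f"rejected: {exc}"
    if claims.get("tid") != EXPECTED_TENANT:
        return False, "rejected: token is for a different tenant"
    if claims.get("exp", 0) <= now:
        return False, "rejected: token expired"
    if GLOBAL_ADMIN_ROLE_TEMPLATE_ID not in claims.get("wids", []):
        return False, "rejected: caller is not a Global Administrator"
    return True, f"granted: {claims.get('preferred_username', '<unknown>')} becomes account admin"


if __name__ == "__main__":
    now = time.time()
    base = {"tid": EXPECTED_TENANT, "exp": now + 3600}
    global_admin = make_demo_token({**base, "wids": [GLOBAL_ADMIN_ROLE_TEMPLATE_ID],
                                    "preferred_username": "ga@contoso.example"})
    plain_user = make_demo_token({**base, "wids": [], "preferred_username": "user@contoso.example"})
    for label, tok in (("global admin", global_admin), ("plain user", plain_user)):
        print(label, "->", may_bootstrap_account_admin(tok))
```

The order of checks matters: the signature is verified before any claim is read, the tenant is pinned so a Global Administrator of some other tenant cannot bootstrap this account, and the role check runs last. The gate only ever produces a yes/no plus a reason; nothing in it reads or touches Azure resources, which matches the reply's point that Databricks gains no access to the organization's Azure estate from this check.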

2 REPLIES

prasadvaze
Valued Contributor

So after "making anyone else an account admin" by the first super admin (aka Azure global AAD admin), can we remove him from the Databricks account or downgrade his Databricks account admin role? Our Azure AAD admin doesn't use or need to manage our Databricks setup.
