Azure Databricks SCIM provisioning configured, working...but what happens when user is deleted?

m997al
Contributor III

Hi - I have Azure Databricks with Unity Catalog, and the SCIM Connector provisioning up and working.

Due to a misunderstanding on my part, I deleted some individual users (using the Databricks admin console) thinking that I was deleting individual accounts in Databricks (a legacy setup for us).

Instead, I saw that not only did I delete the user account, but I deleted the user from the Group in Databricks that they were properly in as well.

This group (let's call it "dbusers") was/is propagated via the SCIM connector from Azure AD to Azure Databricks.

So now I am in a situation where the Azure AD group is 100% correct (users still there), while the Azure Databricks group (which should be basically a copy of the AD group) is missing the members that I deleted inside Databricks.

Unfortunately, deleting and then re-adding the users in the AD group is not re-propagating them to Databricks.  I have confirmed that completely new users can still be properly pushed to the Databricks group from the AD group via the SCIM connection.

This seems like some sort of weird sync issue between the Databricks group (which has a source of the AD group) and the AD group.

Any ideas here?  Thus far I am not able to add back the users I mistakenly deleted not just from the individual users but from the Databricks group as well.  Thanks.

2 REPLIES

m997al
Contributor III

Hi - having no luck at all here.  We have tried triggering full provisionings for the Databricks SCIM connector in Azure to propagate this group again to Databricks, but the group will not update with the users that were deleted inside Databricks.  We tried deleting the user in the AD group and adding them back, and then provisioning... no luck.

This is becoming a tricky problem.  We don't want to have to delete the AD group and recreate it anew, but something is going on with the SCIM provisioning that won't let us re-sync users NOT deleted in the AD group, but mistakenly deleted inside of Databricks.

m997al
Contributor III

This was resolved...but why it was resolved remains a mystery.  We simply re-provisioned by turning off and then on the SCIM provisioning in the Azure portal for the Databricks SCIM connector (which is supposed to cause a full re-provisioning, but didn't seem to do that last week).

There are some good pieces of information here: Configure SCIM provisioning using Microsoft Entra ID (Azure Active Directory) - Azure Databricks | M...

...in particular, it appears from the tips in that link that you can manually add back users inside of Databricks that were mistakenly deleted inside Databricks, and the synching from the SCIM connector should still work fine.

Finally, there is a check-box in the provisioning section in Azure portal for the Databricks SCIM connector, which says "prevent accidental deletion".  We didn't check that box, but wondered what it does.
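
A drift check for the situation in this thread, as an added example that is not part of any post: it compares the IdP group's member list with the SCIM-side users and group, and separates accounts deleted on the target side from accounts that only lost their group membership. The sample payloads are constructed and follow the SCIM 2.0 core schema (RFC 7643); `group_drift` is a hypothetical helper name.

```python
"""Drift check between an IdP group and its SCIM-provisioned copy (added example)."""

# Constructed sample data, shaped like SCIM 2.0 (RFC 7643) resources:
# the IdP group's member list, a Users ListResponse, and one Group resource.
IDP_GROUP_MEMBERS = ["alice@example.com", "bob@example.com",
                     "carol@example.com", "dave@example.com"]

DBX_USERS = {"Resources": [
    {"id": "101", "userName": "alice@example.com", "active": True},
    {"id": "103", "userName": "carol@example.com", "active": True},
    {"id": "104", "userName": "Dave@Example.com", "active": False},
    {"id": "105", "userName": "erin@example.com", "active": True},
]}

DBX_GROUP = {"displayName": "dbusers",
             "members": [{"value": "101"}, {"value": "104"}, {"value": "105"}]}


def group_drift(idp_members, scim_users, scim_group):
    """Classify each difference between the IdP group and the SCIM-side group."""
    by_name = {u["userName"].lower(): u for u in scim_users.get("Resources", [])}
    by_id = {u["id"]: u for u in by_name.values()}
    member_ids = {m["value"] for m in scim_group.get("members", [])}
    expected = {name.lower() for name in idp_members}

    drift = {"user_missing": [], "not_in_group": [], "inactive": [], "extra_member": []}
    for name in sorted(expected):
        user = by_name.get(name)
        if user is None:
            drift["user_missing"].append(name)   # account deleted on the target side
        elif user["id"] not in member_ids:
            drift["not_in_group"].append(name)   # account exists, membership lost
        elif not user.get("active", True):
            drift["inactive"].append(name)       # member, but the account is disabled
    for uid in sorted(member_ids):
        user = by_id.get(uid)
        # Ids that are not users (nested groups, service principals) land here too.
        name = user["userName"].lower() if user else f"<unknown id {uid}>"
        if name not in expected:
            drift["extra_member"].append(name)   # member the IdP group does not have
    return drift


if __name__ == "__main__":
    for kind, names in group_drift(IDP_GROUP_MEMBERS, DBX_USERS, DBX_GROUP).items():
        print(f"{kind}: {names}")
```

Run on a schedule against real exports, a non-empty `user_missing` or `not_in_group` list flags the state described in the first post before anyone notices lost access.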
