
Disable local user creation when using SCIM Provisioning

ThePussCat
New Contributor III

We have implemented SCIM Provisioning using Azure AD (MS Entra) to Azure Databricks.

All is good.

Except, we would like to know if it is possible to disable the ability to create users within Azure Databricks, so that none can be "accidentally" created?

Many thanks


NandiniN
Databricks Employee

To disable the ability to create users directly within Azure Databricks to prevent accidental user creation, you can configure your identity provider (IdP) setup.

When SCIM is in use, Azure AD becomes the source of truth for identities. Any users or groups that need access to Azure Databricks must be provisioned through Azure AD.

https://learn.microsoft.com/en-us/azure/databricks/admin/users-groups/scim/

ThePussCat
New Contributor III

Thanks for the reply, but this is what we are already doing. However it does not actually "disallow" the creation of users within Databricks itself, which is what we really want to achieve.

Louis_Frolio
Databricks Employee

Greetings @ThePussCat, I would like to add to what my colleague posted above.

Yes, there are a couple of ways to prevent "accidental" user creation so identities only arrive via your SCIM provisioning flow.

Recommended controls

  • Disable auto user creation (JIT) on SSO. This stops Databricks from creating a user the first time someone signs in via SSO; only users you provision (e.g., via SCIM) can exist in the workspace.
  • Use account-level SCIM with identity federation, and turn off any workspace-level SCIM connectors you might still have. This centralizes identity creation at the account, reduces drift, and avoids duplicate paths for user creation.
  • In Microsoft Entra (Azure AD), set the enterprise app's Assignment required to Yes if you want only explicitly assigned users to be able to sign in. This prevents unassigned users from authenticating to Databricks (and therefore from being created), which complements disabling JIT in Databricks.
    Note: Entra group assignment doesn't cascade to nested groups, so only direct members of assigned groups can sign in.

Where to click

  • Databricks SSO setting: In each workspace, go to Admin settings > Authentication/SSO and disable the setting labeled "Auto user creation," "Add users on first login," or similar wording.
  • Account-level SCIM: Configure the Azure Databricks SCIM connector at the account, then shut down any workspace-level SCIM connectors you previously used, per the migration guidance.
  • Entra Assignment required: Entra admin center > Enterprise applications > Azure Databricks SCIM/SSO app > Properties > set Assignment required = Yes (be mindful of the nested-group behavior).

Optional: monitoring and verification

  • Audit unexpected sign-ins and user appearances using system tables (for example, system.access.audit) after you change the controls, so you can confirm that no new users are being created outside your SCIM flow.
Hope this added information helps, Louis.
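As an added example (not part of the thread, and not Databricks' own code), here is a Databricks SQL query pair over system.access.audit that surfaces account-level user creation events performed by anyone other than the SCIM connector. The action name 'add' under service 'accounts', the 'targetUserName' request parameter, and the SCIM principal identity are assumptions: the first query exists so you can confirm the real values in your own tenant before relying on the second.

```sql
-- Added example, not from the thread. Run in a Databricks SQL warehouse with
-- read access to the system.access.audit table (system tables must be enabled).

-- Step 1: discover which account-level actions and actors your audit log actually
-- emits, so the filters in Step 2 can be adjusted to your tenant's exact values.
SELECT service_name,
       action_name,
       user_identity.email AS actor,
       COUNT(*)            AS events
FROM system.access.audit
WHERE event_date >= current_date() - INTERVAL 30 DAYS
  AND service_name = 'accounts'
GROUP BY service_name, action_name, user_identity.email
ORDER BY events DESC;

-- Step 2: list user-creation events whose actor is NOT the SCIM connector.
-- 'add' under service 'accounts' is the ASSUMED "user added to account" action and
-- 'targetUserName' the ASSUMED request parameter; confirm both in Step 1 output.
-- Any actor other than the SCIM principal (console admin, JIT on first login,
-- a stray workspace-level connector) is flagged, which is the point of the check.
WITH user_adds AS (
  SELECT
    event_time,
    workspace_id,
    user_identity.email              AS actor,
    request_params['targetUserName'] AS created_user,
    source_ip_address,
    user_agent
  FROM system.access.audit
  WHERE service_name = 'accounts'
    AND action_name  = 'add'
    AND event_date  >= current_date() - INTERVAL 30 DAYS
    AND response.status_code = 200          -- only successful creations
)
SELECT *
FROM user_adds
-- PLACEHOLDER: replace with the identity the SCIM connector shows as in Step 1.
WHERE COALESCE(actor, '') <> '<scim-service-principal-identity>'
ORDER BY event_time DESC;
```

An empty result from Step 2 after the controls are changed is the confirmation the post above asks for; a non-empty one tells you which path (console, JIT, leftover workspace SCIM) still creates users.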

Louis, Many thanks! I really appreciate this reply. However perhaps you could provide more info on this statement:

Databricks SSO setting: In each workspace, go to Admin settings > Authentication/SSO and disable the setting labeled "Auto user creation," "Add users on first login," or similar wording.

I know the Databricks UI is forever changing, but I have looked around and cannot find anything that looks like what you describe. Is this perhaps a legacy setting that we have disabled?

Thanks again - I'll be talking to our MS Entra admin in the morning!

Louis_Frolio
Databricks Employee

Are you a workspace admin?

I'm the Account Admin.

We try to avoid workspace specific configuration settings where we can, other than allowing some beta/preview on our DEV workspaces.

Got it. I found a little more information that might help. Give this a read and let me know if it helps.

You're right that the UI has evolved, and the wording I used maps to newer account-level controls rather than a visible workspace toggle.

What changed

  • The legacy workspace-level SSO page and its "Add users on first login / auto user creation" toggle only appears when unified login is disabled. For most accounts today, unified login is enabled, so you won't see that workspace SSO toggle in Admin Settings. This is expected UI behavior.
  • The capability behind "auto user creation" is now called just-in-time (JIT) provisioning at the account level. JIT automatically creates a Databricks user on first successful SSO login when enabled.

Where to check it now

  • In the account console, go to Security > User provisioning and look for "Create new identities during first-time authentication." That's the JIT toggle that replaces the old workspace-level "auto user creation."
  • Defaults have changed over time: for accounts created after May 1, 2025, JIT is ON by default once SSO is configured; earlier accounts can enable/disable it in the same place.

Azure/Microsoft Entra specifics

  • On Azure Databricks, single sign-on with Microsoft Entra ID is the default for both the account console and workspaces, which is why most customers don't interact with separate workspace SSO settings anymore.
  • If your account uses automatic identity management, JIT is always enabled and cannot be turned off; new users are provisioned on first login automatically. This is by design in that mode.

Practical ways to control who can be created/onboarded

  • Use SCIM provisioning from Microsoft Entra to sync only the users/groups you intend into the Databricks account; this is the recommended pattern for managed onboarding.
  • In Microsoft Entra, set the enterprise app's Assignment required property to "Yes" so only assigned users can sign in to the Databricks app; unassigned users will be blocked from obtaining tokens and won't be created via JIT.

Why you couldn't find the workspace toggle

Because unified login is enabled for most accounts (and cannot be disabled for accounts created after June 21, 2023 or that hadn't configured workspace SSO before Dec 12, 2024), workspace-level SSO settings, including the old "add users on first login" toggle, are hidden and considered legacy.

Let me know if this helps.
Cheers, Louis.

ThePussCat
New Contributor III

Thank you! That's really clear now, and hopefully helpful to others.

Ours is set to (default) OFF - we do not want JIT provisioning enabled.