Administration & Architecture

How to make an Entra group available for GRANT commands inside a workspace?

mzs
Contributor

We're using Azure Databricks and automatic identity management. Users and groups sync over automatically.

If I want to grant permissions to an Entra group to a schema, I can't just run something like this in a workspace notebook:

GRANT USE SCHEMA ON SCHEMA xxx.yyy TO `Example Entra Group`;

It can't find the group. If I go to workspace settings -> security -> groups -> add group, and start typing the name of the group, it populates in a dropdown. If I click on the group it found, the browser makes a GraphQL call to "GetOrCreateIdpGroup". Once that's happened, I can cancel out of the "add group" dialog, and my GRANT query above starts working.

How can I do this programmatically using the API? Ideally at the workspace level.

I'd like to automate the assignment of groups to schemas using a job and service principal. I don't particularly care if the groups are in Entra or Databricks, but I'm trying to avoid using Databricks account-level APIs as they don't have fine-grained permissions: whatever process or job is creating a group in the Databricks account would need full admin privileges at the account level. I figured I could create the groups in Entra instead, because apps in Entra can be given access just to create groups. The group seems like it syncs over, but I can't use it in a GRANT command in a workspace until I go through the "add group" workspace UI above.

2 REPLIES

Ashwin_DSA
Databricks Employee

Hi @mzs,

To make sure we suggest the right option, can you share a bit more about your setup?

  • Cloud & workspace type: Are you on Azure Databricks, and is the workspace identity-federated (Unity Catalog enabled)?
  • Identity sync: Are you using Automatic Identity Management (AIM) with Entra, SCIM, or both?
  • How are you managing groups today? Terraform, REST API, or just SQL GRANT from notebooks?
  • What principal is running the automation? (service principal vs. user; workspace-admin vs. limited role)


Regards,
Ashwin | Delivery Solution Architect @ Databricks
Helping you build and scale the Data Intelligence Platform.
***Opinions are my own***

Hi Ashwin, yes, it's Azure Databricks, Unity Catalog is enabled, and automatic identity management is enabled. We are not using SCIM.

I'm looking for ways to automate group creation using a fairly limited-privilege service principal. Either using the REST API from outside Databricks, or maybe a job running as a service principal inside Databricks that I could then trigger from outside. If I do it inside Databricks, I figure I could use GRANT and/or the REST API with WorkspaceClient() and the default credentials available to the job.

This would be using a service principal, probably one that we'd create at either the account or workspace level in Databricks. I would give it the minimum privileges possible to do what it needs to do: create a schema and assign a group to the schema.

But I was testing GRANT manually in the SQL Editor as an Entra user with workspace admin privileges.
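An added example (not code from the thread or from Databricks) of the job-side half of what the original post and the follow-up describe: building the GRANT statement for a synced Entra group with every externally supplied name quoted and the privilege allow-listed, then running it with the job's default service-principal credentials. It assumes the group is already resolvable in the workspace (the gap the thread is about), that the databricks-sdk package is installed where run_grant() executes, and that a SQL warehouse id is supplied by the caller.

```python
"""Grant schema privileges to a synced Entra group from a Databricks job."""
from __future__ import annotations

# Privileges this job may hand out. Anything else is rejected, so a typo or
# an attacker-influenced input cannot turn USE SCHEMA into ALL PRIVILEGES.
ALLOWED_SCHEMA_PRIVILEGES = frozenset({"USE SCHEMA", "SELECT", "CREATE TABLE"})


def quote_identifier(name: str) -> str:
    """Backtick-quote a Databricks SQL identifier.

    Entra group display names can contain spaces and punctuation, so they
    must be quoted; a literal backtick inside the name is escaped by
    doubling it, per Databricks SQL identifier rules.
    """
    if not name or "\x00" in name:
        raise ValueError("identifier must be non-empty and contain no NUL bytes")
    return "`" + name.replace("`", "``") + "`"


def build_grant_statement(privilege: str, catalog: str, schema: str, principal: str) -> str:
    """Build the GRANT the thread runs by hand, with user-supplied parts
    quoted and the privilege restricted to the allow-list above."""
    privilege = " ".join(privilege.strip().upper().split())
    if privilege not in ALLOWED_SCHEMA_PRIVILEGES:
        raise ValueError(f"privilege not permitted by this job: {privilege!r}")
    full_name = f"{quote_identifier(catalog)}.{quote_identifier(schema)}"
    return f"GRANT {privilege} ON SCHEMA {full_name} TO {quote_identifier(principal)};"


def run_grant(sql: str, warehouse_id: str) -> str:
    """Run a GRANT built above through the SQL Statement Execution API using
    the job's default credentials. warehouse_id is an assumed caller input."""
    # Imported lazily so the pure SQL helpers work without the SDK installed.
    from databricks.sdk import WorkspaceClient

    w = WorkspaceClient()  # picks up the job's service-principal credentials
    resp = w.statement_execution.execute_statement(statement=sql, warehouse_id=warehouse_id)
    state = resp.status.state.value if resp.status and resp.status.state else "UNKNOWN"
    if state != "SUCCEEDED":
        # The usual failure here is the "group not found" error the thread describes.
        msg = resp.status.error.message if resp.status and resp.status.error else ""
        raise RuntimeError(f"GRANT did not succeed ({state}): {msg}")
    return state
```

Because privileges and identifiers are validated before any SQL is sent, a failed run surfaces as a clear error in the job log rather than a partially applied or over-broad grant.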