08-30-2024 03:11 AM - edited 08-30-2024 03:14 AM
Hi all,
For our set-up we have configured SCIM provisioning using Entra ID, group assignment on Azure is dealt with by IdentityIQ Sailpoint, and we have enabled SSO for Databricks. It has been working fine apart from one scenario. The original email assigned to an account on Entra ID has been updated from user.A@company.org to user.B@company.org, due to a name change.
The email update has been reflected everywhere (Azure, IIQ), so they refer to user.b@. However, Databricks is still trying to match to the original email user.a@. We have revoked access completely to everything and still face the same issue.
Has anyone dealt with this before, or have any ideas of how to deal with the issue?
01-29-2025 09:28 AM
Currently, the email address is an immutable attribute in the Databricks application. To request a change to this behavior, you can submit a feature enhancement. In the interim, you can also submit a support case for a potential workaround.
08-04-2025 07:10 AM
Hi Ismael-K
Are there any workarounds for this scenario?
I have the exact same problem: the user changed his e-mail in Azure EntraID from UserA@BranchA.company.com to UserA@BranchB.company.com.
I've deleted the user with the old email from the accounts console in accounts.azuredatabricks.net, but now, when I search the accounts console for the user with the new email UserA@BranchB.company.com, I cannot find it, although it remains in Azure EntraID.
08-07-2025 06:43 AM - edited 08-07-2025 06:45 AM
For anyone who will face this issue in the future:
In order to fix this issue (user changed his email), you need to:
1) Because email is an immutable attribute, check the affected user's account in the Databricks account console, and if it has the old email, delete the user with the old email.
2) Determine the correct Enterprise application SCIM Connector (if you have multiple).
3) Stop and restart synchronization of the SCIM Connector.
Check the synchronization logs and that the user has appeared back in the Databricks account console.
No need to make any changes to the user account in Azure EntraID.
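Added example, not part of the original post and not Databricks or Microsoft code: a check for the email drift discussed in this thread, run over a constructed SCIM 2.0 Users listing and a constructed list of Entra ID emails. It assumes the SCIM `userName` field carries the user's email; the function name and all sample values are hypothetical.

```python
import json

# Constructed sample: body of a SCIM 2.0 ListResponse (RFC 7644) for an
# account-level Users listing. All values are invented for illustration.
DATABRICKS_SCIM_RESPONSE = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 3,
    "Resources": [
        {"id": "1001", "userName": "user.a@company.org", "active": True},
        {"id": "1002", "userName": "Admin.One@company.org", "active": True},
        {"id": "1003", "userName": "left.company@company.org", "active": False},
    ],
})

# Constructed sample: current emails of users assigned to the Entra ID
# enterprise application (exported from the IdP by whatever means you use).
ENTRA_ASSIGNED_EMAILS = ["user.B@company.org", "admin.one@company.org"]


def find_email_drift(scim_json, idp_emails):
    """Compare both sides case-insensitively and return (stale, missing).

    stale   -- Databricks users with no matching IdP email, i.e. an old
               address still present after a rename, or a leftover account
    missing -- IdP emails with no Databricks user, i.e. the new address
               was never provisioned
    """
    resources = json.loads(scim_json).get("Resources", [])
    idp = {e.strip().casefold() for e in idp_emails}
    dbx = {r["userName"].strip().casefold(): r for r in resources if "userName" in r}
    stale = sorted(
        (r["id"], name, r.get("active", False))
        for name, r in dbx.items() if name not in idp
    )
    missing = sorted(idp - set(dbx))
    return stale, missing


if __name__ == "__main__":
    stale, missing = find_email_drift(DATABRICKS_SCIM_RESPONSE, ENTRA_ASSIGNED_EMAILS)
    for user_id, name, active in stale:
        print(f"stale in Databricks: id={user_id} userName={name} active={active}")
    for email in missing:
        print(f"not provisioned in Databricks: {email}")
```

A stale entry paired with a missing one for the same person is the renamed-user case; a stale entry that is still active with no counterpart in the IdP is an account to review for deprovisioning.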
Thursday
I believe we have tried this move before, and the result was that the user was ignored from future SCIM provisioning runs. We had to manually use the API to add the user back in and are now hooked into manually updating this user's user groups through the API.
Has this functionality changed?
The docs still say that this is the expected functionality. Dot point 3 under provisioning tips here: Configure SCIM provisioning using Microsoft Entra ID (Azure Active Directory) | Databricks on AWS
Friday
@dbx_user "The removed user will not be synced again using Microsoft Entra ID provisioning, even if they remain in the enterprise application."
@dbx_user wrote: I believe we have tried this move before, and the result was that the user was ignored from future SCIM provisioning runs. We had to manually use the API to add the user back in and are now hooked into manually updating this user's user groups through the API.
Has this functionality changed?
The docs still say that this is the expected functionality. Dot point 3 under provisioning tips here: Configure SCIM provisioning using Microsoft Entra ID (Azure Active Directory) | Databricks on AWS
Well, after stopping and resuming sync in the Enterprise application, the deleted user was synced again.
Friday
The other option is to raise a ticket with Databricks Accounts team. Our Databricks team worked on the backend and the new email was synced.