cancel
Showing results forย 
Search instead forย 
Did you mean:ย 
Administration & Architecture
Explore discussions on Databricks administration, deployment strategies, and architectural best practices. Connect with administrators and architects to optimize your Databricks environment for performance, scalability, and security.
cancel
Showing results forย 
Search instead forย 
Did you mean:ย 

Question About Workspace MFA Enforcement and Email OTP Behavior

calvp
New Contributor II

Hello Databricks Community,

We are using Azure Databricks with Microsoft Entra ID (Azure AD) authentication.

Our current login experience is the following:

  • Access to the Databricks Account Console requires Microsoft Entra MFA.

  • The first access to a workspace requires both Microsoft Entra MFA and an email OTP verification code.

  • Subsequent accesses to the workspace require only the email OTP verification (after the browser session/cookie has been established).

For security and compliance reasons, we would like to enforce Microsoft Entra MFA for every workspace login and avoid the email OTP verification step entirely.

Could you please confirm:

  1. Is it possible to configure Azure Databricks workspaces to rely exclusively on Microsoft Entra ID authentication and MFA?

  2. Is it possible to disable the workspace email OTP verification step?

  3. Is there any supported configuration (Unified Login, Conditional Access, Authentication Policies, etc.) that forces a fresh Microsoft Entra MFA challenge for every workspace login?

If this is not currently supported, could you clarify the intended authentication flow and any roadmap items related to this behavior?

Thank you.

1 ACCEPTED SOLUTION

Accepted Solutions

emma_s
Databricks Employee
Databricks Employee

Hi, yes it is perfectly possible. The email flow only happens when you are using invite users by email as the way of adding users to the workspace. If you replace this so to use automatic identity management instead then it shouldn't need to do the email flow instead. Docs here - ttps://learn.microsoft.com/en-us/azure/databricks/security/auth/. 

On question 3 - once you have enabled automatic identity management then it will be controlled by entra conditional access, I think setting it to ask every time should mean it gets a new log on each time. But I haven't got a way of confirming this.

It may be worth a support ticket on this to help you answer these questions in a more certain way.

Thanks,

Emma

View solution in original post

1 REPLY 1

emma_s
Databricks Employee
Databricks Employee

Hi, yes it is perfectly possible. The email flow only happens when you are using invite users by email as the way of adding users to the workspace. If you replace this so to use automatic identity management instead then it shouldn't need to do the email flow instead. Docs here - ttps://learn.microsoft.com/en-us/azure/databricks/security/auth/. 

On question 3 - once you have enabled automatic identity management then it will be controlled by entra conditional access, I think setting it to ask every time should mean it gets a new log on each time. But I haven't got a way of confirming this.

It may be worth a support ticket on this to help you answer these questions in a more certain way.

Thanks,

Emma