cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Help
Administration & Architecture
Explore discussions on Databricks administration, deployment strategies, and architectural best practices. Connect with administrators and architects to optimize your Databricks environment for performance, scalability, and security.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 

Terraform - Assign permissions to Entra Id group

SรธrenBrandt2
New Contributor II

โ€Ž09-16-2025 07:28 AM

Dear All,
 
Using a Terraform workspace-level provider, I am trying to add an Entra Id group to the account, and then assign permissions to the group.
 
The Terraform provider runs in the context of an Entra Id user account with workspace admin permissions, and without account admin permissions.
 
The following code successfully adds the group to the workspace:
 
resource "databricks_group" "users" {
   display_name = "Entra Id group name"
   external_id = "Entra Id group object id"
}
 
Then, to assign User permissions on the workspace to the group:
resource "databricks_permission_assignment" "workspace_user" {
   principal_id = databricks_group.users.id
   permissions = ["USER"]
}
 
The Terraform PLAN phase does as expected, but then in the apply phase, I get the error "Error: cannot create permission assignment: Principal not found in account." That is, I can register the group, but I cannot read account level metadata about the group.
 
The above is consistent with what I see in the workspace Settings/Identity and access/Groups panel: I can add a group to the Workspace. But if I afterwards click the group to see group information, I get the error: "Call failed to /ajax/...: Group with id XXXXXX not found, ...".
 
Any ideas on how I can make this work?
 
Further context:
 
  1. In my Databricks account, I have "Automatic identity management" enabled.
  2. The account I use when running Terraform is Workspace admin but not Databricks Account admin.
  3. I can make it work if I run the Terraform code with Databricks account admin permissions and using an account level provider to register the Entra Id group, it works. However, this is not an option for me in production. 
BR,
Sรธren
0 Kudos
3 REPLIES 3

nayan_wylde
Esteemed Contributor

โ€Ž09-16-2025 07:53 AM

@SรธrenBrandt2 Here are few quick checks you can do and rerun.

1. Please make sure the Service Principle running the terraform code have  Group Manager role on the specific account group. With that role, it can read that group at the account and retrieve the principal_id without being a full Account Admin. Databricksโ€™ identity docs confirm โ€œgroup managers can manage group membershipโ€ and that workspace admins can add groups to the account in identityโ€‘federated setups; but the leastโ€‘privilege โ€œGroup Managerโ€ just for the required groups is often acceptable in regulated environments.

2. Verify the group exists at the account first (AIM). With Automatic identity management enabled, Entra ID users/SPNs/groups are visible at the account and are marked External; theyโ€™re synced from Entra ID. Donโ€™t rely on externalId for automationโ€”Databricks warns it can change; prefer the stable Databricks id (principal_id).

3. Use the account provider only to resolve principal IDs, then perform the workspace assignment with the workspace provider.

provider "databricks" {
alias = "account"
host = "https://accounts.azuredatabricks.net"
# Azure Databricks Account Console ID is constant:
account_id = ""
# authenticate with a principal that can read the group at the account
}

# --- Workspace-scope provider (this is how you authenticate today) ---
provider "databricks" {
alias = "workspace"
host = var.workspace_url
}

0 Kudos

SรธrenBrandt2
New Contributor II
In response to nayan_wylde

โ€Ž09-16-2025 08:25 AM

Hi Nayan,

Thank you for your response!

Your first point "Please make sure the Service Principle running the terraform code have Group Manager role on the specific account group" actually nails my challenge, although I did not spell this out in my question.

So far, to make it work, I have been doing as follows:

  1. Ask a databricks account admin to:
    1. Register the Entra Id group in the Databricks account.
    2. Assign "Group: Manage" permissions to the Service Principal running Terraform.
    3. Resolve the group principal ID and provide it as input to my Terraform script
  2. Run my Terraform code with a service principal with workspace (but not account) admin privileges to perform the remaining work.

So what I am looking for is really a way to do steps 1a-c without having to bother a Databricks account admin.

Is that possible at the moment, I wonder?

0 Kudos

nayan_wylde
Esteemed Contributor
In response to SรธrenBrandt2

โ€Ž09-17-2025 07:14 AM - edited โ€Ž09-17-2025 07:15 AM

I tried this at my end. It seems currently  to add any groups from accounts from workspace the SPN requires account admin permissions. If you don't want to provide a common SPN that is running terraform code as  account admin. I would rather isolate my code in two pipelines. One creating a Super Admin SPN that is account admin and using that SPN to add account groups to workspaces. Another SPN having as workspace admin and performing workspace related tasks like creating catalogs, cluster and assigning permissions.

0 Kudos

Join Us as a Local Community Builder!

Passionate about hosting events and connecting people? Help us grow a vibrant local communityโ€”sign up today to get started!

Sign Up Now
Announcements