cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Administration & Architecture
Explore discussions on Databricks administration, deployment strategies, and architectural best practices. Connect with administrators and architects to optimize your Databricks environment for performance, scalability, and security.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Unexpected Behavior with Azure Databricks and Entra ID SCIM Integration

antonionuzzo
New Contributor III

4 weeks ago

Hi everyone,

I'm currently running some tests for a company that uses Entra ID as the backbone of its authentication system. Every employee with a corporate email address is mapped within the organization's Entra ID.

Our company's Azure Databricks is connected to Entra ID via SCIM. However, we've observed some unexpected behavior: a workspace admin in Azure Databricks is able to invite into their workspace any user that exists in the corporate Entra ID—even if that user has never accessed the cloud environment before.

How is this possible? Is there a way to mitigate this?

Ideally, I would expect that only users who have been granted access to the corporate cloud environments should be able to access Databricks.

0 Kudos
1 REPLY 1

Alberto_Umana
Databricks Employee
Databricks Employee

3 weeks ago

Hello @antonionuzzo,

This behavior is occurring because Azure Databricks allows workspace administrators to invite users from their organization's Entra ID directory into the Databricks workspace. This capability functions independently of whether the user has explicitly been granted access to a corporate cloud environment. When a SCIM integration is established with Entra ID, it synchronizes user identities to Databricks, enabling these users to be invited.

To mitigate this Azure Databricks provides a setting to control the ability of workspace administrators to invite users. You can manage this through the workspace's configuration settings using the restrict_workspace_admins feature. This limits workspace administrators, allowing only specified users or groups with predetermined access permissions to join the workspace

0 Kudos

Join Us as a Local Community Builder!

Passionate about hosting events and connecting people? Help us grow a vibrant local community—sign up today to get started!

Sign Up Now
Announcements