Automating Admin Consent for Azure Databricks SCIM App Creation Using Terraform.

meghana_tulla
New Contributor II

I am trying to automate the creation of an Azure AD application (specifically, an Azure Databricks SCIM app) and grant admin consent for its API permissions using Terraform. The required API permissions include Application.ReadWrite.All, Application.ReadWrite.OwnedBy, Group.Read.All, and User.Read.All. To achieve this, I am automating the Azure login process using a Bash script and a Service Principal. In the script, I prompt the user to provide the Service Principal's client ID and client secret for login. While the login step works and the SCIM app is created successfully, I am unable to grant admin consent for the app programmatically. I use a null_resource with a local-exec provisioner to run an Azure CLI command (az ad app permission admin-consent), but this step intermittently fails, even with retry logic. When the retries are exhausted, I have to log in interactively to grant consent manually, which defeats the purpose of automation. I suspect the issue might be related to the admin consent process, as these permissions require admin consent due to their sensitive nature. Is there a reliable way to programmatically grant admin consent for the Azure Databricks SCIM app during the Terraform execution without manual intervention? Below is a snippet of my Terraform and Bash logic for reference. Any insights or suggestions would be greatly appreciated!

resource "null_resource" "grant_admin_consent" {
  provisioner "local-exec" {
    command     = "az ad app permission admin-consent --id ${azuread_application.scim.application_id}"
    interpreter = ["bash", "-c"]
  }

  depends_on = [
    azuread_application.scim,
    azuread_application_password.scim_secret
  ]

  triggers = {
    app_id = azuread_application.scim.application_id
  }
}

ERROR: Unauthorized({"ClassName":"System.Security.Authentication.AuthenticationException","Message":"S2S17000: SAL was unable to validate the protocol. Validation failure: 'ValidationCompleted; UnsupportedAuthenticationScheme; UnsupportedAuthenticationScheme; UnsupportedAuthenticationScheme'","Data":null,"InnerException":null,"HelpURL":null,"StackTraceString":null,"RemoteStackTraceString":null,"RemoteStackIndex":0,"ExceptionMethod":null,"HResult":-2146233087,"Source":null,"WatsonBuckets":null})

Interactive authentication is needed. Please run:
az logout
az login

Thank you

1 REPLY 1

Walter_C
Databricks Employee

The Service Principal you're using for authentication may not have sufficient permissions to grant admin consent. Ensure that the Service Principal has the necessary roles assigned, such as "Global Administrator" or "Privileged Role Administrator". However, be cautious when using highly privileged accounts in automation scripts.
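A Terraform-only way to grant the four Microsoft Graph application permissions without the interactive `az ad app permission admin-consent` step, and without giving the automation identity Global Administrator, is to create app role assignments on the SCIM app's service principal. This is an added example, not code from the thread; it assumes azuread provider 2.x (matching the `application_id` attribute used in the question) and that `azuread_application.scim` already exists, and it adds an `azuread_service_principal.scim` resource that the original snippet does not show.

```hcl
# Added example (not from the original post). Creating app role assignments
# against Microsoft Graph is the directory-level equivalent of admin consent
# for application permissions, so no signed-in user is needed.
# Assumes azuread provider 2.x and an existing azuread_application.scim.

# Well-known application IDs published by Microsoft, including Microsoft Graph.
data "azuread_application_published_app_ids" "well_known" {}

# Microsoft Graph's service principal in this tenant. Its app_role_ids map
# translates a permission value such as "User.Read.All" into the role ID.
data "azuread_service_principal" "msgraph" {
  application_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
}

# Service principal for the SCIM app (assumed here; the question only shows
# the application resource). Assignments are made on this object.
resource "azuread_service_principal" "scim" {
  application_id = azuread_application.scim.application_id
}

locals {
  # Only the application permissions the SCIM app actually needs.
  scim_graph_permissions = [
    "Application.ReadWrite.All",
    "Application.ReadWrite.OwnedBy",
    "Group.Read.All",
    "User.Read.All",
  ]
}

# One assignment per permission. The identity running Terraform needs the
# AppRoleAssignment.ReadWrite.All and Application.Read.All application
# permissions on Microsoft Graph for this, rather than a tenant-wide
# directory role such as Global Administrator.
resource "azuread_app_role_assignment" "scim_graph" {
  for_each = toset(local.scim_graph_permissions)

  app_role_id         = data.azuread_service_principal.msgraph.app_role_ids[each.value]
  principal_object_id = azuread_service_principal.scim.object_id
  resource_object_id  = data.azuread_service_principal.msgraph.object_id
}
```

The same four permissions should also be declared in the application's `required_resource_access` block so the granted consent matches what the app advertises in the portal.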
