Data Governance
Join discussions on data governance practices, compliance, and security within the Databricks Community. Exchange strategies and insights to ensure data integrity and regulatory compliance.
Unity Catalog Setup: Why must the first Azure Databricks account admin be an Azure Active Directory Global Administrator at the time that they first log in to the Azure Databricks account console?

Matt101122
Contributor

We are attempting to set up Unity Catalog and our security team is requesting justification for why this level of access is required. Why must the first Azure Databricks account admin be an Azure Active Directory Global Administrator at the time that they first log in to the Azure Databricks account console?

ACCEPTED SOLUTION

LandanG
Databricks Employee

Hi @Matthew Dalesio

From our eng. team:

"The high privilege is only used to make sure only highly privileged users get access to the Databricks account admin role, as this is a highly-privileged role and they can make anyone else an account admin. This is only checked at the time of bootstrapping (first login), and we only check whether the user is a global admin in their tenant. Databricks itself is not getting any access to the organization's Azure resources. Because this is such a highly-privileged role, we only granted Azure global admins the default Databricks account-admin role."

We don't do anything other than call the Graph API to check the global admin's token claim, verify if he/she is indeed the global administrator on Azure, and flip the switch for them to become account admins on Databricks - it is a super user role and it is required to ensure that there are no privilege escalations.

Hope that answers the question. Basically just a matter of security.

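To make the trust flow in the answer concrete, here is a small model of it as an added example; it is not Databricks' code and it does not reproduce how the account console is implemented. It models three properties the answer states: the Global Administrator check happens exactly once, at the bootstrap login; nobody who is not a Global Administrator can bootstrap (no escalation path); and after bootstrap, new account admins are created only by existing account admins, with no further look at Azure roles. Assumptions made to keep it offline: the caller's directory roles are read from the `wids` claim of an already-verified token instead of through the Microsoft Graph call the answer describes, the `oid` claim identifies the user, and the revoke path (including the refusal to remove the last remaining admin) is this model's own rule, not a statement about what Databricks allows, which is the open question in the reply below.

```python
"""Model of a one-time, externally gated bootstrap of a super-user role.

Constructed for this thread; NOT Databricks' implementation. The role source
(a `wids` claim inspected locally rather than a Microsoft Graph call) and the
revoke rules are assumptions of the model.
"""
from dataclasses import dataclass, field

# Directory role template ID that Azure AD / Entra ID uses for Global Administrator.
GLOBAL_ADMIN_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"


class BootstrapDenied(PermissionError):
    """Raised when a non-Global-Administrator attempts the bootstrap (first) login."""


@dataclass
class AccountState:
    """Minimal account-level admin registry (constructed for this example)."""
    account_admins: set = field(default_factory=set)
    bootstrapped: bool = False
    audit: list = field(default_factory=list)

    def login(self, claims: dict) -> bool:
        """Handle a login with already-verified token claims.

        Returns True if the caller is an account admin after this login.
        The Global Administrator check runs exactly once, on the bootstrap
        login; later logins never consult the Azure directory role again.
        """
        user = claims["oid"]
        if not self.bootstrapped:
            # 'wids' lists the directory role template IDs the caller holds;
            # stand-in for the Graph lookup described in the answer (assumption).
            if GLOBAL_ADMIN_TEMPLATE_ID not in claims.get("wids", ()):
                self.audit.append(f"bootstrap denied: {user} is not a Global Administrator")
                raise BootstrapDenied(user)
            self.account_admins.add(user)
            self.bootstrapped = True
            self.audit.append(f"bootstrap: {user} became the first account admin")
            return True
        self.audit.append(f"login: {user} (no Azure role check after bootstrap)")
        return user in self.account_admins

    def grant_account_admin(self, actor: str, target: str) -> None:
        """Only an existing account admin can make someone else an account admin."""
        if actor not in self.account_admins:
            self.audit.append(f"grant denied: {actor} is not an account admin")
            raise PermissionError(actor)
        self.account_admins.add(target)
        self.audit.append(f"grant: {actor} made {target} an account admin")

    def revoke_account_admin(self, actor: str, target: str) -> None:
        """Revoke by an existing admin; refuse to remove the last admin (model's own lock-out guard)."""
        if actor not in self.account_admins:
            raise PermissionError(actor)
        if self.account_admins == {target}:
            self.audit.append(f"revoke refused: {target} is the last account admin")
            raise PermissionError("cannot remove the last account admin")
        self.account_admins.discard(target)
        self.audit.append(f"revoke: {actor} removed {target} from account admins")


# Constructed sample claims; no real tenant or user data.
GLOBAL_ADMIN_CLAIMS = {"oid": "ga-user", "wids": [GLOBAL_ADMIN_TEMPLATE_ID]}
ENGINEER_CLAIMS = {"oid": "data-eng", "wids": []}


def walkthrough() -> AccountState:
    """Run the lifecycle the thread discusses and return the resulting state."""
    state = AccountState()
    # 1. A non-Global-Admin cannot bootstrap the account (no escalation path).
    try:
        state.login(ENGINEER_CLAIMS)
    except BootstrapDenied:
        pass
    # 2. The Global Administrator bootstraps and becomes the first account admin.
    state.login(GLOBAL_ADMIN_CLAIMS)
    # 3. The first admin delegates; from here on the Azure role plays no part.
    state.grant_account_admin("ga-user", "data-eng")
    # 4. With another admin in place, the bootstrap admin is removed (model assumption).
    state.revoke_account_admin("data-eng", "ga-user")
    return state


if __name__ == "__main__":
    for line in walkthrough().audit:
        print(line)
```

The audit list is the part worth keeping in a real system: the bootstrap event and every later grant or revoke are the records a security team would ask for when reviewing who holds the account admin role and how they got it.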

2 REPLIES


prasadvaze
Valued Contributor II

So after "making anyone else an account admin" by the first super admin (aka Azure global AAD admin), can we remove him from the Databricks account or downgrade his Databricks account admin role? Our Azure AAD admin doesn't use or need to manage our Databricks setup.
