Hi @Matthew Dalesioโ
From our eng. team:
"The high privileged is only used to make sure only highly privileged users get access to Databricks account admin role as this is a highly-privileged role and they can make anyone else an account admin. This is only checked at the time of bootstrapping first login and we only check whether the user is a global admin in their tenant. Databricks itself is not getting any access to the organizationโs Azure resources. Because this is such a highly-privileged role, we only granted Azure global admins the default Databricks account-admin role."
We don't do anything other than to call the graph API to check the global admin's token claim and verify if he/she is indeed the global administrator on Azure and flip the switch for them to become account admins on Databricks - it is a super user role and it is required to ensure that there are no privilege escalations
Hope that answers the question. Basically just a matter of security