cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Help
Data Governance
Join discussions on data governance practices, compliance, and security within the Databricks Community. Exchange strategies and insights to ensure data integrity and regulatory compliance.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 

Unity Catalog Setup: Why must the first Azure Databricks account admin must be an Azure Active Directory Global Administrator at the time that they first log in to the Azure Databricks account console?

Go to solution
Matt101122
Contributor

โ€Ž11-29-2022 07:28 AM

We are attempting to setup Unity Catalog and our security team is requesting justification on why this level of access is required. Why must the first Azure Databricks account admin must be an Azure Active Directory Global Administrator at the time that they first log in to the Azure Databricks account console?

1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
LandanG
Databricks Employee
Databricks Employee

โ€Ž11-29-2022 08:44 AM

Hi @Matthew Dalesioโ€‹ 

From our eng. team:

"The high privileged is only used to make sure only highly privileged users get access to Databricks account admin role as this is a highly-privileged role and they can make anyone else an account admin. This is only checked at the time of bootstrapping first login and we only check whether the user is a global admin in their tenant. Databricks itself is not getting any access to the organizationโ€™s Azure resources. Because this is such a highly-privileged role, we only granted Azure global admins the default Databricks account-admin role."

We don't do anything other than to call the graph API to check the global admin's token claim and verify if he/she is indeed the global administrator on Azure and flip the switch for them to become account admins on Databricks - it is a super user role and it is required to ensure that there are no privilege escalations

Hope that answers the question. Basically just a matter of security

View solution in original post

2 REPLIES 2

Go to solution
LandanG
Databricks Employee
Databricks Employee

โ€Ž11-29-2022 08:44 AM

Hi @Matthew Dalesioโ€‹ 

From our eng. team:

"The high privileged is only used to make sure only highly privileged users get access to Databricks account admin role as this is a highly-privileged role and they can make anyone else an account admin. This is only checked at the time of bootstrapping first login and we only check whether the user is a global admin in their tenant. Databricks itself is not getting any access to the organizationโ€™s Azure resources. Because this is such a highly-privileged role, we only granted Azure global admins the default Databricks account-admin role."

We don't do anything other than to call the graph API to check the global admin's token claim and verify if he/she is indeed the global administrator on Azure and flip the switch for them to become account admins on Databricks - it is a super user role and it is required to ensure that there are no privilege escalations

Hope that answers the question. Basically just a matter of security

Go to solution
prasadvaze
Valued Contributor II
In response to LandanG

โ€Ž12-24-2022 07:46 PM

So after "making anyone else an account admin" by the first super admin (aka azure global AAD admin) can we remove him from the databricks account or downgrade his databricks account admin role? Our azure AAD admin doesn't use or need to manage our databricks setup

0 Kudos

Connect with Databricks Users in Your Area

Join a Regional User Group to connect with local Databricks users. Events will be happening in your city, and you wonโ€™t want to miss the chance to attend and share knowledge.

If there isnโ€™t a group near you, start one and help create a community that brings people together.

Request a New Group
Announcements