11-29-2022 07:28 AM
We are attempting to set up Unity Catalog, and our security team is requesting justification for why this level of access is required. Why must the first Azure Databricks account admin be an Azure Active Directory Global Administrator at the time they first log in to the Azure Databricks account console?
11-29-2022 08:44 AM
Hi @Matthew Dalesio
From our eng. team:
"The high privilege is only used to make sure only highly privileged users get access to the Databricks account admin role, as this is a highly privileged role and they can make anyone else an account admin. This is only checked at the time of bootstrapping the first login, and we only check whether the user is a global admin in their tenant. Databricks itself is not getting any access to the organization's Azure resources. Because this is such a highly privileged role, we only granted Azure global admins the default Databricks account-admin role."
We don't do anything other than call the Graph API to check the global admin's token claim, verify that he/she is indeed the global administrator on Azure, and flip the switch for them to become account admins on Databricks. It is a super-user role, and it is required to ensure that there are no privilege escalations.
Hope that answers the question. Basically just a matter of security.
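To make the bootstrap rule described above concrete, here is an added illustration (not Databricks' own code) of a gate that inspects a token's claims for the Global Administrator directory role and grants the first account-admin role only to such a user, after which further admins are granted by existing admins without any Global Admin check. It assumes the role appears in the Azure AD `wids` claim under the well-known Global Administrator role template ID, and the tenant and user IDs in the test token are constructed.

```python
import base64
import json

# Well-known Azure AD directory role template ID for "Global Administrator".
GLOBAL_ADMIN_ROLE_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.
    The signature is NOT checked here; a real gate must validate the token
    against the tenant's signing keys before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def is_global_admin(claims: dict, expected_tenant: str) -> bool:
    """True if the token comes from the expected tenant (tid) and its 'wids'
    claim carries the Global Administrator directory role."""
    return (claims.get("tid") == expected_tenant
            and GLOBAL_ADMIN_ROLE_TEMPLATE_ID in claims.get("wids", []))


class AccountAdmins:
    """Model of the bootstrap rule: the first account admin must be a tenant
    Global Administrator; afterwards admins are granted only by admins."""

    def __init__(self, tenant: str):
        self.tenant = tenant
        self.admins: set[str] = set()

    def bootstrap(self, claims: dict) -> bool:
        if self.admins:
            return False  # already bootstrapped; the GA check no longer applies
        if not is_global_admin(claims, self.tenant):
            return False
        self.admins.add(claims["oid"])
        return True

    def grant(self, granted_by: str, new_admin: str) -> bool:
        if granted_by not in self.admins:
            return False  # only an existing account admin may add another
        self.admins.add(new_admin)
        return True


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned token for offline testing only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."
```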
12-24-2022 07:46 PM
So after "making anyone else an account admin" by the first super admin (aka Azure global AAD admin), can we remove him from the Databricks account or downgrade his Databricks account admin role? Our Azure AAD admin doesn't use or need to manage our Databricks setup.