Unable to add a Microsoft security group as Workspace Admin

pranav5
New Contributor II

I'm a workspace admin for a Databricks workspace. I can add a Microsoft security group in the workspace. When I click on the group to view it, I can view the members of the group, the same as in Azure AD, reflecting correctly, but it throws an error at the top saying that it failed with SCIM and status 404.

I can still view this group in the groups of the Identity and Access -> Groups but can't add this group to the admins Databricks group.

Can you please help me with what I'm missing?

3 REPLIES 3

lingareddy_Alva
Honored Contributor II

@pranav5 

This issue usually occurs because of how Databricks handles group provisioning via SCIM, especially with external groups from Azure AD.
SCIM 404 Error: This generally means Databricks cannot find a matching SCIM identity for the Azure AD group — usually because Databricks didn't provision the group itself via SCIM.
Azure AD security groups may appear in the Databricks UI (via entitlement sync), but unless they are SCIM-provisioned, Databricks can't manage or nest them internally.

To Fix This:
Here are some steps to verify and resolve:

1. Confirm SCIM Provisioning
Make sure SCIM provisioning from Azure AD to Databricks is fully configured:
In Azure AD > Enterprise Applications > [Your Databricks app] > Provisioning:
- Confirm it's On and working without errors.
- Check that group provisioning is enabled (not just users).
- Look for this group in the provisioning logs — it should be successfully pushed.

2. Group Assignment in Azure AD
Ensure that:
- The group is assigned to the Databricks app in Azure AD.
- It's not just visible — it must be assigned for SCIM to provision it properly.


3. Group Must Be SCIM-Managed to Nest in Databricks
Databricks only supports nesting SCIM-managed groups. If your group is external (from Azure AD but not SCIM-provisioned), you cannot nest it under admins or any other group.

Workaround: If nesting is required:
- Create a new group in Azure AD.
- Assign users and the group to the Databricks SCIM app.
- Allow Azure AD to provision it into Databricks.
- Then you can nest this new SCIM group under the admins group in Databricks.

 

LR
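
The SCIM 404 discussed above can also be checked from the API side by asking the workspace's SCIM Groups endpoint whether it returns the group. The sketch below is an added example, not part of the thread and not Databricks' own code: it builds the filter query and interprets the response. The host placeholder, the group name `sec-data-admins` and the sample response bodies are constructed, and authentication and the HTTP call itself are left out.

```python
import json
from urllib.parse import quote

LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"

def group_lookup_url(host, display_name):
    """Build the workspace SCIM query for one group, filtered by displayName."""
    # Filter values are JSON strings, so escape backslashes and quotes first.
    value = display_name.replace("\\", "\\\\").replace('"', '\\"')
    flt = 'displayName eq "' + value + '"'
    return f"https://{host}/api/2.0/preview/scim/v2/Groups?filter={quote(flt)}"

def classify(status, body):
    """Turn an HTTP status and SCIM JSON body into a verdict about the group."""
    doc = json.loads(body) if body else {}
    schemas = doc.get("schemas", [])
    if ERROR_SCHEMA in schemas or status >= 400:
        # SCIM error bodies carry "status" as a string, e.g. "404".
        return {"state": "scim-error", "status": int(doc.get("status", status)),
                "detail": doc.get("detail", "")}
    if LIST_SCHEMA not in schemas:
        return {"state": "unexpected", "status": status}
    hits = doc.get("Resources", [])
    if not hits:
        # 200 with zero results: the filter matched nothing on this endpoint.
        return {"state": "not-found", "status": status}
    group = hits[0]
    return {"state": "found", "status": status, "id": group.get("id"),
            "externalId": group.get("externalId"),
            "members": len(group.get("members", []))}

# Constructed sample bodies (not captured from a real workspace).
SAMPLE_404 = json.dumps({"schemas": [ERROR_SCHEMA], "status": "404",
                         "detail": "Group not found."})
SAMPLE_EMPTY = json.dumps({"schemas": [LIST_SCHEMA], "totalResults": 0,
                           "Resources": []})
SAMPLE_FOUND = json.dumps({"schemas": [LIST_SCHEMA], "totalResults": 1, "Resources": [
    {"id": "1001", "displayName": "sec-data-admins",
     "externalId": "constructed-object-id",
     "members": [{"value": "2001"}, {"value": "2002"}]}]})

if __name__ == "__main__":
    print(group_lookup_url("<workspace-host>", "sec-data-admins"))
    for status, body in [(404, SAMPLE_404), (200, SAMPLE_EMPTY), (200, SAMPLE_FOUND)]:
        print(classify(status, body))
```

A `found` result with member entries means the endpoint has a record for the group; `scim-error` with status 404 is the condition the UI banner reports.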

Hello @lingareddy_Alva 

Thank you for your response. I don't have access to view the Provisioning in Enterprise Applications -> Databricks -> Provisioning.
There are other AAD groups that are assigned under the admins group; I think they are SCIM assigned.

So, is SCIM provisioning something a Databricks Account Admin does? What exactly would be done by the Account Admin so that this group is SCIM enabled? P.S. There are other groups that are SCIM enabled and exist under the admins Databricks group.

lingareddy_Alva
Honored Contributor II

@pranav5 

No, SCIM provisioning itself is configured in Azure Active Directory (AAD) and must be done by someone who has admin access in Azure AD — usually an Azure AD Admin, Enterprise App Admin, or Identity team member.

A Databricks Account Admin can view and manage users/groups after they are SCIM-provisioned, but cannot trigger SCIM provisioning unless they also have the required Azure AD permissions.

Please check with your Azure AD Admin.

LR
