<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Unity Catalog Setup: Why must the first Azure Databricks account admin be an Azure Active Directory Global Administrator at the time that they first log in to the Azure Databricks account console? in Data Governance</title>
    <link>https://community.databricks.com/t5/data-governance/unity-catalog-setup-why-must-the-first-azure-databricks-account/m-p/20021#M708</link>
    <description>&lt;P&gt;We are attempting to set up Unity Catalog and our security team is requesting justification on why this level of access is required. Why must the first Azure Databricks account admin be an Azure Active Directory Global Administrator at the time that they first log in to the Azure Databricks account console?&lt;/P&gt;</description>
    <pubDate>Tue, 29 Nov 2022 15:28:19 GMT</pubDate>
    <dc:creator>Matt101122</dc:creator>
    <dc:date>2022-11-29T15:28:19Z</dc:date>
    <item>
      <title>Unity Catalog Setup: Why must the first Azure Databricks account admin be an Azure Active Directory Global Administrator at the time that they first log in to the Azure Databricks account console?</title>
      <link>https://community.databricks.com/t5/data-governance/unity-catalog-setup-why-must-the-first-azure-databricks-account/m-p/20021#M708</link>
      <description>&lt;P&gt;We are attempting to set up Unity Catalog and our security team is requesting justification on why this level of access is required. Why must the first Azure Databricks account admin be an Azure Active Directory Global Administrator at the time that they first log in to the Azure Databricks account console?&lt;/P&gt;</description>
      <pubDate>Tue, 29 Nov 2022 15:28:19 GMT</pubDate>
      <guid>https://community.databricks.com/t5/data-governance/unity-catalog-setup-why-must-the-first-azure-databricks-account/m-p/20021#M708</guid>
      <dc:creator>Matt101122</dc:creator>
      <dc:date>2022-11-29T15:28:19Z</dc:date>
    </item>
    <item>
      <title>Re: Unity Catalog Setup: Why must the first Azure Databricks account admin be an Azure Active Directory Global Administrator at the time that they first log in to the Azure Databricks account console?</title>
      <link>https://community.databricks.com/t5/data-governance/unity-catalog-setup-why-must-the-first-azure-databricks-account/m-p/20022#M709</link>
      <description>&lt;P&gt;Hi @Matthew Dalesio&lt;/P&gt;&lt;P&gt;From our eng. team:&lt;/P&gt;&lt;P&gt;"The high privilege is only used to make sure &lt;B&gt;only&lt;/B&gt; highly privileged users get access to the Databricks account admin role, as this is a highly privileged role and they can make anyone else an account admin. This is only checked at the time of bootstrapping first login and we only check whether the user is a global admin in their tenant. Databricks itself is not getting any access to the organization’s Azure resources. Because this is such a highly privileged role, we only granted Azure global admins the default Databricks account-admin role."&lt;/P&gt;&lt;P&gt;We don't do anything other than call the Graph API to check the global admin's token claim, verify whether he/she is indeed the global administrator on Azure, and flip the switch for them to become account admins on Databricks. It is a super user role, and it is required to ensure that there are no privilege escalations.&lt;/P&gt;&lt;P&gt;Hope that answers the question. Basically just a matter of security.&lt;/P&gt;</description>
      <pubDate>Tue, 29 Nov 2022 16:44:31 GMT</pubDate>
      <guid>https://community.databricks.com/t5/data-governance/unity-catalog-setup-why-must-the-first-azure-databricks-account/m-p/20022#M709</guid>
      <dc:creator>LandanG</dc:creator>
      <dc:date>2022-11-29T16:44:31Z</dc:date>
    </item>
    <item>
      <title>Re: Unity Catalog Setup: Why must the first Azure Databricks account admin be an Azure Active Directory Global Administrator at the time that they first log in to the Azure Databricks account console?</title>
      <link>https://community.databricks.com/t5/data-governance/unity-catalog-setup-why-must-the-first-azure-databricks-account/m-p/20023#M710</link>
      <description>&lt;P&gt;So after "making anyone else an account admin" by the first super admin (aka Azure global AAD admin), can we remove him from the Databricks account or downgrade his Databricks account admin role? Our Azure AAD admin doesn't use or need to manage our Databricks setup.&lt;/P&gt;</description>
      <pubDate>Sun, 25 Dec 2022 03:46:12 GMT</pubDate>
      <guid>https://community.databricks.com/t5/data-governance/unity-catalog-setup-why-must-the-first-azure-databricks-account/m-p/20023#M710</guid>
      <dc:creator>prasadvaze</dc:creator>
      <dc:date>2022-12-25T03:46:12Z</dc:date>
    </item>
  </channel>
</rss>

