🛡️ Azure Databricks users and groups are not synced from Microsoft Entra ID🟢⚪

Contextual name: 🛡️ Databricks users and groups are not synced from Microsoft Entra ID🟢⚪
ID: /ce/ca/azure/databricks/users-and-groups-are-synced-from-entra-id
Tags:
- ⚪ Impossible policy
- 🟢 Policy with categories
- 🟢 Policy with type
Policy Type: COMPLIANCE_POLICY
Policy Categories: SECURITY

Stats

not available

Description

Description

To ensure centralized identity and access management, users and groups from Microsoft Entra ID should be synchronized with Azure Databricks. This is achieved through SCIM provisioning, which automates the creation, update, and deactivation of users and groups in Databricks based on Entra ID assignments. Enabling this integration ensures that access controls in Databricks remain consistent with corporate identity governance policies, reducing the risk of orphaned accounts, stale permissions, and unauthorized access.

Rationale

Syncing users and groups from Microsoft Entra ID centralizes access control, enforces the least privilege principle by automatically revoking unnecessary access, reduces administrative overhead by eliminating manual user management, and ensures auditability and compliance with industry regulations.

Impact

SCIM provisioning requires role mapping to avoid misconfigured user privileges.

Audit

From Azure Portal

Verify SCIM provisioning is enabled:

Go to Microsoft Entra ID.

... see more

Remediation

Open File

Remediation

From Azure Portal

Enable provisioning in Azure Portal:

Go to Microsoft Entra ID.

Under Manage, click Enterprise applications.

Click the name of the Azure Databricks SCIM application.

Under Provisioning, select Automatic and enter the SCIM endpoint and API token from Databricks.

Enable provisioning in Databricks:

Navigate to Admin Console > Identity and Access Management.

Enable SCIM provisioning and generate an API token.

Configure role assignments:

Ensure groups from Entra ID are mapped to appropriate Databricks roles.

Restrict administrative privileges to designated security groups.

Regularly monitor sync logs:

Periodically review sync logs in Microsoft Entra ID and Databricks Admin Console.

Configure Azure Monitor alerts for provisioning failures.

Disable manual user creation in Databricks:

Ensure that all user management is controlled via SCIM sync from Entra ID.

Disable personal access token usage for authentication.

From Azure CLI

Enable SCIM User and Group Provisioning in Azure Databricks:

... see more

policy.yaml

Open File

Linked Framework Sections

Section	Policies	Compliance
💼 CIS Azure v5.0.0 → 💼 2.1.4 Ensure that users and groups are synced from Microsoft Entra ID to Azure Databricks (Manual)	1	no data
💼 CIS Azure v6.0.0 → 💼 2.1.4 Ensure that Users and Groups are Synced from Microsoft Entra ID to Azure Databricks (Manual)	1	no data
💼 Cloudaware Framework → 💼 Secure Access	61	no data

Stats​

Description​

Description​

Rationale​

Impact​

Audit​

From Azure Portal​

Remediation​

Remediation​

From Azure Portal​

From Azure CLI​

policy.yaml​

Linked Framework Sections​

Stats

Description

Description

Rationale

Impact

Audit

From Azure Portal

Remediation

Remediation

From Azure Portal

From Azure CLI

policy.yaml

Linked Framework Sections