<\/p>\n\n\n\n
In Databricks, identities (users, groups, service principals) live at the account<\/strong> level and can be assigned to one or more workspaces<\/strong>. For Unity Catalog (UC), principals must exist at the account<\/strong> level to be granted data privileges, and Databricks recommends provisioning via SCIM<\/strong> from your IdP (Microsoft Entra ID). (Microsoft Learn<\/a>)<\/p>\n\n\n\n Roles you typically need<\/strong><\/p>\n\n\n\n Entra \u201cusers\u201d become principals you can provision<\/strong> into Databricks with SCIM. (Microsoft Learn<\/a>)<\/p>\n<\/blockquote>\n\n\n\n \u2705 Best practice: Use SCIM<\/strong> to sync identities automatically (next section). Account admins can also assign users to workspaces<\/strong> from the account console (assuming identity federation). (Microsoft Learn<\/a>)<\/p>\n<\/blockquote>\n\n\n\n SCIM<\/strong> (System for Cross-domain Identity Management) is the standard used to auto-provision<\/strong> users and groups from your IdP (Microsoft Entra ID) into the Databricks account<\/strong>. Once configured, new Entra users\/groups sync automatically into Databricks (no manual adds), and removals\/updates propagate. (Microsoft Learn<\/a>)<\/p>\n\n\n\n High-level setup (Entra \u2192 Databricks account)<\/strong><\/p>\n\n\n\n If you previously synced identities to individual workspaces<\/strong>, disable those connectors when enabling account-level SCIM<\/strong>. (Databricks Documentation<\/a>)<\/p>\n<\/blockquote>\n\n\n\n Why groups?<\/strong> Grant permissions to a group<\/strong> (e.g., Create groups<\/strong><\/p>\n\n\n\n Use cases<\/strong><\/p>\n\n\n\n From the Account console<\/strong>:<\/p>\n\n\n\n Assign groups<\/strong> instead of individual users so new team members inherit access automatically.<\/p>\n<\/blockquote>\n\n\n\n Within each workspace<\/strong>, a principal needs the right entitlements<\/strong> (\u201cpersonas\u201d):<\/p>\n\n\n\n Where to set (workspace)<\/strong><\/p>\n\n\n\n Examples<\/strong><\/p>\n\n\n\n A service principal<\/strong> (SP) is a non-human identity you use for automation<\/strong> (Jobs, pipelines, CI\/CD, API\/CLI). You can create:<\/p>\n\n\n\n Create Entra service principal (app registration)<\/strong><\/p>\n\n\n\n You\u2019ll use these when granting the SP access to Databricks and other Azure resources.<\/p>\n<\/blockquote>\n\n\n\n At the account level<\/strong><\/p>\n\n\n\n Assign the SP to workspaces<\/strong><\/p>\n\n\n\n Use cases<\/strong><\/p>\n\n\n\n (Use the Account<\/strong> vs Workspace<\/strong> CLI context appropriately.)<\/p>\n\n\n\n\n
\n\n\n\nHow to add\/create new users in Microsoft Entra ID (Azure AD)<\/h1>\n\n\n\n
\n
\n
\n\n\n\nHow to add\/create new users in the Databricks Account console<\/strong><\/h1>\n\n\n\n
If you must add manually:<\/p>\n\n\n\n\n
\n
\n\n\n\nWhat is SCIM<\/strong> in Databricks?<\/h1>\n\n\n\n
\n
\n
\n\n\n\nCreate and Use Groups<\/strong> in Databricks<\/h1>\n\n\n\n
data-analysts<\/code>, data-engineers<\/code>) instead of individual users. This simplifies workspace access, persona\/entitlements, and data permissions in Unity Catalog. (Microsoft Learn<\/a>)<\/p>\n\n\n\n\n
\n
data-analysts<\/code>: Databricks SQL<\/strong> persona only.<\/li>\n\n\n\ndata-engineers<\/code>: Workspace<\/strong> persona (DE\/ML), plus Cluster create<\/strong> ability.<\/li>\n\n\n\nplatform-admins<\/code>: Workspace admins.<\/li>\n<\/ul>\n\n\n\n
\n\n\n\nAssign users (or groups) to a Workspace<\/strong><\/h1>\n\n\n\n
\n
\n
\n\n\n\nWorkspace-level access or Persona<\/strong> in Databricks (Entitlements)<\/h1>\n\n\n\n
\n
Entitlements are available in Premium<\/strong> or above and managed by a workspace admin<\/strong>. (Microsoft Learn<\/a>, Databricks Documentation<\/a>)<\/li>\n<\/ul>\n\n\n\n\n
\n
\n\n\n\n How to create a Service Principal<\/strong> in Microsoft Azure<\/h1>\n\n\n\n
\n
\n
etl-automation-sp<\/code>) \u2192 Register<\/strong>.<\/li>\n\n\n\n\n
\n\n\n\nAdd Service Principal to the Databricks Workspace<\/strong><\/h1>\n\n\n\n
\n
\n
\n
\n
\n\n\n\nHandy snippets & checklists<\/h2>\n\n\n\n
Databricks CLI (optional) quick checks<\/h3>\n\n\n\n
# List account\/workspace scopes or principals (run in the right context\/profile)\ndatabricks secrets list-scopes\ndatabricks groups list # list workspace groups (if using workspace API)\ndatabricks service-principals list\n<\/code><\/pre>\n\n\n\nWho can manage what?<\/h3>\n\n\n\n
\n
Best practices<\/h3>\n\n\n\n
\n