SSO to Databricks with Microsoft Entra ID

This page shows how to configure Microsoft Entra ID as the identity provider for single sign-on (SSO) in your Databricks account. Microsoft Entra ID supports both OpenID Connect (OIDC) and SAML 2.0. To sync users and groups from Microsoft Entra ID, see Sync users and groups from your identity provider using SCIM.

warning

To prevent getting locked out of Databricks during single sign-on testing, keep the account console open in a different browser window. You can also configure emergency access with security keys to prevent lockout. See Emergency access to prevent lockouts.

Enable Microsoft Entra ID single sign-on

Choose your identity protocol:

OIDC

1. As an account admin, log in to the account console and click Security.

2. Click the Authentication tab.

3. Next to Authentication, click Manage.

4. Choose Single sign-on with my identity provider.

5. Click Continue.

6. Under Identity protocol, select OpenID Connect.

7. On the Authentication tab, make note of the Databricks Redirect URL value.

8. In another browser tab, create a Microsoft Entra ID application:

   1. Log in to the Azure portal as an administrator.
   2. In the left navigation, click Microsoft Entra ID.
   3. Click App registrations > New registration.
   4. Enter a name.
   5. Under Supported account types choose: Accounts in this organizational directory only.
   6. Under Redirect URI, choose web and paste the Databricks Redirect URL value.
   7. Click Register.

9. Gather the required information from the Microsoft Entra ID application:

   1. Under Essentials, copy the Application (client) ID.
   2. Click Endpoints.
   3. Copy the URL under OpenID Connect metadata document
   4. In the left pane, click Certificates & secrets.
   5. Click + New client secret.
   6. Enter a description and choose an expiration.
   7. Click Add.
   8. Copy the secret value.

10. Return to the Databricks account console Authentication page and enter values you copied from the identity provider application to the Client ID, Client secret, and OpenID issuer URL fields. Remove the /.well-known/openid-configuration ending from the URL.

    You can specify query parameters by appending them to the issuer URL, for example {issuer-url}?appid=123.

11. Optionally, enter the name of a claim in the Username claim if you want to use a claim other than email as users' Databricks usernames. For more information, see Customize a claim to use for your account's usernames.

    

12. Click Save.

13. Click Test SSO to validate that your SSO configuration is working properly. Databricks opens a new browser window and attempts to authenticate using Microsoft Entra ID. Complete the sign-in flow and review the test results.

14. Click Enable SSO to enable single sign-on for your account.

15. Test account console login with SSO. For testing steps, see Test your SSO configuration.

SAML 2.0

1. As an account admin, log in to the account console and click Security.

2. Click the Authentication tab.

3. Next to Authentication, click Manage.

4. Choose Single sign-on with my identity provider.

5. Click Continue.

6. Under Identity protocol, select SAML 2.0.

7. On the Authentication tab, make note of the Databricks Redirect URL value.

   

8. In another browser tab, create a Microsoft Entra ID application:

   1. Log in to Azure portal as an administrator.
   2. In the left navigation, click Microsoft Entra ID > Enterprise applications. The All applications pane opens and displays a random sample of the applications in your Microsoft Entra ID tenant.
   3. Click New application.
   4. Click Create your own application.
   5. Enter a name.
   6. Under What are you looking to do with your application? choose Integrate any other application you don't find in the gallery.

9. Configure the Microsoft Entra ID application:

   1. Click Properties.

   2. Set Assignment required to No. This option allows all users to sign in to the Databricks account. Users must have access to this SAML application to log into your Databricks account using SSO.

   3. In the application's properties pane, click Set up single sign on.

   4. Click SAML to configure the application for SAML authentication. The SAML properties pane appears.

   5. Next to Basic SAML configuration, click Edit.

   6. Set Entity ID to the Databricks SAML URL you got from the Databricks SSO configuration page.

   7. Set Reply URL to the Databricks SAML URL you got from the Databricks SSO configuration page.

   8. Next to SAML Signing Certificate, click Edit.

   9. In the Signing Option drop-down list, select Sign SAML response and assertion and set the Signing Algorithm to SHA-256 for enhanced security.

   10. In Attributes & Claims, click Edit.

   11. Set the Unique User Identifier (Name ID) field to user.mail.

   12. Under SAML Certificates, next to Certificate (Base64), click Download. The certificate is downloaded locally as a file with the .cer extension.

   13. Open the .cer file in a text editor and copy the file contents. The file is the entire x.509 certificate for the Microsoft Entra ID SAML application.

       important

       • Do not open it using the macOS keychain, which is the default application for that file type in macOS.
       • The certificate is sensitive data. Use caution about where to download it. Delete it from local storage as soon as possible.

   14. In the Azure portal, under Set up Microsoft Entra ID SAML Toolkit, copy and save the Login URL and Microsoft Entra ID Identifier.

10. Return to the Databricks account console Authentication tab and enter values you copied from Microsoft Entra ID:

    • Single Sign-On URL: The Microsoft Entra ID Login URL
    • Identity Provider Entity ID: The Microsoft Entra ID Microsoft Entra ID Identifier
    • x.509 Certificate: The Microsoft Entra ID x.509 certificate, including the markers for the beginning and end of the certificate

11. Click Save.

12. Click Test SSO to validate that your SSO configuration is working properly. Databricks opens a new browser window and attempts to authenticate using Microsoft Entra ID. Complete the sign-in flow and review the test results.

13. Click Enable SSO to enable single sign-on for your account.

14. Test account console login with SSO. For testing steps, see Test your SSO configuration.

Configure unified login and add users to Databricks

After you configure SSO, Databricks recommends that you configure unified login and add users to your account using SCIM provisioning.

1. Configure unified login

   Unified login allows you to use the account console SSO configuration in your Databricks workspaces. If your account was created after June 21, 2023 or you did not configure SSO before December 12, 2024, unified login is enabled on your account for all workspaces and it cannot be disabled. To configure unified login, see Enable unified login.

2. Add users to Databricks

   1. Enable JIT provisioning

      Databricks recommends enabling JIT to automatically add users to Databricks when they first log in using SSO. JIT provisioning is on by default for accounts created after May 1, 2025 when SSO is configured. See Automatically provision users (JIT).

   2. Configure SCIM provisioning

      Databricks recommends using SCIM provisioning to sync users and groups automatically from your identity provider to your Databricks account. SCIM streamlines onboarding a new employee or team by using your identity provider to create users and groups in Databricks and give them the proper level of access. See Sync users and groups from your identity provider using SCIM.

Customize a claim to use for your account's usernames

By default, usernames in Databricks are represented as a user's email address. To assign usernames using a different value, configure a custom claim in your Microsoft Entra ID account.

Choose your identity protocol:

OIDC

For OIDC applications, configure optional claims using the Token configuration page in your Microsoft Entra ID App Registration.

1. Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.

2. Browse to Identity > Applications > App registrations and select the application you created for Databricks SSO.

3. In the sidebar, under Manage, click Token configuration.

4. Click Add optional claim.

5. For Token type, select ID.

6. Select the claim you want to include in the token (for example, email, preferred_username, or another available claim) and click Add.

   note

   The list of available claims depends on your token version. If you need claims that aren't in the predefined list, use directory extension attributes or a custom claims provider. See Configure optional claims in the Microsoft Entra documentation.

7. If prompted to turn on the Microsoft Graph email permission, select the checkbox and click Add.

8. In the Databricks account console, enter the claim name from step 6 in the Username claim field and click Save.

9. Click Test SSO to validate your configuration, then click Enable SSO.

warning

Some optional claims, such as upn, might not be included in tokens issued by certain Microsoft Entra ID token endpoints (for example, the v2.0 endpoint). If SSO fails after configuring a custom username claim:

• Verify the claim is present in the ID token by inspecting it with jwt.ms.
• See the optional claims reference for which claims are supported for each token version.

SAML 2.0

For SAML applications, configure custom claims using the Attributes & Claims settings in your Microsoft Entra ID Enterprise Application.

1. Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.
2. Browse to Identity > Applications > Enterprise applications and select the application you created for Databricks SSO.
3. In the sidebar, click Single sign-on.
4. In Attributes & Claims, click Edit.
5. Click Add new claim.
   • Enter a Name for the claim. This is the name you enter in the Username claim field of your Databricks SSO configuration.
   • For Source, select Attribute.
   • For Source attribute, select the desired Microsoft Entra ID attribute for this claim.
6. Click Save.
7. In the Databricks account console, enter the claim name from step 5 in the Username claim field and click Save.
8. Click Test SSO to validate your configuration, then click Enable SSO.