
Configure Microsoft Entra ID for automatic identity management

Preview

This feature is in Public Preview.

This page describes how to configure Microsoft Entra ID to provision users, groups, and service principals to your Databricks account using automatic identity management. Databricks uses the Microsoft Graph API to read user, group, service principal, and group membership data from your Microsoft Entra ID tenant. To enable automatic identity management, you must register a new Microsoft Entra ID application with federated credentials and grant read permissions on your SSO application.

Before you begin

  • You must be an account admin in Databricks.
  • You must have Microsoft Entra ID admin access.
  • You must have SSO configured using OIDC with the same Microsoft Entra ID tenant.
Note

If you don't have SSO configured using OIDC, or need to use a different Microsoft Entra ID tenant, contact your Databricks account team.

Step 1: Find your SSO app

Locate the Microsoft Entra ID application used to configure SSO for your Databricks account. You will use this application throughout the remaining steps.

  1. In the Azure portal, go to Microsoft Entra ID > Manage > App registrations > All applications and search for the app that was used to set up SSO for your Databricks account.
  2. On the overview page, note the Application ID. You will use this value in Step 5.

Step 2: Create a federated credential

Create a federated credential that allows Databricks to authenticate as your SSO application.

  1. As an account admin, log in to the account console.
  2. In the sidebar, click Security.
  3. Click the User provisioning tab, then click Configure in the Automatic identity management section.
  4. In the dialog, note the Issuer and Subject values shown.
  5. In the Azure portal, navigate to the SSO app registration from Step 1.
  6. Click Manage > Certificates & secrets.
  7. Select the Federated credentials tab, then click Add credential.
  8. Set Federated credential scenario to Other issuer.
  9. For Issuer, enter the value from the Databricks account console.
  10. For Type, select Explicit subject identifier.
  11. For Value, enter the Subject value from the Databricks account console.
  12. Leave all other values unchanged and click Add.

Step 3: Grant read permissions

A Microsoft Entra ID admin must grant the following application-level permissions to your SSO application:

Permission              Purpose
User.Read.All           Allows Databricks to query users and read their attributes
Group.Read.All          Allows Databricks to query groups and read their attributes
Application.Read.All    Allows Databricks to query service principals and read their attributes
GroupMember.Read.All    Allows Databricks to query group memberships

To grant permissions:

  1. In the Azure portal, navigate to the SSO app registration from Step 1 and click Manage > API permissions > Add a permission.
  2. Select Microsoft Graph > Application permissions, then search for and select each permission listed above.
  3. Click Grant admin consent.
Note

After assigning permissions, you might see "Not granted for …" warning messages. A Microsoft Entra ID admin must click Grant admin consent to clear these warnings. This button is only visible to admins with the required roles.
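The following script is an added example, not Databricks or Microsoft code, that audits the result of Step 2 and Step 3 from a defender's side: it confirms that exactly one federated credential matches the issuer and subject shown in the account console, that the four Microsoft Graph application permissions are both requested and admin-consented (an unconsented permission is what produces the "Not granted for …" warning), and it flags any additional Graph application permissions the app carries beyond what Databricks needs. It works on JSON in the shape Microsoft Graph returns for an application's federatedIdentityCredentials and requiredResourceAccess, the Microsoft Graph service principal's appRoles, and the app's service principal appRoleAssignments. The sample data, the issuer and subject strings, and every GUID other than the well-known Microsoft Graph appId are constructed placeholders.

```python
"""Audit the SSO app registration used for Databricks automatic identity management.

Added example, not Databricks or Microsoft code. Input shapes follow Microsoft
Graph's federatedIdentityCredentials, requiredResourceAccess, appRoles and
appRoleAssignments resources. All sample values below are constructed.
"""

# Well-known appId of the Microsoft Graph resource (same in every tenant).
MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
# Audience the portal assigns to a federated credential when left unchanged.
DEFAULT_FIC_AUDIENCE = "api://AzureADTokenExchange"
# Application permissions Databricks needs (Step 3).
REQUIRED_ROLES = {"User.Read.All", "Group.Read.All",
                  "Application.Read.All", "GroupMember.Read.All"}


def check_federated_credential(credentials, issuer, subject):
    """Return findings for the app's federated credentials (Step 2).

    One credential should match the Databricks issuer and subject with the
    default audience; any other credential lets a different issuer obtain
    tokens for this app and deserves review.
    """
    findings = []
    matches = [c for c in credentials
               if c.get("issuer") == issuer and c.get("subject") == subject]
    if not matches:
        findings.append("no federated credential matches the Databricks issuer/subject")
    for c in matches:
        if c.get("audiences") != [DEFAULT_FIC_AUDIENCE]:
            findings.append(f"credential {c.get('name')!r} has audiences {c.get('audiences')}")
    for c in credentials:
        if c not in matches:
            findings.append(f"unexpected credential {c.get('name')!r} for issuer {c.get('issuer')!r}")
    return findings


def check_graph_permissions(required_resource_access, graph_app_roles,
                            app_role_assignments, graph_sp_object_id):
    """Return (missing, unconsented, extra) Graph application permissions (Step 3).

    missing:     required by Databricks but not requested on the app registration
    unconsented: requested but without admin consent ("Not granted for ..." warning)
    extra:       requested beyond what Databricks needs; review for least privilege
    """
    # Resolve role ids to names using the Graph service principal's own appRoles.
    role_name = {r["id"]: r["value"] for r in graph_app_roles
                 if "Application" in r.get("allowedMemberTypes", [])}
    requested = set()
    for rra in required_resource_access:
        if rra.get("resourceAppId") != MS_GRAPH_APP_ID:
            continue
        for access in rra.get("resourceAccess", []):
            if access.get("type") == "Role":  # "Scope" entries are delegated permissions
                requested.add(role_name.get(access["id"], access["id"]))
    # Admin consent shows up as appRoleAssignments on the app's service principal.
    consented = {role_name.get(a["appRoleId"], a["appRoleId"])
                 for a in app_role_assignments
                 if a.get("resourceId") == graph_sp_object_id}
    return (REQUIRED_ROLES - requested,
            (REQUIRED_ROLES & requested) - consented,
            requested - REQUIRED_ROLES)


# ---- constructed sample data (placeholders, not real tenant values) ----
ISSUER = "https://issuer.placeholder.example"   # stands in for the console's Issuer value
SUBJECT = "subject-placeholder"                  # stands in for the console's Subject value
GRAPH_SP_OBJECT_ID = "11111111-1111-1111-1111-111111111111"
ROLE_IDS = {name: f"aaaaaaaa-0000-0000-0000-00000000000{i}" for i, name in enumerate(
    ["User.Read.All", "Group.Read.All", "Application.Read.All",
     "GroupMember.Read.All", "Directory.ReadWrite.All"], start=1)}
SAMPLE_GRAPH_APP_ROLES = [{"id": rid, "value": name, "allowedMemberTypes": ["Application"]}
                          for name, rid in ROLE_IDS.items()]
SAMPLE_FEDERATED_CREDENTIALS = [
    {"name": "databricks-aim", "issuer": ISSUER, "subject": SUBJECT,
     "audiences": [DEFAULT_FIC_AUDIENCE]},
    {"name": "leftover-test", "issuer": "https://other.placeholder.example",
     "subject": "someone-else", "audiences": [DEFAULT_FIC_AUDIENCE]},
]
SAMPLE_REQUIRED_RESOURCE_ACCESS = [{
    "resourceAppId": MS_GRAPH_APP_ID,
    "resourceAccess": [
        {"id": ROLE_IDS["User.Read.All"], "type": "Role"},
        {"id": ROLE_IDS["Group.Read.All"], "type": "Role"},
        {"id": ROLE_IDS["Application.Read.All"], "type": "Role"},
        {"id": ROLE_IDS["Directory.ReadWrite.All"], "type": "Role"},  # over-broad
        {"id": "bbbbbbbb-0000-0000-0000-000000000001", "type": "Scope"},  # delegated, ignored
    ],
}]
SAMPLE_APP_ROLE_ASSIGNMENTS = [  # only two requested roles have admin consent
    {"appRoleId": ROLE_IDS["User.Read.All"], "resourceId": GRAPH_SP_OBJECT_ID},
    {"appRoleId": ROLE_IDS["Group.Read.All"], "resourceId": GRAPH_SP_OBJECT_ID},
]


def run_sample():
    """Run both checks over the constructed sample and return the findings."""
    missing, unconsented, extra = check_graph_permissions(
        SAMPLE_REQUIRED_RESOURCE_ACCESS, SAMPLE_GRAPH_APP_ROLES,
        SAMPLE_APP_ROLE_ASSIGNMENTS, GRAPH_SP_OBJECT_ID)
    return {"federated_credential": check_federated_credential(
                SAMPLE_FEDERATED_CREDENTIALS, ISSUER, SUBJECT),
            "missing": sorted(missing), "unconsented": sorted(unconsented),
            "extra": sorted(extra)}


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

Against the sample, the audit reports GroupMember.Read.All as missing, Application.Read.All as requested but unconsented, Directory.ReadWrite.All as an extra permission to review, and a second federated credential for an unrelated issuer. To run it against a real tenant, feed it the corresponding Graph objects for the SSO app from Step 1 and the issuer and subject values from the account console in place of the placeholders.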

Step 4: Enable group claims

Enabling group claims allows Databricks to retrieve group memberships from the SSO OAuth token during login.

  1. In the Azure portal, navigate to the SSO app registration from Step 1.
  2. Click Manage > Token configuration > Add groups claim.
  3. Select All groups and click Add.

Step 5: Enable automatic identity management in Databricks

  1. As an account admin, log in to the account console.

  2. In the sidebar, click Security.

  3. Click the User provisioning tab, then click Configure in the Automatic identity management section.

  4. Set Client ID to the Application ID of the SSO app from Step 1.

  5. Click Test connection. If the federated credential and permissions are configured correctly, the test passes.

  6. Click Enable AIM.

    Changes take five to ten minutes to take effect.

Databricks external ID and Microsoft Entra ID object ID

Databricks uses the Microsoft Entra ID ObjectId as the authoritative link for syncing identities and group memberships, and automatically updates the externalId field to match the ObjectId in a daily recurring flow. Databricks recommends against mixing provisioning methods. Adding the same identity through both automatic identity management and SCIM provisioning causes duplicate entries and permission conflicts. Use automatic identity management as the single source of truth, with group memberships mirroring Microsoft Entra ID.

You can merge these duplicate identities by providing their external ID in Databricks. Use the Account Users, Account Service Principals, or Account Groups API to update the principal to add their Microsoft Entra ID objectId in the externalId field.

Because the externalId can update over time, Databricks strongly recommends that you do not use custom workflows that depend on the externalId field.