Azure Databricks Workspace: Users are being added to the admins group on their own

Chris O'Brien 0 Reputation points
2024-11-01T10:04:34.28+00:00

We have an Azure Databricks workspace with Unity Catalog enabled. We are using SCIM provisioning to sync some Entra security groups to the workspace so that we can control access to the catalog items. We have noticed that some users are being added automatically to the workspace admin group. I can remove the users, but they slowly start reappearing in the admin group again without anyone selecting the option to add the users.

I'm not sure if SCIM provisioning could be causing this, but please can someone assist with what could be causing users to be added to the admin group on their own without anyone explicitly selecting the option to add them?


1 answer

  1. Amira Bedhiafi 26,491 Reputation points
    2024-11-02T13:58:14.5833333+00:00

    If users in your Azure Databricks workspace are being automatically added to the admin group without any direct action, the issue may be linked to SCIM provisioning or other group management settings.

    The first step is to verify that the SCIM provisioning configuration in Microsoft Entra ID does not include rules or mappings that automatically place certain security group members into the Databricks admin group.

    You may have some nested groups that are being synchronized. If a nested group that contains users is provisioned as part of an admin group, its members may be included automatically.

    With Unity Catalog, users and groups can inherit privileges based on catalog configurations, so check that there are no catalog-wide settings that automatically promote certain user groups or specific roles to admin privileges.

    Have you also checked whether there are custom sync rules or scripts in Microsoft Entra ID that trigger user promotions based on specific attributes or conditions?

    One last thing, if you are using any third-party identity management tools or systems that may have access to both Azure Databricks and Microsoft Entra ID, keep in mind that these tools could be orchestrating changes based on predefined roles or permissions.
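One way to track down this kind of drift is to audit the workspace `admins` group against an approved baseline and flag nested groups, since a nested group synced into `admins` makes all of its members admins. The script below is an added example, not code from the post or from Databricks; it assumes the workspace SCIM Groups endpoint (`/api/2.0/preview/scim/v2/Groups`) and a constructed sample response whose member `$ref` values contain `Users/` or `Groups/`.

```python
"""Audit the Databricks 'admins' group for unexpected members and nested groups.

Added example, not from the original post. The baseline and the sample SCIM
response below are constructed; the $ref shape (Users/... vs Groups/...) is
an assumption about the Groups endpoint's member entries.
"""
import json
import urllib.request

# Constructed approved-admin baseline (assumption: maintained by the workspace owners).
APPROVED_ADMINS = {"alice@example.com", "bob@example.com"}

# Constructed sample SCIM response for the admins group: each member carries a
# display name and a $ref pointing at either a user or a nested group.
SAMPLE_GROUPS_RESPONSE = json.dumps({
    "Resources": [{
        "id": "1", "displayName": "admins",
        "members": [
            {"display": "alice@example.com", "$ref": "Users/10"},
            {"display": "bob@example.com", "$ref": "Users/11"},
            {"display": "carol@example.com", "$ref": "Users/12"},
            {"display": "data-engineers", "$ref": "Groups/20"},
        ],
    }]
})


def fetch_admins_group(host: str, token: str) -> str:
    """Fetch the admins group from a live workspace (not used by the audit logic)."""
    url = f"{host}/api/2.0/preview/scim/v2/Groups?filter=displayName+eq+admins"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()


def audit_admins(scim_json: str, approved: set) -> dict:
    """Return unexpected direct members, nested groups, and missing approved admins."""
    groups = json.loads(scim_json)["Resources"]
    admins = next(g for g in groups if g["displayName"] == "admins")
    members = admins.get("members", [])
    # A nested group inside admins makes every transitive member an admin.
    nested = sorted(m["display"] for m in members if "Groups/" in m.get("$ref", ""))
    users = {m["display"] for m in members if "Users/" in m.get("$ref", "")}
    return {"unexpected_users": sorted(users - approved), "nested_groups": nested,
            "missing_approved": sorted(approved - users)}


if __name__ == "__main__":
    print(audit_admins(SAMPLE_GROUPS_RESPONSE, APPROVED_ADMINS))
```

Running the audit on a schedule and diffing its output against the previous run shows when a member reappears, which narrows down whether the change coincides with a SCIM sync cycle.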

