Sync users and groups automatically from Microsoft Entra ID

This page describes how Azure Databricks automatically syncs users, service principals, and groups from Microsoft Entra ID using automatic identity management.

Automatic identity management overview

Automatic identity management enables you to seamlessly add users, service principals, and groups from Microsoft Entra ID into Azure Databricks without configuring an application in Microsoft Entra ID. When automatic identity management is enabled, you can directly search in identity federated workspaces for Microsoft Entra ID users, service principals, and groups, and add them to your workspace. Databricks uses Microsoft Entra ID as the source of record, so any changes to group memberships are respected in Azure Databricks.

Just-in-time (JIT) provisioning is always enabled when automatic identity management is turned on, and you cannot turn it off. New users from Microsoft Entra ID are automatically provisioned in Azure Databricks upon first login. See Automatically provision users (JIT).

[Image: Add Microsoft Entra ID group from workspace]

Users can also share dashboards with any user, service principal, or group in Microsoft Entra ID. Those users are automatically added to the Azure Databricks account upon login. They are not added as members to the workspace that the dashboard is in. Members of Microsoft Entra ID who do not have access to the workspace are granted access to a view-only copy of a dashboard published with embedded credentials. For more information on dashboard sharing, see Share a dashboard.

Automatic identity management is not supported in non-identity federated workspaces. For more information on identity federation, see Enable identity federation.

User and group statuses

When automatic identity management is enabled, users, service principals, and groups from Microsoft Entra ID are visible in the account console and the workspace admin settings page. Their status reflects their activity and state between Microsoft Entra ID and Azure Databricks:

Status | Meaning
Inactive: No usage | Identity in Microsoft Entra ID that has not logged in to Azure Databricks yet.
Active | Identity is active in Azure Databricks.
Active: Removed From EntraID | Previously active in Azure Databricks and since removed from Microsoft Entra ID.
Deactivated | Identity has been deactivated in Microsoft Entra ID.

Deactivated users and users removed from Microsoft Entra ID cannot log in to Azure Databricks or authenticate to Azure Databricks APIs. As a security best practice, we recommend revoking personal access tokens for Deactivated and Active: Removed From EntraID users.

Groups and service principals that are managed using automatic identity management are shown as External in Azure Databricks. External identities cannot be updated using the Azure Databricks UI.

Automatic identity management vs SCIM provisioning

When automatic identity management is enabled, all users, groups, and group memberships sync from Microsoft Entra ID to Azure Databricks, so SCIM provisioning is not necessary. If you keep the SCIM enterprise application running in parallel, the SCIM application continues to manage the users and groups configured in the Microsoft Entra ID enterprise application. It does not manage Microsoft Entra ID identities that were not added using SCIM provisioning.

Databricks recommends using automatic identity management. The table below compares features of automatic identity management with the features of SCIM provisioning.

Features Automatic identity management SCIM provisioning
Sync users
Sync groups (Direct members only)
Sync nested groups
Sync service principals
Configure and manage Microsoft Entra ID application
Requires Microsoft Entra ID Premium edition
Requires Microsoft Entra ID Cloud Application Administrator role
Requires identity federation

Azure Databricks external Id and Microsoft Entra ID object Id

Azure Databricks uses the Microsoft Entra ID ObjectId as the authoritative link for syncing identities and group memberships, and automatically updates the externalId field to match the ObjectId in a daily recurring flow. In some cases, mismatches or duplicate identities might still occur, especially if a user, service principal, or group is added to Azure Databricks through both automatic identity management and another method, such as SCIM provisioning. In these situations, you might see duplicate entries, one of them listed with the status Inactive: No usage. That user is not actually inactive and can log in to Azure Databricks.

You can merge these duplicate identities by providing their external ID in Azure Databricks. Use the Account Users, Account Service Principals, or Account Groups API to update the principal to add their Microsoft Entra ID objectId in the externalId field.

Because the externalId can update over time, Azure Databricks strongly recommends that you do not use custom workflows that depend on the externalId field.
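The merge described above can be scripted. The following is an added example, not Databricks code: it scans a list of account SCIM user records for duplicate userNames, picks the one Microsoft Entra ID objectId the duplicates agree on, and builds the SCIM 2.0 PATCH that writes it into externalId of the record that lacks it. The account SCIM path (`/api/2.0/accounts/{account_id}/scim/v2/Users/{id}`), the PatchOp body shape and the `send_patch` helper are assumptions about the Account Users API; the user records and the account ID are constructed placeholders, not real identities.

```python
"""Find duplicate Azure Databricks account identities and build the SCIM
PATCH that sets externalId to the Microsoft Entra ID objectId.

Added example, not Databricks code. Assumptions: the account-level SCIM
endpoint path, the SCIM 2.0 PatchOp body shape, and the sample user list,
which is constructed for this example (placeholder ids and GUIDs).
"""
import json
import os
import urllib.request
from collections import defaultdict

# Assumption: account-level SCIM base host for Azure Databricks.
ACCOUNTS_HOST = "https://accounts.azuredatabricks.net"


def find_duplicates(users):
    """Group SCIM user records by case-insensitive userName and return
    only the names that appear more than once."""
    by_name = defaultdict(list)
    for u in users:
        by_name[u["userName"].lower()].append(u)
    return {name: recs for name, recs in by_name.items() if len(recs) > 1}


def pick_entra_object_id(records):
    """Return the single Entra objectId present across duplicate records,
    or None if the records disagree or none of them carries an externalId."""
    ids = {r["externalId"] for r in records if r.get("externalId")}
    return ids.pop() if len(ids) == 1 else None


def build_external_id_patch(account_id, user_id, object_id):
    """Build (url, body) for a SCIM 2.0 PATCH that replaces externalId."""
    url = f"{ACCOUNTS_HOST}/api/2.0/accounts/{account_id}/scim/v2/Users/{user_id}"
    body = {
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
        "Operations": [{"op": "replace", "path": "externalId", "value": object_id}],
    }
    return url, body


def plan_merges(account_id, users):
    """For each duplicated userName, return the PATCHes that stamp the
    agreed Entra objectId onto the records that do not yet carry it.
    Duplicates whose externalIds conflict are skipped for manual review."""
    plan = []
    for recs in find_duplicates(users).values():
        oid = pick_entra_object_id(recs)
        if oid is None:
            continue  # ambiguous: two different externalIds, needs a human decision
        for r in recs:
            if r.get("externalId") != oid:
                plan.append(build_external_id_patch(account_id, r["id"], oid))
    return plan


def send_patch(url, body, token):
    """Send one PATCH with a bearer token; only used when a token is set."""
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        method="PATCH",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/scim+json"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


# Constructed sample: two records for the same person, one carrying the Entra
# objectId as externalId and one created by a second path without it, plus
# an unrelated user. All ids and GUIDs are placeholders.
SAMPLE_USERS = [
    {"id": "1001", "userName": "alice@example.com",
     "externalId": "00000000-0000-0000-0000-00000000aaaa"},
    {"id": "1002", "userName": "Alice@example.com"},
    {"id": "1003", "userName": "bob@example.com",
     "externalId": "00000000-0000-0000-0000-00000000bbbb"},
]

if __name__ == "__main__":
    # Dry run by default: print the planned PATCHes; send only if a token is set.
    for url, body in plan_merges("ACCOUNT_ID_PLACEHOLDER", SAMPLE_USERS):
        print(url, json.dumps(body))
        if os.environ.get("DATABRICKS_TOKEN"):
            print(send_patch(url, body, os.environ["DATABRICKS_TOKEN"]))
```

The script is a dry run unless `DATABRICKS_TOKEN` is set, so you can review the planned PATCHes first. Because the page notes that externalId is rewritten daily to match the ObjectId, the script treats externalId only as the value to set, never as a stable key to build other workflows on.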

Enable automatic identity management

Automatic identity management is enabled by default for accounts created after August 1, 2025. Account admins can enable automatic identity management in the account console.

  1. As an account admin, log in to the account console.

  2. In the sidebar, click Settings.

  3. In the User provisioning tab, toggle Automatic identity management to Enabled.

    Changes take five to ten minutes to take effect.

    [Image: Automatic identity management enabled in the account]

After your account is enabled, to add and remove users, service principals, and groups from Microsoft Entra ID, follow the instructions below:

Disable automatic identity management

When automatic identity management is disabled:

  • Users and service principals remain: They retain access but are no longer synced with Microsoft Entra ID. You can manually remove or deactivate users and service principals in the account console after disabling automatic identity management.
  • Groups lose membership: Groups remain in Azure Databricks, but all group members are removed.
  • No sync with Microsoft Entra ID: Changes in Microsoft Entra ID (such as user removals or group updates) are not reflected in Azure Databricks.
  • No permission inheritance: Users managed by automatic identity management cannot inherit permissions from parent groups. This affects nested group-based permission models.

If you plan to disable automatic identity management, Databricks recommends setting up SCIM provisioning in advance as a fallback. SCIM can then take over identity and group synchronization.

  1. As an account admin, log in to the account console.

  2. In the sidebar, click Settings.

  3. In the User provisioning tab, toggle Automatic identity management to Disabled.