Azure Databricks administration introduction
This article provides an introduction to Azure Databricks administrator privileges and responsibilities.
Required Azure admin permissions
To manage your Azure Databricks service, you need the following Azure admin permissions:
- A user with the Azure Contributor or Owner role who can view and make changes to your Azure Databricks service, Azure subscription, and diagnostic logging configurations.
- Microsoft Entra ID administrators with permission to enable Microsoft Entra ID (formerly Azure Active Directory) conditional access.
- To create Azure Databricks workspaces, you need to meet one of the following requirements:
  - You must be an Azure Contributor or Owner.
  - The Microsoft.ManagedIdentity resource provider must be registered in your subscription. See Register resource provider in the Azure documentation.
Databricks admin types
There are two main levels of admin privileges available on the Azure Databricks platform:
- Account admins: Manage the Azure Databricks account, including enabling Unity Catalog, user provisioning, and account-level identity management.
- Workspace admins: Manage workspace identities, access control, settings, and features for individual workspaces in the account.
Additionally, users can be assigned these feature-specific admin roles, which have narrower sets of privileges:
- Metastore admins: Manage privileges and ownership for all securable objects within a Unity Catalog metastore, such as who can create catalogs or query a table.
What are account admins?
Account admins have privileges over the entire Azure Databricks account. As an account admin, you can manage account settings, set up user provisioning, create metastores for Unity Catalog enablement, and manage identities across all workspaces in the account.
Account admins can also delegate the account admin and workspace admin roles to any other user.
Establish your first account admin
Note
You must have at least one Azure Databricks workspace deployed in your account before you can establish an account admin.
To enable the account console and establish your first account admin, you'll need to engage someone who has the Microsoft Entra ID (formerly Azure Active Directory) Global Administrator role. For security purposes, only someone with the Microsoft Entra ID Global Administrator role has permissions to assign the first account admin role. After completing these steps, you can remove the Global Administrator from the Azure Databricks account.
The Global Administrator should use the following instructions:
- Sign in to your Azure Portal with your Global Admin credentials.
- Go to accounts.databricks.azure.cn and sign in with Microsoft Entra ID. Azure Databricks automatically creates an account admin role for you.
- Click User management.
- Find and click the username of the user you want to delegate the account admin role to.
- On the Roles tab, turn on Account admin.
Once another user has the account admin role, the Microsoft Entra ID Global Administrator no longer needs to be involved. The new account admin can remove the Global Administrator from the Azure Databricks account and assign other users the account admin role.
Access the account console
The account console is where account admins manage their Azure Databricks account.
Account admins can access the account console at https://accounts.databricks.azure.cn or by clicking their email address at the top of the workspace UI and selecting Manage Account.
Account users who are not account admins can only access the account from https://accounts.databricks.azure.cn. Upon logging in, the account console opens to a list of their workspaces.
Note
If you are in multiple Microsoft Entra ID tenants, the account console URL will bring you to the Azure Databricks account console in your default tenant. To access the account console of a different tenant, access the account console from within a workspace in your preferred tenant.
Account admin responsibilities
As an account admin, your responsibilities include:
- Enabling Unity Catalog
- Managing identities
- Monitoring account usage logs
- Managing account-level settings
Enable Unity Catalog
Note
If your Azure Databricks account was created after November 9, 2023, your workspaces might have Unity Catalog enabled by default. For more information, see Automatic enablement of Unity Catalog.
An account admin is needed to enable Unity Catalog in your account. The process involves creating a Unity Catalog metastore, which can only be done by an account admin.
For instructions on enabling Unity Catalog, see Get started using Unity Catalog.
Manage identities
Account admins should sync their identity provider with Azure Databricks if applicable. See Sync users and groups from Microsoft Entra ID.
If you've enabled Unity Catalog for at least one workspace in your account, identities (users, groups, and service principals) should be managed in the account console. Account admins can grant permissions and assign workspaces to these identities.
For more information, see Manage users and groups.
Manage account settings
Account admins can manage aspects of their Azure Databricks account from the account console using the Settings section. This includes enabling new features across the account and configuring IP access lists.
What are workspace admins?
Workspace admins have admin privileges within a single workspace. They can manage workspace-level identities, regulate compute use, and enable and delegate role-based access control (Premium plan only).
Access the admin settings
Workspace admins are the only users who have access to the workspace's admin settings page. As a workspace admin, you can access admin settings by clicking your username in the top bar of the Azure Databricks workspace and selecting Settings.
Workspace admin responsibilities
As a workspace admin, your responsibilities include:
- Managing identities in your workspace
- Creating and managing compute resources
- Managing workspace features and settings
Manage identities in your workspace
If your workspace is enabled for Unity Catalog, identities should be added at the account level. Workspace admins can then assign users, groups, and service principals to their workspace. For more information on adding and removing identities in a workspace, see Manage users, service principals, and groups.
Create and manage compute resources
Workspace admins can create SQL warehouses (a compute resource that lets you run SQL commands on data objects within Databricks SQL) and clusters for their workspace users. For instructions on creating SQL warehouses, see Create a SQL warehouse.
It is also the workspace admin's job to regulate how compute resources are used in their workspace. Workspace admins have the following tools:
- Limit workspace users' cluster creation options with cluster policies.
- Databricks recommends managing all init scripts as cluster-scoped init scripts. Instead of using global init scripts, manage init scripts using cluster policies.
- Learn which compute resources have Unity Catalog access.
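The following is an added example, not code from this page or from Databricks. It models a cluster policy in the attribute-path syntax that Azure Databricks cluster policies use (an attribute such as init_scripts.0.workspace.destination mapped to a rule with a type) and applies it locally to a cluster specification a workspace user might submit: fixed values and defaults are filled in, and every violation is listed. The real policy engine runs inside the workspace when a cluster is created; this local model only illustrates what such a policy constrains. The policy content, the workspace path of the init script, the allowed runtime versions and both sample specs are constructed for illustration, and the attribute names are assumptions about the policy reference rather than values from this page.

```python
"""Cluster-policy example added to this page; not Databricks' own code.

Models a policy in the attribute-path syntax of Azure Databricks cluster
policies and applies it to a proposed cluster spec, filling in fixed values
and defaults and reporting every violation. All policy values, paths and
sample specs below are constructed for illustration (assumptions).
"""
import re

# Constructed policy: pin one cluster-scoped init script kept in workspace
# files, forbid DBFS-hosted scripts, and bound size, idle time and runtime.
POLICY = {
    "init_scripts.0.workspace.destination": {"type": "fixed", "value": "/Shared/init/harden.sh"},
    "init_scripts.*.dbfs.destination": {"type": "forbidden"},
    "num_workers": {"type": "range", "minValue": 1, "maxValue": 8, "defaultValue": 2},
    "autotermination_minutes": {"type": "range", "minValue": 10, "maxValue": 120, "defaultValue": 60},
    "spark_version": {"type": "allowlist", "values": ["14.3.x-scala2.12", "15.4.x-scala2.12"]},
    "node_type_id": {"type": "regex", "pattern": r"Standard_D\d+s_v5"},
}


def flatten(obj, prefix=""):
    """Turn a nested spec into {"init_scripts.0.workspace.destination": value}."""
    if isinstance(obj, dict):
        return {k2: v2 for k, v in obj.items() for k2, v2 in flatten(v, f"{prefix}{k}.").items()}
    if isinstance(obj, list):
        return {k2: v2 for i, v in enumerate(obj) for k2, v2 in flatten(v, f"{prefix}{i}.").items()}
    return {prefix[:-1]: obj}


def matching_paths(flat, attr):
    """Spec paths covered by a policy attribute; "*" stands for any list index."""
    pattern = "^" + re.escape(attr).replace(r"\*", r"\d+") + "$"
    return [p for p in flat if re.match(pattern, p)]


def check(path, rule, value):
    """Return a violation message for one attribute, or None if it complies."""
    kind = rule["type"]
    if kind == "forbidden":
        return f"{path}: attribute is not allowed by policy"
    if kind == "fixed" and value != rule["value"]:
        return f"{path}: must be {rule['value']!r}, got {value!r}"
    if kind == "allowlist" and value not in rule["values"]:
        return f"{path}: {value!r} is not in the allowlist"
    if kind == "blocklist" and value in rule["values"]:
        return f"{path}: {value!r} is blocked"
    if kind == "regex" and not re.fullmatch(rule["pattern"], str(value)):
        return f"{path}: {value!r} does not match {rule['pattern']!r}"
    if kind == "range":
        lo, hi = rule.get("minValue", float("-inf")), rule.get("maxValue", float("inf"))
        if not lo <= value <= hi:
            return f"{path}: {value!r} is outside [{lo}, {hi}]"
    return None


def apply_policy(policy, spec):
    """Fill in fixed values and defaults, then list every violation.

    Returns (effective_flat_spec, violations); an empty violation list means
    the cluster would be allowed under the policy.
    """
    effective = flatten(spec)
    violations = []
    for attr, rule in policy.items():
        paths = matching_paths(effective, attr)
        if not paths and "*" not in attr:
            # Absent attribute: a fixed rule pins it, a default pre-fills it.
            if rule["type"] == "fixed":
                effective[attr] = rule["value"]
            elif "defaultValue" in rule:
                effective[attr] = rule["defaultValue"]
            continue
        for p in paths:
            msg = check(p, rule, effective[p])
            if msg:
                violations.append(msg)
    return effective, violations


# Constructed sample specs: what a workspace user might submit.
COMPLIANT = {
    "spark_version": "15.4.x-scala2.12",
    "node_type_id": "Standard_D4s_v5",
    "num_workers": 4,
    "init_scripts": [{"workspace": {"destination": "/Shared/init/harden.sh"}}],
}
NONCOMPLIANT = {
    "spark_version": "13.3.x-scala2.12",
    "node_type_id": "Standard_E8s_v5",
    "num_workers": 40,
    "autotermination_minutes": 0,
    "init_scripts": [
        {"workspace": {"destination": "/Users/someone/mine.sh"}},
        {"dbfs": {"destination": "dbfs:/tmp/extra.sh"}},
    ],
}

if __name__ == "__main__":
    for name, spec in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT)):
        _, problems = apply_policy(POLICY, spec)
        print(name, "->", "allowed" if not problems else "rejected")
        for problem in problems:
            print("   ", problem)
```

The compliant spec is accepted with autotermination_minutes pre-filled to the policy default, while the noncompliant one is rejected for every attribute it gets wrong at once, which is the behaviour an admin wants from a policy: the user sees all constraints up front rather than discovering them one by one.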
Manage workspace features and settings
Workspace admins are responsible for managing select workspace behavior and settings. For information on other available workspace settings, see Managing workspace settings.