Configure SCIM provisioning for Microsoft Azure Active Directory

To enable provisioning to Azure Databricks using Azure Active Directory (Azure AD), you must create an enterprise application for each Azure Databricks workspace.

Note

Provisioning configuration is entirely separate from the process of setting up authentication and conditional access for Azure Databricks workspaces. Authentication for Azure Databricks is handled automatically by Azure Active Directory, using the OpenID Connect protocol flow. Conditional access, which lets you create rules to require multi-factor authentication or restrict logins to local networks, can be established at the service level. For instructions, see Conditional access.

Requirements

Your Azure AD account must be a Premium edition account, and you must be a global administrator for that account to enable provisioning.

Create an enterprise application and connect to the Azure Databricks SCIM API

In the following examples, replace <databricks-instance> with the workspace URL of your Azure Databricks deployment.

  1. Generate a personal access token in Azure Databricks and copy it. You provide this token to Azure AD in a subsequent step.

    Important

    Generate this token as an Azure Databricks admin who will not be managed by the Azure AD enterprise application. An Azure Databricks admin user who is managed by this enterprise application can be deprovisioned using Azure AD, which would cause your SCIM provisioning integration to be disabled.

  2. In your Azure portal, go to Azure Active Directory > Enterprise Applications.

  3. Click + New Application above the application list. Under Add from the gallery, search for and select Azure Databricks SCIM Provisioning Connector.

  4. Enter a Name for the application and click Add. Use a name that will help administrators find it, like <workspace-name>-provisioning.

  5. Under the Manage menu, click Provisioning.

  6. From the Provisioning Mode drop-down, select Automatic.

  7. Enter the Tenant URL:

    https://<databricks-instance>/api/2.0/preview/scim

    Replace <databricks-instance> with the workspace URL of your Azure Databricks deployment. See Get workspace, cluster, notebook, model, and job identifiers.

  8. In the Secret Token field, enter the Azure Databricks personal access token that you generated in step 1.

  9. Click Test Connection and wait for the message that confirms that the credentials are authorized to enable provisioning.

  10. Optionally, enter a notification email to receive notifications of critical errors with SCIM provisioning.

  11. Click Save.

Assign users and groups to the application

  1. Go to Manage > Provisioning and, under Settings, set the Scope to Sync only assigned users and groups.

    This option syncs only users and groups assigned to the enterprise application, and is our recommended approach.

    Note

    Azure Active Directory does not support the automatic provisioning of nested groups to Azure Databricks. It is only able to read and provision users that are immediate members of the explicitly assigned group. As a workaround, you should explicitly assign (or otherwise scope in) the groups that contain the users who need to be provisioned. For more information, see this FAQ.

  2. To start the synchronization of users and groups from Azure AD to Azure Databricks, toggle Provisioning Status on.

  3. Click Save.

  4. Test your provisioning setup:

    1. Go to Manage > Users and groups.
    2. Add some users and groups. Click Add user, select the users and groups, and click the Assign button.
    3. Wait a few minutes and check that the users and groups have been added to your Azure Databricks workspace.

Any additional users and groups that you add and assign will automatically be provisioned when Azure AD schedules the next sync.

Important

Do not assign the Azure Databricks admin whose secret token (bearer token) was used to set up this enterprise application.

Provisioning tips

  • Users and groups that existed in Azure Databricks prior to enabling provisioning exhibit the following behavior upon provisioning sync:
    • Are merged if they also exist in this Azure AD enterprise application.
    • Are ignored if they don't exist in this Azure AD enterprise application.
  • User permissions that are assigned individually and are duplicated through membership in a group remain after the group membership is removed for the user.
  • Users removed from an Azure Databricks workspace directly, using the Azure Databricks Admin console:
    • Lose access to that Azure Databricks workspace but may still have access to other Azure Databricks workspaces.
    • Will not be synced again using Azure AD provisioning, even if they remain in the enterprise application.
  • The initial Azure AD sync is triggered immediately after you turn on provisioning. Subsequent syncs are triggered every 20-40 minutes, depending on the number of users and groups in the application. See Provisioning summary report in the Azure AD documentation.
  • The "admins" group is a reserved group in Azure Databricks and cannot be removed.
  • Groups cannot be renamed in Azure Databricks; do not attempt to rename them in Azure AD.
  • You can use the Azure Databricks Groups API or the Groups UI to get a list of members of any Azure Databricks group.
  • You cannot update Azure Databricks usernames and email addresses.

Troubleshooting

Users and groups do not sync

The issue could be that the Azure Databricks admin user whose personal access token is being used to connect to Azure AD has lost admin status or has an invalid token: log in to the Azure Databricks Admin console as that user and validate that you are still an admin and your access token is still valid.
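The same two conditions (token still valid, owner still an admin) can be checked from a script instead of the Admin console. This is an added example, not Databricks or Microsoft code; it assumes the SCIM "Me" resource is served at <tenant-url>/v2/Me and that admins appear as members of the reserved "admins" group. The sample response bodies are constructed, so the verdict logic runs offline.

```python
import json
import os
import urllib.error
import urllib.request

# Placeholder from the page; replace with your workspace URL.
TENANT_URL = "https://<databricks-instance>/api/2.0/preview/scim"

def classify(status: int, body: str) -> str:
    """Map the HTTP status and SCIM /Me body to a provisioning verdict."""
    if status == 401:
        return "token invalid or expired: generate a new PAT and update the Secret Token"
    if status == 403:
        return "token accepted but not authorized: check the user's admin status"
    if status != 200:
        return f"unexpected HTTP {status}: check the tenant URL"
    me = json.loads(body)
    groups = {g.get("display") for g in me.get("groups", [])}
    if "admins" in groups:  # "admins" is the reserved admin group in Azure Databricks
        return f"ok: {me.get('userName')} is still an admin"
    return f"{me.get('userName')} is no longer an admin: provisioning will fail"

def check_live(tenant_url: str, token: str) -> str:
    """Call <tenant-url>/v2/Me (assumed path) with the provisioning PAT."""
    req = urllib.request.Request(
        tenant_url.rstrip("/") + "/v2/Me",
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/scim+json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return classify(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read().decode())

# Constructed sample /Me bodies (not captured from a real workspace).
SAMPLE_ADMIN = json.dumps({"userName": "scim-admin@example.com",
                           "groups": [{"display": "admins"}, {"display": "data-eng"}]})
SAMPLE_DEMOTED = json.dumps({"userName": "scim-admin@example.com",
                             "groups": [{"display": "data-eng"}]})

if __name__ == "__main__":
    token = os.environ.get("DATABRICKS_TOKEN")
    if token:
        print(check_live(TENANT_URL, token))
    else:  # offline demonstration on the constructed samples
        for status, body in ((200, SAMPLE_ADMIN), (200, SAMPLE_DEMOTED), (401, "")):
            print(classify(status, body))
```

Set DATABRICKS_TOKEN in the environment to run the live check; without it the script only exercises the verdict logic on the constructed samples.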

Another possibility is that you are trying to sync nested groups, which are not supported by Azure AD automatic provisioning. See this FAQ.
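The nested-group limitation described here and in the note under "Assign users and groups to the application" is easy to reason about with a small model: Azure AD syncs only the immediate user members of each assigned group. The added example below (not Microsoft or Databricks code) takes a constructed Azure AD group tree, reports which users will silently not be provisioned, and lists the nested groups that must be assigned explicitly as the workaround.

```python
from collections import deque

# Constructed sample directory: group -> (direct user members, direct child groups).
DIRECTORY = {
    "databricks-users": ({"alice@example.com"}, {"data-eng", "analysts"}),
    "data-eng":         ({"bob@example.com"}, {"ml-team"}),
    "ml-team":          ({"carol@example.com"}, set()),
    "analysts":         ({"dave@example.com"}, set()),
}

def reachable_groups(assigned_groups, directory):
    """All groups reachable from the assigned ones by following nesting (BFS)."""
    seen, queue = set(), deque(assigned_groups)
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(directory[group][1])
    return seen

def provisioned_users(assigned_groups, directory):
    """Users Azure AD actually syncs: immediate members of assigned groups only."""
    return set().union(*(directory[g][0] for g in assigned_groups))

def provisioning_gap(assigned_groups, directory):
    """Return (users that will not be provisioned, nested groups to assign explicitly)."""
    all_groups = reachable_groups(assigned_groups, directory)
    expected = provisioned_users(all_groups, directory)   # what an admin likely expects
    synced = provisioned_users(assigned_groups, directory)  # what Azure AD will do
    missing = expected - synced
    to_assign = sorted(g for g in all_groups - set(assigned_groups)
                       if directory[g][0] & missing)
    return sorted(missing), to_assign

if __name__ == "__main__":
    missing, to_assign = provisioning_gap({"databricks-users"}, DIRECTORY)
    print("users that will not be provisioned:", missing)
    print("groups to assign explicitly:", to_assign)
```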

After initial sync the users and groups are not syncing

After the initial sync, Azure AD does not sync immediately upon changes to user and group assignments. It schedules a sync with the application after a delay (depending on the number of users and groups). You can go to Manage > Provisioning for the enterprise application and select Clear current state and restart synchronization to initiate an immediate sync.