turbot/steampipe-mod-azure-compliance

Control: 3.1.4 Ensure that users and groups are synced from Microsoft Entra ID to Azure Databricks

Description

To ensure centralized identity and access management, users and groups from Microsoft Entra ID should be synchronized with Azure Databricks. This is achieved through SCIM provisioning, which automates the creation, update, and deactivation of users and groups in Databricks based on Entra ID assignments. Enabling this integration ensures that access controls in Databricks remain consistent with corporate identity governance policies, reducing the risk of orphaned accounts, stale permissions, and unauthorized access.

Syncing users and groups from Microsoft Entra ID centralizes access control, enforces the least privilege principle by automatically revoking unnecessary access, reduces administrative overhead by eliminating manual user management, and ensures auditability and compliance with industry regulations.

Remediation

From Azure Portal

Enable provisioning in Azure Portal:

  1. Go to Microsoft Entra ID.
  2. Under Manage, click Enterprise applications.
  3. Click the name of the Azure Databricks SCIM application.
  4. Under Provisioning, select Automatic and enter the SCIM endpoint and API token from Databricks.

Enable provisioning in Databricks:

  1. Navigate to Admin Console > Identity and Access Management.
  2. Enable SCIM provisioning and generate an API token.

Configure role assignments:

  1. Ensure groups from Entra ID are mapped to appropriate Databricks roles.
  2. Restrict administrative privileges to designated security groups.

Regularly monitor sync logs:

  1. Periodically review sync logs in Microsoft Entra ID and Databricks Admin Console.
  2. Configure Azure Monitor alerts for provisioning failures.

Disable manual user creation in Databricks:

  1. Ensure that all user management is controlled via SCIM sync from Entra ID.
  2. Disable personal access token usage for authentication.

From Azure CLI

Enable SCIM User and Group Provisioning in Azure Databricks:

az ad app update --id <databricks-app-id> --set provisioning.provisioningMode=Automatic

Default Value

By default, Azure Databricks does not sync users and groups from Microsoft Entra ID.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v400_3_1_4

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v400_3_1_4 --share

SQL

This control uses a named query:

select
  a.id as resource,
  case
    when provisioning_state = 'Failed' then 'alarm'
    else 'ok'
  end as status,
  case
    when provisioning_state = 'Failed' then a.name || ' has a failed provisioning state.'
    else a.name || ' has a successful provisioning state.'
  end as reason
  , a.resource_group as resource_group
  , sub.display_name as subscription
from
  azure_databricks_workspace as a,
  azure_subscription as sub
where
  sub.subscription_id = a.subscription_id;
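
The query above reads provisioning_state from azure_databricks_workspace, which is the workspace resource's Azure provisioning state, so it tells you whether the workspace deployed cleanly rather than whether SCIM sync is active. The following added example (not part of the mod or of Databricks) complements it for the "Disable manual user creation" step: it parses a constructed SCIM ListResponse of the shape the Databricks workspace SCIM Users endpoint returns and flags active users that carry no externalId, on the assumption that users provisioned by Entra ID through SCIM carry an externalId while users created by hand in the admin console do not.

```python
import json

# Constructed SCIM ListResponse (RFC 7644 shape) standing in for the body
# returned by GET <workspace>/api/2.0/preview/scim/v2/Users; not real data.
SAMPLE_LIST_RESPONSE = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 3,
    "Resources": [
        {"id": "1", "userName": "alice@example.com", "active": True,
         "externalId": "00000000-0000-0000-0000-000000000001",
         "groups": [{"display": "databricks-users"}]},
        # no externalId: assumed to have been created manually, not by SCIM
        {"id": "2", "userName": "bob@example.com", "active": True,
         "groups": [{"display": "admins"}]},
        # deactivated by SCIM sync; inactive users are not reported
        {"id": "3", "userName": "carol@example.com", "active": False,
         "externalId": "00000000-0000-0000-0000-000000000003",
         "groups": []},
    ],
})


def find_unsynced_users(list_response_json):
    """Return (userName, group names) for active users lacking an externalId.

    Assumption: Entra ID SCIM provisioning sets externalId on each user it
    creates, so an active user without one was most likely added by hand.
    """
    body = json.loads(list_response_json)
    if "urn:ietf:params:scim:api:messages:2.0:ListResponse" not in body.get("schemas", []):
        raise ValueError("not a SCIM ListResponse")
    unsynced = []
    for user in body.get("Resources", []):
        if user.get("active", True) and not user.get("externalId"):
            groups = [g.get("display", "") for g in user.get("groups", [])]
            unsynced.append((user["userName"], groups))
    return unsynced


def evaluate(list_response_json):
    """Report in the control's alarm/ok convention."""
    unsynced = find_unsynced_users(list_response_json)
    if not unsynced:
        return "ok", "all active users carry an externalId"
    detail = "; ".join(f"{u} (groups: {', '.join(g) or 'none'})" for u, g in unsynced)
    return "alarm", f"{len(unsynced)} active user(s) without an externalId: {detail}"


if __name__ == "__main__":
    print(*evaluate(SAMPLE_LIST_RESPONSE))
```

Group membership is included so that an unsynced account sitting in an administrative group stands out, which is the case the "Restrict administrative privileges to designated security groups" step is concerned with.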

Tags