If users in your Azure Databricks workspace are being automatically added to the admin group without any direct action, the issue may be linked to SCIM provisioning or other group management settings.
The first step is to verify that the SCIM provisioning configuration in Microsoft Entra ID does not include rules or mappings that automatically place certain security group members into the Databricks admin group.
You may have some nested groups that are being synchronized. If a nested group that contains users is provisioned as part of an admin group, its members may be included automatically.
With Unity Catalog, users and groups can inherit privileges based on catalog configurations, so check that there are no catalog-wide settings that automatically promote certain user groups or specific roles to admin privileges.
Have you also checked whether there are custom sync rules or scripts in Microsoft Entra ID that trigger user promotions based on specific attributes or conditions?
One last thing: if you are using any third-party identity management tools or systems that may have access to both Azure Databricks and Microsoft Entra ID, keep in mind that these tools could be orchestrating changes based on predefined roles or permissions.
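As an added example (not part of the reply above), one way to tell whether admin-group additions come from SCIM provisioning or from a person is to run the workspace audit log through a small filter. The record shape follows the Databricks audit log schema (serviceName, actionName, userIdentity.email, requestParams); the exact requestParams keys, the provisioning identity and the sample records are assumptions constructed for this example.

```python
import json
from collections import Counter

# Constructed sample audit records (not real logs). The requestParams keys
# (parentName = target group, user = added principal) and the SCIM
# provisioning identity are assumptions for this example.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"serviceName": "accounts", "actionName": "addPrincipalToGroup",
     "userIdentity": {"email": "scim-provisioner@example.com"},
     "requestParams": {"parentName": "admins", "user": "alice@example.com"}},
    {"serviceName": "accounts", "actionName": "addPrincipalToGroup",
     "userIdentity": {"email": "scim-provisioner@example.com"},
     "requestParams": {"parentName": "admins", "user": "bob@example.com"}},
    {"serviceName": "accounts", "actionName": "addPrincipalToGroup",
     "userIdentity": {"email": "carol@example.com"},
     "requestParams": {"parentName": "admins", "user": "dave@example.com"}},
    {"serviceName": "accounts", "actionName": "addPrincipalToGroup",
     "userIdentity": {"email": "scim-provisioner@example.com"},
     "requestParams": {"parentName": "data-engineers", "user": "erin@example.com"}},
    {"serviceName": "clusters", "actionName": "start",
     "userIdentity": {"email": "alice@example.com"}, "requestParams": {}},
])

# Identities under which the SCIM connector acts (assumed placeholder).
SCIM_IDENTITIES = {"scim-provisioner@example.com"}


def admin_group_additions(log_text, group="admins"):
    """Return (added_user, actor, source) for every addition to `group`."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        # Only group-membership changes in the accounts service are relevant.
        if rec.get("serviceName") != "accounts" or rec.get("actionName") != "addPrincipalToGroup":
            continue
        params = rec.get("requestParams", {})
        if params.get("parentName") != group:
            continue
        actor = rec.get("userIdentity", {}).get("email", "<unknown>")
        source = "scim" if actor in SCIM_IDENTITIES else "manual"
        events.append((params.get("user"), actor, source))
    return events


def additions_by_source(log_text, group="admins"):
    """Count additions to `group` per source; a SCIM-dominated count points at provisioning rules."""
    return dict(Counter(src for _, _, src in admin_group_additions(log_text, group)))
```

If most additions are attributed to the provisioning identity, the Entra ID group mappings and nested groups are the place to look; additions by a named user point at a manual or scripted change instead.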