Configure enhanced security and compliance settings

Important

The automatic cluster update feature and the ability to enable Enhanced Security and Compliance features from the account console are in Public Preview.

The compliance security profile (with compliance standards) and enhanced security monitoring are generally available.

This article describes how to configure enhanced security and compliance settings on your Azure Databricks workspace or account. See the pricing page.

This add-on requires the Premium pricing tier.

Use the Azure portal to enable settings on a new workspace

  1. In the Azure portal, click the Security & compliance tab on an existing Azure Databricks workspace or on the Azure Databricks workspace creation page.

  2. To enable the compliance security profile, select the checkbox next to Enable compliance security profile. In the dropdown, select one or more compliance standards or select None.

    If you enable the compliance security profile or add compliance standards, those selections are permanent for that workspace.

  3. To enable enhanced security monitoring, select the checkbox Enable enhanced security monitoring.

  4. To enable automatic cluster update, select the checkbox Enable automatic cluster update.

    To configure the maintenance window and its frequency, see Automatic cluster update.

Use an ARM template

You can configure the Enhanced Security and Compliance add-on features with an ARM template that Databricks provides. The template contains additional parameters that you can set to Enabled or Disabled. You can also add these parameters to an existing template to update a workspace. You can set the features independently except as indicated:

  • complianceSecurityProfile: Enables the compliance security profile. Once enabled, this feature is permanently enabled on the workspace.
  • complianceStandards: Configures an array of compliance standards to use with the compliance security profile.
    • If complianceSecurityProfile is set to Disabled, pass an empty array.
    • If complianceSecurityProfile is set to Enabled, you must pass an array of one or more strings that specify which (if any) compliance standards you want for your workspace. Possible selections are HIPAA, PCI_DSS, or NONE. Add the single array element NONE if you are using the compliance security profile only for its security benefits but not to process any regulated data.
  • enhancedSecurityMonitoring: Enables enhanced security monitoring. If the compliance security profile is enabled, you must set this feature to Enabled explicitly in the template.
  • automaticClusterUpdate: Enables automatic cluster update. If the compliance security profile is enabled, you must set this feature to Enabled explicitly in the template. To configure the maintenance window and its frequency, see Automatic cluster update.

To update a workspace with one or more of these features, follow the same instructions for deploying a custom template that you would use to create a new workspace with a template. Make sure to start from your original workspace template, then copy the fields from the provided example template into it.
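The parameter rules listed above can be checked before deployment. The following is an added example, not part of the Databricks template or tooling: a Python pre-deployment check that applies those rules, plus the Premium tier requirement, to an ARM deployment parameters document. The function name check_parameters, the sample workspace name, and the choice to ignore element order in complianceStandards are assumptions of this example.

```python
import json

CSP, ESM, ACU = "complianceSecurityProfile", "enhancedSecurityMonitoring", "automaticClusterUpdate"
# Combinations permitted by the template's allowedValues (element order ignored here).
ALLOWED_STANDARDS = [set(), {"NONE"}, {"HIPAA"}, {"PCI_DSS"}, {"HIPAA", "PCI_DSS"}]
# Defaults declared in the workspace template; they apply to omitted parameters.
DEFAULTS = {CSP: "Disabled", ESM: "Disabled", ACU: "Disabled",
            "complianceStandards": [], "pricingTier": "premium"}


def check_parameters(params_doc):
    """Return rule violations for an ARM deployment parameters document."""
    given = {k: v.get("value") for k, v in params_doc.get("parameters", {}).items()}
    p = {**DEFAULTS, **given}
    problems = []
    for name in (CSP, ESM, ACU):
        if p[name] not in ("Enabled", "Disabled"):
            problems.append(f"{name}: expected Enabled or Disabled, got {p[name]!r}")
    std = p["complianceStandards"]
    if not (isinstance(std, list) and all(isinstance(s, str) for s in std)
            and set(std) in ALLOWED_STANDARDS):
        problems.append(f"complianceStandards: {std!r} is not an allowed combination")
    elif p[CSP] == "Enabled" and not std:
        problems.append("complianceStandards: pass at least one standard, or ['NONE']")
    elif p[CSP] == "Disabled" and std:
        problems.append("complianceStandards: must be [] while the profile is Disabled")
    if p[CSP] == "Enabled":
        for name in (ESM, ACU):
            if p[name] != "Enabled":
                problems.append(f"{name}: must be Enabled when {CSP} is Enabled")
    if "Enabled" in (p[CSP], p[ESM], p[ACU]) and p["pricingTier"] != "premium":
        problems.append("pricingTier: the add-on requires the premium tier")
    return problems


# Constructed sample parameters file: enhancedSecurityMonitoring is left out,
# so it falls back to the template default of Disabled.
SAMPLE = json.loads("""
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": {"value": "example-workspace"},
    "complianceSecurityProfile": {"value": "Enabled"},
    "complianceStandards": {"value": ["HIPAA"]},
    "automaticClusterUpdate": {"value": "Enabled"}
  }
}
""")

if __name__ == "__main__":
    for problem in check_parameters(SAMPLE):
        print("FAIL", problem)
```

Because enabling the compliance security profile is permanent for a workspace, a check like this is most useful as a gate that runs before the deployment command.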

Workspace template with enhanced security and compliance features

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "disablePublicIp": {
      "type": "bool",
      "defaultValue": false,
      "metadata": {
        "description": "Specifies whether to deploy Azure Databricks workspace with secure cluster connectivity (No Public IP) enabled."
      }
    },
    "workspaceName": {
      "type": "string",
      "metadata": {
        "description": "The name of the Azure Databricks workspace to create."
      }
    },
    "pricingTier": {
      "type": "string",
      "defaultValue": "premium",
      "allowedValues": [
        "standard",
        "premium"
      ],
      "metadata": {
        "description": "The pricing tier of workspace."
      }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": {
        "description": "Location for all resources."
      }
    },
    "automaticClusterUpdate": {
      "type": "string",
      "defaultValue": "Disabled",
      "allowedValues": [
        "Disabled",
        "Enabled"
      ],
      "metadata": {
        "description": "Enable/Disable automatic cluster update"
      }
    },
    "enhancedSecurityMonitoring": {
      "type": "string",
      "defaultValue": "Disabled",
      "allowedValues": [
        "Disabled",
        "Enabled"
      ],
      "metadata": {
        "description": "Enable/Disable enhanced security monitoring"
      }
    },
    "complianceSecurityProfile": {
      "type": "string",
      "defaultValue": "Disabled",
      "allowedValues": [
        "Disabled",
        "Enabled"
      ],
      "metadata": {
        "description": "Enable/Disable the Compliance Security Profile"
      }
    },
    "complianceStandards": {
      "type": "array",
      "defaultValue": [],
      "allowedValues": [
        [],
        ["NONE"],
        ["HIPAA"],
        ["PCI_DSS"],
        ["HIPAA", "PCI_DSS"]
      ],
      "metadata": {
        "description": "Specify the desired compliance standards for your compliance security profile"
      }
    }
  },
  "variables": {
    "managedResourceGroupName": "[format('databricks-rg-{0}-{1}', parameters('workspaceName'), uniqueString(parameters('workspaceName'), resourceGroup().id))]",
    "trimmedMRGName": "[substring(variables('managedResourceGroupName'), 0, min(length(variables('managedResourceGroupName')), 90))]",
    "managedResourceGroupId": "[format('{0}/resourceGroups/{1}', subscription().id, variables('trimmedMRGName'))]"
  },
  "resources": [
    {
      "type": "Microsoft.Databricks/workspaces",
      "apiVersion": "2023-09-15-preview",
      "name": "[parameters('workspaceName')]",
      "location": "[parameters('location')]",
      "sku": {
        "name": "[parameters('pricingTier')]"
      },
      "properties": {
        "managedResourceGroupId": "[variables('managedResourceGroupId')]",
        "parameters": {
          "enableNoPublicIp": {
            "value": "[parameters('disablePublicIp')]"
          }
        },
        "enhancedSecurityCompliance": {
          "automaticClusterUpdate": {
            "value": "[parameters('automaticClusterUpdate')]"
          },
          "complianceSecurityProfile": {
            "value": "[parameters('complianceSecurityProfile')]",
            "complianceStandards": "[parameters('complianceStandards')]"
          },
          "enhancedSecurityMonitoring": {
            "value": "[parameters('enhancedSecurityMonitoring')]"
          }
        }
      }
    }
  ],
  "outputs": {
    "workspace": {
      "type": "object",
      "value": "[reference(resourceId('Microsoft.Databricks/workspaces', parameters('workspaceName')), '2023-09-15-preview', 'full')]"
    }
  }
}