Configure SCIM provisioning for Microsoft Azure Active Directory

To enable provisioning to Azure Databricks using Azure Active Directory (Azure AD), you must create an enterprise application for each Azure Databricks workspace.

Note

Provisioning configuration is entirely separate from the process of setting up authentication and conditional access for Azure Databricks workspaces. Authentication for Azure Databricks is handled automatically by Azure Active Directory, using the OpenID Connect protocol flow. Conditional access, which lets you create rules to require multi-factor authentication or restrict logins to local networks, can be established at the service level. For instructions, see Conditional access.

Requirements

Your Azure AD account must be a Premium edition account, and you must be a global administrator for that account to enable provisioning.

Create an enterprise application and connect to the Azure Databricks SCIM API

In the following examples, replace <databricks-instance> with the workspace URL of your Azure Databricks deployment.

  1. Generate a personal access token in Azure Databricks and copy it. You provide this token to Azure AD in a subsequent step.

    Important

    Generate this token as an Azure Databricks admin who will not be managed by the Azure AD enterprise application. An Azure Databricks admin user who is managed by this enterprise application can be deprovisioned using Azure AD, which would cause your SCIM provisioning integration to be disabled.

  2. In your Azure portal, go to Azure Active Directory > Enterprise Applications.

  3. Click + New Application above the application list. Under Add from the gallery, search for and select Azure Databricks SCIM Provisioning Connector.

  4. Enter a Name for the application and click Add. Use a name that will help administrators find it, like <workspace-name>-provisioning.

  5. Under the Manage menu, click Provisioning.

  6. From the Provisioning Mode drop-down, select Automatic.

  7. Enter the Tenant URL:

    https://<databricks-instance>/api/2.0/preview/scim

    Replace <databricks-instance> with the workspace URL of your Azure Databricks deployment. See Get workspace, cluster, notebook, model, and job identifiers.

  8. In the Secret Token field, enter the Azure Databricks personal access token that you generated in step 1.

  9. Click Test Connection and wait for the message that confirms that the credentials are authorized to enable provisioning.

  10. Optionally, enter a notification email to receive notifications of critical errors with SCIM provisioning.

  11. Click Save.

Assign users and groups to the application

  1. Go to Manage > Provisioning and, under Settings, set the Scope to Sync only assigned users and groups.

    This option syncs only users and groups assigned to the enterprise application, and is our recommended approach.

    Note

    Azure Active Directory does not support the automatic provisioning of nested groups to Azure Databricks. It is only able to read and provision users that are immediate members of the explicitly assigned group. As a workaround, you should explicitly assign (or otherwise scope in) the groups that contain the users who need to be provisioned. For more information, see this FAQ.

  2. To start the synchronization of users and groups from Azure AD to Azure Databricks, toggle Provisioning Status on.

  3. Click Save.

  4. Test your provisioning setup:

    1. Go to Manage > Users and groups.
    2. Add some users and groups. Click Add user, select the users and groups, and click the Assign button.
    3. Wait a few minutes and check that the users and groups have been added to your Azure Databricks workspace.

Any additional users and groups that you add and assign will automatically be provisioned when Azure AD schedules the next sync.

Important

Do not assign the Azure Databricks admin whose secret token (bearer token) was used to set up this enterprise application.
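The nested-group limitation in the note above is easy to miss until users silently fail to appear in the workspace. The following is an added example (not code from the page, Microsoft or Databricks) that models an Azure AD tenant as an in-memory directory of groups, computes which users the connector would actually provision (immediate user members of the assigned groups only) versus which users the administrator intended to reach through nesting, and lists the groups that would have to be assigned explicitly to close the gap, as the page's workaround recommends. All group and user names are constructed.

```python
"""Estimate the provisioning gap caused by nested Azure AD groups.

Added example; not part of the original page and not Microsoft/Databricks code.
DIRECTORY is a constructed, in-memory model of a tenant: each group maps to its
direct members, where a member is either a user principal name or the display
name of another group. The Azure AD provisioning connector only reads the
immediate user members of each assigned group, so users reachable only through
nesting are never sent to the Azure Databricks workspace.
"""
from collections import deque

# Constructed sample tenant (hypothetical names). "data-platform" nests two
# groups, one of which nests a third.
DIRECTORY = {
    "data-platform": ["alice@example.com", "data-engineers", "data-analysts"],
    "data-engineers": ["bob@example.com", "contractors-de"],
    "contractors-de": ["carol@example.com"],
    "data-analysts": ["dave@example.com"],
}


def is_group(name):
    return name in DIRECTORY


def immediate_users(group):
    """Users the connector will provision for one assigned group: direct user members only."""
    return {m for m in DIRECTORY.get(group, []) if not is_group(m)}


def transitive_users(group):
    """Users reachable through any depth of nesting, plus every group visited.

    Breadth-first with a visited set so cyclic nesting (A contains B contains A)
    terminates instead of looping forever.
    """
    seen_groups, users, queue = set(), set(), deque([group])
    while queue:
        g = queue.popleft()
        if g in seen_groups:
            continue
        seen_groups.add(g)
        for member in DIRECTORY.get(g, []):
            if is_group(member):
                queue.append(member)
            else:
                users.add(member)
    return users, seen_groups


def provisioning_gap(assigned_groups):
    """Compare what the connector provisions with what nesting implies.

    Returns (provisioned, missed, groups_to_assign), each sorted:
      provisioned      - users that will actually be synced
      missed           - users only reachable via nested groups (not synced)
      groups_to_assign - nested groups to assign explicitly as the workaround
    """
    provisioned, intended, needed = set(), set(), set()
    for g in assigned_groups:
        provisioned |= immediate_users(g)
        users, groups = transitive_users(g)
        intended |= users
        needed |= groups
    missed = intended - provisioned
    to_assign = needed - set(assigned_groups)
    return sorted(provisioned), sorted(missed), sorted(to_assign)


if __name__ == "__main__":
    assigned = ["data-platform"]
    provisioned, missed, to_assign = provisioning_gap(assigned)
    print("assigned groups     :", assigned)
    print("will be provisioned :", provisioned)
    print("missed via nesting  :", missed)
    print("assign explicitly   :", to_assign)
```

Run as a script it prints the report for the constructed tenant: only alice is provisioned, bob, carol and dave are missed, and the three nested groups must be assigned explicitly. In a real tenant you would replace DIRECTORY with group membership exported from Azure AD and compare the "will be provisioned" list against the users visible in the workspace's admin console.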

Provisioning tips

  • Users and groups that existed in Azure Databricks prior to enabling provisioning exhibit the following behavior upon provisioning sync:
    • Are merged if they also exist in this Azure AD enterprise application.
    • Are ignored if they don't exist in this Azure AD enterprise application.
  • User permissions that are assigned individually and are duplicated through membership in a group remain after the group membership is removed for the user.
  • Users removed from an Azure Databricks workspace directly, using the Azure Databricks Admin console:
    • Lose access to that Azure Databricks workspace but may still have access to other Azure Databricks workspaces.
    • Will not be synced again using Azure AD provisioning, even if they remain in the enterprise application.
  • The initial Azure AD sync is triggered immediately after you turn on provisioning. Subsequent syncs are triggered every 20-40 minutes, depending on the number of users and groups in the application. See Provisioning summary report in the Azure AD documentation.
  • The "admins" group is a reserved group in Azure Databricks and cannot be removed.
  • Groups cannot be renamed in Azure Databricks; do not attempt to rename them in Azure AD.
  • You can use the Azure Databricks Groups API or the Groups UI to get a list of members of any Azure Databricks group.
  • You cannot update Azure Databricks usernames and email addresses.

Troubleshooting

Users and groups do not sync

The issue could be that the Azure Databricks admin user whose personal access token is being used to connect to Azure AD has lost admin status or has an invalid token: log in to the Azure Databricks Admin console as that user and validate that you are still an admin and your access token is still valid.
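The manual check above (log in as the token's owner, confirm admin status and token validity) can be scripted so it runs before every sync window rather than only after users complain. The following is an added example, not code from the page, Microsoft or Databricks. It assumes that GET https://<databricks-instance>/api/2.0/preview/scim/v2/Me on the SCIM endpoint the page configures returns the calling user's SCIM resource (the page only gives the /api/2.0/preview/scim base URL), that a rejected bearer token yields HTTP 401 or 403, and that an externalId attribute on that user means an identity provider is managing the account (an assumption used to flag the situation the page's Important note warns about). The sample responses are constructed; the network call is only made when the script is run with a workspace host and token.

```python
"""Verify the identity behind the PAT used as the SCIM Secret Token.

Added example; not part of the original page and not Databricks code.
Assumptions (not stated by the page):
  - GET /api/2.0/preview/scim/v2/Me returns the token owner's SCIM user resource.
  - A revoked or expired token is answered with HTTP 401 or 403.
  - An externalId attribute is present only on users written by an identity
    provider's provisioning connector.
"""
import json
import sys
import urllib.error
import urllib.request

ME_PATH = "/api/2.0/preview/scim/v2/Me"  # assumed endpoint, see module docstring
ADMIN_GROUP = "admins"                    # reserved Azure Databricks admin group (from the page)


def build_me_request(databricks_instance, token):
    """Build the request the way the Azure AD connector authenticates: a bearer token."""
    url = f"https://{databricks_instance}{ME_PATH}"
    return urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/scim+json",
    })


def evaluate_me_response(status, body):
    """Turn an HTTP status and response body into a list of findings.

    An empty list means the token owner still looks fit to back provisioning:
    token accepted, user active, member of "admins", not IdP-managed.
    """
    if status in (401, 403):
        return ["token rejected: regenerate the PAT as an unmanaged admin and "
                "update the Secret Token in the enterprise application"]
    if status != 200:
        return [f"unexpected HTTP status {status}"]
    me = json.loads(body) if isinstance(body, (str, bytes)) else body
    user = me.get("userName", "<unknown>")
    findings = []
    if not me.get("active", True):
        findings.append(f"user {user} is deactivated")
    groups = {g.get("display") for g in me.get("groups", [])}
    if ADMIN_GROUP not in groups:
        findings.append(f"user {user} is not in the '{ADMIN_GROUP}' group; provisioning will fail")
    if me.get("externalId"):  # assumption: set only by IdP provisioning
        findings.append(f"user {user} has an externalId and appears to be managed by the "
                        "enterprise application; deprovisioning it would break the sync")
    return findings


def check_provisioning_token(databricks_instance, token):
    """Perform the live check. Returns the findings list (empty means healthy)."""
    req = build_me_request(databricks_instance, token)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return evaluate_me_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return evaluate_me_response(err.code, err.read())


# Constructed sample SCIM responses for offline use.
SAMPLE_HEALTHY = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "id": "100", "userName": "scim-admin@example.com", "active": True,
    "groups": [{"display": "admins", "value": "1"}],
}
SAMPLE_DEMOTED = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "id": "101", "userName": "former-admin@example.com", "active": True,
    "groups": [{"display": "data-engineers", "value": "7"}],
}
SAMPLE_MANAGED = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "id": "102", "userName": "managed-admin@example.com", "active": True,
    "externalId": "00000000-0000-0000-0000-000000000000",  # placeholder object id
    "groups": [{"display": "admins", "value": "1"}],
}


if __name__ == "__main__":
    if len(sys.argv) == 3:
        findings = check_provisioning_token(sys.argv[1], sys.argv[2])
    else:
        print("usage: script.py <databricks-instance> <token>; showing constructed samples")
        findings = evaluate_me_response(200, json.dumps(SAMPLE_DEMOTED))
    print("OK" if not findings else "\n".join(findings))
```

Schedule it with the token stored in a secrets manager rather than on the command line for anything beyond a one-off check; a non-empty findings list is exactly the condition under which Azure AD's next 20-40 minute sync will stop bringing users across.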

Another possibility is that you are trying to sync nested groups, which are not supported by Azure AD automatic provisioning. See this FAQ.

After initial sync the users and groups are not syncing

After the initial sync, Azure AD does not sync immediately upon changes to user and group assignments. It schedules a sync with the application after a delay (depending on the number of users and groups). You can go to Manage > Provisioning for the enterprise application and select Clear current state and restart synchronization to initiate an immediate sync.