Add Users: SCIM
In about 15 minutes, you'll configure SCIM to automatically sync users from your identity provider into Databricks.
Prereqs: Account Console, account-admin privileges, identity provider admin access
What you'll walk away with
A live sync between your identity provider (Entra ID, Okta, or OneLogin) and the Databricks account. Users and their attributes refresh on a schedule, so this is the last time you add anyone by hand.
Prerequisites
- Account-admin access to the Databricks account console.
- Admin access to your identity provider (Entra ID, Okta, or OneLogin).
Steps
1. Pick your identity provider
Follow the guide that matches your IdP:
| Identity provider | Guide |
|---|---|
| Microsoft Entra ID (Azure AD) | Configure SCIM provisioning for Entra ID |
| Okta | Configure SCIM provisioning for Okta |
| OneLogin | Configure SCIM provisioning for OneLogin |
On Azure there is a newer automatic sync that replaces manual SCIM setup: Sync users and groups automatically from Microsoft Entra ID. If you are on Azure, use it.
2. Configure the SCIM connector
Work through your chosen guide: create a SCIM application in your IdP, generate a SCIM token from the Databricks account console, and wire up the sync.
If the steps differ by cloud, select your cloud provider at the top right of the Databricks docs page.
3. Run the first sync
Trigger the initial sync from your IdP. The users should land in the account console under User management > Users.
4. (Optional) Let every IdP user in
Want everyone in your identity provider to get Databricks access without per-user assignment? See Enable all identity provider users to access Databricks.
Verify
- Go to User management > Users in the account console.
- Check that the synced users have the right emails and display names.
- In your IdP, confirm the SCIM application reports a successful provisioning status.
Where people trip
Users not appearing after sync
Open the SCIM application logs in your IdP and look for provisioning errors. The usual culprits: an expired SCIM token, the wrong account console URL in the IdP config, or the user not assigned to the SCIM application in the first place.
Duplicate users after enabling SCIM
If you added people by hand before turning on SCIM, the sync can create a second copy of each. Match on email address in the IdP connector settings so the existing accounts merge instead of doubling up.
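An offline check for the Verify step and the duplicate-user case above, added here as an example and not taken from the Databricks docs: it audits a SCIM 2.0 ListResponse of account users against the emails assigned in the IdP. The sample data and the names `email_of` and `audit_scim_users` are constructed for illustration; exporting the user listing is assumed to happen separately.

```python
import json
from collections import defaultdict

# Constructed sample: a SCIM 2.0 ListResponse (RFC 7644) of account users.
# Every id, name and address below is made up for this example.
SAMPLE_LIST_RESPONSE = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 4,
    "Resources": [
        {"id": "1001", "userName": "ana@example.com",
         "displayName": "Ana Ruiz", "active": True},
        {"id": "1002", "userName": "aruiz@example.com",
         "emails": [{"value": "ana@example.com", "primary": True}],
         "displayName": "Ana Ruiz", "active": True},
        {"id": "1003", "userName": "bo@example.com",
         "displayName": "", "active": True},
        {"id": "1004", "userName": "cy@example.com",
         "displayName": "Cy Lee", "active": False},
    ],
})

def email_of(user):
    """Primary email if the record lists one, else userName, normalised."""
    primary = [e["value"] for e in user.get("emails", []) if e.get("primary")]
    return (primary[0] if primary else user.get("userName", "")).strip().lower()

def audit_scim_users(list_response_json, expected_emails):
    """Compare a SCIM user listing with the emails assigned in the IdP."""
    by_email = defaultdict(list)
    for user in json.loads(list_response_json).get("Resources", []):
        by_email[email_of(user)].append(user)
    expected = {e.strip().lower() for e in expected_emails}
    return {
        # Same email on more than one account: the duplicate-user case.
        "duplicates": {e: sorted(u["id"] for u in us)
                       for e, us in by_email.items() if len(us) > 1},
        # Assigned in the IdP but absent here: check the SCIM app logs.
        "missing": sorted(expected - set(by_email)),
        # Present in the account but not assigned in the IdP.
        "unexpected": sorted(set(by_email) - expected),
        "no_display_name": sorted(e for e, us in by_email.items()
                                  if any(not u.get("displayName") for u in us)),
        "inactive": sorted(e for e, us in by_email.items()
                           if any(u.get("active") is False for u in us)),
    }

if __name__ == "__main__":
    idp_roster = ["ana@example.com", "bo@example.com", "dee@example.com"]
    print(json.dumps(audit_scim_users(SAMPLE_LIST_RESPONSE, idp_roster), indent=2))
```

A non-empty `unexpected` list is worth reviewing on its own: those accounts exist in Databricks without a matching IdP assignment, so the sync will not manage them.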
Next
- Do next: Add Groups
- Learn why: Account Console foundations
- Reference: SCIM provisioning overview