Skip to main content

Add Groups — SCIM

You'll configure SCIM to automatically sync groups from your identity provider into Databricks in ~10 min.

Prereqs: Add Users — SCIM (SCIM connector already configured)

What you'll build

Groups from your identity provider synced into the Databricks account automatically. Group membership changes in your IdP propagate to Databricks without manual intervention.

Prerequisites

  • SCIM connector already configured (see Add Users — SCIM).
  • Admin access to your identity provider.

Steps

1. Configure group sync in your IdP

If you already configured SCIM for users, group sync uses the same connector. Follow the guide for your identity provider:

Identity providerGuide
Microsoft Entra ID (Azure AD)Configure SCIM provisioning for Entra ID
OktaConfigure SCIM provisioning for Okta
OneLoginConfigure SCIM provisioning for OneLogin

Select your cloud provider at the top-right of the Databricks docs page if the instructions differ by cloud.

2. Assign groups in the IdP

In your identity provider, assign the groups you want synced to the Databricks SCIM application. Only assigned groups will sync.

3. Trigger a sync

Run a manual sync from your IdP or wait for the next scheduled sync cycle. Verify the groups appear in the Databricks account console.

Verify

  1. In the Databricks account console, navigate to User management > Groups.
  2. Confirm the synced groups appear with the correct names and members.
  3. In your IdP, verify the SCIM application shows a successful provisioning status for groups.

Troubleshoot

Groups not appearing after sync

Verify the groups are assigned to the SCIM application in your IdP. Unassigned groups are not pushed. Check the SCIM application provisioning logs for errors.

Group members missing after sync

SCIM syncs group membership at the IdP level. If a user is in the group in your IdP but not appearing in Databricks, check that the user is also assigned to the SCIM application individually.

Next