Auto-provision Databricks AD groups that match specific RegEx

I’m assuming you already have:
1. Databricks configured with the SCIM provisioning connector
2. An Azure Active Directory plan that is eligible for these operations (assigning groups to an enterprise application requires Azure AD Premium P1 or above)
3. An Automation Account with a dedicated service user that the runbook authenticates as

These auto-assignments of users and/or groups also work for other Enterprise Applications and App Registrations.

  1. Go to Enterprise Applications, locate your configured Databricks application and add the service user that the Automation Account authenticates as, as Owner. Owner of the application is enough to create app role assignments on it, so the service user does not need a directory-wide role.
  2. Create a new Automation Account PowerShell runbook (go to your Automation Account, select “Runbooks”, click “Create a runbook”, type a name and then select “Create”).
  3. Paste the code, replacing:
    1. <tenantId> = your tenant id
    2. <userName> = the user that is Owner of the Enterprise Application or App Registration
    3. <yourApp> = the display name of the Enterprise Application or App Registration
    4. <REGEX> = the regular expression used to select the groups. For instance, “AZURE_D_” matches every group whose display name contains AZURE_D_; use “^AZURE_D_” if you only want names that start with it.
$tenantId = "<tenantId>"
$userName = "<userName>"
$secretaa = ConvertTo-SecureString "<your password>" -AsPlainText -Force   # POC only: load the secret from Key Vault or an Automation credential asset in production
$azureCredential = New-Object System.Management.Automation.PSCredential($userName, $secretaa)
Connect-AzureAD -Credential $azureCredential -TenantId $tenantId
$servicePrincipal = Get-AzureADServicePrincipal -Filter "DisplayName eq '<yourApp>'"
$appRole = $servicePrincipal.AppRoles | Where-Object { $_.DisplayName -eq 'User' }
# -SearchString is only a prefix match on the display name; -match applies a real regular expression. -All is needed or only the first page of groups is returned.
$groups = Get-AzureADGroup -All $true | Where-Object { $_.DisplayName -match "<REGEX>" }
foreach ($group in $groups) {
    # -ErrorAction (not -InformationAction) is what suppresses the "assignment already exists" error on scheduled re-runs
    New-AzureADGroupAppRoleAssignment -ObjectId $group.ObjectId -PrincipalId $group.ObjectId -ResourceId $servicePrincipal.ObjectId -Id $appRole.Id -ErrorAction SilentlyContinue
}

For this POC script the password is placed directly in $secretaa. If you operationalize this, pull the secret from Key Vault or from an Automation Account credential asset (Get-AutomationPSCredential) instead of the script body, and prefer a service principal authenticating with a certificate (Connect-AzureAD -ApplicationId/-CertificateThumbprint/-TenantId) over a user account, since a password-only user cannot satisfy MFA or Conditional Access policies and its password will eventually expire. If you run this from a Hybrid Worker group, make sure the AzureAD PowerShell module is installed on the worker; if it isn’t, the errors will tell you which modules are missing.

4. Publish the runbook (click “Publish”, then select “Yes”).

5. Go to the Automation Account and create a new schedule (select “Schedules”, click “Add a schedule”, name the schedule and configure the values that work for you). Make sure you select “Recurrence: Recurring” and “Set expiration: No” if you want this to keep running indefinitely.

6. Go to the published PowerShell runbook and link the schedule:

6.1 Select “Schedules”, then click “Add a schedule”

6.2 Select the schedule you just created

6.3 If you are using a Hybrid Worker group, or you have modified the script to take parameters, set them in the “Parameters and run settings” section.
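As an added example (not code from the original post), here is the same procedure written as a parameterised runbook that a practitioner could publish instead of the POC script above: it reads the service user's password from an Automation credential asset rather than the script body, resolves the enterprise application and its app role and fails loudly if either is missing, applies a real regular expression to group display names, and skips groups that already hold an assignment so that scheduled re-runs are idempotent and never hit the “assignment already exists” error. The credential asset name DatabricksProvisioner, the parameter names and the DryRun switch are my assumptions, not anything from the post.

```powershell
# Added example, not the original post's code. Assumes an Automation credential asset named
# "DatabricksProvisioner" holding the service user that is Owner of the enterprise application.
param(
    [Parameter(Mandatory = $true)] [string] $TenantId,
    [Parameter(Mandatory = $true)] [string] $AppDisplayName,   # display name of the Databricks enterprise application
    [Parameter(Mandatory = $true)] [string] $GroupNameRegex,   # e.g. '^AZURE_D_' (prefix) or 'AZURE_D_' (contains)
    [string] $AppRoleDisplayName = 'User',
    [string] $CredentialAssetName = 'DatabricksProvisioner',   # assumed asset name
    [switch] $DryRun                                            # report what would be assigned, change nothing
)

$ErrorActionPreference = 'Stop'

# Pull the service user's password from the Automation Account credential store, never from the script body.
$cred = Get-AutomationPSCredential -Name $CredentialAssetName
Connect-AzureAD -Credential $cred -TenantId $TenantId | Out-Null

# Resolve the enterprise application. A display name is not unique, so refuse to guess if it is ambiguous.
$sp = @(Get-AzureADServicePrincipal -Filter "DisplayName eq '$AppDisplayName'")
if ($sp.Count -eq 0) { throw "Service principal '$AppDisplayName' not found in tenant $TenantId" }
if ($sp.Count -gt 1) { throw "Display name '$AppDisplayName' matches $($sp.Count) service principals; use the ObjectId instead" }
$sp = $sp[0]

# Resolve the app role we assign; list the available roles if the expected one is missing.
$role = $sp.AppRoles | Where-Object { $_.DisplayName -eq $AppRoleDisplayName -and $_.IsEnabled }
if (-not $role) {
    throw "App role '$AppRoleDisplayName' not found on '$AppDisplayName'. Available: $($sp.AppRoles.DisplayName -join ', ')"
}

# -SearchString is only a prefix match, so apply the regex client-side.
# -All $true is required, otherwise only the first page of groups is returned.
$matching = @(Get-AzureADGroup -All $true | Where-Object { $_.DisplayName -match $GroupNameRegex })
Write-Output "Groups matching '$GroupNameRegex': $($matching.Count)"

$assigned = 0
$skipped = 0
foreach ($group in $matching) {
    # Idempotency: skip groups that already have an assignment to this service principal.
    $existing = Get-AzureADGroupAppRoleAssignment -ObjectId $group.ObjectId |
        Where-Object { $_.ResourceId -eq $sp.ObjectId }
    if ($existing) {
        $skipped++
        continue
    }

    if ($DryRun) {
        Write-Output "[DryRun] would assign '$($group.DisplayName)' ($($group.ObjectId)) to '$AppDisplayName' as '$AppRoleDisplayName'"
        continue
    }

    # Group assignment is what makes the SCIM connector provision the group and its members into Databricks.
    New-AzureADGroupAppRoleAssignment -ObjectId $group.ObjectId -PrincipalId $group.ObjectId `
        -ResourceId $sp.ObjectId -Id $role.Id | Out-Null
    Write-Output "Assigned '$($group.DisplayName)' to '$AppDisplayName' as '$AppRoleDisplayName'"
    $assigned++
}

Write-Output "Done. Newly assigned: $assigned, already assigned (skipped): $skipped"
Disconnect-AzureAD
```

Run it once from the portal with DryRun set to true and check the output before linking it to the schedule. Note that -match is case-insensitive by default (use -cmatch for a case-sensitive pattern), and that Get-AzureADGroup -All $true pages through every group in the tenant, which is the price of a true regular expression; if your naming convention is a fixed prefix you can narrow the candidate set server-side with -Filter "startswith(displayName,'AZURE_D_')" and then apply the regex to what comes back.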

You can adapt this approach to auto-assign/auto-provision other Enterprise Applications, or rewrite the script to work for App Registrations too.

Stay Awesome,
