The Subscription itself, which includes Azure Databricks created in Directory A of account A, has been transferred to directory B of account B.
A Compute cluster and Workflow were already created in directory A of account A.
It for running Workflow of Directory B of Account B was deleted.
A Compute cluster was created though.
when starting the Compute cluster in Azure Databricks, an error CrossTenantUserAssignmentRequestForbidden occurs during the error FailedIdentityOperation as shown in the capture below.
The following attempts were made to resolve the error, but no cases of the above error occurred in Azure Databricks.
- Check the Link Knowledge base: Cloud provider initiated terminations for the above error
- Googling with search keyword "databricks FailedIdentityOperation"
- Googling with search keyword "azure It is not permitted to assign a user assigned managed identity to an Azure resource in a different Azure AD tenant."
- Googling with search keyword "CrossTenantUserAssignmentRequestForbidden"
Need help with how to fix the above error in Azure Databricks and run Compute cluster.
2
Answers
The error "CrossTenantUserAssignmentRequestForbidden" typically occurs when an operation in Azure Databricks is attempting to assign a user from one tenant (in this case, Directory A) to a resource in a different tenant (Directory B).
To fix this error and run the Compute cluster, you will need to make sure that the user or service principal attempting to start the cluster has been granted the necessary permissions to access resources in both Directory A and Directory B.
Here are some steps you can take to troubleshoot and fix the issue:
There may be some specific things you can check in the AAD and Azure Databricks configuration:
In Azure Active Directory (AAD):
Check if the user or service principal has been granted the necessary permissions and roles in both Directory A and Directory B. This can include roles such as Global Administrator, Owner, Contributor, or User Access Administrator.
Ensure that the user or service principal has been granted the necessary permissions to access the Azure Databricks workspace and Compute cluster resources in both directories. This can include roles such as Owner, Contributor, or User Access Administrator.
Check if any Conditional Access policies or security settings in AAD may be preventing the user or service principal from accessing resources in both directories.
In Azure Databricks workspace and cluster configuration:
Verify that the user or service principal has been granted the necessary permissions and roles to access the Azure Databricks workspace and Compute cluster resources. This can include roles such as Owner, Contributor, or User Access Administrator.
Check if the Compute cluster is associated with the correct virtual network, subnet, and network security group, and that the required ports are open for communication.
Verify if the Compute cluster is configured to use the correct credentials and permissions for both Directory A and Directory B.
Ensure that all the required dependencies and configurations for the Compute cluster are in place, such as storage accounts, data sources, and required software libraries.
Check if the Azure Databricks workspace and Compute cluster are both in the same region, as cross-region operations may require additional permissions and configurations.
Please note: The specific steps may vary depending on your environment and requirements. Hope it helps!