I have an Azure Databricks workspace hidden inside a VNET and configured with Private Link, following the instructions from Microsoft.
Now I’m trying to do SCIM provisioning with this workspace and I’m getting the following error.
When I tried with a workspace without Private Link, everything worked fine.
Is there any solution to use SCIM provisioning with a workspace which has Azure Private Link configured?
2 Answers
Azure AD’s SaaS Application SCIM provisioning service requires internet-accessible endpoints. Your usage of the Private Link feature isn’t going to play nicely with that, given the endpoint isn’t internet accessible.
This feature may help, though: https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/on-premises-scim-provisioning
In a nutshell, it allows you to do SCIM provisioning via an agent (hosted on a server that IS internet accessible), which can then talk to other non-internet accessible servers on the same network. You’ll have to use the generic SCIM provisioning features here and may need to customize some attribute mappings as a result, as the Databricks-tailored gallery app is only available for internet-facing instances of Databricks at this time. Beyond that, I think the on-premises provisioning feature should help here.
One option could be to set publicNetworkAccess to true to be able to access the control plane both publicly and via private endpoint. I guess the provisioning service would be able to talk to the Databricks control plane that way. Now the downside is that, well, your control plane could be accessed publicly. But you could mitigate that by imposing a conditional access policy in your Azure AD tenant to force all authentication callbacks to originate from your own VNets.