The way forward for id safety is passwordless, context-aware, and frictionless—and we’re persevering with to construct towards that future at Databricks. We’ve launched new capabilities throughout the Databricks Information Intelligence Platform to assist prospects strengthen authentication, automate id provisioning, and allow safe programmatic entry, making it simpler to implement trendy, scalable id and entry controls.
As a reminder, Databricks-managed passwords reached end-of-life on July 10, 2024, and are not supported within the UI or by way of API authentication. To additional help a passwordless future, we’re additionally asserting the Common Availability of Databricks-managed Multi-Issue Authentication (MFA).
As extra prospects depend on Databricks to democratize information and AI entry, securing programmatic entry is extra necessary than ever. To scale back long-term API token danger, we’ve launched a number of new controls:
- Automated revocation of Private Entry Tokens (PATs) which can be inactive for 90 days
- A most lifetime of two years for newly created PATs, so credentials not persist indefinitely by default
- Common Availability of the Entry Tokens Report, giving admins deeper visibility into token utilization and danger
These updates align with the path of evolving business requirements, together with NIST, PCI DSS, and ISO, that are shifting away from password complexity towards smarter, extra adaptive id frameworks.
Right here’s a deeper dive into what’s new and the right way to profit from it.
Simplify your SSO administration with unified login on AWS
We’re shifting all prospects to unified login, the place SSO doesn’t need to be configured on particular person workspaces. Unified login immediately brings single sign-on (SSO) to all Databricks workspaces in your account.
Unified login allows you to handle one account-level SSO configuration. Which means much less overhead for admins, constant entry insurance policies for customers, and a stronger general safety posture. Mixed with SSO emergency entry utilizing MFA, unified login additionally supplies a safe fallback for directors, making certain centralized management with out sacrificing flexibility.
Unified login is already utilized in 1000’s of manufacturing workspaces, and prospects ought to plan their migration to it now. As of December 2024, all new account-level SSO setups are mechanically opted into unified login by default. This streamlines rollout and makes it easy for brand new customers to begin utilizing options like AI/BI dashboard sharing, Genie Areas, and Apps with no additional configuration wanted. We advocate you progress all workspaces to Unified Login ASAP.
Greatest practices for enabling unified login
To make use of a single account-level SSO setup on your account, guarantee your id supplier’s (IdP) configuration permits all of your workspace customers to authenticate to the Databricks account. When full, you may confidently choose in any previous workspaces to reuse account-level SSO with unified login. Lastly, take away outdated workspace-specific IdP tiles to keep away from confusion.
Be safe by default with Databricks-managed multi-factor authentication (MFA)
SSO stays one of the best follow for centralized id administration. Enabling MFA on the Id Supplier (IdP) aligns along with your firm’s safety insurance policies and ensures a constant, policy-compliant method throughout your complete consumer base.
We’re excited to introduce Databricks-managed MFA, now Usually Accessible for all AWS accounts that haven’t but configured single sign-on (SSO). This new characteristic permits admins to implement multi-factor authentication (MFA) for all customers, enhancing safety throughout your group. With help for well-liked authenticator apps and passkeys, organising MFA is fast and straightforward. Admins can allow it by means of the Account Console.
Shortly provision new customers on Azure Databricks with Automated Id Administration
Automated Id Administration, now in Public Preview for Microsoft Entra ID, permits safe, real-time entry administration by natively integrating with customers, teams, and repair principals in Entra ID, no connector apps or guide sync required. Better of all, it additionally respects nested teams and teams containing service principals, making certain constant entry management throughout advanced id hierarchies.
Certainly one of our key use circumstances is simplifying the sharing of AI/BI Dashboards or Databricks Apps, the place practitioners can share with any consumer within the group, no matter whether or not they’re in a workspace. This enables dashboard house owners to share AI/BI dashboards or apps with any Entra ID id—even these not but in Databricks—for seamless, safe collaboration. New customers are mechanically provisioned solely when shared content material is accessed, they usually inherit solely the particular permissions granted, making certain they see and use solely what they’re entitled to. It saves time for admins and makes it simpler for organizations to increase information insights throughout their groups. See our launch weblog for the small print.
Monitor and handle private entry tokens with new admin instruments
Take management of non-public entry tokens (PATs) with new token monitoring instruments, now in Public Preview throughout AWS, Azure, and GCP. Whereas we advocate utilizing OAuth entry tokens as a substitute of PATs for improved safety, these monitoring instruments assist cut back danger and enhance entry hygiene by giving admins full visibility into lively PATs, imposing time-to-live (TTL) limits, and enabling fast revocation of compromised or unused tokens.
Admins can now entry this data by means of a brand new Token Report tab within the Databricks Admin Console. From there, account admins can discover lively tokens belonging to particular customers or workspaces. You should use it to seek out older tokens that had been set to by no means expire or these which can be nonetheless lively however haven’t been actively utilized in a month. We particularly advocate searching for private entry tokens belonging to workspace admins and revoking them in the event that they aren’t wanted.
Safe programmatic entry with OAuth Token Federation
To assist prospects safe API-based entry, we’re excited to announce added help for OAuth token federation, which is able to quickly be typically obtainable throughout AWS, Azure, and GCP. Token federation permits functions to authenticate to Databricks utilizing tokens out of your trusted IdP, eliminating the necessity to retailer Databricks secrets and techniques like static tokens or passwords.
You possibly can configure token federation at two ranges:
- Account-wide: Permits token federation for all customers and repair principals in your account. For security-conscious organizations that need to implement constant controls throughout all workloads
- Particular person service principal degree (often known as workload id federation): For implementing fine-grained management over particular functions
OAuth Token Federation is very highly effective for purchasers managing numerous service principals. For instance, should you’re utilizing 100+ service principals for GitHub Actions, you may migrate them to token federation and remove the necessity to retailer and rotate over 100 long-lived Databricks-managed secrets and techniques.
Account admins can configure an account-level federation coverage utilizing the Databricks CLI model 0.239.0 and above, or the Databricks account-wide and service principal token federation REST APIs.
How we strengthen authentication at Databricks
Along with new product capabilities, we lead by instance in our company surroundings as effectively. At Databricks, along with our centralized single sign-on, we’ve carried out:
- {Hardware}-based multi-factor authentication by way of FIDO2 units
- Context-aware authentication that comes with machine belief, geolocation and behavioral patterns
- Automated response to a breached password detection from our risk intelligence sources
- Transferring from quarterly to annual compelled password modifications to encourage higher passwords
- Least privilege dataset-level authorization so {that a} consumer who wants entry to a non-standard desk will be licensed for simply that desk as a substitute of a whole different position.
In mixture, this supplies our workers with simple entry to assets whereas sustaining a robust safety posture.
Your id safety modernization journey on Databricks begins right here
Whether or not you’re simply getting began with MFA or able to undertake full automation, Databricks has the instruments and integrations to help you each step of the best way.
To scale back your safety danger and take full benefit of those capabilities, we advocate the next finest practices:
- Allow SSO on the account degree
- Require MFA for all customers
- Use OAuth federation for API entry
- Monitor authentication logs for uncommon exercise
When you’re able to dive in rapidly, our id finest follow guides on AWS, Azure and GCP are a great place to begin.
Be a part of the Id and Entry Administration product and engineering group on the Information + AI Summit, June 9–12 on the Moscone Heart in San Francisco! Get a primary have a look at the most recent improvements in information and AI governance and take a look at our id and entry administration classes: