Introducing next-level identity security at Databricks

The future of identity security is passwordless, context-aware, and frictionless—and we’re continuing to build toward that future at Databricks. We’ve introduced new capabilities across the Databricks Data Intelligence Platform to help customers strengthen authentication, automate identity provisioning, and enable secure programmatic access, making it easier to implement modern, scalable identity and access controls.

As a reminder, Databricks-managed passwords reached end-of-life on July 10, 2024, and are no longer supported in the UI or via API authentication. To further support a passwordless future, we’re also announcing the General Availability of Databricks-managed Multi-Factor Authentication (MFA).

As more customers rely on Databricks to democratize data and AI access, securing programmatic access is more important than ever. To reduce long-term API token risk, we’ve introduced several new controls:

• Automatic revocation of Personal Access Tokens (PATs) that are inactive for 90 days
• A maximum lifetime of 2 years for newly created PATs, so credentials no longer persist indefinitely by default
• General Availability of the Access Tokens Report, giving admins deeper visibility into token usage and risk

These updates align with the direction of evolving industry standards, including NIST, PCI DSS, and ISO, which are shifting away from password complexity toward smarter, more adaptive identity frameworks.

Here’s a deeper dive into what’s new and how to make the most of it.

Simplify your SSO management with unified login on AWS

We are moving all customers to unified login, where SSO doesn’t have to be configured on individual workspaces. Unified login instantly brings single sign-on (SSO) to all Databricks workspaces in your account.

Unified login lets you manage one account-level SSO configuration. That means less overhead for admins, consistent access policies for users, and a stronger overall security posture. Combined with SSO emergency access using MFA, unified login also provides a secure fallback for administrators, ensuring centralized control without sacrificing flexibility. 

Unified login is already used in thousands of production workspaces, and customers should plan their migration to it now. As of December 2024, all new account-level SSO setups are automatically opted into unified login by default. This streamlines rollout and makes it simple for new users to start using features like AI/BI dashboard sharing, Genie Spaces, and Apps with no extra configuration needed. We recommend you move all workspaces to Unified Login ASAP. 

Best practices for enabling unified login

To use a single account-level SSO setup for your account, ensure your identity provider's (IdP) configuration permits all your workspace users to authenticate to the Databricks account. When complete, you can confidently opt in any old workspaces to reuse account-level SSO with unified login. Finally, remove outdated workspace-specific IdP tiles to avoid confusion.

Be secure by default with Databricks-managed multi-factor authentication (MFA)

SSO remains the best practice for centralized identity management. Enabling MFA at the Identity Provider (IdP) aligns with your company’s security policies and ensures a consistent, policy-compliant approach across your entire user base. 

We’re excited to introduce Databricks-managed MFA, now Generally Available for all AWS accounts that haven’t yet configured single sign-on (SSO). This new feature allows admins to enforce multi-factor authentication (MFA) for all users, enhancing security across your organization. With support for popular authenticator apps and passkeys, setting up MFA is quick and easy. Admins can enable it through the Account Console.

Quickly provision new users on Azure Databricks with Automatic Identity Management 

Automatic Identity Management, now in Public Preview for Microsoft Entra ID, enables secure, real-time access management by natively integrating with users, groups, and service principals in Entra ID,  no connector apps or manual sync required. Best of all, it also respects nested groups and groups containing service principals, ensuring consistent access control across complex identity hierarchies. 

One of our key use cases is simplifying the sharing of AI/BI Dashboards or Databricks Apps, where practitioners can share with any user in the organization, regardless of whether they are in a workspace. This allows dashboard owners to share AI/BI dashboards or apps with any Entra ID identity—even those not yet in Databricks—for seamless, secure collaboration. New users are automatically provisioned only when shared content is accessed, and they inherit only the specific permissions granted, ensuring they see and use only what they’re entitled to. It saves time for admins and makes it easier for organizations to extend data insights across their teams. See our launch blog for the details.

Monitor and manage personal access tokens with new admin tools

Take control of personal access tokens (PATs) with new token monitoring tools, now in Public Preview across AWS, Azure, and GCP. While we recommend using OAuth access tokens instead of PATs for improved security, these monitoring tools help reduce risk and improve access hygiene by giving admins full visibility into active PATs, enforcing time-to-live (TTL) limits, and enabling quick revocation of compromised or unused tokens.

Admins can now access this information through a new Token Report tab in the Databricks Admin Console. From there, account admins can find active tokens belonging to specific users or workspaces. You can use it to find older tokens that were set to never expire or those that are still active but haven’t been actively used in a month. We especially recommend looking for personal access tokens belonging to workspace admins and revoking them if they aren’t needed. 

Secure programmatic access with OAuth Token Federation

To help customers secure API-based access, we’re excited to announce added support for OAuth token federation, which will soon be generally available across AWS, Azure, and GCP. Token federation allows applications to authenticate to Databricks using tokens from your trusted IdP, eliminating the need to store Databricks secrets like static tokens or passwords.

You can configure token federation at two levels: 

1. Account-wide: Enables token federation for all users and service principals in your account. For security-conscious organizations that want to enforce consistent controls across all workloads
2. Individual service principal level (also known as workload identity federation): For implementing fine-grained control over specific applications

OAuth Token Federation is especially powerful for customers managing a large number of service principals. For example, if you're using 100+ service principals for GitHub Actions, you can migrate them to token federation and eliminate the need to store and rotate over 100 long-lived Databricks-managed secrets.

Account admins can configure an account-level federation policy using the Databricks CLI version 0.239.0 and above, or the Databricks account-wide and service principal token federation REST APIs.

How we strengthen authentication at Databricks

In addition to new product capabilities, we lead by example in our corporate environment as well. At Databricks, in addition to our centralized single sign-on, we’ve implemented:

• Hardware-based multi-factor authentication via FIDO2 devices
• Context-aware authentication that incorporates device trust, geolocation and behavioral patterns
• Automated response to a breached password detection from our threat intelligence sources
• Moving from quarterly to annual forced password changes to encourage better passwords
• Least privilege dataset-level authorization so that a user who needs access to a non-standard table can be authorized for just that table instead of an entire other role.

In aggregate, this provides our employees with straightforward access to resources while maintaining a strong security posture.

Your identity security modernization journey on Databricks starts here

Whether you’re just getting started with MFA or ready to adopt full automation, Databricks has the tools and integrations to support you every step of the way.

To reduce your security risk and take full advantage of these capabilities, we recommend the following best practices:

• Enable SSO at the account level
• Require MFA for all users
• Use OAuth federation for API access
• Monitor authentication logs for unusual activity

If you're ready to dive in quickly, our identity best practice guides on AWS, Azure and GCP are a good place to start. 

Join the Identity and Access Management product and engineering team at the Data + AI Summit, June 9–12 at the Moscone Center in San Francisco! Get a first look at the latest innovations in data and AI governance and check out our identity and access management sessions: 

• Using Identity Security With Unity Catalog for Faster, Safer Data Access

• Unlocking Access: Simplifying Identity Management at Scale With Databricks

• Securely Deploying AI/BI to All Users in Your Enterprise

 Register now to secure your spot!