
Azure

This guide will help you set up the Security Analysis Tool (SAT) on Azure Databricks.

Note

At least one SAT setup in a workspace is required per Azure subscription.

Prerequisites

Some prerequisites need to be met before you can set up SAT on Azure. Make sure you also have the appropriate permissions in your Azure cloud account to create the resources mentioned below.

SAT is especially beneficial to customers on Databricks Premium or Enterprise tiers, as most of the checks and recommendations involve security features that are only available in tiers above Standard.

App Registration

The first step is to create an App Registration in Azure. This will allow SAT to authenticate with Azure services. Follow the steps below to create an App Registration:

  • Open the Azure portal and navigate to Microsoft Entra ID.
  • Click on App registrations and then click on New registration.
  • Enter a name for the App Registration and select the appropriate permissions. The minimum requirement is to have access in a single tenant.

App Client Secrets

After creating the App Registration, you will need to create a client secret. This secret will be used to authenticate with Azure services. Follow the steps below to create a client secret:

  • Open the App Registration you created in the previous step.
  • Click on Certificates & secrets and then click on New client secret.
  • Enter a description for the client secret and select the expiry date. Click on Add.
  • Copy the value of the client secret and save it in a secure location.
  • Add the created app with the "Reader" role at the subscription level, using Role assignments in the Access control (IAM) section of your subscription.

Add Service Principal to Databricks

After creating the App Registration and client secret, you will need to add the App Registration as a service principal in Databricks. Follow the steps below to add the service principal:

  • Go to the Account Console
  • On the left side bar menu, click on User management
  • Select Service Principal and then Add service principal
  • Select Microsoft Entra ID Managed Application as the service principal type.
  • Paste the App Client ID and create a new name for the service principal.
  • Click Add.
  • The Service Principal must be granted the Account Admin role. This role provides the ability to manage account-level settings and permissions.
  • Assign the Workspace Admin Role: The Service Principal must be assigned the Workspace Admin role for each workspace it will manage. This role provides the ability to manage workspace-level settings and permissions.
  • Add to the Metastore Admin Group: The Service Principal must be added to the Metastore Admin group or role. This role provides the ability to manage metastore-level settings and permissions.

See the Databricks documentation for more information on adding service principals.

The Service Principal requires the Account Admin role, the Admin role for each workspace, and membership in the metastore admin group in order to analyze many of the APIs. Please add this Service Principal to each workspace so that SAT can access the APIs for analysis.

Installation

Credentials Needed

To set up SAT on Azure, you will need the following credentials:

  • Databricks Account ID
  • Azure Tenant ID
  • Azure Subscription ID
  • Azure App Client ID (Obtained from App Registration)
  • Azure App Client Secret (Obtained from App Client Secrets)

To execute the SAT, follow these steps on your workstation or a compatible VM that has access to the internet and the Databricks workspace:

  • Clone the SAT repository locally

      git clone https://github.com/databricks-industry-solutions/security-analysis-tool.git

Remember that the target workspace should have a profile in the Databricks CLI.

  • Run the install.sh script on your terminal.

To ensure that the install.sh script is executable, you need to modify its permissions using the chmod command.

      chmod +x install.sh
      ./install.sh

Congratulations! 🎉 You are now ready to start using the SAT. Please click here for a detailed description on how to run and use it.

Troubleshooting

Please review the FAQs and troubleshooting resources, including the diagnostic notebook provided to help verify your SAT setup.

If you encounter issues during installation:

  • Double-check your credentials.
  • Ensure you have the correct configurations and permissions for your Databricks environment.
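
One way to double-check the credentials before rerunning install.sh, as an added example that is not part of the SAT repository: it checks that the four IDs are GUIDs, flags a client secret that is really the portal's Secret ID rather than its Value, and can request a token from Microsoft Entra ID with the client-credentials grant. The function names are hypothetical and the sample values are constructed.

```shell
# Preflight for the SAT credentials (added example; function names are hypothetical).

is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Prints one line per problem and returns the number of problems found.
# Args: account_id tenant_id subscription_id client_id client_secret
sat_check_credentials() {
  problems=0
  for pair in "Databricks Account ID=$1" "Azure Tenant ID=$2" \
              "Azure Subscription ID=$3" "Azure App Client ID=$4"; do
    is_guid "${pair#*=}" || {
      echo "${pair%%=*}: not a GUID"
      problems=$((problems + 1))
    }
  done
  if [ -z "$5" ]; then
    echo "Azure App Client Secret: empty"
    problems=$((problems + 1))
  elif is_guid "$5"; then
    # The portal lists a GUID "Secret ID" next to the secret "Value";
    # only the Value authenticates.
    echo "Azure App Client Secret: looks like the Secret ID, not the Value"
    problems=$((problems + 1))
  fi
  return "$problems"
}

# Live check (needs network access): requests a token from Microsoft Entra ID
# and prints the HTTP status; 200 means the tenant ID, client ID and secret
# were accepted. The secret is passed on stdin so it stays out of the
# process list.
# Args: tenant_id client_id client_secret
sat_token_status() {
  printf '%s' "$3" | curl -sS -o /dev/null -w '%{http_code}\n' \
    "https://login.microsoftonline.com/$1/oauth2/v2.0/token" \
    -d grant_type=client_credentials -d "client_id=$2" \
    --data-urlencode 'client_secret@-' \
    --data-urlencode 'scope=https://management.azure.com/.default'
}

# Offline demo on constructed values: the "secret" here is a GUID, so it is flagged.
G=11111111-2222-3333-4444-555555555555
sat_check_credentials "$G" "$G" "$G" "$G" "$G" ||
  echo "Fix the values above before running install.sh"
```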

If problems persist, feel free to contact us with your feedback or questions at sat@databricks.com.
