Azure Installation

This guide will walk you through setting up the Security Analysis Tool (SAT) on Azure Databricks.

Unity Catalog Required

SAT v0.5.0 and higher requires Unity Catalog. Make sure Unity Catalog is enabled in your Databricks environment before installing SAT.

Azure Subscription

SAT must be set up in at least one workspace per Azure subscription. One deployment can monitor all workspaces within the same subscription.

Best for Premium & Enterprise Tiers

SAT is especially beneficial to customers on Databricks Premium or Enterprise tiers, as most checks and recommendations involve security features only available in these tiers.

Prerequisites

Before you begin, ensure you have:

  • ✅ Reviewed the general prerequisites
  • ✅ Appropriate permissions in your Azure cloud account
  • ✅ A metastore attached to your installation workspace
  • ✅ Databricks CLI installed and configured
  • Python version lower than 3.12 (for local installation using install.sh)

Step 1: Create Azure App Registration

The App Registration allows SAT to authenticate with Azure services and Databricks.

Follow these steps in the Azure Portal:

  1. Open the Azure portal and navigate to Microsoft Entra ID
  2. Click on App registrations → New registration
  3. Enter a name for the App Registration (e.g., "SAT-App")
  4. Select the appropriate permissions (minimum requirement: single tenant access)
  5. Click Register

Step 2: Create Client Secret

After creating the App Registration:

  1. Open the App Registration you just created
  2. Click on Certificates & secrets → New client secret
  3. Enter a description for the client secret
  4. Select an expiry date
  5. Click Add
  6. Copy and save the secret value immediately (you won't be able to see it again!)
  7. Add the app with the "Reader" role to your subscription

Step 3: Add Service Principal to Databricks

Now you'll connect your Azure App Registration to Databricks as a Service Principal.

Follow these steps in Databricks Account Console:

  1. Navigate to the Databricks Account Console
  2. Click on User management in the left sidebar
  3. Select Service Principal → Add service principal
  4. Paste the App Client ID (Application ID from Azure)
  5. Create a name for the service principal
  6. Click Add
  7. Grant the Account Admin role
  8. Assign the Workspace Admin role for each workspace to be monitored
  9. Add to the Metastore Admin group or role

Required Permissions:

📚 Learn more about Service Principals


Step 4: Run Installation

Credentials Required

Have these credentials ready before starting:

  • 🔑 Databricks Account ID
  • 🔑 Azure Tenant ID
  • 🔑 Azure Subscription ID
  • 🔑 Azure App Client ID (from Step 1)
  • 🔑 Azure App Client Secret (from Step 2)
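
A pre-flight check for the prerequisites and the Step 4 inputs, as an added example that is not part of SAT or its install.sh. It assumes all four IDs are GUIDs, that the interpreter is called python3, and it uses environment variable names of its own; it also catches the common slip of copying the client secret's "Secret ID" (a GUID) instead of its value.

```shell
#!/bin/sh
# Added example: pre-flight checks to run before ./install.sh (not SAT code).

# Succeeds if $1 is a canonical 8-4-4-4-12 hexadecimal GUID.
is_guid() {
  printf '%s\n' "$1" | grep -Eqi '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Succeeds if version string $1 (e.g. "3.11.4") is Python 3 below 3.12.
python_version_ok() {
  case "$1" in *.*) ;; *) return 1 ;; esac
  major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
  case "$major" in ''|*[!0-9]*) return 1 ;; esac
  case "$minor" in ''|*[!0-9]*) return 1 ;; esac
  [ "$major" -eq 3 ] && [ "$minor" -lt 12 ]
}

# Succeeds if $1 is plausibly the client secret *value* from Step 2: non-empty
# and not GUID-shaped (a GUID here is usually the "Secret ID" column instead).
secret_value_ok() {
  [ -n "$1" ] && ! is_guid "$1"
}

# Prints each tool the guide relies on that is missing from PATH.
# "python3" as the interpreter name is an assumption of this example.
missing_tools() {
  for tool in git python3 databricks; do
    command -v "$tool" >/dev/null 2>&1 || printf '%s\n' "$tool"
  done
}

# Checks the Step 4 inputs. The four IDs come from environment variables whose
# names are this example's own; the secret is read without echo and not stored.
sat_preflight() {
  rc=0
  for var in DATABRICKS_ACCOUNT_ID AZURE_TENANT_ID AZURE_SUBSCRIPTION_ID AZURE_CLIENT_ID; do
    eval "val=\${$var:-}"
    is_guid "$val" || { echo "FAIL: $var is not a GUID" >&2; rc=1; }
  done
  printf 'Azure App Client Secret (hidden): ' >&2
  stty -echo 2>/dev/null; IFS= read -r secret; stty echo 2>/dev/null; echo >&2
  secret_value_ok "$secret" || { echo "FAIL: secret is empty or looks like a Secret ID" >&2; rc=1; }
  unset secret
  pyver=$(python3 -c 'import platform; print(platform.python_version())' 2>/dev/null) || pyver=''
  python_version_ok "$pyver" || { echo "FAIL: Python '$pyver' is not 3.x below 3.12" >&2; rc=1; }
  for tool in $(missing_tools); do echo "FAIL: $tool not on PATH" >&2; rc=1; done
  return "$rc"
}
```

Source the file, export the four IDs, and call sat_preflight; a non-zero return means at least one input should be fixed before running install.sh.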

Installation Steps

Run these commands on your workstation or a VM with internet access and Databricks workspace connectivity:

1. Clone the SAT repository:

git clone https://github.com/databricks-industry-solutions/security-analysis-tool.git
cd security-analysis-tool

Databricks CLI Required

Make sure the target workspace has a profile configured in the Databricks CLI.

2. Make the installation script executable and run it:

chmod +x install.sh
./install.sh

Proxy Support

Proxies are supported! Enter your HTTP and HTTPS proxy values when the install.sh script prompts for them.

3. Follow the interactive prompts:

The installation script will guide you through the setup process.

Next Steps

Congratulations! You've successfully installed SAT on Azure Databricks.

Installation Complete

SAT is now ready to analyze your Databricks workspaces. Click here for a detailed guide on how to run and use it.


Need Help?

If you encounter problems during installation:

Common Issues:

  • ✓ Double-check your credentials are correct
  • ✓ Verify you have the required permissions in your Azure and Databricks environments
  • ✓ Ensure the Service Principal has been added to all workspaces
  • ✓ Confirm the metastore is attached to your workspace
  • ✓ Verify the App Registration has the "Reader" role on your subscription

Resources:

Still need help? Contact us at sat@databricks.com

