Hi, need help.
We are working on migrating a Power BI tenant from the Infy tenant to the TATA tenant.
In our current setup (Infy tenant), we have an Azure AD security group used to control access to Databricks. Users raise a ticket, and we manually add them to this group.
As part of a cross-tenant migration, some users are moving to a new TATA tenant. Databricks will continue to reside in the Infy tenant.
Key considerations:
Users from TATA will be B2B guests in Infy.
We want to avoid manual group assignment via tickets.
We still want to control access to the existing Databricks workspace in Infy.
Question:
a. What is the recommended approach to manage Databricks access for users who now belong to the TATA tenant?
b. Is there a best practice for managing this (e.g., Access Packages, dynamic groups, automation)? How can we securely and efficiently provide group-based access for TATA users in this cross-tenant setup?
Thanks
Since your Databricks environment will stay in the Infy tenant, and the users are moving to the TATA tenant, here’s what I’d suggest based on similar setups:
1. Stick with the existing security group in Infy
No need to change the way Databricks access is currently controlled. Even after the move, users from the TATA tenant can be added as B2B guest users in Infy and then included in the same Azure AD group that manages access to Databricks. So your group structure doesn’t need to be rebuilt.
2. Avoid manual ticketing with Access Packages
If you want to skip the manual part (which I highly recommend), look into Access Packages in Azure AD Entitlement Management (Infy tenant). These let external users (your TATA users) request access via a portal, and you can:
a. Add approval steps
b. Set access expiry (e.g. 30/60/90 days)
c. Run access reviews later if needed
It’s a clean, secure way to give access without relying on ticketing or scripts.
3. A quick note on dynamic groups
Dynamic groups might sound like a good option, but unfortunately, they don’t support guest users at the moment — so they won’t help here.
4. What if you don’t have Entra P2?
If licensing is a blocker, you can still automate group assignments using PowerShell or Graph API, but it does require some custom scripting. That works too — just a bit more effort.
So, in short:
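The scripted route from point 4 of the reply above, as an added example that is not part of the original post: it plans the Microsoft Graph membership calls for the Databricks group from an approved list, adding only guests who have redeemed their invitation, are enabled, and come from an allowed domain. The group ID placeholder, the `tata.example` and `infy.example` domains, the helper names, and the sample records are assumptions constructed for illustration; the script builds the requests offline and sends nothing.

```python
# Added example: plans Graph membership changes offline; sends nothing.
GRAPH = "https://graph.microsoft.com/v1.0"
GROUP_ID = "<databricks-group-object-id>"  # placeholder, not from the page
ALLOWED_DOMAINS = {"tata.example"}         # assumed guest mail domain

def eligible(user):
    """Guest must have redeemed the invite, be enabled, and use an allowed domain."""
    mail = (user.get("mail") or "").lower()
    return (user.get("userType") == "Guest"
            and user.get("externalUserState") == "Accepted"
            and user.get("accountEnabled") is True
            and mail.rpartition("@")[2] in ALLOWED_DOMAINS)

def plan_changes(users, approved_mails, current_member_ids):
    """Return the Graph requests that align guest membership with the approved list."""
    approved = {m.lower() for m in approved_mails}
    want = {u["id"] for u in users if eligible(u) and u["mail"].lower() in approved}
    guests = {u["id"] for u in users if u.get("userType") == "Guest"}
    current = set(current_member_ids)
    plan = [{"method": "POST", "url": f"{GRAPH}/groups/{GROUP_ID}/members/$ref",
             "body": {"@odata.id": f"{GRAPH}/directoryObjects/{uid}"}}
            for uid in sorted(want - current)]
    # Remove only guests; members native to the resource tenant are never touched.
    plan += [{"method": "DELETE",
              "url": f"{GRAPH}/groups/{GROUP_ID}/members/{uid}/$ref", "body": None}
             for uid in sorted((current & guests) - want)]
    return plan

def _user(uid, mail, kind="Guest", state="Accepted", enabled=True):
    return {"id": uid, "mail": mail, "userType": kind,
            "externalUserState": state, "accountEnabled": enabled}

# Constructed sample directory data (not real accounts).
SAMPLE_USERS = [
    _user("g1", "a@tata.example"),                             # approved, missing
    _user("g2", "b@tata.example", state="PendingAcceptance"),  # invite not redeemed
    _user("g3", "c@other.example"),                            # wrong domain
    _user("g4", "d@tata.example"),                             # no longer approved
    _user("g5", "e@tata.example"),                             # already correct
    _user("m1", "f@infy.example", kind="Member", state=None),  # native member
]
SAMPLE_APPROVED = ["a@tata.example", "b@tata.example", "c@other.example", "e@tata.example"]
SAMPLE_CURRENT = ["g3", "g4", "g5", "m1"]

if __name__ == "__main__":
    for req in plan_changes(SAMPLE_USERS, SAMPLE_APPROVED, SAMPLE_CURRENT):
        print(req["method"], req["url"])
```

Reviewing the planned requests before a separate, authenticated step sends them keeps a bad approved list from silently widening access to the workspace.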