How can I access the Databricks account console as an Azure Global Administrator after deploying a workspace with Terraform?

Below is one approach to troubleshoot and work around this “vicious circle” issue when using a Global Administrator in MS Entra ID to log into the Databricks account console after deploying a workspace with Terraform via a service principal.

---

What’s Happening

When you create an Azure Databricks workspace via Terraform using a service principal, the account admin settings in the Databricks account (which controls access to the account console) are not automatically populated with your personal Global Administrator account. In effect, there’s no active “Databricks account admin” record for your user—so when you try to log in through the account console with Azure AD, you’re blocked.

---

Options for Resolution

1. Use the Workspace Instead of the Account Console

   • Access Your Workspace Directly:
   Even though you can’t log into the account console, you can usually still launch and administrate your specific Databricks workspace. In the Azure portal, click the “Launch Workspace” button. This takes you directly to the workspace UI where you can manage clusters, notebooks, and workspace-level users.

2. Add an Account Admin to the Databricks Account

   • Leverage the Service Principal:
   If you need to use features found in the account console (for billing or multi-workspace management), you’ll need to have an account admin assigned. Since the workspace was created using a service principal and no account admin was explicitly set, you have two common approaches:

   • a. Modify Your Terraform Deployment (for Future Workspaces):
     Adjust your Terraform configuration to explicitly set an account admin. Some deployments allow you to pass admin emails or object IDs so that one or more Azure AD users become account admins. Check if the Databricks provider or resource supports an attribute for setting an account admin.

   • b. Manually Add an Account Administrator:
     If your deployment has already run and you have access only to the workspace UI, you might have to contact Databricks support (or use any available API/CLI if supported) to add your Global Administrator account as an account admin. This action isn’t self-service in every scenario—a support case may be required.

3. Review Single Sign-On (SSO) Configuration

   • Ensure Proper SSO Setup:
   Sometimes, SSO mismatches can prevent proper account mapping. Verify that the Azure AD integration settings (in both the Databricks workspace and account-level configurations) are correct. Incomplete SSO setups might cause your user not to be recognized as having the needed privileges even though you’re a Global Administrator in Entra ID.

---

Summary

• If your goal is to manage workspace settings: Use the workspace UI instead of the account console.
• If you need account-level functions: You must explicitly add an account admin (either via Terraform configuration or manually, possibly with support intervention) because creating a workspace with a service principal doesn’t automatically grant your user account these privileges.
• Double-check SSO settings: Ensure that your Azure AD integration is complete and correctly configured.

This approach addresses the issue directly as the official documentation does not provide additional steps beyond accessing the account console. If further issues persist, reaching out to Databricks support might be necessary.