Databricks is introducing new identity and access management features to help organizations secure users, manage credentials more efficiently, and implement modern authentication policies. With password-based logins now deprecated and programmatic access on the rise, Databricks is moving toward a future that’s passwordless, context-aware, and frictionless.
Goodbye Passwords, Hello MFA
As of July 2024, Databricks-managed passwords are officially deprecated. Now, to support a passwordless environment, Databricks has announced the general availability of Databricks-managed Multi-Factor Authentication (MFA) for all AWS accounts that don’t use SSO. This makes it easier for admins to enforce strong authentication policies using authenticator apps or passkeys without needing external tools.
Better Control Over Access Tokens
Databricks has also introduced stricter controls over Personal Access Tokens (PATs), making long-lived, unmanaged credentials a thing of the past. Here’s what’s new:
- PATs inactive for 90 days are automatically revoked.
- Newly created PATs now have a default max lifetime of 2 years.
- A new Access Tokens Report gives admins clear insights into usage, helping them spot and remove unused or risky tokens.
These changes align with industry best practices from NIST, PCI DSS, and ISO, shifting the focus from password complexity to smarter, adaptive access management.
Unified Login for AWS Workspaces
Managing SSO just got easier. With Unified Login, all workspaces in a Databricks account can now use a single, account-level SSO configuration. This cuts down on admin overhead and ensures consistent access policies across the board. Unified Login has been the default for all new SSO setups since December 2024, and Databricks recommends that all customers migrate their existing workspaces.
Admins can still enforce MFA for emergencies, giving them fallback access without compromising security.
Automatic Identity Management on Azure
For organizations using Microsoft Entra ID, Automatic Identity Management is now in public preview. This allows real-time user and group provisioning—without needing connectors or manual syncs. Even nested groups and service principals are supported.
This makes sharing AI/BI dashboards and Databricks apps across your organization easier. If a dashboard is shared with someone not yet in Databricks, they’ll automatically be provisioned with exactly the right permissions when they access it.
Token Monitoring and OAuth Federation
Admins can now monitor PAT usage through a new Token Report tab, available across AWS, Azure, and GCP. It’s a simple way to find expired, idle, or overly permissive tokens—and shut them down before they become security liabilities.
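An added example, not Databricks code: one way to triage an exported token inventory against the limits stated above (90 days of inactivity, 2-year maximum lifetime) before tokens are revoked. The record layout and field names are assumptions for illustration, not the Token Report schema, and the sample tokens are constructed.

```python
from datetime import datetime, timedelta, timezone

IDLE_LIMIT = timedelta(days=90)      # page: PATs inactive for 90 days are revoked
MAX_LIFETIME = timedelta(days=731)   # page: 2-year max lifetime (allows one leap day)

# Constructed inventory; field names are assumptions, not the Databricks report schema.
TOKENS = [
    {"id": "tok-a", "owner": "etl-svc", "created": "2023-01-10", "expires": None, "last_used": "2025-05-30"},
    {"id": "tok-b", "owner": "alice", "created": "2024-11-01", "expires": "2025-11-01", "last_used": "2025-01-15"},
    {"id": "tok-c", "owner": "bob", "created": "2025-04-20", "expires": "2025-07-19", "last_used": None},
    {"id": "tok-d", "owner": "ci-bot", "created": "2024-06-01", "expires": "2025-03-01", "last_used": "2025-02-27"},
    {"id": "tok-e", "owner": "carol", "created": "2025-01-05", "expires": "2028-01-05", "last_used": "2025-05-28"},
]

def parse_day(s):
    """Parse YYYY-MM-DD into an aware UTC datetime; None stays None."""
    return datetime.strptime(s, "%Y-%m-%d").replace(tzinfo=timezone.utc) if s else None

def audit(tokens, now):
    """Return {token_id: [findings]} for tokens that need an admin's attention."""
    report = {}
    for t in tokens:
        created = parse_day(t["created"])
        expires = parse_day(t["expires"])
        used = parse_day(t["last_used"])
        findings = []
        if expires is not None and expires <= now:
            findings.append("expired")           # already dead: candidate for cleanup
        else:
            if expires is None:
                findings.append("no-expiry")     # legacy token with no lifetime set
            elif expires - created > MAX_LIFETIME:
                findings.append("lifetime-over-2y")
            # A token that was never used counts as idle since its creation date.
            if now - (used or created) >= IDLE_LIMIT:
                findings.append("idle-90d")
        if findings:
            report[t["id"]] = findings
    return report

if __name__ == "__main__":
    for token_id, findings in audit(TOKENS, parse_day("2025-06-01")).items():
        print(token_id, ",".join(findings))
```
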
For a more secure alternative, OAuth Token Federation is on its way to general availability. This lets service principals and applications authenticate to Databricks using your organization’s identity provider—no static tokens or secrets required. It supports both account-wide federation and fine-grained controls for specific workloads.
The Bottom Line
Databricks is making it easier for organizations to adopt modern, secure identity practices at scale. Whether you're managing thousands of users or dozens of service principals, these updates are designed to reduce risk, automate provisioning, and future-proof your identity strategy.
Meet the IAM Team at Data + AI Summit
Join the Identity and Access Management team at the Data + AI Summit, June 9–12 in San Francisco. Discover the latest in data and AI governance and catch sessions on,
Register now to save your seat!