ucx
Local service principals are removed from groups after migration
If there is a service principal in a workspace group, it will be removed from the account group post-migration (since SPs do not exist in AD). Hence, a manual step is required to identify and add the service principals to the groups after running the UCX group migration jobs. It would be great to have a feature that includes this manual step in the UCX job.
@aminmovahed-db What do you mean that "sps don't exist in AD?". Is it even possible?
Databricks service principals are members of the workspace groups, and they are not members of the corresponding user groups in the Databricks account (since the account user groups are synced from AD, and in AD there are only users). So when the workspace group is deleted and replaced by the account user group, the SP does not belong to any group in the workspace anymore. In this case, the SP should be manually added to that account user group.
On Thu, 30 Nov 2023 at 18:56, Serge Smertin wrote:
@aminmovahed-db What do you mean that "sps don't exist in AD?". Is it even possible?
As far as I understand, this means that the service principal hasn't been added to the account group before doing the group migration. You can still add the service principal from AD in the account console by using the SCIM API or in the account console directly. This emphasizes this issue -> https://github.com/databrickslabs/ucx/issues/649 We need to log groups that don't have the same membership between workspace and account.
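The drift check the thread asks for (groups whose workspace membership differs from the account group of the same name, and specifically the service principals that will lose membership when the workspace group is replaced), as an added example that is not part of UCX or of any comment above. It assumes that SCIM member `$ref` values look like "Users/<id>" and "ServicePrincipals/<id>", that the account PATCH body follows the SCIM 2.0 PatchOp shape, and it runs on constructed sample data in place of the real Groups API responses:

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Member:
    """One SCIM group member. `ref` is the SCIM $ref, assumed here to look
    like "Users/<id>" or "ServicePrincipals/<id>" (assumption of the example)."""
    display: str
    ref: str

    @property
    def scim_id(self) -> str:
        return self.ref.split("/", 1)[1]

    @property
    def is_service_principal(self) -> bool:
        return self.ref.startswith("ServicePrincipals/")


@dataclass
class Group:
    display_name: str
    members: list[Member] = field(default_factory=list)


def membership_drift(workspace_groups, account_groups):
    """Compare each workspace group with the account group of the same name.

    Returns {group_name: {"account_group_exists": bool,
                          "missing_in_account": [Member, ...],
                          "extra_in_account":   [Member, ...]}}
    and only lists groups whose membership differs."""
    by_name = {g.display_name: g for g in account_groups}
    report = {}
    for wg in workspace_groups:
        ws_members = set(wg.members)
        ag = by_name.get(wg.display_name)
        ac_members = set(ag.members) if ag else set()
        missing = sorted(ws_members - ac_members, key=lambda m: m.ref)
        extra = sorted(ac_members - ws_members, key=lambda m: m.ref)
        if ag is None or missing or extra:
            report[wg.display_name] = {
                "account_group_exists": ag is not None,
                "missing_in_account": missing,
                "extra_in_account": extra,
            }
    return report


def orphaned_service_principals(report):
    """Service principals present in a workspace group but absent from the
    account group: they lose that membership once the workspace group is
    deleted, so they must be re-added before or after migration."""
    result = {}
    for name, entry in report.items():
        sps = [m for m in entry["missing_in_account"] if m.is_service_principal]
        if sps:
            result[name] = sps
    return result


def scim_add_members_patch(members):
    """Body for PATCH /api/2.0/account/scim/v2/Groups/{id} adding members.
    Shape assumed from the SCIM 2.0 PatchOp message; verify against the
    Databricks account SCIM docs before use."""
    return {
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
        "Operations": [
            {"op": "add", "value": {"members": [{"value": m.scim_id} for m in members]}}
        ],
    }


# Constructed sample data standing in for the workspace and account
# Groups API responses (not real identities).
ALICE = Member("alice@example.com", "Users/1")
BOB = Member("bob@example.com", "Users/2")
CAROL = Member("carol@example.com", "Users/3")
DAVE = Member("dave@example.com", "Users/4")
ERIN = Member("erin@example.com", "Users/5")
ETL_SP = Member("etl-job-sp", "ServicePrincipals/100")
DASH_SP = Member("dashboard-sp", "ServicePrincipals/101")

WORKSPACE_GROUPS = [
    Group("data-engineers", [ALICE, BOB, ETL_SP]),
    Group("analysts", [CAROL]),
    Group("ws-only-admins", [DAVE, DASH_SP]),
]
# Account groups are synced from AD, so they carry users only.
ACCOUNT_GROUPS = [
    Group("data-engineers", [ALICE, BOB]),
    Group("analysts", [CAROL, ERIN]),
]


def run_check(workspace_groups=WORKSPACE_GROUPS, account_groups=ACCOUNT_GROUPS):
    report = membership_drift(workspace_groups, account_groups)
    return report, orphaned_service_principals(report)


if __name__ == "__main__":
    report, orphans = run_check()
    for name, entry in report.items():
        print(f"{name}: account group exists={entry['account_group_exists']}, "
              f"missing={[m.display for m in entry['missing_in_account']]}, "
              f"extra={[m.display for m in entry['extra_in_account']]}")
    for name, sps in orphans.items():
        print(f"re-add to {name}: {scim_add_members_patch(sps)}")
```

Run this before the UCX group migration, after populating the two lists from the workspace and account Groups APIs, and keep the "missing"/"extra" report as the log the last comment asks for; the orphaned-SP list is the set of PATCH calls that would otherwise have to be done by hand after migration.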