Reactivate a user that has been disabled with AAD at the Account and Workspace level

Using a default account API call, activate the user first at the account level, then the workspace level.

Written by david.vega

Last published at: October 25th, 2024

Problem

When using Azure Active Directory (AAD) as an Identity Provider, if you try to reactivate a user via the default account and workspace-level API, you receive an empty response or stack trace, and the user remains inactive.

{"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"detail":"class java.lang.String cannot be cast to class java.lang.Boolean (java.lang.String and java.lang.Boolean are in module java.base of loader 'bootstrap')","status":"500"}

 

Cause

With the AAD account SCIM connector, if a user is removed at the account level, that user's status is updated to inactive in all workspaces.

 

Solution

To reactivate a user using a default account API call, activate them first at the account level, then the workspace level. 

 

Account-level activation 

curl --request PATCH \
'https://accounts.cloud.databricks.com/api/2.0/accounts/<accountId>/scim/v2/Users/<userId>' \
--header 'Accept: application/scim+json' \
--header 'Authorization: Bearer <account SCIM Token>' \
--header 'Content-Type: application/json' \
--data-raw '{
  "schemas": [ "urn:ietf:params:scim:api:messages:2.0:PatchOp" ], 
  "Operations": [ { 
    "op": "replace", 
    "path": "active", 
    "value": [ { "value": "true" } ] 
  } ] 
}'

 

Workspace-level SCIM activation 

curl --request PATCH \
"https://<workspace URL>/api/2.0/account/scim/v2/Users/<UserId>" \
--header 'Accept: application/scim+json' \
--header 'Authorization: Bearer <account+workspace admin PAT>' \
--header 'Content-Type: application/json' \
--data-raw '{
  "schemas": [ "urn:ietf:params:scim:api:messages:2.0:PatchOp" ], 
  "Operations": [ { 
    "op": "replace", 
    "path": "active", 
    "value": [ { "value": "true" } ] 
  } ] 
}'
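
The two calls above, wrapped as an added shell example (not part of the original article and not Databricks tooling) that runs them in order, stops if the account-level step fails, and reads the user back to confirm `active` is true. The environment variable and function names are this example's own, and it assumes the same user URL also answers a SCIM GET.

```shell
#!/bin/sh
# Added example, not Databricks tooling. Placeholders from the article are read
# from environment variables (names are this example's own choice):
#   ACCOUNT_ID USER_ID WORKSPACE_URL ACCOUNT_TOKEN WORKSPACE_TOKEN
PATCH_BODY='{"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
 "Operations":[{"op":"replace","path":"active","value":[{"value":"true"}]}]}'

# Send the article's PATCH. --fail makes curl exit non-zero on HTTP >= 400,
# so the 500 SCIM error shown in the Problem section is not silently ignored.
scim_patch() {  # $1 = user URL, $2 = bearer token
  curl --silent --show-error --fail --request PATCH "$1" \
    --header 'Accept: application/scim+json' \
    --header "Authorization: Bearer $2" \
    --header 'Content-Type: application/json' \
    --data-raw "$PATCH_BODY" >/dev/null
}

# Read the user back and check the SCIM "active" attribute.
# Assumption: the user URL used for PATCH also answers GET.
user_is_active() {  # $1 = user URL, $2 = bearer token
  curl --silent --show-error --fail --request GET "$1" \
    --header 'Accept: application/scim+json' \
    --header "Authorization: Bearer $2" |
    grep -Eq '"active"[[:space:]]*:[[:space:]]*true'
}

activate_at() {  # $1 = level name, $2 = user URL, $3 = bearer token
  if scim_patch "$2" "$3" && user_is_active "$2" "$3"; then
    echo "$1: user is active"
  else
    echo "$1: activation failed or user still inactive" >&2
    return 1
  fi
}

# Account level first, then workspace level; stop at the first failure.
reactivate_user() {
  acct="https://accounts.cloud.databricks.com/api/2.0/accounts/$ACCOUNT_ID/scim/v2/Users/$USER_ID"
  ws="https://$WORKSPACE_URL/api/2.0/account/scim/v2/Users/$USER_ID"
  activate_at account "$acct" "$ACCOUNT_TOKEN" || return 1
  activate_at workspace "$ws" "$WORKSPACE_TOKEN" || return 2
}
```

Call `reactivate_user` after exporting the five variables; a return code of 1 means the account-level step failed and the workspace was not touched, 2 means the workspace-level step failed.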