Reactivate inactive users at the account level using OAuth token for non-SCIM scenarios

Create a service principal and use an OAuth token to activate users via an API call without having to use a SCIM token.

Written by kevin.salas

Last published at: March 22nd, 2025

Problem

When attempting to reactivate a user through the account-level API while using an identity provider, the call fails with an HTTP 500 instead of reactivating the user.


Example error

{"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"detail":"class java.lang.String cannot be cast to class java.lang.Boolean (java.lang.String and java.lang.Boolean are in module java.base of loader 'bootstrap')","status":"500"}


Cause

When using the SCIM connector, removing users at the account level automatically sets their status to inactive across all associated workspaces. This means that if a user is deleted or de-provisioned from the main account, their access and visibility will be automatically disabled in every connected workspace.


Solution

You must first activate a user at the account level before you try to activate them at the workspace level. You can reactivate users at the account level using the OAuth token method for non-SCIM scenarios.


  1. Create a service principal in the Databricks account console.
  2. Grant permissions to the service principal in the account console and capture the service principal's secret and client ID. For more information, review the Create an OAuth secret for a service principal (AWS, Azure, GCP) documentation.
  3. Generate an account-level OAuth token. Replace <databricks-domain> with cloud.databricks.com (AWS), azuredatabricks.net (Azure), or gcp.databricks.com (GCP) as appropriate, and <my-account-id> with your account ID.
%sh
export CLIENT_ID=<client-id>
export CLIENT_SECRET=<client-secret>
# Client-credentials grant against the account-level OIDC token endpoint;
# the response JSON carries the token in the "access_token" field.
curl --request POST \
--url https://accounts.<databricks-domain>/oidc/accounts/<my-account-id>/v1/token \
--user "$CLIENT_ID:$CLIENT_SECRET" \
--data 'grant_type=client_credentials&scope=all-apis'


  4. Using the account-level OAuth token created, generate an API call from a workspace notebook to reactivate the user in the account console. Replace <user-id> with the user's SCIM ID (the "id" field returned by GET .../scim/v2/Users):
%sh
export OAUTH_TOKEN="<oauth-token>"

# PATCH the individual user resource. "value" must be the JSON boolean true;
# sending the string "true" produces the String-cannot-be-cast-to-Boolean error
# shown above.
curl --location --request PATCH "https://accounts.<databricks-domain>/api/2.0/accounts/<my-account-id>/scim/v2/Users/<user-id>" \
--header "Authorization: Bearer $OAUTH_TOKEN" \
--header "Content-Type: application/json" \
--data '{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:PatchOp"
  ],
  "Operations": [
    {
      "op": "replace",
      "path": "active",
      "value": true
    }
  ]
}'
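The four steps above, carried through end to end, as an added example that is not part of the original article or of any Databricks library. It obtains the account-level token with the client-credentials grant, looks the user up by userName with a SCIM filter (assumed to be supported, as in the SCIM 2.0 specification), and sends the PatchOp. The account ID in the SCIM path, the environment variable names, and the values in the `__main__` block are assumptions or placeholders; only the request-building functions run offline.

```python
"""Reactivate an account-level Databricks user with an OAuth client-credentials token.

Added example; not the article's own code. Network calls happen only under __main__.
"""
import base64
import json
import os
import urllib.parse
import urllib.request

# Account console hosts per cloud, as listed in the article.
ACCOUNT_DOMAINS = {
    "aws": "accounts.cloud.databricks.com",
    "azure": "accounts.azuredatabricks.net",
    "gcp": "accounts.gcp.databricks.com",
}


def token_request(cloud, account_id, client_id, client_secret):
    """Build the client-credentials token request as (url, headers, body)."""
    url = f"https://{ACCOUNT_DOMAINS[cloud]}/oidc/accounts/{account_id}/v1/token"
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",  # equivalent of curl --user
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": "all-apis"})
    return url, headers, body


def scim_users_url(cloud, account_id, user_id=None):
    """Account-level SCIM Users endpoint (account ID in the path is assumed)."""
    base = f"https://{ACCOUNT_DOMAINS[cloud]}/api/2.0/accounts/{account_id}/scim/v2/Users"
    return f"{base}/{user_id}" if user_id else base


def activate_patch_body(active=True):
    """SCIM PatchOp that sets 'active'. Refuses non-bool values: a quoted "true"
    is the kind of input behind the String-to-Boolean cast error in the article."""
    if not isinstance(active, bool):
        raise TypeError(f"active must be a bool, got {type(active).__name__}")
    return {
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
        "Operations": [{"op": "replace", "path": "active", "value": active}],
    }


def _call(method, url, headers, body=None):
    data = body.encode() if isinstance(body, str) else body
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read() or b"{}")


def get_account_token(cloud, account_id, client_id, client_secret):
    url, headers, body = token_request(cloud, account_id, client_id, client_secret)
    return _call("POST", url, headers, body)["access_token"]


def find_user_id(cloud, account_id, token, user_name):
    """Resolve a userName to its SCIM id; insist on exactly one match."""
    query = urllib.parse.urlencode({"filter": f'userName eq "{user_name}"'})
    url = f"{scim_users_url(cloud, account_id)}?{query}"
    resources = _call("GET", url, {"Authorization": f"Bearer {token}"}).get("Resources", [])
    if len(resources) != 1:
        raise LookupError(f"expected one user for {user_name!r}, found {len(resources)}")
    return resources[0]["id"]


def reactivate_user(cloud, account_id, token, user_id):
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return _call("PATCH", scim_users_url(cloud, account_id, user_id), headers,
                 json.dumps(activate_patch_body(True)))


if __name__ == "__main__":
    # Placeholder inputs; set these to real values before running.
    cloud = os.environ.get("DATABRICKS_CLOUD", "aws")
    account_id = os.environ["DATABRICKS_ACCOUNT_ID"]
    token = get_account_token(cloud, account_id,
                              os.environ["CLIENT_ID"], os.environ["CLIENT_SECRET"])
    uid = find_user_id(cloud, account_id, token, os.environ["USER_NAME"])
    print(json.dumps(reactivate_user(cloud, account_id, token, uid), indent=2))
```

The body builder is deliberately strict about the type of `active`: the 500 in the article reports a String where a Boolean was expected, so rejecting anything but a Python bool before serialisation keeps that class of request from leaving the notebook.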