Can’t add members to external groups using the UI

Disable the immutable external groups preview if you’re an account admin, or use the API to update group details.

Written by Gihyeon Lee

Last published at: July 1st, 2025

Problem

When you attempt to add users or service principals to external groups from the User management view in your Databricks account console, the Add members button is grayed out and displays the following message.

“External groups cannot be managed in the browser. Use the group management API instead.”

 

Cause

External groups can no longer be updated through the UI by default, except for account admins. This change keeps external groups in sync with your identity provider. For more information, review the Databricks platform release notes December 2024 (AWS | Azure | GCP) documentation.

 

Solution

If you are an account admin, you can disable the Immutable external groups preview in the account console preview page (in Public Preview as of June 2025). For more information, review the Manage Databricks Previews (AWS | Azure | GCP) documentation.

 

Otherwise, use the Databricks account-level REST API. For details, review the Update the group details (AWS | Azure | GCP) API documentation.

 

Example implementation

This section provides example curl commands for the add, remove, and replace patch operations of the update group details API endpoint referenced above.

 

Prerequisite: account-level OAuth access token

 

Databricks supports multiple authorization methods. To generate your account-level OAuth access token, choose the best authorization method for your use case. For more information, please review the Authorizing access to Databricks resources (AWS | Azure | GCP) documentation.

 

Add operation

export OAUTH_TOKEN="<account-level-oauth-access-token>"

curl --request PATCH \
"https://accounts.cloud.databricks.com/api/2.0/accounts/<account-id>/scim/v2/Groups/<group-id>" \
--header "Authorization: Bearer $OAUTH_TOKEN" \
--header "Content-Type: application/json" \
--data-raw '{
 "schemas": [
  "urn:ietf:params:scim:api:messages:2.0:PatchOp"
 ],
 "Operations": [
  {
   "op": "add",
   "value": {
    "members": [
     {"value": "<user-or-service-principal-id-1>"},
     {"value": "<user-or-service-principal-id-2>"},
     {"value": "<user-or-service-principal-id-3>"}
    ]
   }
  }
 ]
}'

 

Remove operation

export OAUTH_TOKEN="<account-level-oauth-access-token>"

curl --request PATCH \
"https://accounts.cloud.databricks.com/api/2.0/accounts/<account-id>/scim/v2/Groups/<group-id>" \
--header "Authorization: Bearer $OAUTH_TOKEN" \
--header "Content-Type: application/json" \
--data-raw '{
 "schemas": [
  "urn:ietf:params:scim:api:messages:2.0:PatchOp"
 ],
 "Operations": [
  {
   "op": "remove",
   "path": "members[value eq \"<user-or-service-principal-id-1>\"]"
  },
  {
   "op": "remove",
   "path": "members[value eq \"<user-or-service-principal-id-2>\"]"
  }
 ]
}'

 

Replace operation

export OAUTH_TOKEN="<account-level-oauth-access-token>"

curl --request PATCH \
"https://accounts.cloud.databricks.com/api/2.0/accounts/<account-id>/scim/v2/Groups/<group-id>" \
--header "Authorization: Bearer $OAUTH_TOKEN" \
--header "Content-Type: application/json" \
--data-raw '{
 "schemas": [
  "urn:ietf:params:scim:api:messages:2.0:PatchOp"
 ],
 "Operations": [
  {
   "op": "replace",
   "path": "members",
   "value": [
    {"value": "<user-or-service-principal-id-1>"},
    {"value": "<user-or-service-principal-id-2>"},
    {"value": "<user-or-service-principal-id-3>"}
   ]
  }
 ]
}'
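
The three request bodies above, generated from shell variables rather than hand-edited JSON (an added example, not part of the original article or Databricks tooling). The function names build_patch and valid_member_id are hypothetical, and the rule that member IDs contain only letters, digits and hyphens is an assumption made here so that no ID can alter the JSON body or the SCIM filter in a remove path.

```shell
#!/usr/bin/env bash
# Added example: build SCIM PatchOp bodies for the group update endpoint.

# Assumption: member IDs contain only letters, digits and hyphens.
# Quotes, brackets, spaces and empty strings are rejected.
valid_member_id() {
  case "$1" in
    ''|*[!A-Za-z0-9-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# build_patch <add|remove|replace> <id>...  prints the JSON body on stdout.
build_patch() {
  op="$1"; shift
  [ "$#" -gt 0 ] || { echo "no member ids given" >&2; return 1; }
  items=""
  for id in "$@"; do
    valid_member_id "$id" || { echo "rejected id: $id" >&2; return 1; }
    case "$op" in
      add|replace) item=$(printf '{"value":"%s"}' "$id") ;;
      # The filter value is wrapped in escaped double quotes inside the JSON string.
      remove)      item=$(printf '{"op":"remove","path":"members[value eq \\"%s\\"]"}' "$id") ;;
      *)           echo "unsupported op: $op" >&2; return 1 ;;
    esac
    items="${items:+$items,}$item"
  done
  case "$op" in
    add)     ops=$(printf '{"op":"add","value":{"members":[%s]}}' "$items") ;;
    # replace overwrites the whole member list with the IDs given here.
    replace) ops=$(printf '{"op":"replace","path":"members","value":[%s]}' "$items") ;;
    remove)  ops=$items ;;
  esac
  printf '{"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"],"Operations":[%s]}\n' "$ops"
}

# Usage with the endpoint shown in the article (placeholders as on the page):
#   curl --request PATCH \
#     "https://accounts.cloud.databricks.com/api/2.0/accounts/<account-id>/scim/v2/Groups/<group-id>" \
#     --header "Authorization: Bearer $OAUTH_TOKEN" \
#     --header "Content-Type: application/json" \
#     --data-raw "$(build_patch remove <id-1> <id-2>)"
```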