[FEATURE]: Migrate Azure Service Principals that access storage to Managed Identity based UC Storage Credentials #875

@qziyuan

Description

Is there an existing issue for this?

  • I have searched the existing issues

Problem statement

In #339 we create UC storage credentials using Azure Service Principals which:

  • have the owner, contributor, or reader role on storage that is being used in Databricks
  • have their client_secret stored in a Databricks secret
  • are not used by existing UC storage credentials

To further enhance this migration feature and align with UC best practice, we need to help customers switch to Managed Identity based UC Storage Credentials.

Proposed Solution

  1. If the user confirms, UCX will create an Azure Databricks Access Connector with a system assigned Managed Identity that has the same role assignments as the Azure Service Principals we crawled in Migrate Azure Service Principals that access storage to UC Storage Credentials #339. The UC storage credential will then use this access connector.
  2. If there are Managed Identity based UC Storage Credentials that already have the same or higher role assignment on a location than the crawled Azure Service Principals, there is no need to migrate.
  3. If there are user assigned managed identities that were crawled in Migrate Azure Service Principals that access storage to UC Storage Credentials #339, and such a managed identity is not used in a UC Storage Credential, confirm with the customer and create an access connector and storage credential using this managed identity.

Additional Context

No response
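The decision logic behind the three proposed steps, as an added illustration that is not UCX code: it takes crawled principals (service principals and user assigned managed identities) with their role assignments per storage location, compares them against existing Managed Identity based storage credentials, and emits a per-principal migration action. The role ordering reader < contributor < owner, the data shapes and all sample names are assumptions; the actual access connector and credential creation via Azure and Databricks APIs is left out.

```python
from dataclasses import dataclass

# Assumed privilege ordering of the Azure built-in storage roles named in the issue.
ROLE_RANK = {"reader": 1, "contributor": 2, "owner": 3}


@dataclass
class Principal:
    """A crawled identity: an Azure service principal or a user assigned managed identity."""
    name: str
    kind: str          # "service_principal" or "user_assigned_mi"
    roles: dict        # storage location -> role name on that location


@dataclass
class StorageCredential:
    """An existing UC storage credential backed by a managed identity / access connector."""
    name: str
    identity: str      # name of the managed identity behind the credential
    roles: dict        # storage location -> role name that identity holds


def covered(location, role, mi_credentials):
    """Step 2: is there already an MI-based credential with the same or a higher role here?"""
    needed = ROLE_RANK[role]
    return any(ROLE_RANK.get(c.roles.get(location, ""), 0) >= needed for c in mi_credentials)


def plan_migration(principals, mi_credentials):
    """Return (principal, action, uncovered locations) for every crawled principal."""
    already_used = {c.identity for c in mi_credentials}
    plan = []
    for p in principals:
        uncovered = {loc: r for loc, r in p.roles.items() if not covered(loc, r, mi_credentials)}
        if not uncovered or p.name in already_used:
            plan.append((p.name, "skip", {}))                      # step 2, or MI already in use
        elif p.kind == "user_assigned_mi":
            plan.append((p.name, "access_connector_with_user_assigned_mi", uncovered))   # step 3
        else:
            plan.append((p.name, "access_connector_with_system_assigned_mi", uncovered)) # step 1
    return plan


# Constructed sample input; names and locations are made up for the example.
SAMPLE_PRINCIPALS = [
    Principal("sp-etl", "service_principal", {"abfss://raw@acct1.dfs.core.windows.net/": "contributor"}),
    Principal("sp-reports", "service_principal", {"abfss://gold@acct2.dfs.core.windows.net/": "reader"}),
    Principal("mi-ingest", "user_assigned_mi", {"abfss://landing@acct3.dfs.core.windows.net/": "owner"}),
]
SAMPLE_MI_CREDENTIALS = [
    StorageCredential("cred-gold", "ac-gold", {"abfss://gold@acct2.dfs.core.windows.net/": "contributor"}),
]
```

Running `plan_migration(SAMPLE_PRINCIPALS, SAMPLE_MI_CREDENTIALS)` skips sp-reports because cred-gold already holds contributor on the same location, and proposes a new access connector for the other two.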
