How to fully isolate catalogs and metadata per environment in a shared Databricks metastore?

Question

How to fully isolate catalogs and metadata per environment in a shared Databricks metastore?

Bill Chie 20

I’m designing environment isolation in Azure Databricks (Unity Catalog) for DEV / QAT / PRD.

Current setup:

Separate workspaces per environment (each deployed in its own VNet)

Separate ADLS Gen2 storage accounts per environment (with private endpoints)

Each catalog is mapped to its own environment-specific storage account (no shared data storage)

Goal: We want full environment containment, meaning: If a user/service does not have access to the PRD VNet, they should not be able to access anything related to PRD — including data and ideally metadata.

Understanding so far:

Unity Catalog supports only one metastore per region per tenant, shared across all workspaces

Data isolation can be achieved via catalog-level storage + private endpoints

Open question: Even with storage and network isolation in place, the metastore (metadata layer) remains shared.

Is there any supported way to:

Isolate Unity Catalog metadata per environment (DEV/QAT/PRD) within the same tenant/region, or

Restrict visibility of catalogs/metadata based on network boundaries (e.g., VNet-level access)?

Or is the only way to achieve strict isolation (including metadata) to use separate tenants or regions?

Looking for best practices or real-world implementations where strong network-level isolation is required.

Bill Chie 20 Reputation points

2026-03-20T14:16:09.02+00:00

Hi @Manoj Kumar Boyini ,

Thank you for the detailed explanation that helps clarify the Unity Catalog isolation model.

I’d like to explore the option of achieving full metadata isolation using separate Azure Databricks accounts within the same region. Could you please provide guidance on how to:

Create and manage multiple Azure Databricks accounts under the same Azure tenant

Ensure they are deployed within the same region

Understand any prerequisites, limitations, or considerations (e.g., identity management, networking, billing, or account console access)

Additionally, are there any recommended patterns or best practices for operating multiple Databricks accounts in parallel within a single organisation?

Thanks in advance for your help.

Kind regards,Bill
Manoj Kumar Boyini 11,280 Reputation points Microsoft External Staff Moderator

2026-03-23T13:55:57.2333333+00:00

Hi Bill Chie

Full Unity Catalog metadata isolation requires separating environments at the metastore level. In Azure Databricks, Unity Catalog is scoped to one metastore per region per Databricks account, and all workspaces attached to that metastore share the same metadata service.

If DEV, QAT, and PRD are deployed within the same Databricks account and region, metadata remains shared and can only be logically isolated using catalogs, permissions, and workspace-catalog bindings. Network controls such as VNets and private endpoints apply only to the data plane and do not restrict metadata visibility.

To achieve strict isolation (both data and metadata) while remaining within the same Azure tenant, the supported approaches are:

Using separate Azure Databricks accounts (for example, one per environment or trust boundary), or

Deploying environments in separate regions, where each region has its own metastore

In both cases, each environment is backed by an independent Unity Catalog metastore.

Workspaces, storage accounts, and networking components (VNets, private endpoints) can continue to remain environment-specific, while identities can still be centrally managed using Microsoft Entra ID.

Creating additional Databricks accounts is supported and, depending on your organization’s setup, This model is commonly adopted in regulated or high-security environments where strong isolation is required.

Hope this helps. Please let us know if you have any further questions.
Manoj Kumar Boyini 11,280 Reputation points Microsoft External Staff Moderator

2026-03-24T15:24:52.9966667+00:00

Hi Bill Chie

Just checking in to see if the information provided earlier was helpful. Please let us know if you need any additional details or assistance, and we’ll gladly continue supporting you.
Bill Chie 20 Reputation points

2026-03-27T09:25:51.8+00:00

Hi Manoj Kumar Boyini,

Thanks for all the detailed info.
Just to clarify, is it possible to create an Azure Databricks account within the same tenant and region? From what I understand, this may not be feasible.
Smaran Thoomu 34,795 Reputation points Microsoft External Staff Moderator

2026-03-27T16:37:18.4533333+00:00
Hi @Bill Chie
Yes, it is possible to have multiple Azure Databricks accounts within the same Azure tenant. Each account will have its own Unity Catalog metastore, which is what enables full metadata isolation.

However, the key limitation is not the tenant — it’s how the platform is structured:

A single Databricks account can only have one metastore per region

If you need multiple metastores in the same region, they must belong to different Databricks accounts

So in practice:

Same tenant is supported

Same region is supported

Multiple metastores ➜ only via separate Databricks accounts

That said, creating and managing multiple Databricks accounts in Azure is not something you typically do directly from the Azure Portal. It usually involves:

Working through Databricks account console / onboarding flow

Coordinating with your Databricks account team (or support) depending on how your org is set up

What to keep in mind with this model:

Identity can still be centralized via Microsoft Entra ID

You’ll need to manage access, networking, and workspaces separately per account

Billing and account-level settings are also isolated

Hope this helps. Please let me know if you have any questions.
Bill Chie 20 Reputation points

2026-03-27T16:54:52.9566667+00:00
Hi Smaran Thoomu,

We’re open to creating multiple Azure Databricks accounts for each environment to ensure each one has its own Unity Catalog metastore.

However, I have a question about whether it's possible to have multiple Azure Databricks accounts within the same tenant and the same region. If this is feasible, could you please guide us on how to set it up? Creating environments across tenants or regions might not be feasible for us.

From my understanding:

We can have multiple Azure Databricks accounts within the same tenant, provided the Databricks workspaces are in different regions.

Alternatively, we can have multiple Azure Databricks accounts within the same region, as long as the workspaces are in different tenants.

However, it seems that it is not possible to create multiple accounts within the same tenant and the same region.

Looking forward to your insights!
Smaran Thoomu 34,795 Reputation points Microsoft External Staff Moderator

2026-03-30T09:58:22.1566667+00:00
Hi @Bill Chie
Good question - just to clarify this part.

Yes, you can have multiple Azure Databricks accounts within the same tenant and same region. There isn’t a restriction from Azure on that combination.

The key point is how Unity Catalog is scoped:

One metastore per region per Databricks account

So if you need multiple metastores in the same region, they must be in different Databricks accounts

That’s why for strict isolation (including metadata), the supported approach is:

Separate Databricks accounts (even in the same tenant and region)

A couple of practical notes:

You’ll still be able to use the same Microsoft Entra ID for identity across accounts

Each account will be managed separately (account console, billing, settings)

Creating additional Databricks accounts usually requires going through Databricks onboarding / support rather than the Azure portal

So in your case, your plan is valid - you don’t need to move to a different tenant or region if that’s not feasible.

Answer accepted by question author

0 additional answers

Your answer

Bill Chie 20 Reputation points

2026-03-20T14:16:09.02+00:00

Hi @Manoj Kumar Boyini ,

Thank you for the detailed explanation that helps clarify the Unity Catalog isolation model.

I’d like to explore the option of achieving full metadata isolation using separate Azure Databricks accounts within the same region. Could you please provide guidance on how to:

Create and manage multiple Azure Databricks accounts under the same Azure tenant

Ensure they are deployed within the same region

Understand any prerequisites, limitations, or considerations (e.g., identity management, networking, billing, or account console access)

Additionally, are there any recommended patterns or best practices for operating multiple Databricks accounts in parallel within a single organisation?

Thanks in advance for your help.

Kind regards,Bill
Manoj Kumar Boyini 11,280 Reputation points Microsoft External Staff Moderator

2026-03-23T13:55:57.2333333+00:00

Hi Bill Chie

Full Unity Catalog metadata isolation requires separating environments at the metastore level. In Azure Databricks, Unity Catalog is scoped to one metastore per region per Databricks account, and all workspaces attached to that metastore share the same metadata service.

If DEV, QAT, and PRD are deployed within the same Databricks account and region, metadata remains shared and can only be logically isolated using catalogs, permissions, and workspace-catalog bindings. Network controls such as VNets and private endpoints apply only to the data plane and do not restrict metadata visibility.

To achieve strict isolation (both data and metadata) while remaining within the same Azure tenant, the supported approaches are:

Using separate Azure Databricks accounts (for example, one per environment or trust boundary), or

Deploying environments in separate regions, where each region has its own metastore

In both cases, each environment is backed by an independent Unity Catalog metastore.

Workspaces, storage accounts, and networking components (VNets, private endpoints) can continue to remain environment-specific, while identities can still be centrally managed using Microsoft Entra ID.

Creating additional Databricks accounts is supported and, depending on your organization’s setup, This model is commonly adopted in regulated or high-security environments where strong isolation is required.

Hope this helps. Please let us know if you have any further questions.
Manoj Kumar Boyini 11,280 Reputation points Microsoft External Staff Moderator

2026-03-24T15:24:52.9966667+00:00

Hi Bill Chie

Just checking in to see if the information provided earlier was helpful. Please let us know if you need any additional details or assistance, and we’ll gladly continue supporting you.
Bill Chie 20 Reputation points

2026-03-27T09:25:51.8+00:00

Hi Manoj Kumar Boyini,

Thanks for all the detailed info.
Just to clarify, is it possible to create an Azure Databricks account within the same tenant and region? From what I understand, this may not be feasible.
Smaran Thoomu 34,795 Reputation points Microsoft External Staff Moderator

2026-03-27T16:37:18.4533333+00:00

Hi @Bill Chie
Yes, it is possible to have multiple Azure Databricks accounts within the same Azure tenant. Each account will have its own Unity Catalog metastore, which is what enables full metadata isolation.

However, the key limitation is not the tenant — it’s how the platform is structured:

A single Databricks account can only have one metastore per region

If you need multiple metastores in the same region, they must belong to different Databricks accounts

So in practice:

Same tenant is supported

Same region is supported

Multiple metastores ➜ only via separate Databricks accounts

That said, creating and managing multiple Databricks accounts in Azure is not something you typically do directly from the Azure Portal. It usually involves:

Working through Databricks account console / onboarding flow

Coordinating with your Databricks account team (or support) depending on how your org is set up

What to keep in mind with this model:

Identity can still be centralized via Microsoft Entra ID

You’ll need to manage access, networking, and workspaces separately per account

Billing and account-level settings are also isolated

Hope this helps. Please let me know if you have any questions.
Bill Chie 20 Reputation points

2026-03-27T16:54:52.9566667+00:00

Hi Smaran Thoomu,

We’re open to creating multiple Azure Databricks accounts for each environment to ensure each one has its own Unity Catalog metastore.

However, I have a question about whether it's possible to have multiple Azure Databricks accounts within the same tenant and the same region. If this is feasible, could you please guide us on how to set it up? Creating environments across tenants or regions might not be feasible for us.

From my understanding:

We can have multiple Azure Databricks accounts within the same tenant, provided the Databricks workspaces are in different regions.

Alternatively, we can have multiple Azure Databricks accounts within the same region, as long as the workspaces are in different tenants.

However, it seems that it is not possible to create multiple accounts within the same tenant and the same region.

Looking forward to your insights!
Smaran Thoomu 34,795 Reputation points Microsoft External Staff Moderator

2026-03-30T09:58:22.1566667+00:00

Hi @Bill Chie
Good question - just to clarify this part.

Yes, you can have multiple Azure Databricks accounts within the same tenant and same region. There isn’t a restriction from Azure on that combination.

The key point is how Unity Catalog is scoped:

One metastore per region per Databricks account

So if you need multiple metastores in the same region, they must be in different Databricks accounts

That’s why for strict isolation (including metadata), the supported approach is:

Separate Databricks accounts (even in the same tenant and region)

A couple of practical notes:

You’ll still be able to use the same Microsoft Entra ID for identity across accounts

Each account will be managed separately (account console, billing, settings)

Creating additional Databricks accounts usually requires going through Databricks onboarding / support rather than the Azure portal

So in your case, your plan is valid - you don’t need to move to a different tenant or region if that’s not feasible.

Answer 1

Hi Bill Chie

Your current design already aligns well with best practices for data and network isolation. The key point to clarify is how metadata isolation works in Unity Catalog.

In Azure Databricks, Unity Catalog follows an account-level metastore model, with one metastore per region per Azure Databricks account. All workspaces attached to that metastore share the same metadata service. Because of this design, metadata is not physically isolated per environment when using a single metastore.

Within this model, the supported way to achieve DEV / QAT / PRD separation is through logical isolation, not physical separation of the metadata layer.

The recommended approach is to:

Use separate catalogs per environment

Bind each catalog only to its corresponding workspace(s) using workspace-catalog bindings

Apply catalog-level permissions to restrict access

Use separate external locations and storage accounts per environment

With workspace-catalog binding, a catalog is only accessible from the workspaces it is explicitly bound to. This prevents users in one environment from accessing or interacting with catalogs from another environment, even if they have underlying permissions. This is the supported and recommended pattern for isolation within a shared metastore.

It is also important to note that Unity Catalog’s metadata plane is a control-plane service and is not exposed as a VNet-isolated resource. Network controls such as VNets and private endpoints apply to the data plane (storage and compute), not to metadata visibility.

If your requirement is strict isolation, where metadata must also be physically separated (for example, due to compliance requirements), then environments must not share the same metastore. The supported options in that case are:

Deploy environments in separate regions (each region has its own metastore), or

Use separate Azure Databricks accounts (each account has its own metastore)

Within a single region and account, Unity Catalog provides strong logical isolation using catalogs and workspace bindings, but not full physical isolation of metadata. For full containment including metadata, separation at the metastore level (region or account) is required.

Helpful References:
https://learn.microsoft.com/en-us/azure/databricks/data-governance/unity-catalog/
https://learn.microsoft.com/en-us/azure/databricks/data-governance/unity-catalog/create-metastore
https://learn.microsoft.com/en-us/azure/databricks/catalogs/binding
https://learn.microsoft.com/en-us/azure/databricks/data-governance/unity-catalog/best-practices
https://docs.databricks.com/aws/en/data-governance/unity-catalog/best-practices

Hope this helps, Please let us know if you have any questions and concerns.

Share via

How to fully isolate catalogs and metadata per environment in a shared Databricks metastore?

0 additional answers

Your answer