diff --git a/NEXT_CHANGELOG.md b/NEXT_CHANGELOG.md
index 95f79f472..6a5654bfe 100644
--- a/NEXT_CHANGELOG.md
+++ b/NEXT_CHANGELOG.md
@@ -12,4 +12,8 @@
 ### Internal Changes
+* Pass `excludedAttributes=entitlements` on the SCIM `/Me` request made by `WorkspaceClient.CurrentWorkspaceID` ([#1681](https://github.com/databricks/databricks-sdk-go/pull/1681)).
+
+ `CurrentWorkspaceID` only reads the `X-Databricks-Org-Id` response header and discards the body, so it has no use for the `User.Entitlements` field. Skipping that attribute avoids an expensive `getEffectivePermissions` scan on the SCIM backend, which has caused incidents on workspaces with large grant counts.
+
 ### API Changes
diff --git a/workspace_functions.go b/workspace_functions.go
index 675e29830..7e0fbb5a6 100644
--- a/workspace_functions.go
+++ b/workspace_functions.go
@@ -19,6 +19,7 @@ func (w *WorkspaceClient) CurrentWorkspaceID(ctx context.Context) (int64, error)
 var workspaceIdStr string
 opts := []httpclient.DoOption{
 httpclient.WithResponseHeader("X-Databricks-Org-Id", &workspaceIdStr),
+ httpclient.WithRequestData(map[string]string{"excludedAttributes": "entitlements"}),
 }
 if w.Config != nil && w.Config.WorkspaceID != "" {
 opts = append(opts, httpclient.WithRequestHeader("X-Databricks-Org-Id", w.Config.WorkspaceID))
diff --git a/workspace_functions_test.go b/workspace_functions_test.go
index f580cf165..eccf7106a 100644
--- a/workspace_functions_test.go
+++ b/workspace_functions_test.go
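Review bot: The added `httpclient.WithRequestData(...)` option in `CurrentWorkspaceID` carries no comment, so the reason for it lives only in the changelog entry, and a later cleanup could drop the parameter and bring back the expensive entitlements lookup the changelog describes. I would put a line above it such as `// Exclude entitlements: only the X-Databricks-Org-Id response header is read, and resolving entitlements is expensive on the SCIM backend.` The function body starts and ends outside this hunk, so the HTTP method and how the request data is encoded are not visible here; the new test suggests it ends up in the query string.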
@@ -42,6 +42,30 @@ func TestCurrentWorkspaceIDSendsOrgIdHeaderWhenConfigHasWorkspaceID(t *testing.T
 assert.Equal(t, "7474644166319138", gotOrgIdHeader)
 }
+func TestCurrentWorkspaceIDExcludesEntitlements(t *testing.T) {
+ var gotRawQuery string
+ server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ if r.URL.Path == "/api/2.0/preview/scim/v2/Me" {
+ gotRawQuery = r.URL.RawQuery
+ w.Header().Set("X-Databricks-Org-Id", "7474644166319138")
+ w.Write([]byte(`{}`))
+ return
+ }
+ http.NotFound(w, r)
+ }))
+ defer server.Close()
+
+ w, err := NewWorkspaceClient(&Config{
+ Host: server.URL,
+ Token: "token",
+ })
+ require.NoError(t, err)
+
+ _, err = w.CurrentWorkspaceID(t.Context())
+ require.NoError(t, err)
+ assert.Equal(t, "excludedAttributes=entitlements", gotRawQuery)
+}
+
 func TestCurrentWorkspaceIDOmitsOrgIdHeaderWhenConfigMissingWorkspaceID(t *testing.T) {
 // On legacy workspace hosts the host itself identifies the workspace, so
 // no routing header is needed. When Config.WorkspaceID is empty we send
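Review bot: The final assertion in `TestCurrentWorkspaceIDExcludesEntitlements` compares the whole raw query string, so it will fail as soon as the client adds any other query parameter or changes escaping, even though entitlements are still excluded. Capturing the parsed value in the handler, `gotExcluded = r.URL.Query().Get("excludedAttributes")`, and asserting `assert.Equal(t, "entitlements", gotExcluded)` pins the behaviour the change is about. Inside the handler the `http.ResponseWriter` is also named `w`, the same as the client created below it; renaming one of them would make the test easier to read.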