Authorizing Managed Identities in Azure Data Explorer

2022-04-19

Azure Data Explorer (ADX) has Azure AD authentication and authorization built into the product. Users can belong to one or many roles defined by an Azure AD user account, an Azure AD group, or an Azure AD service principal.

But what happens if you want to use a Managed Identity that belongs to an Azure Data Factory or Synapse workspace? Well, not to fear: it's straightforward and very similar to authorizing a service principal in an ADX role, except you don't have to create the service principal yourself.

To get started, we need two pieces of information:

  1. The MSI Azure AD Object ID (a GUID representing the application in Azure AD).
  2. The Tenant ID (another GUID representing the Azure AD tenant).

Let's use an Azure Data Factory for our example.

  1. Locate an ADF resource in the Azure portal.

  2. Click Properties under the Settings section.

  3. Copy the Managed Identity Object ID and the Managed Identity Tenant ID - we'll need these shortly.

  4. Open your ADX cluster and open a new query. Run the following, substituting the values where required:

    .add database <databasename> viewers ('aadapp=<ManagedIdentityObjectId>;<TenantId>') '<ResourceName>'
    
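As an added example (not code from the original post), the Python below builds that `.add database` command from the two GUIDs, refuses inputs that would not form a valid principal or role, and checks the output of `.show database <db> principals` so you can confirm the identity holds only the role you intended. The GUIDs and principal rows are constructed sample values; the `azure-kusto-data` calls in `grant_and_verify` (`KustoConnectionStringBuilder.with_az_cli_authentication`, `execute_mgmt`, `to_dict`), the `Role`/`PrincipalFQN` column names, and the list of database roles are assumptions taken from the ADX client library and documentation rather than from this post.

```python
"""Build and sanity-check the ADX command that grants a managed identity a database role.

Added example, not part of the original post. Only grant_and_verify needs azure-kusto-data
and a logged-in `az` CLI; everything else is pure Python and runs offline.
"""
import re
import uuid

# Database-scope roles as documented for ADX (assumed list); 'viewers' is the one the post uses.
DATABASE_ROLES = {"admins", "users", "viewers", "unrestrictedviewers", "ingestors", "monitors"}

# Conservative database-name check. Names outside this pattern would need ADX's ['...']
# quoting, which this helper deliberately refuses rather than guess at.
_DB_NAME = re.compile(r"[A-Za-z0-9_]+")


def _guid(value, label):
    """Normalise a GUID string (lower-case, hyphenated) or raise; both IDs copied from the
    ADF Properties blade must be GUIDs, so anything else is a copy/paste mistake."""
    try:
        return str(uuid.UUID(str(value)))
    except ValueError:
        raise ValueError(f"{label} must be a GUID, got {value!r}") from None


def managed_identity_principal(object_id, tenant_id):
    """The 'aadapp=<objectId>;<tenantId>' principal form used for a managed identity."""
    return f"aadapp={_guid(object_id, 'object id')};{_guid(tenant_id, 'tenant id')}"


def build_add_principal_command(database, role, object_id, tenant_id, notes):
    """Return the .add database command. Rejects unknown roles, unquoted-unsafe database
    names and quote characters in the notes string instead of interpolating them blindly."""
    if role not in DATABASE_ROLES:
        raise ValueError(f"unknown database role {role!r}; expected one of {sorted(DATABASE_ROLES)}")
    if not _DB_NAME.fullmatch(database):
        raise ValueError(f"database name {database!r} needs ['...'] quoting; refusing to build it")
    if "'" in notes or "\n" in notes:
        raise ValueError("notes must not contain single quotes or newlines")
    principal = managed_identity_principal(object_id, tenant_id)
    return f".add database {database} {role} ('{principal}') '{notes}'"


def roles_held(principal_rows, object_id, tenant_id):
    """Given rows (dicts) from `.show database <db> principals`, return the Role strings held
    by this managed identity. Assumes a 'PrincipalFQN' column in the 'aadapp=...;...' form and
    a 'Role' column (column names as documented for ADX); comparison is case-insensitive."""
    wanted = managed_identity_principal(object_id, tenant_id).lower()
    return sorted(row["Role"] for row in principal_rows
                  if str(row.get("PrincipalFQN", "")).lower() == wanted)


def grant_and_verify(cluster_url, database, object_id, tenant_id, notes, role="viewers"):
    """Live variant: run the grant, then read the principal list back. Requires azure-kusto-data
    and an `az login` session (assumed API; imported lazily so the rest works without it)."""
    from azure.kusto.data import KustoClient, KustoConnectionStringBuilder

    client = KustoClient(KustoConnectionStringBuilder.with_az_cli_authentication(cluster_url))
    client.execute_mgmt(database, build_add_principal_command(database, role, object_id, tenant_id, notes))
    result = client.execute_mgmt(database, f".show database {database} principals")
    rows = [row.to_dict() for row in result.primary_results[0]]
    return roles_held(rows, object_id, tenant_id)


if __name__ == "__main__":
    # Constructed sample IDs; real ones come from the ADF resource's Properties blade.
    obj, tenant = "11111111-2222-3333-4444-555555555555", "AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE"
    print(build_add_principal_command("telemetry", "viewers", obj, tenant, "adf-prod MSI"))
    # Constructed rows shaped like .show database principals output.
    sample_rows = [
        {"Role": "Database telemetry Viewer", "PrincipalFQN": f"aadapp={obj};{tenant.lower()}"},
        {"Role": "Database telemetry Admin", "PrincipalFQN": "aaduser=someone@contoso.example"},
    ]
    print(roles_held(sample_rows, obj, tenant))
```

Running `roles_held` after the grant is the useful part for a defender: if the list comes back with anything besides the viewer role, the identity was over-provisioned somewhere else and that deserves a look before the pipeline goes live.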

Congratulations: your MSI should now have access to your ADX cluster.

In this example we are using the viewers role. Be sure to check out the roles available in ADX.