Conditional Access with Azure Data Explorer

What is Conditional Access?

The modern security perimeter extends beyond an organization's network to include user and device identity. Organizations can use identity-driven signals as part of their access control decisions. You can use Microsoft Entra Conditional Access to bring signals together, to make decisions, and enforce organizational policies.

Conditional Access policies at their simplest are like if-then statements. If a user wants to access a resource, then they must complete an action. For example, a data engineer wants to access Azure Data Explorer but is required to do multi-factor authentication (MFA) to access it.

In the following example, you'll learn how to configure a Conditional Access policy that enforces MFA for selected users using the Azure Data Explorer web UI. You can use the same steps to create other policies to meet your organization's security requirements.

Prerequisites

Using this feature requires a Microsoft Entra ID P1 or P2 license. To find the right license for your requirements, see Compare available features of Microsoft Entra ID.

Note

Conditional Access policies are only applied to Azure Data Explorer's data administration operations and don't affect any resource administration operations.

Tip

Conditional Access policies are applied at the tenant level; hence, it's applied to all clusters in the tenant.

Configure Conditional Access

  1. Sign in to the Azure portal as a global administrator, security administrator, or Conditional Access administrator.

  2. Browse to Microsoft Entra ID > Security > Conditional Access.

  3. Select New policy.

    Screenshot of the Security page, showing the Conditional Access tab.

  4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.

  5. Under Assignments, select Users and groups. Under Include > Select users and groups, select Users and groups, add the user or group you want to include for Conditional Access, and then select Select.

    Screenshot of the users and groups section, showing the assignment of users.

  6. Under Cloud apps or actions, select Cloud apps. Under Include, select Select apps to see a list of all apps available for Conditional Access. Select Azure Data Explorer > Select.

    Tip

    Please make sure you select the Azure Data Explorer app with the following GUID: 2746ea77-4702-4b45-80ca-3c97e680e8b7.

    Screenshot of the cloud apps section, showing the selection of the Azure Data Explorer app.

  7. Under Conditions, set the conditions you want to apply for all device platforms and then select Done. For more information, see Microsoft Entra Conditional Access : Conditions.

    Screenshot of the conditions section, showing the assignment of conditions.

  8. Under Access controls, select Grant, select Require multi-factor authentication, and then select Select.

    Screenshot of the access controls section, showing the granting access requirements.

  9. Set Enable policy to On, and then select Save.

    Screenshot of the enable policy section, showing the policy being turned on.

  10. Verify the policy by asking an assigned user to access the Azure Data Explorer web UI. The user should be prompted for MFA.

    Screenshot of the M F A prompt.