My .NET web app works great locally. I am using WithAadUserPromptAuthentication() to log in as the current AAD user to make sure I don't expose through the app any data the user is not supposed to have access to. My problem is that the application doesn't work when deployed to Azure Web Apps. According to the error message, it appears that WithAadUserPromptAuthentication() eventually tries to setup a callback on a random local port and Azure environments are locked down to just ports 80 and 8080. Even if I could open & route a port, it appears that the actual port number changes every time. How can I get this to work? Thank you in advance, Angelos

Hello @Angelos Petropoulos if you want to connect to Azure Data Explorer using a Managed Identity in a web app, please try: var cred = new DefaultAzureCredential(); var kcsbingest = new KustoConnectionStringBuilder(@"[cluster]") .WithAadAzureTokenCredentialsAuthentication(cred); You need to give the managed identity of your web app access to Azure Data Explorer first. If the response helped, do "Accept Answer". If it doesn't work, please let us know the progress. All community members with similar issues will benefit by doing so. Your contribution is highly appreciated.

I cannot get WithAadUserPromptAuthentication() to work when deployed in Azure Web Apps

Accepted answer

Sander van de Velde | MVP 32,726 Reputation points MVP

2023-10-05T10:38:51.9+00:00
Hello @Angelos Petropoulos

if you want to connect to Azure Data Explorer using a Managed Identity in a web app, please try:

var cred = new DefaultAzureCredential(); var kcsbingest = new KustoConnectionStringBuilder(@"[cluster]") .WithAadAzureTokenCredentialsAuthentication(cred);

You need to give the managed identity of your web app access to Azure Data Explorer first.

If the response helped, do "Accept Answer". If it doesn't work, please let us know the progress. All community members with similar issues will benefit by doing so. Your contribution is highly appreciated.
Please sign in to rate this answer.

1 person found this answer helpful.
Angelos Petropoulos 25 Reputation points Microsoft Employee

2023-10-05T15:35:35.18+00:00

Are you sure that would use the current AAD user to authenticate with Kusto? It doesn't appear to be doing that:

Exception: Forbidden (403-Forbidden): { "error": { "code": "Forbidden", "message": "Caller is not authorized to perform this action", "@type": "Kusto.DataNode.Exceptions.UnauthorizedDatabaseAccessException", "@message": "Principal 'aadapp=<GUID>;<GUID>' is not authorized to read database 'DDTelInsights'.",

Is this what you meant by give the managed identity of your web app access to Azure Data Explorer first? How do I do that and why isn't that not required when I use a desktop app?

Sander van de Velde | MVP 32,726 Reputation points MVP

2023-10-05T16:12:16.5+00:00

If you enable the Managed Identity of your WebApp, the code will use that identity to connect to Azure Data Explorer.

So:

Enable the Webapp Managed Identity

Add this identity to the list of permissions, having the right role for your needs

This is done in the Permissions tab.

These are the rules to choose from:

Here you can see an Azure Function having ingestor and viewer rights:

Working with Managed Identities is a new way of connecting services. It makes life more easy.

Angelos Petropoulos 25 Reputation points Microsoft Employee

2023-10-05T16:29:45.2566667+00:00

The steps you are describing are not required for a desktop application connecting to the same Kusto cluster. Any reason why that is the case?

As you can appreciate, in an enterprise setting, the steps you are describing are almost impossible to get done by a simple dev like myself. I'm not an admin on the Kusto clusters I'm trying to access, the access rights should come from the currently logged in user, not the app's managed identity. Like in a desktop app.

Sander van de Velde | MVP 32,726 Reputation points MVP

2023-10-05T17:18:15.1633333+00:00

Hello @Angelos Petropoulos,

Azure Data Explorer access is organized around Azure Active Directory.

This also applies to code executed in a desktop or console application running on your desktop.

The fact the code 'just runs' on the desktop is likely because the application runs under the account that is already registered in AAD (As you can see above, I blurred my account with admin rights).

See also this blog post where even the Azure CLI can be used to access ADX.

You have to discuss ADX access with your database administrator.

If you want to give individual users access to the database, someone has to add the role-based access control.

He or she can make his/her life easier by working with AAD groups etc. but AAD is part of the access deal.

Angelos Petropoulos 25 Reputation points Microsoft Employee

2023-10-05T17:46:03.8333333+00:00

From my point of view, the fact that a C# desktop application (or a C# web application running locally on IIS) can safely access the Kusto cluster means that any extra hurdles are exactly that: unnecessary extra hurdles.

I can distribute my C# desktop application to my users, they will double click on the exe, it will use their AAD credentials and the end-to-end experience will have been achieved.

I can distribute by C# web app to my users, ask them to run it on their local machine, it will use their AAD credentials and the end-to-end experience will have been achieved.

If I host my C# web app in Azure, I'm blocked. I need an IT administrator to unblock me.

I think it's fair to say that my question has been answered. I wish it was a better answer, but that doesn't mean it wasn't answered :)
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

I cannot get WithAadUserPromptAuthentication() to work when deployed in Azure Web Apps

0 additional answers

Your answer