cosmosdb_sql_request plugin not working for service-to-service authentication.
In the documentation (https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/cosmosdb-plugin?pivots=azuredataexplorer#authentication-and-authorization:~:text=If%20no%20token%20is%20provided%2C%20the%20Microsoft%20Entra%20token%20of%20the%20requesting%20principal%20will%20be%20used%20for%20authentication.) it is mentioned that if we do not provide the token, then the token of the requesting principal ID will be used. This feature works fine when used in the ADX UI in the Azure portal. But when we try to use this feature through AKS (running a query containing cosmosdb_sql_request in ADX), we get the following error:
"message": "Semantic error: evaluate cosmosdb_sql_request(): the following error(s) occurred while evaluating the output schema: The 'cosmosdb_sql_request' plugin failed to acquire an AAD on-behalf token: 'MSAL.Desktop.4.56.0.0.MsalServiceException: \n\tErrorCode: invalid_request\nMicrosoft.Identity.Client.MsalServiceException: AADSTS65002: Consent between first party application '2746ea77-4702-4b45-80ca-3c97e680e8b7' and first party resource '797f4846-ba00-4fd7-ba43-dac1f8f63013' must be configured via preauthorization - applications owned and operated by Microsoft ....
This suggests that there needs to be approval (preauthorization) between the first party application 2746ea77-4702-4b45-80ca-3c97e680e8b7 (the Azure Data Explorer first party app GUID) and 797f4846-ba00-4fd7-ba43-dac1f8f63013 (the Windows Azure Service Management API: https://management.core.windows.net GUID).
I think this has to be enabled at resource level of the ADX so that resource to resource communication can take place.