cosmosdb_sql_request plugin not working for service-to-service authentication.

DEVESH KUMAR 0 Reputation points Microsoft Employee
2023-11-07T07:18:53.6833333+00:00

In the documentation (https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/cosmosdb-plugin?pivots=azuredataexplorer#authentication-and-authorization:~:text=If%20no%20token%20is%20provided%2C%20the%20Microsoft%20Entra%20token%20of%20the%20requesting%20principal%20will%20be%20used%20for%20authentication.) it is mentioned that if we do not provide the token, then the token of the requesting principal ID will be used. This feature works fine when used in the ADX UI in the Azure portal. But when we try to use this feature through AKS (running a query containing cosmosdb_sql_request in ADX), we get the following error:

"message": "Semantic error: evaluate cosmosdb_sql_request(): the following error(s) occurred while evaluating the output schema: The 'cosmosdb_sql_request' plugin failed to acquire an AAD on-behalf token: 'MSAL.Desktop.4.56.0.0.MsalServiceException: \n\tErrorCode: invalid_request\nMicrosoft.Identity.Client.MsalServiceException: AADSTS65002: Consent between first party application '2746ea77-4702-4b45-80ca-3c97e680e8b7' and first party resource '797f4846-ba00-4fd7-ba43-dac1f8f63013' must be configured via preauthorization - applications owned and operated by Microsoft ....

This suggests that there needs to be approval (preauthorization) between first party application 2746ea77-4702-4b45-80ca-3c97e680e8b7 (Azure Data Explorer app first party GUID) and 797f4846-ba00-4fd7-ba43-dac1f8f63013 (the Windows Azure Service Management API: https://management.core.windows.net GUID).

I think this has to be enabled at the resource level of ADX so that resource-to-resource communication can take place.
