Cross-tenant data connection

When you need to create a data connection for an Azure Event Hubs or Azure Event Grid service in a different tenant, use the Create Data Connections API to build the connection.

In this article, you learn how to use PowerShell to create a cross-tenant Event Hubs data connection and auxiliary tokens to authenticate.

Prerequisites

• If you don't have an Azure subscription, create a free Azure account before you begin.
• Create an Event Hub in Tenant1. This is the tenant that hosts the source Event Hubs.
• Create a test cluster and database in Tenant2. This is the tenant that hosts the destination cluster.
• A single Entra account with access to both tenants or a multitenant service principal.

Permissions

The Entra account or multitenant service principal must have at least the following permissions:

• Data Explorer: Contributor
• Event Hubs Namespace: Azure Event Hubs Data Owner

Note

The account can be local or guest to Tenant1 or Tenant2, as long as it has the prerequisite permissions. Permissions must be at the Namespace level, and not at the Event Hubs level.

Assign role to the Entra Account or Service Principal in Event Hubs for Tenant1

1. In the Azure portal, browse to your Event Hubs namespace.

2. In the left menu, select Access control (IAM) > Add role assignments.

3. In the Add role assignment window, enter the settings in the table, and then select Save.

   Setting	Suggested value
   Role	Azure Event Hubs Data Owner
   Assign access to	User, group, or service principal
   Select	The email address of the Entra user or Service Principal ID

Assign role to the Entra Account or Service Principal in the cluster for Tenant2

1. In the Azure portal, browse to your Data Explorer cluster.

2. In the left menu, select Access control (IAM) > Add role assignments.

3. In the Add role assignment window, enter the settings in the table and then select Save.

   Setting	Suggested value
   Role	Contributor
   Assign access to	User, group, or service principal
   Select	The email address of the Entra user or Service Principal ID

Set up the cross-tenant data connection

Set up a cross-tenant data connection between the cluster and Event Hubs using PowerShell.

Before you begin

Create the Get-AzCachedAccessToken function to get the access token for Tenant1. The source code for the function can be found in the PowerShell gallery. You can include this code in your personal PowerShell profile to make it easier to call, or you can run it and then use it in these steps.

Entra account

1. Run the following command to connect to the Event Hubs subscription in Tenant1:

   Connect-AzAccount -TenantId <Tenant ID> -Subscription "<SubscriptionName>"
   

2. Add a variable to store the access token for Tenant1:

   $tokenfromtenant1 = Get-AzCachedAccessToken
   

3. Add an auxiliary token variable for Tenant1:

   $auxpat="Bearer $tokenfromtenant1"
   

4. Run the following command to connect to the cluster subscription in Tenant2:

   Connect-AzAccount -TenantId <Tenant ID> -SubscriptionId "<SubscriptionName>"
   

5. Add a variable with the token for Tenant2:

   $tokenfromtenant2 = Get-AzCachedAccessToken
   

6. Add a pat variable to be used as the primary token:

   $pat="Bearer $tokenfromtenant2"
   

7. Add an HTTP body request variable to use as an Event Hub resource, when invoking the web request:

   $requestbody ='{"location": "Australia East","kind": "EventHub","properties": { "eventHubResourceId": "/subscriptions/<subscription ID>/resourceGroups/<ResourceGroupName>/providers/Microsoft.EventHub/namespaces/<EventHubNamespaceName>/eventhubs/<EventHubName>","consumerGroup": "$Default","dataFormat": "JSON", "tableName": "<ADXTableName>", "mappingRuleName": "<ADXTableMappingName>"}}'
   

8. Add a URI variable to use as a cluster resource, when invoking the web request:

   $adxdcuri="https://management.azure.com/subscriptions/<subscriptionID>/resourceGroups/<resource group name>/providers/Microsoft.Kusto/clusters/<ADXClusterName>/databases/<ADXdbName>/dataconnections/<ADXDataConnectionName>?api-version=2020-02-15"
   

9. Invoke the following web request, that uses the previously defined variables, to create the data connection:

   Invoke-WebRequest -Headers @{Authorization = $pat; 'x-ms-authorization-auxiliary' = $auxpat} -Uri $adxdcuri -Body $requestbody -Method PUT -ContentType 'application/json'
   

Service Principal account

1. Define the Service Principal ID:

   $ServicePrincipalID = "<Application(Client)ID>"
   

2. Set the Service Principal secret:

   $Password = ConvertTo-SecureString -String "<Secret>" -AsPlainText -Force
   

3. Create a new PSCredential object to securely store and pass credentials:

   $Credential = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList $ServicePrincipalID, $Password
   

4. Connect to the Event Hub subscription in Tenant1:

   Connect-AzAccount -TenantId <Tenant ID> -Subscription "<SubscriptionName>" -ServicePrincipal -Credential $Credential
   

5. Store the cached access token in the $tokenfromtenant1 variable:

   $tokenfromtenant1 = Get-AzCachedAccessToken
   

6. Create a string that includes the cached access token in the format required for authorization headers:

   $auxpat="Bearer $tokenfromtenant1"
   

7. Connect to the cluster subscription in Tenant2:

   Connect-AzAccount -TenantId <Tenant ID> -Subscription "<SubscriptionName>" -ServicePrincipal -Credential $Credential
   

8. Store the cached access token in the $tokenfromtenant2 variable.

   $tokenfromtenant2 = Get-AzCachedAccessToken
   

9. Create a string that includes the cached access token in the format required for authorization headers:

   $pat="Bearer $tokenfromtenant2"
   

10. Add Event hub resource details to a variable:

    $requestbody = '{"location": "East US", "kind": "EventHub", "properties": { "eventHubResourceId": "/subscriptions/<subscriptionID>/resourceGroups/<ResourceGroupName>/providers/Microsoft.EventHub/namespaces/<EventHubNamespaceName>/eventhubs/<EventHubName>", "consumerGroup": "$Default", "dataFormat": "MultiJSON", "tableName": "<ADXTableName>", "mappingRuleName": "<ADXTableMappingName>"}}'
    

11. Add cluster details to a variable:

    $adxdcuri="https://management.azure.com/subscriptions/<subscriptionID>/resourceGroups/<ResourceGroupName>/providers/Microsoft.Kusto/clusters/<ADXClusterName>/databases/<ADXdbName>/dataconnections/<ADXDataConnectionName>?api-version=2020-02-15"
    

12. Send the request to create the data connection:

    Invoke-WebRequest -Headers @{Authorization = $pat; 'x-ms-authorization-auxiliary' = $auxpat} -Uri $adxdcuri -Body $requestbody -Method PUT -ContentType 'application/json'
    

After you finish

1. Verify that you can now see the newly created data connection in the Azure portal.

2. Optional: After establishing the data connection, you can revoke or delete the previously granted permissions for the Entra Account or Service Principal. Since the cluster ingestion uses the Event Hubs keys, these permissions are no longer required.

Important

If the primary or secondary Event Hubs keys are rotated, data ingestion might stop working. In that case, you need to drop and recreate the data connection.

Related content

• Query data in Azure Data Explorer
• Convert to multitenant