Manage Azure Data Explorer database permissions

Azure Data Explorer enables you to control access to databases and tables, using a role-based access control model. Under this model, principals (users, groups, and apps) are mapped to roles. Principals can access resources according to the roles they're assigned. For a list of available roles, see role-based access control.

This article describes the available roles and how to assign principals to those roles using the Azure portal and Azure Data Explorer management commands.

Manage permissions in the Azure portal

  1. Sign in to the Azure portal.

  2. Navigate to your Azure Data Explorer cluster.

  3. In the Overview section, select the database where you want to manage permissions. For roles that apply to all databases, skip this step and go directly to the next one.

  4. Select Permissions then Add.

  5. Look up the principal, select it, then Select.

Manage permissions with management commands

  1. Sign in to https://dataexplorer.azure.com, and add your cluster if it's not already available.

  2. In the left pane, select the appropriate database.

  3. Use the .add command to assign principals to roles: .add database databasename rolename ('aaduser | aadgroup=user@domain.com'). To add a user to the Database user role, run the following command, substituting your database name and user.

    .add database <TestDatabase> users ('aaduser=<user@contoso.com>')
    

    Adding principals from external tenants to roles requires either the tenant ID or the tenant name to be explicitly specified in the control command. To add a user from an external tenant to the Database user role, run the following command, substituting your database name, user, and tenant name.

    .add database <TestDatabase> users ('aaduser=<user@contoso.com;fabrikam.com>')
    

    The output of the command shows the list of existing users and the roles they're assigned to in the database.

    For examples pertaining to Azure Active Directory and the Kusto authorization model, please see Principals and Identity Providers.
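
When role assignments are scripted rather than typed by hand, the principal string should be validated before it is placed inside the quoted part of the command. The following is an added example, not part of the original article or of any Microsoft tooling: a Python helper that builds the two `.add database` forms shown above and rejects anything outside a conservative allow-list. The function names, the allow-list patterns and the sample entries are assumptions of this example.

```python
import re

# Database roles accepted by `.add database`; the page's own example uses `users`.
DATABASE_ROLES = {"admins", "users", "viewers", "unrestrictedviewers", "ingestors", "monitors"}
PRINCIPAL_KINDS = {"aaduser", "aadgroup"}  # the kinds in the page's syntax line

# Conservative allow-lists (assumptions of this example): no quotes, spaces,
# parentheses or semicolons can reach the command text.
DB_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
IDENTITY = re.compile(r"[A-Za-z0-9._%+-]+(@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+)?")  # UPN or object ID
TENANT = re.compile(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*")  # tenant name or tenant ID


def add_principal_command(database, role, kind, identity, tenant=None):
    """Return one `.add database` command, or raise ValueError on unsafe input."""
    checks = [
        (DB_NAME.fullmatch(database), "database name"),
        (role in DATABASE_ROLES, "role"),
        (kind in PRINCIPAL_KINDS, "principal kind"),
        (IDENTITY.fullmatch(identity), "identity"),
        (tenant is None or TENANT.fullmatch(tenant), "tenant"),
    ]
    for ok, field in checks:
        if not ok:
            raise ValueError(f"rejected {field}")
    principal = f"{kind}={identity}" + (f";{tenant}" if tenant else "")
    return f".add database {database} {role} ('{principal}')"


def build_plan(assignments):
    """Split a list of assignment tuples into (commands, rejected) for review."""
    commands, rejected = [], []
    for item in assignments:
        try:
            commands.append(add_principal_command(*item))
        except (ValueError, TypeError) as exc:
            rejected.append((item, str(exc)))
    return commands, rejected


# Constructed sample input, not taken from a real tenant.
SAMPLE = [
    ("TestDatabase", "users", "aaduser", "user@contoso.com"),
    ("TestDatabase", "users", "aaduser", "user@contoso.com", "fabrikam.com"),
    ("TestDatabase", "users", "aaduser", "user@contoso.com'"),   # stray quote
    ("TestDatabase", "owners", "aaduser", "user@contoso.com"),   # not a database role
]
```

Calling `build_plan(SAMPLE)` returns the two valid commands for review and the two rejected entries with the field that failed, so nothing unvalidated is sent to the cluster.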

Next steps

Write queries