Manage Azure Data Explorer database permissions
Azure Data Explorer enables you to control access to databases and tables, using a role-based access control model. Under this model, principals (users, groups, and apps) are mapped to roles. Principals can access resources according to the roles they're assigned. For a list of available roles, see role-based access control.
This article describes the available roles and how to assign principals to those roles using the Azure portal and Azure Data Explorer management commands.
Manage permissions in the Azure portal
Sign in to the Azure portal.
Navigate to your Azure Data Explorer cluster.
In the Overview section, select the database where you want to manage permissions. For roles that apply to all databases, skip this phase and go directly to the next step.
Select Permissions then Add.
Look up the principal, select it, then Select.
Manage permissions with management commands
Sign in to https://dataexplorer.azure.com, and add your cluster if it's not already available.
In the left pane, select the appropriate database.
Use the .add command to assign principals to roles:
.add database databasename rolename ('aaduser | aadgroup=user@domain.com')
To add a user to the Database user role, run the following command, substituting your database name and user.
.add database <TestDatabase> users ('aaduser=<user@contoso.com>')
Adding roles to principals from external tenants requires either the tenant ID or name to be explicitly specified in the control command. To add a user from an external tenant to the Database user role, run the following command, substituting your database name, user, and tenant name.
.add database <TestDatabase> users ('aaduser=<user@contoso.com;fabrikam.com>')
The output of the command shows the list of existing users and the roles they're assigned to in the database.
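When role assignments are scripted rather than typed by hand, the command text can be generated from a reviewed request list. The following is an added example, not part of the original article or of any Microsoft tooling: a Python helper that builds the .add database commands shown above, including the external-tenant form, and rejects requests for roles outside a caller-supplied allow-list or with malformed principals. The function names, validation patterns, allow-list and sample requests are assumptions made for illustration.

```python
import re

# Assumptions for this helper (not from the page): conservative patterns for
# names, UPN-style identities and tenants, and a caller-supplied role allow-list.
NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
IDENTITY = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")
TENANT = re.compile(r"[A-Za-z0-9]+([.-][A-Za-z0-9]+)*")  # domain name or GUID
KINDS = ("aaduser", "aadgroup")  # the two principal kinds shown on this page

def build_add_command(database, role, kind, identity, tenant=None,
                      allowed_roles=("users",)):
    """Return one `.add database` command, or raise ValueError."""
    if not NAME.fullmatch(database):
        raise ValueError(f"invalid database name: {database!r}")
    if role not in allowed_roles:
        raise ValueError(f"role not on the allow-list: {role!r}")
    if kind not in KINDS:
        raise ValueError(f"unsupported principal kind: {kind!r}")
    if not IDENTITY.fullmatch(identity):
        raise ValueError(f"invalid identity: {identity!r}")
    principal = f"{kind}={identity}"
    if tenant is not None:
        # External tenant: the tenant name or ID follows the identity after ';'.
        if not TENANT.fullmatch(tenant):
            raise ValueError(f"invalid tenant: {tenant!r}")
        principal += f";{tenant}"
    return f".add database {database} {role} ('{principal}')"

def plan(requests):
    """Split requests into (commands to run, rejected requests with reasons)."""
    commands, rejected = [], []
    for req in requests:
        try:
            commands.append(build_add_command(*req))
        except ValueError as err:
            rejected.append((req, str(err)))
    return commands, rejected

# Constructed sample requests: (database, role, kind, identity, tenant).
REQUESTS = [
    ("TestDatabase", "users", "aaduser", "user@contoso.com", None),
    ("TestDatabase", "users", "aaduser", "user@contoso.com", "fabrikam.com"),
    ("TestDatabase", "admins", "aadgroup", "ops@contoso.com", None),
    ("TestDatabase", "users", "aaduser", "user@contoso.com')", None),
]

if __name__ == "__main__":
    print(plan(REQUESTS))
```

The first two requests produce the same commands as the article's examples; the third is rejected because its role is not on the allow-list, and the fourth because the identity contains characters that would break out of the quoted principal string.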
For examples pertaining to Azure Active Directory and the Kusto authorization model, please see Principals and Identity Providers.