Managed identities overview
A managed identity from Azure Active Directory allows your cluster to easily access other Azure AD-protected resources such as Azure Storage. The identity is managed by the Azure platform and doesn't require you to provision or rotate any secrets.
Your Azure Data Explorer cluster can be granted two types of identities:
- System-assigned identity: Tied to your cluster and deleted if your resource is deleted. A cluster can only have one system-assigned identity.
- User-assigned identity: A standalone Azure resource that can be assigned to your cluster. A cluster can have multiple user-assigned identities.
Managed identity authentication can be used in Azure Data Explorer for various supported flows. To authenticate with managed identities, follow these steps:
- Configure a managed identity for your cluster
- Configure the managed identity policy
- Use managed identity in supported workflows
Configure a managed identity for your cluster
Your cluster needs permissions to act on behalf of the given managed identity. This assignment can be given for both system-assigned and user-assigned managed identities. For instructions, see Configure managed identities for your Azure Data Explorer cluster.
Configure the managed identity policy
To use the managed identity, you need to configure the managed identity policy to allow this identity. For instructions, see Managed Identity policy.
The managed identity policy control commands are:
- .alter managed_identity policy
- .alter-merge managed_identity policy
- .delete managed_identity policy
- .show managed_identity policy
Use in supported workflows
After assigning the managed identity to your cluster and configuring the relevant managed identity policy usage, you can start using managed identity authentication in the following workflows:
- External Tables: Create an external table with managed identity authentication. The authentication is stated as part of the connection string. For examples, see storage connection string. For instructions for using external tables with managed identity authentication, see Authenticate external tables with managed identities
- Continuous Export: Run a continuous export on behalf of a managed identity. This is required to run continuous export jobs exporting data to an external table that uses impersonation authentication. This is also required if the query of the Continuous export references tables in other databases. To specify that, add the managed identity identifier in the optional parameters given in the
create-or-alter
command. - Event Hubs Native Ingestion: Use a managed identity with event hub native ingestion. For more information, see Ingest data from event hub into Azure Data Explorer.
- Python plugin: Use a managed identity to authenticate to storage accounts of external artifacts that are used in the python plugin. Please note that the
SandboxArtifacts
usage needs to be defined on the cluster level managed identity policy. For more information, see Python plugin. - SDK based ingestion: When queuing blobs for ingestion from your own storage accounts, you can use managed identities as an alternative to shared access signature (SAS) tokens and Shared Keys authentication methods. For more information, see Queue blobs for ingestion using managed identity authentication.
- Ingest from storage: Ingest data from files located in cloud storages into a target table using managed identity authentication. Refer to the ingestion from storage documentation for examples.
Note
Attempting to use managed identities in any other flow will result in the following error message: "Authentication with a Managed Identity is disabled for this flow"