Conditional Access with Azure Data Explorer

What is Conditional Access?

The modern security perimeter extends beyond an organization's network to include user and device identity. Organizations can use identity-driven signals as part of their access control decisions. You can use Azure Active Directory(Azure AD) Conditional Access to bring signals together, to make decisions, and enforce organizational policies.

Conditional Access policies at their simplest are like if-then statements. If a user wants to access a resource, then they must complete an action. For example, a data engineer wants to access Azure Data Explorer but is required to do multi-factor authentication (MFA) to access it.

In the following example, you'll learn how to configure a Conditional Access policy that enforces MFA for selected users using the Azure Data Explorer web UI. You can use the same steps to create other policies to meet your organization's security requirements.


Using this feature requires an Azure AD Premium license. To find the right license for your requirements, see Compare available features of Azure AD.


Conditional Access policies are only applied to Azure Data Explorer's data plane operations and doesn't affect any control plane operations. For more information, see Azure control and data plane.


Conditional Access policies are applied at the tenant level; hence, it's applied to all clusters in the tenant.

Configure Conditional Access

  1. Sign in to the Azure portal as a global administrator, security administrator, or Conditional Access administrator.

  2. Browse to Azure Active Directory > Security > Conditional Access.

  3. Select New policy.

    Screenshot of the Security page, showing the Conditional Access tab.

  4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.

  5. Under Assignments, select Users and groups. Under Include > Select users and groups, select Users and groups, add the user or group you want to include for Conditional Access, and then select Select.

    Screenshot of the users and groups section, showing the assignment of users.

  6. Under Cloud apps or actions, select Cloud apps. Under Include, select Select apps to see a list of all apps available for Conditional Access. Select Azure Data Explorer > Select.


    Please make sure you select the Azure Data Explorer app with the following GUID: 2746ea77-4702-4b45-80ca-3c97e680e8b7.

    Screenshot of the cloud apps section, showing the selection of the Azure Data Explorer app.

  7. Under Conditions, set the conditions you want to apply for all device platforms and then select Done. For more information, see Azure Active Directory Conditional Access : Conditions.

    Screenshot of the conditions section, showing the assignment of conditions.

  8. Under Access controls, select Grant, select Require multi-factor authentication, and then select Select.

    Screenshot of the access controls section, showing the granting access requirements.

  9. Set Enable policy to On, and then select Save.

    Screenshot of the enable policy section, showing the policy being turned on.

  10. Verify the policy by asking an assigned user to access the Azure Data Explorer web UI. The user should be prompted for MFA.

    Screenshot of the M F A prompt.

Next steps