Configure managed identities for your Azure Data Explorer cluster

Article
05/03/2023

A managed identity from Azure Active Directory allows your cluster to easily access other Azure AD-protected resources such as Azure Key Vault. The identity is managed by the Azure platform and doesn't require you to provision or rotate any secrets. Managed identity configuration is currently supported only to enable customer-managed keys for your cluster.

For an overview of managed identities, see Authenticate using managed identities in your Azure Data Explorer cluster.

Your Azure Data Explorer cluster can be granted two types of identities:

System-assigned identity: Tied to your cluster and deleted if your resource is deleted. A cluster can only have one system-assigned identity.
User-assigned identity: Standalone Azure resource that can be assigned to your cluster. A cluster can have multiple user-assigned identities.

This article shows you how to add and remove system-assigned and user-assigned managed identities for Azure Data Explorer clusters.

Note

Managed identities for Azure Data Explorer won't behave as expected if your Azure Data Explorer cluster is migrated across subscriptions or tenants. The app will need to obtain a new identity, which can be done by disabling and re-enabling the feature. Access policies of downstream resources will also need to be updated to use the new identity.

Add a system-assigned identity

Assign a system-assigned identity that is tied to your cluster, and is deleted if your cluster is deleted. A cluster can only have one system-assigned identity. Creating a cluster with a system-assigned identity requires an additional property to be set on the cluster. Add the system-assigned identity using the Azure portal, C#, or Resource Manager template as detailed below.

Add a system-assigned identity using the Azure portal

New Azure Data Explorer cluster

Create an Azure Data Explorer cluster
In the Security tab > System assigned identity, select On. To remove the system assigned identity, select Off.
Select Next : Tags > or Review + create to create the cluster.

Existing Azure Data Explorer cluster

Open an existing Azure Data Explorer cluster.
Select Settings > Identity in left pane of portal.
In the Identity pane > System assigned tab:
1. Move the Status slider to On.
2. Select Save
3. In the pop-up window, select Yes
After a few minutes, the screen shows:
- Object ID - Used for customer-managed keys
- Permissions - Select relevant role assignments

Add a system-assigned identity using C#

Prerequisites

To set up a managed identity using the Azure Data Explorer C# client:

Install the Azure Data Explorer NuGet package.
Install the Microsoft.Identity.Client NuGet package for authentication.
Install the Microsoft.Rest.ClientRuntime NuGet package for authentication.
Create an Azure AD application and service principal that can access resources. You add role assignment at the subscription scope and get the required Directory (tenant) ID, Application ID, and Client Secret.

Create or update your cluster

Create or update your cluster using the Identity property:

var tenantId = "xxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxx"; //Directory (tenant) ID
var clientId = "xxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxx"; //Application ID
var clientSecret = "PlaceholderClientSecret"; //Client Secret
var subscriptionId = "xxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxx";

var authClient = ConfidentialClientApplicationBuilder.Create(clientId)
    .WithAuthority($"https://login.microsoftonline.com/{tenantId}")
    .WithClientSecret(clientSecret)
    .Build();
var result = authClient.AcquireTokenForClient(new[] { "https://management.core.windows.net/" }).ExecuteAsync().Result;
var credentials = new TokenCredentials(result.AccessToken, result.TokenType);
var kustoManagementClient = new KustoManagementClient(credentials) { SubscriptionId = subscriptionId };
var resourceGroupName = "testrg";
var clusterName = "mykustocluster";
var clusterData = new Cluster(
    location: "Central US",
    sku: new AzureSku("Standard_E8ads_v5", "Standard", 5),
    identity: new Identity(IdentityType.SystemAssigned)
);

await kustoManagementClient.Clusters.CreateOrUpdateAsync(resourceGroupName, clusterName, clusterData);

Run the following command to check if your cluster was successfully created or updated with an identity:
```
clusterData = await kustoManagementClient.Clusters.GetAsync(resourceGroupName, clusterName);
```
If the result contains ProvisioningState with the Succeeded value, then the cluster was created or updated, and should have the following properties:
```
var principalGuid = clusterData.Identity.PrincipalId;
var tenantGuid = clusterData.Identity.TenantId;
```

PrincipalId and TenantId are replaced with GUIDs. The TenantId property identifies the Azure AD tenant to which the identity belongs. The PrincipalId is a unique identifier for the cluster's new identity. Within Azure AD, the service principal has the same name that you gave to your App Service or Azure Functions instance.

Add a system-assigned identity using an Azure Resource Manager template

An Azure Resource Manager template can be used to automate deployment of your Azure resources. To learn more about deploying to Azure Data Explorer, see Create an Azure Data Explorer cluster and database by using an Azure Resource Manager template.

Adding the system-assigned type tells Azure to create and manage the identity for your cluster. Any resource of type Microsoft.Kusto/clusters can be created with an identity by including the following property in the resource definition:

{
   "identity": {
      "type": "SystemAssigned"
   }
}

For example:

{
    "apiVersion": "2019-09-07",
    "type": "Microsoft.Kusto/clusters",
    "name": "[variables('clusterName')]",
    "location": "[resourceGroup().location]",
    "identity": {
        "type": "SystemAssigned"
    }
}

Note

A cluster can have both system-assigned and user-assigned identities at the same time. The type property would be SystemAssigned,UserAssigned

When the cluster is created, it has the following additional properties:

{
   "identity": {
      "type": "SystemAssigned",
      "tenantId": "<TENANTID>",
      "principalId": "<PRINCIPALID>"
   }
}

<TENANTID> and <PRINCIPALID> are replaced with GUIDs. The TenantId property identifies the Azure AD tenant to which the identity belongs. The PrincipalId is a unique identifier for the cluster's new identity. Within Azure AD, the service principal has the same name that you gave to your App Service or Azure Functions instance.

Remove a system-assigned identity

Removing a system-assigned identity will also delete it from Azure AD. System-assigned identities are also automatically removed from Azure AD when the cluster resource is deleted. A system-assigned identity can be removed by disabling the feature. Remove the system-assigned identity using the Azure portal, C#, or Resource Manager template as detailed below.

Remove a system-assigned identity using the Azure portal

Sign in to the Azure portal.
Select Settings > Identity in left pane of portal.
In the Identity pane > System assigned tab:
1. Move the Status slider to Off.
2. Select Save
3. In the pop-up window, select Yes to disable the system-assigned identity. The Identity pane reverts to same condition as before the addition of the system-assigned identity.

Remove a system-assigned identity using C#

Run the following to remove the system-assigned identity:

var clusterPatch = new ClusterUpdate(identity: new Identity(IdentityType.None));
await kustoManagementClient.Clusters.UpdateAsync(resourceGroupName, clusterName, clusterPatch);

Remove a system-assigned identity using an Azure Resource Manager template

Run the following to remove the system-assigned identity:

{
   "identity": {
      "type": "None"
   }
}

Note

If the cluster had both system-assigned and user-assigned identities at the same time, following system-assigned identity removal, the type property will be UserAssigned

Add a user-assigned identity

Assign a user-assigned managed identity to your cluster. A cluster can have more than one user-assigned identity. Creating a cluster with a user-assigned identity requires an additional property to be set on the cluster. Add the user-assigned identity using the Azure portal, C#, or Resource Manager template as detailed below.

Add a user-assigned identity using the Azure portal

Sign in to the Azure portal.
Create a user-assigned managed identity resource.
Open an existing Azure Data Explorer cluster.
Select Settings > Identity in left pane of portal.
In the User assigned tab, select Add.
Search for the identity you created earlier and select it. Select Add.

Add a user-assigned identity using C#

Prerequisites

To set up a managed identity using the Azure Data Explorer C# client:

Install the Azure Data Explorer NuGet package.
Install the Microsoft.Identity.Client NuGet package for authentication.
Install the Microsoft.Rest.ClientRuntime NuGet package for authentication.
Create an Azure AD application and service principal that can access resources. You add role assignment at the subscription scope and get the required Directory (tenant) ID, Application ID, and Client Secret.

Create or update your cluster

Create or update your cluster using the Identity property:

var tenantId = "xxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxx"; //Directory (tenant) ID
var clientId = "xxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxx"; //Application ID
var clientSecret = "PlaceholderClientSecret"; //Client Secret
var subscriptionId = "xxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxx";
var authClient = ConfidentialClientApplicationBuilder.Create(clientId)
    .WithAuthority($"https://login.microsoftonline.com/{tenantId}")
    .WithClientSecret(clientSecret)
    .Build();
var result = authClient.AcquireTokenForClient(new[] { "https://management.core.windows.net/" }).ExecuteAsync().Result;
var credentials = new TokenCredentials(result.AccessToken, result.TokenType);
var kustoManagementClient = new KustoManagementClient(credentials) { SubscriptionId = subscriptionId };
var resourceGroupName = "testrg";
var clusterName = "mykustocluster";
var userIdentityResourceId = $"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<identityName>";
var clusterData = new Cluster(
    location: "Central US",
    sku: new AzureSku("Standard_E8ads_v5", "Standard", 5),
    identity: new Identity(
        IdentityType.UserAssigned,
        userAssignedIdentities: new Dictionary<string, IdentityUserAssignedIdentitiesValue>(1)
        {
            { userIdentityResourceId, new IdentityUserAssignedIdentitiesValue() }
        }
    )
);
await kustoManagementClient.Clusters.CreateOrUpdateAsync(resourceGroupName, clusterName, clusterData);

Run the following command to check if your cluster was successfully created or updated with an identity:
```
clusterData = await kustoManagementClient.Clusters.GetAsync(resourceGroupName, clusterName);
```
If the result contains ProvisioningState with the Succeeded value, then the cluster was created or updated, and should have the following properties:
```
var userIdentity = clusterData.Identity.UserAssignedIdentities[userIdentityResourceId];
var principalGuid = userIdentity.PrincipalId;
var clientGuid = userIdentity.ClientId;
```
The PrincipalId is a unique identifier for the identity that's used for Azure AD administration. The ClientId is a unique identifier for the application's new identity that's used for specifying which identity to use during runtime calls.

Add a user-assigned identity using an Azure Resource Manager template

Any resource of type Microsoft.Kusto/clusters can be created with a user-assigned identity by including the following property in the resource definition, replacing <RESOURCEID> with the resource ID of the desired identity:

{
   "identity": {
      "type": "UserAssigned",
      "userAssignedIdentities": {
         "<RESOURCEID>": {}
      }
   }
}

For example:

{
    "apiVersion": "2019-09-07",
    "type": "Microsoft.Kusto/clusters",
    "name": "[variables('clusterName')]",
    "location": "[resourceGroup().location]",
    "identity": {
        "type": "UserAssigned",
        "userAssignedIdentities": {
            "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('identityName'))]": {}
        }
    },
    "dependsOn": [
        "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('identityName'))]"
    ]
}

When the cluster is created, it has the following additional properties:

{
   "identity": {
      "type": "UserAssigned",
      "userAssignedIdentities": {
         "<RESOURCEID>": {
            "principalId": "<PRINCIPALID>",
            "clientId": "<CLIENTID>"
         }
      }
   }
}

The PrincipalId is a unique identifier for the identity that's used for Azure AD administration. The ClientId is a unique identifier for the application's new identity that's used for specifying which identity to use during runtime calls.

Note

A cluster can have both system-assigned and user-assigned identities at the same time. In this case, the type property would be SystemAssigned,UserAssigned.

Remove a user-assigned managed identity from a cluster

Remove the user-assigned identity using the Azure portal, C#, or Resource Manager template as detailed below.

Remove a user-assigned managed identity using the Azure portal

Sign in to the Azure portal.
Select Settings > Identity in left pane of portal.
Select the User assigned tab.
Search for the identity you created earlier and select it. Select Remove.
In the pop-up window, select Yes to remove the user-assigned identity. The Identity pane reverts to same condition as before the addition of the user-assigned identity.

Remove a user-assigned identity using C#

Run the following to remove the user-assigned identity:

var clusterUpdate = new ClusterUpdate(
    identity: new Identity(
        IdentityType.UserAssigned,
        userAssignedIdentities: new Dictionary<string, IdentityUserAssignedIdentitiesValue>(1)
        {
            { userIdentityResourceId, null }
        }
    )
);
await kustoManagementClient.Clusters.UpdateAsync(resourceGroupName, clusterName, clusterUpdate);

Remove a user-assigned identity using an Azure Resource Manager template

Run the following to remove the user-assigned identity:

{
   "identity": {
      "type": "UserAssigned",
      "userAssignedIdentities": {
         "<RESOURCEID>": null
      }
   }
}

Note

To remove identities, set their values to null. All other existing identities won't be affected.
To remove all user-assigned identities the type property would be None,
If the cluster had both system-assigned and user-assigned identities at the same time, the type property would be SystemAssigned,UserAssigned with the identities to remove, or SystemAssigned to remove all user-assigned identities.

Next steps

Secure Azure Data Explorer clusters in Azure
Secure your cluster using Disk Encryption by enabling encryption at rest.
Configure customer-managed-keys using C#
Configure customer-managed-keys using the Azure Resource Manager template

Configure managed identities for your Azure Data Explorer cluster

Add a system-assigned identity

Add a system-assigned identity using the Azure portal

New Azure Data Explorer cluster

Existing Azure Data Explorer cluster

Remove a system-assigned identity

Remove a system-assigned identity using the Azure portal

Add a user-assigned identity

Add a user-assigned identity using the Azure portal

Remove a user-assigned managed identity from a cluster

Remove a user-assigned managed identity using the Azure portal

Next steps

Additional resources