Managed identities overview

A managed identity from Azure Active Directory allows your cluster to easily access other Azure AD-protected resources such as Azure Storage. The identity is managed by the Azure platform and doesn't require you to provision or rotate any secrets.

Your Azure Data Explorer cluster can be granted two types of identities:

  • System-assigned identity: Tied to your cluster and deleted if your resource is deleted. A cluster can only have one system-assigned identity.
  • User-assigned identity: A standalone Azure resource that can be assigned to your cluster. A cluster can have multiple user-assigned identities.

Managed identity authentication can be used in Azure Data Explorer for various supported flows. To authenticate with managed identities, follow these steps:

  1. Configure a managed identity for your cluster
  2. Configure the managed identity policy
  3. Use managed identity in supported workflows

Configure a managed identity for your cluster

Your cluster needs permission to act on behalf of the given managed identity. This assignment can be made for both system-assigned and user-assigned managed identities. For instructions, see Configure managed identities for your Azure Data Explorer cluster.

Configure the managed identity policy

To use the managed identity, you need to configure the managed identity policy to allow this identity. For instructions, see Managed Identity policy.
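The following is an added example, not taken from this page, showing what the policy step looks like as Kusto management commands. It assumes the managed identity policy syntax documented for Azure Data Explorer (a JSON list of objects with an ObjectId and an AllowedUsages field, where the value "system" refers to the cluster's system-assigned identity); the database name MyDatabase and the GUID are placeholders.

```kusto
// Added example (not from the page). Allow the system-assigned identity to be used
// for native ingestion only, and a user-assigned identity (placeholder object ID)
// for external tables only, in database MyDatabase.
// .alter-merge appends to an existing policy; .alter would replace it entirely.
.alter-merge database MyDatabase policy managed_identity "[ { \"ObjectId\": \"system\", \"AllowedUsages\": \"NativeIngestion\" }, { \"ObjectId\": \"00000000-0000-0000-0000-000000000000\", \"AllowedUsages\": \"ExternalTable\" } ]"

// Verify the effective policy before relying on it in a workflow.
.show database MyDatabase policy managed_identity

// Remove the policy again when the identity is no longer needed in this database.
.delete database MyDatabase policy managed_identity
```

The policy is the least-privilege control in this model: even after an identity is assigned to the cluster, it can only be used for the usages the policy lists, so grant specific usages per identity rather than the blanket "All" value, and scope the policy to a database where the cluster-level policy is not required.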

The managed identity policy control commands are:

Use in supported workflows

After assigning the managed identity to your cluster and configuring the relevant managed identity policy usage, you can start using managed identity authentication in the following workflows: