Επεξεργασία

Κοινή χρήση μέσω


Configure managed identities for your Azure Data Explorer cluster

A managed identity from Microsoft Entra ID allows your cluster to access other Microsoft Entra protected resources such as Azure Key Vault. The identity is managed by the Azure platform and doesn't require you to provision or rotate any secrets.

This article shows you how to add and remove managed identities on your cluster. For more information on managed identities, see Managed identities overview.

Note

Managed identities for Azure Data Explorer won't behave as expected if your Azure Data Explorer cluster is migrated across subscriptions or tenants. The app will need to obtain a new identity, which can be done by removing a system-assigned identity and then adding a system-assigned identity. Access policies of downstream resources will also need to be updated to use the new identity.

For code samples based on previous SDK versions, see the archived article.

Types of managed identities

Your Azure Data Explorer cluster can be granted two types of identities:

  • System-assigned identity: Tied to your cluster and deleted if your resource is deleted. A cluster can only have one system-assigned identity.

  • User-assigned identity: A standalone Azure resource that can be assigned to your cluster. A cluster can have multiple user-assigned identities.

Add a system-assigned identity

Assign a system-assigned identity that is tied to your cluster, and is deleted if your cluster is deleted. A cluster can only have one system-assigned identity. Creating a cluster with a system-assigned identity requires an additional property to be set on the cluster. Add the system-assigned identity using the Azure portal, C#, or Resource Manager template as detailed below.

Add a system-assigned identity using the Azure portal

Sign in to the Azure portal.

New Azure Data Explorer cluster

  1. Create an Azure Data Explorer cluster

  2. In the Security tab > System assigned identity, select On. To remove the system assigned identity, select Off.

  3. Select Next : Tags > or Review + create to create the cluster.

    Add system assigned identity to new cluster.

Existing Azure Data Explorer cluster

  1. Open an existing Azure Data Explorer cluster.

  2. Select Settings > Identity in left pane of portal.

  3. In the Identity pane > System assigned tab:

    1. Move the Status slider to On.
    2. Select Save
    3. In the pop-up window, select Yes

    Add system assigned identity.

  4. After a few minutes, the screen shows:

    • Object ID - Used for customer-managed keys
    • Permissions - Select relevant role assignments

    System assigned identity on.

Remove a system-assigned identity

Removing a system-assigned identity will also delete it from Microsoft Entra ID. System-assigned identities are also automatically removed from Microsoft Entra ID when the cluster resource is deleted. A system-assigned identity can be removed by disabling the feature. Remove the system-assigned identity using the Azure portal, C#, or Resource Manager template as detailed below.

Remove a system-assigned identity using the Azure portal

  1. Sign in to the Azure portal.

  2. Select Settings > Identity in left pane of portal.

  3. In the Identity pane > System assigned tab:

    1. Move the Status slider to Off.
    2. Select Save
    3. In the pop-up window, select Yes to disable the system-assigned identity. The Identity pane reverts to same condition as before the addition of the system-assigned identity.

    System assigned identity off.

Add a user-assigned identity

Assign a user-assigned managed identity to your cluster. A cluster can have more than one user-assigned identity. Creating a cluster with a user-assigned identity requires an additional property to be set on the cluster. Add the user-assigned identity using the Azure portal, C#, or Resource Manager template as detailed below.

Add a user-assigned identity using the Azure portal

  1. Sign in to the Azure portal.

  2. Create a user-assigned managed identity resource.

  3. Open an existing Azure Data Explorer cluster.

  4. Select Settings > Identity in left pane of portal.

  5. In the User assigned tab, select Add.

  6. Search for the identity you created earlier and select it. Select Add.

    Add user assigned identity.

Remove a user-assigned managed identity from a cluster

Remove the user-assigned identity using the Azure portal, C#, or Resource Manager template as detailed below.

Remove a user-assigned managed identity using the Azure portal

  1. Sign in to the Azure portal.

  2. Select Settings > Identity in left pane of portal.

  3. Select the User assigned tab.

  4. Search for the identity you created earlier and select it. Select Remove.

    Remove user assigned identity.

  5. In the pop-up window, select Yes to remove the user-assigned identity. The Identity pane reverts to same condition as before the addition of the user-assigned identity.