Authenticate to Azure AD for access (2023)

The recommended method for accessing your cluster is to authenticate usingAzure Active Directory (Azure AD)Service; This ensures the confidentiality of the directory credentials of the accessing recipient.

To do this, the buyer carries out the procedure in two stages:

1. In the first step, the customer must:
   1. Communicates with the Azure AD service.
   2. Authenticates to Azure AD.
   3. Requires an access token issued specifically for your cluster.
2. In the second step, the client sends requests to your cluster and provides the access token obtained in the first step as proof of identity for your cluster.

The request is then executed on behalf of the security principal for which Azure AD issued the access token. All authorization checks are performed with this identity.

In most cases, the recommendation is to use one of the Kusto SDKs for programmatic access to the service, as they save a lot of effort when implementing the flow (and then a lot more). For more information see.NET SDK.The authentication properties are then setCusto connecting string.If this is not possible, read on for detailed information on how to implement this flow yourself.

The main authentication scenarios are:

• A client application that verifies the authenticity of the logged-in user.In this scenario, an interactive (client) application initiates an Azure AD query to the user for credentials (eg username and password). Please reach outuser authentication,

• "Headless" application..In this scenario, the application runs without the user present to provide credentials. Instead, the application authenticates to Azure AD as "itself" using some of the credentials it was configured with. Please reach outApplication authentication.

• Authentication on behalf of the customer.In this scenario, sometimes called a "web service" or "web application" scenario, an application obtains an Azure AD access token from another application and then "converts" it into another Azure AD access token that can be used to access your application cluster . In other words, the application acts as an intermediary between the user or the credentialing application and the engine services. Please reach outAuthentication on behalf.

Specify an Azure AD resource

When obtaining an access token from Azure AD, the client must specify whichAzure AD resourcesto which the token should be issued. An Azure AD endpoint resource is the URI of the endpoint, excluding the port and path information. For example:

https://help.kusto.windows.net

Alternatively, clients can also request an access token with the ID of a static cloud resource, e.g.

https://kusto.kusto.windows.net

(for public cloud services). Clients that do this must ensure that they only send this access token to the Kusto service endpoint based on the hostname suffix ( herekusto.windows.net).Sending access tokens to untrusted service endpoints can result in token leakage, allowing the receiving service to perform operations on any Kusto service endpoint to which the principal has access.

Provide the Azure AD tenant ID

Azure AD is a multi-tenant service and each organization can have an object named "directoryin Azure AD. The directory object contains security-related objects such as user accounts, applications, and groups. Azure AD often refers to the directory asThe renter. Azure AD tenants are identified by a GUID (Tenant ID). In many cases, Azure AD tenants can also be identified by the organization's domain name.

For example, an organization named "Contoso" might have a tenant ID4da81d62-e0a8-4899-adad-4349ca6bfe24and domain namecontoso.com.

Specify the Azure AD authorization endpoint

Azure AD has many authentication endpoints:

• If the tenant hosting the principal to be authenticated is known (in other words, if it is known in which Azure AD directory the user or application resides), it is an Azure AD endpointhttps://login.microsoftonline.com/{tenantId}.Here,{tenantId}is the tenant ID of the organization in Azure AD or the domain name (egcontoso.com).

• If the tenant hosting the principal to be authenticated is not known, a "shared" endpoint can be used instead{tenantId}up with valuetogether.

Local Azure AD-Token-Cache

When you use the Kusto SDK, Azure AD tokens are stored on your local computer in a per-user token cache (a file named ".").%APPDATA%\Kusto\userTokenCache.data(Which only a logged in user can access or decrypt.) The cache is checked for tokens before the user is prompted for credentials. This reduces the number of times the user is prompted for credentials.

user authentication

The easiest way to access your cluster with user authentication is to use the Kusto SDK and setupfederal authenticationconnection string propertySHE'S RIGHT. When using the SDK for the first time to send a request to a service, the user is presented with a login form to enter their Azure AD credentials. After successful authentication, the request is sent.

Applications that do not use the Kusto SDK can continue to use itMicrosoft Authentication Library (MSAL)instead of deploying the Azure AD security protocol client. SeeAzure AD i OpenID ConnectHere is an example of this from a .NET application.

If your application needs to act as an interface and authenticate users in an Azure Data Explorer cluster, the application must be granted delegated permissions to Azure Data Explorer. The complete step-by-step procedure is described belowConfigure delegated permissions for application registration.

The following short code snippet demonstrates its useMicrosoft Authentication Library (MSAL)To get an Azure AD user token to access the cluster (triggers the login interface):

var kustoUri = "https://..kusto.windows.net";// Create a public authentication client for Azure AD:var authClient = PublicClientApplicationBuilder.Create("") .WithAuthority( $"https://login.microsoftonline.com/") .WithRedirectUri("").Build();// Acquire user token for interactive Azure Data Explorer user:var result = authClient. AcquireTokenInteractive( new[] { $"{kustoUri}/.default" } // Define scopes to access Azure Data Explorer cluster ).ExecuteAsync().Result;// Extract bearer access token var bearerToken = result.AccessToken;// Create an HTTP request and set the authorization header for your request:var request = WebRequest .Create(new Uri(kustoUri)) ;request. Headers.Set(HttpRequestHeader.Authorization, string.Format(CultureInfo.InvariantCulture, "{0} {1 }", "Bearer", bearerToken));

Application authentication

The following short code snippet demonstrates its useMicrosoft Authentication Library (MSAL)to purchase an Azure AD application token to access the cluster. There are no prompts in this flow, and the application must be registered with Azure AD and must have the credentials required to perform application authentication (eg Azure AD-issued application key or Azure AD-registered X509v2 certificate pre-registered).

var kustoUri = "https://..kusto.windows.net";// Creating a confidential authentication client for Azure AD:var authClient = ConfidentialClientApplicationBuilder.Create("") .WithAuthority( $"https://login.microsoftonline.com/") .WithClientSecret("") // can be replaced with .WithCertificate to authenticate with an X.509 certificate .Build();// Acquire an application token for Azure Data Explorer:var result = authClient.AcquireTokenForClient( new[] { $"{ kustoUri}/ .default" } // Define the scopes to access the Azure Data Explorer cluster).ExecuteAsync().Result;// Extract the bearer access token var bearerToken = result.AccessToken;// Make an HTTP request and set the authorization header for your request : var request = WebRequest.Create(new Uri(kustoUri)); request.Headers.Set(HttpRequestHeader.Authorization, string. Format(CultureInfo.InvariantCulture, "{0} {1}", "Bearer", bearerToken));

Authentication on behalf of the customer

In this scenario, the application is sent an Azure AD access token for any resource managed by the application and uses that token to obtain a new Azure AD access token for the resource so that the application can do so on behalf of the one specified by the application principal can access Kustoon Original Azure AD access tokens.

This flow is calledOAuth2 token exchange flowIn general, there are multiple configuration steps to be performed with Azure AD, and in some cases (depending on the Azure AD tenant configuration) specific consent from the Azure AD tenant administrator may be required.

Step 1: Establish a trust relationship between your application and your cluster

1. open itAzure-Portaland make sure you are logged in to the correct tenant (the identity you used to log in to the portal can be found in the top/right corner).

2. In the resource pane, select an optionAzure Active Directory, ThenApplication registrations.

   (Video) AZ-900 Episode 25 | Azure Identity Services | Authentication, Authorization & Active Directory (AD)

3. Find and open the application that uses the "On behalf" flow.

4. ChooseAPI permissions, ThenAdd permission.

5. Search for the mentioned applicationAzure Data Explorerand select it.

6. Chooseuser_impersonation / Access to Kust.

7. ChooseAdd permission.

Step 2: Perform the token exchange in your server code

// Create an Azure AD confidential client for authentication:var authClient = ConfidentialClientApplicationBuilder.Create("") .WithAuthority($"https://login.microsoftonline.com/") .WithClientSecret("") // can be replaced with .WithCertificate to authenticate with authClient.AcquireTokenOnBehalfOf( new[] { "https://..kusto.windows.net/.default" }, // define the scope to access the Azure Data Explorer cluster new UserAssertion("" ) // Encoding the "original" token used for the exchange).ExecuteAsync().Result; var accessTokenForAdx = result.AccessToken;

Step 3: Provide the token to the Kusto client library and run the queries

// Create a KustoConnectionStringBuilder using the previously purchased Azure AD token variable connectionStringBuilder = new KustoConnectionStringBuilder("https://..kusto.windows.net") .WithAadUserTokenAuthentication(accessTokenForAdx);// Create the ADX client query base on the connection string object with var queryClient = KustoClientFactory.CreateCslQueryProvider(connectionStringBuilder);// Execute the queryvar queryResult = await queryClient.ExecuteQueryAsync("", "", nula);

Web client authentication (JavaScript) and authorization

Azure AD application configuration

In addition to the standardstepsTo deploy an Azure AD application, you must also enable the Single Page Application (SPA) setting in your Azure AD application. This allows the OAuth authorization code to flow using PKCE to retrieve the token it usesMSAL.js 2.0(MSAL 1.0 used a less secure implicit allocation flow). Use MSAL 2.0 steps inSPA application registration scenarioto configure the application accordingly.

details

If the client is JavaScript code running in the user's browser, the authentication code flow is used. The authentication process consists of two phases:

1. The application is redirected to sign in to Azure AD. After login, Azure AD redirects back to the application with the authorization code in the URI.

2. The application sends a request to the token endpoint to obtain an access token. The token is valid for 24 hours. During this time, the client can reuse it by tacitly acquiring tokens.

   (Video) Azure Files AD Authentication Integration

As in the native client flow, there should be two Azure AD applications (server and client) with a configured relationship between them.

MSAL.js 2.0 contains detailed sample applications for various frameworks such as React and Angular. For an example of using MSAL.js 2.0 to authenticate in a cluster using a React application, seeMSAL.js 2.0 React sample. For other frameworks, see the MSAL.js 2.0 documentation for an example application.

The following is a framework-independent code samplePlease helpCluster.

1. Create an instance of MSALPublicClientApplication:

   import * kao msal iz „@azure/msal-browser“;const msalConfig = { auth: { clientId: „", authorization: "https://login.microsoftonline.com/", },};const msalInstance = nova msal.PublicClientApplication(msalConfig);

   Important

   Make sure your application always callshandleRedirectPromise()whenever the page loads. This is because Azure AD adds the authorization code as part of the URIhandleRedirectPromise()The function extracts the authorization code from the URI and caches it.

   Awaiting msalInstance.handleRedirectPromise();

2. Add login code if MSAL does not have locally cached accounts. Note the use of redirect scopes on the Azure AD side to give your application the permission it needs to access your cluster.

   const myAccounts = msalInstance.getAllAccounts();// If no account is logged in, redirects user to login. // No return statement needed here as the browser will redirect the user to the login page. if (myAccounts === undefined || myAccounts.length === 0) { try { waiting msalInstance.loginRedirect({ Ranges: ["https://help.kusto.windows.net/.default"], }); } Catch (err) { console.err(err); // error handling }}

3. Add an invitation codemsalInstance.acquireTokenSilent()to obtain the actual access token required to access the specified cluster. If silent token collection fails, callgetTokenRedirect()to get a new token.

   const account = myAccounts[0]; const name = account.name; window.document.getElementById("main").innerHTML = `HI ${name}!`; const accessTokenRequest = { account, scope: ["https://help.kusto.windows.net/.default"], }; let acceptTokenResult = undefined; try { acquireTokenResult = await msalInstance.acquireTokenSilent( accessTokenRequest); } Catch ( error ) { // If our access/update/ID token has expired, we need to redirect to AAD to get a new one. if (InteractionRequiredAuthError error instance) { await msalInstance.acquireTokenRedirect(accessTokenRequest); } } const accessToken = acceptTokenResult.accessToken;

4. Finally, add the code to send the request to the specified cluster. You must add a tokenlicenseAn attribute in the request header for successful authentication. For example, the following code makes a request to run a querypracticedatabase inPlease helpCluster.

   const fetchResult = await fetch( "https://help.kusto.windows.net/v2/rest/query", { headers: { Authorization: `Holder ${accessToken}`, "Content-Type": "application/json ", }, method: "POST", body: JSON.stringify({ db: "Samples", csl: "StormEvents | count", }), } ); const jsonResult = await fetchResult.json(); // Die folgende Zeile extrahiert die erste Zelle in den Ergebnisdaten const count = jsonResult.filter((x) => x.TableKind == "PrimaryResult")[0].Rows[0][0];