Authenticate to Azure AD for access (2023)

  • Article

The recommended method for accessing your cluster is to authenticate usingAzure Active Directory (Azure AD)Service; This ensures the confidentiality of the directory credentials of the accessing recipient.

To do this, the buyer carries out the procedure in two stages:

  1. In the first step, the customer must:
    1. Communicates with the Azure AD service.
    2. Authenticates to Azure AD.
    3. Requires an access token issued specifically for your cluster.
  2. In the second step, the client sends requests to your cluster and provides the access token obtained in the first step as proof of identity for your cluster.

The request is then executed on behalf of the security principal for which Azure AD issued the access token. All authorization checks are performed with this identity.

In most cases, the recommendation is to use one of the Kusto SDKs for programmatic access to the service, as they save a lot of effort when implementing the flow (and then a lot more). For more information see.NET SDK.The authentication properties are then setCusto connecting string.If this is not possible, read on for detailed information on how to implement this flow yourself.

The main authentication scenarios are:

  • A client application that verifies the authenticity of the logged-in user.In this scenario, an interactive (client) application initiates an Azure AD query to the user for credentials (eg username and password). Please reach outuser authentication,

  • "Headless" application..In this scenario, the application runs without the user present to provide credentials. Instead, the application authenticates to Azure AD as "itself" using some of the credentials it was configured with. Please reach outApplication authentication.

  • Authentication on behalf of the customer.In this scenario, sometimes called a "web service" or "web application" scenario, an application obtains an Azure AD access token from another application and then "converts" it into another Azure AD access token that can be used to access your application cluster . In other words, the application acts as an intermediary between the user or the credentialing application and the engine services. Please reach outAuthentication on behalf.

Specify an Azure AD resource

When obtaining an access token from Azure AD, the client must specify whichAzure AD resourcesto which the token should be issued. An Azure AD endpoint resource is the URI of the endpoint, excluding the port and path information. For example:

Alternatively, clients can also request an access token with the ID of a static cloud resource, e.g.

(Video) Authenticate to Azure AD with a Yubikey!

(for public cloud services). Clients that do this must ensure that they only send this access token to the Kusto service endpoint based on the hostname suffix ( access tokens to untrusted service endpoints can result in token leakage, allowing the receiving service to perform operations on any Kusto service endpoint to which the principal has access.

Provide the Azure AD tenant ID

Azure AD is a multi-tenant service and each organization can have an object named "directoryin Azure AD. The directory object contains security-related objects such as user accounts, applications, and groups. Azure AD often refers to the directory asThe renter. Azure AD tenants are identified by a GUID (Tenant ID). In many cases, Azure AD tenants can also be identified by the organization's domain name.

For example, an organization named "Contoso" might have a tenant ID4da81d62-e0a8-4899-adad-4349ca6bfe24and domain

Specify the Azure AD authorization endpoint

Azure AD has many authentication endpoints:

  • If the tenant hosting the principal to be authenticated is known (in other words, if it is known in which Azure AD directory the user or application resides), it is an Azure AD endpoint{tenantId}.Here,{tenantId}is the tenant ID of the organization in Azure AD or the domain name (

  • If the tenant hosting the principal to be authenticated is not known, a "shared" endpoint can be used instead{tenantId}up with valuetogether.


The Azure AD endpoint used for authentication is also calledURL autoriteta Azure ADor simplyAzure AD authorization.


Azure AD service endpoint changes in national clouds. If you are working with a cluster deployed in a national cloud, set up the appropriate Azure AD service endpoint for the national cloud. To change the endpoint, set an environment variableAadAuthorityUrito the requested URI.

Local Azure AD-Token-Cache

When you use the Kusto SDK, Azure AD tokens are stored on your local computer in a per-user token cache (a file named ".").%APPDATA%\Kusto\ only a logged in user can access or decrypt.) The cache is checked for tokens before the user is prompted for credentials. This reduces the number of times the user is prompted for credentials.

(Video) How to Authenticate an Azure AD, Configure Azure Web App to Use Azure Active Directory


The Azure AD token cache reduces the number of interactive queries, but does not reduce them completely. In addition, users cannot predict in advance when they will be prompted for credentials. This means that the authentication user account should not be attempted when non-interactive login support is required (eg when scheduling tasks), since at that time it is intended to authenticate the logged-in user's query for their credentials. This query fails when run under a non-interactive login.

user authentication

The easiest way to access your cluster with user authentication is to use the Kusto SDK and setupfederal authenticationconnection string propertySHE'S RIGHT. When using the SDK for the first time to send a request to a service, the user is presented with a login form to enter their Azure AD credentials. After successful authentication, the request is sent.

Applications that do not use the Kusto SDK can continue to use itMicrosoft Authentication Library (MSAL)instead of deploying the Azure AD security protocol client. SeeAzure AD i OpenID ConnectHere is an example of this from a .NET application.

If your application needs to act as an interface and authenticate users in an Azure Data Explorer cluster, the application must be granted delegated permissions to Azure Data Explorer. The complete step-by-step procedure is described belowConfigure delegated permissions for application registration.

The following short code snippet demonstrates its useMicrosoft Authentication Library (MSAL)To get an Azure AD user token to access the cluster (triggers the login interface):

var kustoUri = "";// Create a public authentication client for Azure AD:var authClient = PublicClientApplicationBuilder.Create("") .WithAuthority( $"") .WithRedirectUri("").Build();// Acquire user token for interactive Azure Data Explorer user:var result = authClient. AcquireTokenInteractive( new[] { $"{kustoUri}/.default" } // Define scopes to access Azure Data Explorer cluster ).ExecuteAsync().Result;// Extract bearer access token var bearerToken = result.AccessToken;// Create an HTTP request and set the authorization header for your request:var request = WebRequest .Create(new Uri(kustoUri)) ;request. Headers.Set(HttpRequestHeader.Authorization, string.Format(CultureInfo.InvariantCulture, "{0} {1 }", "Bearer", bearerToken));

Application authentication

The following short code snippet demonstrates its useMicrosoft Authentication Library (MSAL)to purchase an Azure AD application token to access the cluster. There are no prompts in this flow, and the application must be registered with Azure AD and must have the credentials required to perform application authentication (eg Azure AD-issued application key or Azure AD-registered X509v2 certificate pre-registered).

var kustoUri = "";// Creating a confidential authentication client for Azure AD:var authClient = ConfidentialClientApplicationBuilder.Create("") .WithAuthority( $"") .WithClientSecret("") // can be replaced with .WithCertificate to authenticate with an X.509 certificate .Build();// Acquire an application token for Azure Data Explorer:var result = authClient.AcquireTokenForClient( new[] { $"{ kustoUri}/ .default" } // Define the scopes to access the Azure Data Explorer cluster).ExecuteAsync().Result;// Extract the bearer access token var bearerToken = result.AccessToken;// Make an HTTP request and set the authorization header for your request : var request = WebRequest.Create(new Uri(kustoUri)); request.Headers.Set(HttpRequestHeader.Authorization, string. Format(CultureInfo.InvariantCulture, "{0} {1}", "Bearer", bearerToken));

Authentication on behalf of the customer

In this scenario, the application is sent an Azure AD access token for any resource managed by the application and uses that token to obtain a new Azure AD access token for the resource so that the application can do so on behalf of the one specified by the application principal can access Kustoon Original Azure AD access tokens.

This flow is calledOAuth2 token exchange flowIn general, there are multiple configuration steps to be performed with Azure AD, and in some cases (depending on the Azure AD tenant configuration) specific consent from the Azure AD tenant administrator may be required.

Step 1: Establish a trust relationship between your application and your cluster

  1. open itAzure-Portaland make sure you are logged in to the correct tenant (the identity you used to log in to the portal can be found in the top/right corner).

  2. In the resource pane, select an optionAzure Active Directory, ThenApplication registrations.

    (Video) AZ-900 Episode 25 | Azure Identity Services | Authentication, Authorization & Active Directory (AD)

  3. Find and open the application that uses the "On behalf" flow.

  4. ChooseAPI permissions, ThenAdd permission.

  5. Search for the mentioned applicationAzure Data Explorerand select it.

  6. Chooseuser_impersonation / Access to Kust.

  7. ChooseAdd permission.

Step 2: Perform the token exchange in your server code

// Create an Azure AD confidential client for authentication:var authClient = ConfidentialClientApplicationBuilder.Create("") .WithAuthority($"") .WithClientSecret("") // can be replaced with .WithCertificate to authenticate with authClient.AcquireTokenOnBehalfOf( new[] { "" }, // define the scope to access the Azure Data Explorer cluster new UserAssertion("" ) // Encoding the "original" token used for the exchange).ExecuteAsync().Result; var accessTokenForAdx = result.AccessToken;

Step 3: Provide the token to the Kusto client library and run the queries

// Create a KustoConnectionStringBuilder using the previously purchased Azure AD token variable connectionStringBuilder = new KustoConnectionStringBuilder("") .WithAadUserTokenAuthentication(accessTokenForAdx);// Create the ADX client query base on the connection string object with var queryClient = KustoClientFactory.CreateCslQueryProvider(connectionStringBuilder);// Execute the queryvar queryResult = await queryClient.ExecuteQueryAsync("", "", nula);

Web client authentication (JavaScript) and authorization

Azure AD application configuration

In addition to the standardstepsTo deploy an Azure AD application, you must also enable the Single Page Application (SPA) setting in your Azure AD application. This allows the OAuth authorization code to flow using PKCE to retrieve the token it usesMSAL.js 2.0(MSAL 1.0 used a less secure implicit allocation flow). Use MSAL 2.0 steps inSPA application registration scenarioto configure the application accordingly.


If the client is JavaScript code running in the user's browser, the authentication code flow is used. The authentication process consists of two phases:

  1. The application is redirected to sign in to Azure AD. After login, Azure AD redirects back to the application with the authorization code in the URI.

  2. The application sends a request to the token endpoint to obtain an access token. The token is valid for 24 hours. During this time, the client can reuse it by tacitly acquiring tokens.

    (Video) Azure Files AD Authentication Integration

As in the native client flow, there should be two Azure AD applications (server and client) with a configured relationship between them.


  • The ID token is obtained by callingPublicClientApplication.loginRedirect()-Method and access token are obtained by callingPublicClientApplication.acquireTokenSilent(), orPublicClientApplication.acquireTokenRedirect()in case the silent acquisition fails. MSAL 2.0 also supports itPublicClientApplicationLoginPopup(), but some browsers block pop-ups, making it less useful than redirects.
  • MSAL 2.0 requires a login (also known as obtaining an ID token) before making a call to an access token.

MSAL.js 2.0 contains detailed sample applications for various frameworks such as React and Angular. For an example of using MSAL.js 2.0 to authenticate in a cluster using a React application, seeMSAL.js 2.0 React sample. For other frameworks, see the MSAL.js 2.0 documentation for an example application.

The following is a framework-independent code samplePlease helpCluster.

  1. Create an instance of MSALPublicClientApplication:

    import * kao msal iz „@azure/msal-browser“;const msalConfig = { auth: { clientId: „", authorization: "", },};const msalInstance = nova msal.PublicClientApplication(msalConfig);


    Make sure your application always callshandleRedirectPromise()whenever the page loads. This is because Azure AD adds the authorization code as part of the URIhandleRedirectPromise()The function extracts the authorization code from the URI and caches it.

    Awaiting msalInstance.handleRedirectPromise();
  2. Add login code if MSAL does not have locally cached accounts. Note the use of redirect scopes on the Azure AD side to give your application the permission it needs to access your cluster.

    const myAccounts = msalInstance.getAllAccounts();// If no account is logged in, redirects user to login. // No return statement needed here as the browser will redirect the user to the login page. if (myAccounts === undefined || myAccounts.length === 0) { try { waiting msalInstance.loginRedirect({ Ranges: [""], }); } Catch (err) { console.err(err); // error handling }}
  3. Add an invitation codemsalInstance.acquireTokenSilent()to obtain the actual access token required to access the specified cluster. If silent token collection fails, callgetTokenRedirect()to get a new token.

    const account = myAccounts[0]; const name =; window.document.getElementById("main").innerHTML = `HI ${name}!`; const accessTokenRequest = { account, scope: [""], }; let acceptTokenResult = undefined; try { acquireTokenResult = await msalInstance.acquireTokenSilent( accessTokenRequest); } Catch ( error ) { // If our access/update/ID token has expired, we need to redirect to AAD to get a new one. if (InteractionRequiredAuthError error instance) { await msalInstance.acquireTokenRedirect(accessTokenRequest); } } const accessToken = acceptTokenResult.accessToken;
  4. Finally, add the code to send the request to the specified cluster. You must add a tokenlicenseAn attribute in the request header for successful authentication. For example, the following code makes a request to run a querypracticedatabase inPlease helpCluster.

    const fetchResult = await fetch( "", { headers: { Authorization: `Holder ${accessToken}`, "Content-Type": "application/json ", }, method: "POST", body: JSON.stringify({ db: "Samples", csl: "StormEvents | count", }), } ); const jsonResult = await fetchResult.json(); // Die folgende Zeile extrahiert die erste Zelle in den Ergebnisdaten const count = jsonResult.filter((x) => x.TableKind == "PrimaryResult")[0].Rows[0][0];


How do I authenticate using Azure Active Directory? ›

You can customize the app registration in Azure AD once it's created.
  1. Sign in to the Azure portal and navigate to your app.
  2. Select Authentication in the menu on the left. ...
  3. Select Microsoft in the identity provider dropdown.

Which three authentication methods can Azure AD users use? ›

Available verification methods
  • Microsoft Authenticator.
  • Authenticator Lite (in Outlook)
  • Windows Hello for Business.
  • FIDO2 security key.
  • OATH hardware token (preview)
  • OATH software token.
  • SMS.
  • Voice call.
Mar 14, 2023

How do I enable Azure AD pass through authentication? ›

Sign in to the Entra admin center with the Hybrid Identity Administrator credentials for your tenant. Select Azure Active Directory. Select Azure AD Connect. Verify that the Pass-through authentication feature appears as Enabled.

How do I allow authenticate permissions in Active Directory? ›

You can apply the "Allowed to authenticate" permission to a OU, by configuring the permission to apply to all descendant computer objects; this will assign the permission to all computers in the OU. Right-click on the OU, select Properties, then Security, then click on "Advanced".

How to authenticate access to account by using Azure AD identities? ›

With Azure AD, access to a resource is a two-step process:
  1. First, the security principal's identity is authenticated and an OAuth 2.0 token is returned. ...
  2. Next, the token is passed as part of a request to the Blob service and used by the service to authorize access to the specified resource.
Mar 17, 2023

What are the 4 types of authentication? ›

The most common authentication methods are Password Authentication Protocol (PAP), Authentication Token, Symmetric-Key Authentication, and Biometric Authentication.

What are the three types of authentication? ›

Authentication factors can be classified into three groups: something you know: a password or personal identification number (PIN); something you have: a token, such as bank card; something you are: biometrics, such as fingerprints and voice recognition.

What are strong authentication methods? ›

Strong authentication methods typically involve dynamically generated OTPs or certificate- and context-based authentication. The OTP employs a security device in the user's possession and a back-end server.

What are Azure AD authentication capabilities? ›

Azure AD Multi-Factor Authentication (MFA) adds additional security over only using a password when a user signs in. The user can be prompted for additional forms of authentication, such as to respond to a push notification, enter a code from a software or hardware token, or respond to an SMS or phone call.

What is basic authentication in Azure AD? ›

Disabling Basic Authentication
  1. Go to Azure Active Directory, Security, Conditional Access.
  2. Select “New policy”
  3. Name the policy “Basic Authentication Reporting”
  4. Under “Users or workload identities,” select “All users” (or you could create a group of users to pilot with)
Sep 6, 2022

How many types of authentication are there in Azure? ›

Microsoft offers the following three passwordless authentication options that integrate with Azure Active Directory (Azure AD): Windows Hello for Business. Microsoft Authenticator app. FIDO2 security keys.

What is the difference between pass-through authentication and federation? ›

Pass-through Authentication and federation rely on on-premises infrastructure. For pass-through authentication, the on-premises footprint includes the server hardware and networking the Pass-through Authentication agents require. For federation, the on-premises footprint is even larger.

What is pass thru authentication? ›

The pass-through mechanism authenticates a user on the authenticating server, even if the user entry or password is on a different server. You can run a bind or compare operation against the authenticating server, even if the user entry or the credential is not on the server.

What is the difference between passthrough authentication and password hash? ›

Password hash synchronization—Synchronizes the hash of a user's Azure AD and on-premise Active Directory passwords. Pass-through authentication—Allows users to authenticate with the same password on both Azure AD and on-premise Active Directory.

What is the difference between authentication and authorization in Active Directory? ›

Authentication and authorization are two vital information security processes that administrators use to protect systems and information. Authentication verifies the identity of a user or service, and authorization determines their access rights.

How do I give authenticated users full control? ›

Set Permissions for Authenticated Users

Type auth and click OK to return the Authenticated Users group. Select Authenticated Users, then click Allow for Full Control. Click OK to set permissions for authenticated users, then OK again to close the properties page.

How do I authenticate a user against Active Directory? ›

AD authentication is a Windows-based system that authenticates and authorizes users, endpoints, and services to Active Directory. IT teams can use AD authentication to streamline user and rights management while achieving centralized control over devices and user configurations through the AD Group Policy feature.

What are the authentication methods in Azure AD API? ›

Authentication methods in Azure AD include password and phone (for example, SMS and voice calls), which are manageable in Microsoft Graph beta endpoint today, among many others such as FIDO2 security keys and the Microsoft Authenticator app.

What is the most used authentication method? ›

1. Password-based authentication. Also known as knowledge-based authentication, password-based authentication relies on a username and password or PIN. The most common authentication method, anyone who has logged in to a computer knows how to use a password.

Which is the most powerful authentication method among the four? ›

After traditional password-based login, Multi-Factor Authentication is the most trusted authentication mechanism. For improved security, password-based traditional authentication and Multi-Factor Authentication methods are usually used simultaneously.

What is the most secure authentication method? ›

3 Most Secure Authentication Methods
  • One-Time Password (OTP) An OTP and its sibling, time-based one-time passwords (TOTP), are unique temporary passwords. ...
  • Biometrics Authentication. If there's one thing that you always have with you, it's your body. ...
  • Continuous Authentication. ...
  • The Three Factors of Authentication.
Jun 20, 2022

Which three authentication methods can Azure AD users use to reset their password? ›

The following authentication methods are available for SSPR: Mobile app notification. Mobile app code. Email.

What are the two most commonly used authentication factors? ›

Authentication using two or more factors to achieve authentication. Factors include: (i) something you know (e.g., password/personal identification number [PIN]); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric).

What are the 3 ways of 2 factor authentication? ›

Let's explore the most popular forms of 2FA that you can use to secure your accounts today: SMS, OTP, and FIDO U2F.

What is strong authentication in Azure? ›

Authentication strength is based on the Authentication methods policy, where administrators can scope authentication methods for specific users and groups to be used across Azure Active Directory (Azure AD) federated applications.

What is the simplest authentication method? ›

HTTP Basic authentication is a simple authentication method for the client to provide a username and a password when making a request. This is the simplest possible way to enforce access control as it doesn't require cookies, sessions or anything else.

What is types 3 authentication best described as? ›

Type 3 – Something You Are – includes any part of the human body that can be offered for verification, such as fingerprints, palm scanning, facial recognition, retina scans, iris scans, and voice verification.

What is Azure AD authentication and authorization? ›

Azure Active Directory (Azure AD) is a centralized identity provider in the cloud. Delegating authentication and authorization to it enables scenarios such as: Conditional Access policies that require a user to be in a specific location. Multi-Factor Authentication which requires a user to have a specific device.

What type of authentication does Azure agent use? ›

By default, an Azure DevOps agent supports three different types of authentications: personal access tokens (PAT), negotiate, and windows credentials. According to the chosen authentication type, we can use a token or a combination of username and password.

What is the default authentication method for Active Directory? ›

Which Type of Authentication is Used in Active Directory? AD Authentication is a process that typically follows Kerberos protocol, where users have to log in using their credentials to gain access to resources.

What is the default authentication in AD? ›

The login attribute is the name used for the bind to the Active Directory database. The default login attribute is sAMAccountName. If you use sAMAccountName, you do not need to specify a value for the DN of Searching User and Password of Searching User settings.

What are the 3 types of authentication in asp net? ›

ASP.NET supports Forms Authentication, Passport Authentication, and Windows authentication providers. The mode is set to one of the authentication modes: Windows, Forms, Passport, or None.

How many levels of authentication are there? ›

Generally, there are three levels of authentication. The level of authentication your organization implements depends on the degree of confidentiality of the information stored, accessed, or used.

How do I verify my domain in Azure AD? ›

Verify the domain name with Azure AD
  1. Sign in with a user account that is a global administrator of your Azure AD directory.
  2. Open your directory and select the Domains tab.
  3. Select the domain name that you want to verify and select Verify on the command bar.
  4. Select Verify in the dialog box to complete the verification.
Feb 1, 2021

Is Azure AD used for authentication and authorization? ›

Azure Active Directory (Azure AD) is a centralized identity provider in the cloud. Delegating authentication and authorization to it enables scenarios such as: Conditional Access policies that require a user to be in a specific location. Multi-Factor Authentication which requires a user to have a specific device.

How do I check my Azure AD access? ›

You can also access the Azure Active Directory admin center from the Microsoft 365 admin center. In the left navigation pane of the Microsoft 365 admin center, click Admin centers > Azure Active Directory.

How do I verify Active Directory? ›

How can I tell if Active Directory is functioning properly? Run dcdiag to check on the status of Active Directory. This tool provides 30 tests on domain controllers. You have to run it in a Command Prompt window that has been run as Administrator.

How do I connect my local domain to Azure AD? ›

Install Azure AD Connect
  1. Start the Azure AD Connect installation. ...
  2. Choose Express Settings. ...
  3. Connect to Azure AD. ...
  4. (optional) Accept trusted site error. ...
  5. Login at Microsoft 365. ...
  6. Enter local Domain Administrator Account. ...
  7. Verify the domains. ...
  8. Finish the installation.
Apr 19, 2022

What is the difference between AD authentication and authorization? ›

Authentication and authorization are two vital information security processes that administrators use to protect systems and information. Authentication verifies the identity of a user or service, and authorization determines their access rights.

What is the difference between authentication and authorization in Azure? ›

In simple terms, authentication is the process of verifying who a user is, while authorization is the process of verifying what they have access to.

What is the difference between authentication and authorization in AD? ›

So, what is the difference between authentication and authorization? Simply put, authentication is the process of verifying who someone is, whereas authorization is the process of verifying what specific applications, files, and data a user has access to.

What are the authentication methods in Active Directory? ›

Active Directory supports only simple and SASL authentication mechanisms. The former is for LDAP simple binds, while the latter is for LDAP SASL binds (as documented in [RFC2829]). In addition, Active Directory supports a third mechanism named "Sicily" that is primarily intended for compatibility with legacy systems.

What type of authentication Azure AD provides? ›

Azure AD Multi-Factor Authentication (MFA) adds additional security over only using a password when a user signs in. The user can be prompted for additional forms of authentication, such as to respond to a push notification, enter a code from a software or hardware token, or respond to an SMS or phone call.

What are the advantages of authenticating to Active Directory? ›

Benefits of Active Directory. Active Directory simplifies life for administrators and end users while enhancing security for organizations. Administrators enjoy centralized user and rights management, as well as centralized control over computer and user configurations through the AD Group Policy feature.


1. API Authentication with OAuth using Azure AD
(Azure Power Lunch)
2. Azure AD Joined SSO Access to AD Joined Resources!
(John Savill's Technical Training)
3. Authenticating App Users with Azure Active Directory
4. Azure App Service Authentication - Inbuild with Azure AD
(Pachehra Talks)
5. Azure Active Directory (AD, AAD) Tutorial | Identity and Access Management Service
(Adam Marczak - Azure for Everyone)
6. Demo: Azure AD Authentication for Azure SQL | Azure SQL for beginners (Ep. 25)
(Microsoft Developer)
Top Articles
Latest Posts
Article information

Author: Greg O'Connell

Last Updated: 06/29/2023

Views: 5229

Rating: 4.1 / 5 (42 voted)

Reviews: 81% of readers found this page helpful

Author information

Name: Greg O'Connell

Birthday: 1992-01-10

Address: Suite 517 2436 Jefferey Pass, Shanitaside, UT 27519

Phone: +2614651609714

Job: Education Developer

Hobby: Cooking, Gambling, Pottery, Shooting, Baseball, Singing, Snowboarding

Introduction: My name is Greg O'Connell, I am a delightful, colorful, talented, kind, lively, modern, tender person who loves writing and wants to share my knowledge and understanding with you.