Managed Identity policy

Applies to: ✅ Azure Data Explorer

ManagedIdentity is a policy that controls which managed identities can be used for what purposes. For example, you can configure a policy that allows a specific managed identity to be used for accessing a storage account for ingestion purposes.

This policy can be enabled at the cluster and database levels. The policy is additive, meaning that for every operation that involves a managed identity, the operation will be permitted if the usage is allowed at either the cluster or database level.

Permissions

Creating or altering a managed identity policy requires AllDatabasesAdmin permissions.

The ManagedIdentity policy object

A cluster or database may have zero or more ManagedIdentity policy objects associated with it. Each ManagedIdentity policy object has the following user-definable properties: DisplayName and AllowedUsages. Other properties are automatically populated from the managed identity associated with the specified ObjectId and displayed for convenience.

The following table describes the properties of the ManagedIdentity policy object:

Property Type Required Description
ObjectId string ✔️ Either the actual object ID of the managed identity or the reserved keyword system to reference the System Managed Identity of the cluster on which the command is run.
ClientId string Not applicable The client ID of the managed identity.
TenantId string Not applicable The tenant ID of the managed identity.
DisplayName string Not applicable The display name of the managed identity.
IsSystem bool Not applicable A Boolean value indicating true if the identity is a System Managed Identity; false if otherwise.
AllowedUsages string ✔️ A list of comma-separated allowed usage values for the managed identity. See managed identity usages.

The following is an example of a ManagedIdentity policy object:

{
  "ObjectId": "<objectID>",
  "ClientId": "<clientID>",
  "TenantId": "<tenantID",
  "DisplayName": "myManagedIdentity",
  "IsSystem": false,
  "AllowedUsages": "NativeIngestion, ExternalTable"
}

Managed identity usages

The following values specify authentication to a usage using the configured managed identity:

Value Description
All All current and future usages are allowed.
AutomatedFlows Run a Continuous Export or Update Policy automated flow on behalf of a managed identity.
DataConnection Authenticate to data connections to an Event Hub or an Event Grid.
ExternalTable Authenticate to external tables using connection strings configured with a managed identity.
NativeIngestion Authenticate to an SDK for native ingestion from an external source.
SandboxArtifacts Authenticate to external artifacts referenced in sandboxed plugins (e.g., Python) with a managed identity. This usage needs to be defined on the cluster level managed identity policy.
SqlRequest Authenticate to an external database using the sql_request or cosmosdb_request plugin with a managed identity.