Authenticate with Azure AD for access (2023)

  • Article

The recommended way to access your cluster is by authenticating to theAzure Active Directory (Azure AD) service; doing so guarantees privacy of the accessing principal's directory credentials.

To do so, the client performs a two-steps process:

  1. In the first step, the client:
    1. Communicates with the Azure AD service.
    2. Authenticates to the Azure AD service.
    3. Requests an access token issued specifically for your cluster.
  2. In the second step, the client issues requests to your cluster, providing the access token acquired in the first step as a proof of identity to your cluster.

The request is then executed on behalf of the security principal for which Azure AD issued the access token.All authorization checks are performed using this identity.

In most cases, the recommendation is to use one of the Kusto SDKs to access theservice programmatically, as they remove much of the hassle of implementing theflow (and much more). For more information, see the .NET SDK.The authentication properties are then set by the Kusto connection string.If that isn't possible, continue reading for detailed information on how to implement this flow yourself.

The main authenticating scenarios are:

  • A client application authenticating a signed-in user.In this scenario, an interactive (client) application triggers an Azure AD promptto the user for credentials (such as username and password).See user authentication,

  • A "headless" application.In this scenario, an application is running with no user present to providecredentials. Instead the application authenticates as "itself" to Azure ADusing some credentials it has been configured with.See application authentication.

  • On-behalf-of authentication.In this scenario, sometimes called the "web service" or "web app" scenario,the application gets an Azure AD access token from another application, and then"converts" it to another Azure AD access token that can be used to access your cluster.In other words, the application acts as a mediator between the user or applicationthat provided credentials and the engine service.See on-behalf-of authentication.

Specifying the Azure AD resource

When acquiring an access token from Azure AD, the client must indicate which Azure AD resourcethe token should be issued to. The Azure AD resource of an endpoint is theURI of the endpoint, barring the port information and the path. For example:

Alternatively, clients may also request an access token with a cloud-static resource ID, such as

(Video) Authenticating App Users with Azure Active Directory

(for public cloud services). Clients doing so must make sure that they only send this access tokento a Kusto service endpoint, based on the host name suffix (here, the access token to untrusted service endpoints might result in token leakage, allowing thereceiving service to perform operations on any Kusto service endpoint to which theprincipal has access.

Specifying the Azure AD tenant ID

Azure AD is a multi-tenant service, and every organization can create an object calleddirectory in Azure AD. The directory object holds security-related objects suchas user accounts, applications, and groups. Azure AD often refers to the directoryas a tenant. Azure AD tenants are identified by a GUID (tenant ID). In manycases, Azure AD tenants can also be identified by the domain name of the organization.

For example, an organization called "Contoso" might have the tenant ID4da81d62-e0a8-4899-adad-4349ca6bfe24 and the domain name

Specifying the Azure AD authority endpoint

Azure AD has many endpoints for authentication:

  • When the tenant hosting the principal being authenticated is known(in other words, when one knows which Azure AD directory the user or applicationare in), the Azure AD endpoint is{tenantId}.Here, {tenantId} is either the organization's tenant ID in Azure AD, or itsdomain name (for example,

  • When the tenant hosting the principal being authenticated isn't known,the "common" endpoint can be used by replacing the {tenantId} abovewith the value common.


The Azure AD service endpoint used for authentication is also called Azure AD authority URLor simply Azure AD authority.


The Azure AD service endpoint changes in national clouds. When working with a clusterdeployed in a national cloud, please set the corresponding national cloud Azure AD service endpoint.To change the endpoint, set an environment variable AadAuthorityUri to the required URI.

Azure AD local token cache

While using the Kusto SDK, the Azure AD tokens are stored on the local machine in aper-user token cache (a file called %APPDATA%\Kusto\ which canonly be accessed or decrypted by the signed-in user.) The cache is inspectedfor tokens before prompting the user for credentials, reducing thenumber of times a user is prompted for credentials.

(Video) How to Authenticate an Azure AD, Configure Azure Web App to Use Azure Active Directory


The Azure AD token cache reduces the number of interactive prompts, but doesn'treduce them completely. Additionally, users cannot anticipate in advance whenthey will be prompted for credentials.This means that one must not attempt to use a user account to authenticate ifthere's a need to support non-interactive logons (such as when scheduling tasksfor example), because when the time comes for prompting the logged on user forcredentials that prompt will fail if running under non-interactive logon.

User authentication

The easiest way to access your cluster with user authentication is to use the Kusto SDKand set the Federated Authentication property of the connection string totrue. The first time the SDK is used to send a request to the service the userwill be presented with a sign-in form to enter the Azure AD credentials. Following asuccessful authentication the request will be sent.

Applications that don't use the Kusto SDK can still use the Microsoft Authentication Library (MSAL) instead of implementing the Azure AD service security protocol client. See Azure AD and OpenID Connectfor an example of doing so from a .NET application.

If your application is intended to serve as front-end and authenticate users for an Azure Data Explorer cluster, the application must be granted delegated permissions on Azure Data Explorer.The full step-by-step process is described in Configure delegated permissions for the application registration.

The following brief code snippet demonstrates using Microsoft Authentication Library (MSAL) to acquire an Azure AD user token to access a cluster (launches sign-in UI):

var kustoUri = "https://<clusterName>.<region>";// Create a public authentication client for Azure AD:var authClient = PublicClientApplicationBuilder.Create("<appId>") .WithAuthority($"<appTenant>") .WithRedirectUri("<appRedirectUri>") .Build();// Acquire user token for the interactive user for Azure Data Explorer:var result = authClient.AcquireTokenInteractive( new[] { $"{kustoUri}/.default" } // Define scopes for accessing Azure Data Explorer cluster).ExecuteAsync().Result;// Extract Bearer access token var bearerToken = result.AccessToken;// Create an HTTP request and set the Authorization header on your request:var request = WebRequest.Create(new Uri(kustoUri));request.Headers.Set(HttpRequestHeader.Authorization, string.Format(CultureInfo.InvariantCulture, "{0} {1}", "Bearer", bearerToken));

Application authentication

The following brief code snippet demonstrates using Microsoft Authentication Library (MSAL) to acquire an Azure AD application token to access a cluster. In this flow no prompt is presented, andthe application must be registered with Azure AD and equipped with credentials neededto perform application authentication (such as an app key issued by Azure AD,or an X509v2 certificate that has been pre-registered with Azure AD).

var kustoUri = "https://<clusterName>.<region>";// Create a confidential authentication client for Azure AD:var authClient = ConfidentialClientApplicationBuilder.Create("<appId>") .WithAuthority($"<appTenant>") .WithClientSecret("<appKey>") // can be replaced by .WithCertificate to authenticate with an X.509 certificate .Build();// Acquire aplpication token for Azure Data Explorer:var result = authClient.AcquireTokenForClient( new[] { $"{kustoUri}/.default" } // Define scopes for accessing Azure Data Explorer cluster).ExecuteAsync().Result;// Extract Bearer access token var bearerToken = result.AccessToken;// Create an HTTP request and set the Authorization header on your request:var request = WebRequest.Create(new Uri(kustoUri));request.Headers.Set(HttpRequestHeader.Authorization, string.Format(CultureInfo.InvariantCulture, "{0} {1}", "Bearer", bearerToken));

On-behalf-of authentication

In this scenario, an application was sent an Azure AD access token for some arbitraryresource managed by the application, and it uses that token to acquire a new Azure ADaccess token for the resource so that the application could access Kustoon behalf of the principal indicated by the original Azure AD access token.

This flow is called theOAuth2 token exchange flow.It generally requires multiple configuration steps with Azure AD, and in some cases(depending on the Azure AD tenant configuration) might require special consent fromthe administrator of the Azure AD tenant.

Step 1: Establish trust relationship between your application and your cluster

  1. Open the Azure portal and make sure that you'resigned-in to the correct tenant (see top/right corner for the identityused to sign in to the portal).

  2. On the resources pane, select Azure Active Directory, then App registrations.

    (Video) Azure AD Authentication Methods and Policies

  3. Locate the application that uses the on-behalf-of flow and open it.

  4. Select API permissions, then Add a permission.

  5. Search for the application named Azure Data Explorer and select it.

  6. Select user_impersonation / Access Kusto.

  7. Select Add permission.

Step 2: Perform token exchange in your server code

// Create a confidential authentication client for Azure AD:var authClient = ConfidentialClientApplicationBuilder.Create("<appId>") .WithAuthority($"<appTenant>") .WithClientSecret("<appKey>") // can be replaced by .WithCertificate to authenticate with an X.509 certificate .Build();// Acquire on-behalf-of user token for the interactive user for Azure Data Explorer based on provided token:var result = authClient.AcquireTokenOnBehalfOf( new[] { "https://<clusterName>.<region>" }, // Define scopes for accessing Azure Data Explorer cluster new UserAssertion("<userAccessToken>") // Encode the "original" token that will be used for exchange).ExecuteAsync().Result;var accessTokenForAdx = result.AccessToken;

Step 3: Provide the token to Kusto client library and execute queries

// Create KustoConnectionStringBuilder using the previously acquired Azure AD tokenvar connectionStringBuilder = new KustoConnectionStringBuilder("https://<clusterName>.<region>") .WithAadUserTokenAuthentication(accessTokenForAdx);// Create an ADX query client base on the conneciton string objectusing var queryClient = KustoClientFactory.CreateCslQueryProvider(connectionStringBuilder);// Execute queryvar queryResult = await queryClient.ExecuteQueryAsync("<databaseName>", "<query>", null);

Web Client (JavaScript) authentication and authorization

Azure AD application configuration

In addition to the standard steps for setting up an Azure AD application, you'll also need to enable the single-page application (SPA) setting on your Azure AD application. This enables OAuth authorization code flow with PKCE for obtaining tokens used by MSAL.js 2.0 (MSAL 1.0 used a less secure implicit grant flow). Use the MSAL 2.0 steps in the SPA app registration scenario to configure the app accordingly.


When the client is a JavaScript code running in the user's browser, the auth code flow is used. The authentication flow consists of two stages:

  1. The app is redirected to sign in to Azure AD. Once signed in, Azure AD redirects back to the app with an authorization code in the URI.

  2. The app makes a request to the token endpoint to get the access token. The token is valid for 24 hour during which the client can reuse it by acquiring the token silently.

    (Video) AZ-900 Episode 25 | Azure Identity Services | Authentication, Authorization & Active Directory (AD)

Like in the native client flow, there should be two Azure AD applications (server and client) with a configured relationship between them.


  • The ID token is obtained by calling the PublicClientApplication.loginRedirect() method, and access tokens are obtained by calling PublicClientApplication.acquireTokenSilent(), or PublicClientApplication.acquireTokenRedirect() in case silent acquisition failed. MSAL 2.0 also supports PublicClientApplicationloginPopup(), but some browser block pop-ups which makes it less useful than a redirect.
  • MSAL 2.0 requires signing in (also known as getting an ID token) before any access token calls are made.

MSAL.js 2.0 has detailed sample apps for different frameworks such as React and Angular. For an example of how to use MSAL.js 2.0 to authenticate to a cluster using a React application, see the MSAL.js 2.0 React sample. For other frameworks, check the MSAL.js 2.0 documentation to find a sample app.

The following is a framework-independent code sample for connecting to the Help cluster.

  1. Create an instance of the MSAL PublicClientApplication:

    import * as msal from "@azure/msal-browser";const msalConfig = { auth: { clientId: "<AAD client application ID>", authority: "<AAD tenant ID>", },};const msalInstance = new msal.PublicClientApplication(msalConfig);


    Make sure your application always calls handleRedirectPromise() whenever the page loads. This is because Azure AD adds the authorization code as part of the URI and the handleRedirectPromise() function extracts the authorization code from URI and caches it.

    await msalInstance.handleRedirectPromise();
  2. Add the code to sign in if the MSAL doesn't have any locally cached accounts. Note the use of scopes to redirect to the Azure AD page for providing your app with the permission required to access your cluster.

    const myAccounts = msalInstance.getAllAccounts();// If no account is logged in, redirect the user to log in.// no need for a return statement here, because the browser will redirect the user to the login page.if (myAccounts === undefined || myAccounts.length === 0) { try { await msalInstance.loginRedirect({ scopes: [""], }); } catch (err) { console.err(err); // handle error }}
  3. Add the code to call msalInstance.acquireTokenSilent() to get the actual access token required to access the specified cluster. If silent token acquisition fails, call acquireTokenRedirect() to get a new token.

     const account = myAccounts[0]; const name =; window.document.getElementById("main").innerHTML = `HI ${name}!`; const accessTokenRequest = { account, scopes: [""], }; let acquireTokenResult = undefined; try { acquireTokenResult = await msalInstance.acquireTokenSilent( accessTokenRequest ); } catch (error) { // if our access / refresh / id token is expired we need redirect to AAD to get a new one. if (error instanceof InteractionRequiredAuthError) { await msalInstance.acquireTokenRedirect(accessTokenRequest); } } const accessToken = acquireTokenResult.accessToken;
  4. Finally, add code to make requests to the specified cluster. You must add the token in the Authorization attribute in the request header for the authentication to succeed. For example, the following code makes a request to run a query against the Samples database in the Help cluster.

    const fetchResult = await fetch( "", { headers: { Authorization: `Bearer ${accessToken}`, "Content-Type": "application/json", }, method: "POST", body: JSON.stringify({ db: "Samples", csl: "StormEvents | count", }), } ); const jsonResult = await fetchResult.json(); // the following line extracts the first cell in the result data const count = jsonResult.filter((x) => x.TableKind == "PrimaryResult")[0].Rows[0][0];


Authenticate with Azure AD for access? ›

In the Azure portal menu, select Resource groups, or search for and select Resource groups from any page. In Resource groups, find and select your resource group. In Overview, select your app's management page. On your app's left menu, select Authentication, and then click Add identity provider.

How to authenticate access to account by using Azure AD identities? ›

With Azure AD, access to a resource is a two-step process:
  1. First, the security principal's identity is authenticated and an OAuth 2.0 token is returned. ...
  2. Next, the token is passed as part of a request to the Blob service and used by the service to authorize access to the specified resource.
Mar 17, 2023

Which three authentication methods can Azure AD users use? ›

Available verification methods
  • Microsoft Authenticator.
  • Authenticator Lite (in Outlook)
  • Windows Hello for Business.
  • FIDO2 security key.
  • OATH hardware token (preview)
  • OATH software token.
  • SMS.
  • Voice call.
Mar 14, 2023

How do I authenticate an app using Azure AD? ›

In the Azure portal menu, select Resource groups, or search for and select Resource groups from any page. In Resource groups, find and select your resource group. In Overview, select your app's management page. On your app's left menu, select Authentication, and then click Add identity provider.

Can Azure AD be used to manage access to on-premises application? ›

Which features work in Azure AD? Manage your cloud and on-premises apps using Application Proxy, single sign-on, the My Apps portal, and Software as a Service (SaaS) apps. For more information, see How to provide secure remote access to on-premises applications and Application Management documentation.

How do I authenticate a user against Active Directory? ›

AD authentication is a Windows-based system that authenticates and authorizes users, endpoints, and services to Active Directory. IT teams can use AD authentication to streamline user and rights management while achieving centralized control over devices and user configurations through the AD Group Policy feature.

How do I authenticate a user in Active Directory? ›

How Does Authentication Work in Active Directory?
  1. The client requests an authentication ticket from the AD server.
  2. The AD server returns the ticket to the client.
  3. The client sends this ticket to the Endpoint Server.
  4. The Server then returns an acknowledgment of authentication to the client.

What type of authentication does Azure AD provide? ›

Azure AD Multi-Factor Authentication (MFA) adds additional security over only using a password when a user signs in. The user can be prompted for additional forms of authentication, such as to respond to a push notification, enter a code from a software or hardware token, or respond to an SMS or phone call.

What are the default authentication methods for Azure AD? ›

Authentication methods

Security defaults users are required to register for and use Azure AD Multifactor Authentication using the Microsoft Authenticator app using notifications. Users may use verification codes from the Microsoft Authenticator app but can only register using the notification option.

Is Azure AD used for authentication and authorization? ›

Azure Active Directory (Azure AD) is a centralized identity provider in the cloud. Delegating authentication and authorization to it enables scenarios such as: Conditional Access policies that require a user to be in a specific location. Multi-Factor Authentication which requires a user to have a specific device.

What is the difference between authentication and authorization in Azure? ›

In simple terms, authentication is the process of verifying who a user is, while authorization is the process of verifying what they have access to.

How to enable Basic authentication in Azure Active Directory? ›

Basic Authentication Sign-in Log in Azure AD
  1. Open the Azure Portal;
  2. Go to the Azure Active Directory -> Sign-in logs;
  3. Select the date range Last 1 month;
  4. Add filter by field Client App;
  5. Select all Legacy Authentication Clients for this filter.
Sep 29, 2021

What is the difference between authentication and authorization? ›

Authentication and authorization are two vital information security processes that administrators use to protect systems and information. Authentication verifies the identity of a user or service, and authorization determines their access rights.

Can Azure Active Directory be used to manage access? ›

Azure AD lets you use groups to manage access to applications, data, and resources. Resources can be: Part of the Azure AD organization, such as permissions to manage objects through roles in Azure AD. External to the organization, such as for Software as a Service (SaaS) apps.

Which Azure Active Directory feature is used to provide access? ›

Conditional access is the tool used by Azure AD to bring together signals, make decisions, and enforce organizational policies.

Is Azure AD an authorization server? ›

Azure AD: Azure AD is the authorization server, also known as the Identity Provider (IdP). It securely handles anything to do with the user's information, their access, and the trust relationship. It's responsible for issuing the tokens that grant and revoke access to resources.

What is the difference between Windows authentication and AD authentication? ›

Windows authentication enables the separation of duties. The Active Directory (AD) team manages the AD users. Whereas, the DBA adds AD users in the SQL instances and provides appropriate permissions. Active Directory helps to create Windows groups.

What are the advantages of authenticating to Active Directory? ›

Benefits of Active Directory. Active Directory simplifies life for administrators and end users while enhancing security for organizations. Administrators enjoy centralized user and rights management, as well as centralized control over computer and user configurations through the AD Group Policy feature.

How does LDAP authentication work? ›

When a user tries to access a resource, a request is sent to the LDAP authentication server. The LDAP server validates the entered username-password against the data in the directory. If there is a match, it then checks whether the user is authorized to access the requested resource.

What methods can be used to authenticate a user? ›

5 Common Authentication Types
  • Password-based authentication. Passwords are the most common methods of authentication. ...
  • Multi-factor authentication. ...
  • Certificate-based authentication. ...
  • Biometric authentication. ...
  • Token-based authentication.

How did you authenticate and authorize a user? ›

Authentication works through passwords, one-time pins, biometric information, and other information provided or entered by the user. Authorization works through settings that are implemented and maintained by the organization. Authentication is the first step of a good identity and access management process.

How do I give authenticated users permissions? ›

Set Permissions for Authenticated Users

Type auth and click OK to return the Authenticated Users group. Select Authenticated Users, then click Allow for Full Control. Click OK to set permissions for authenticated users, then OK again to close the properties page.

How does Active Directory differ from Azure AD authentication? ›

Credentials in Active Directory are based on passwords, certificate authentication, and smartcard authentication. Passwords are managed using password policies that are based on password length, expiry, and complexity. Azure AD uses intelligent password protection for cloud and on-premises.

What is the difference between Active Directory and Azure AD? ›

Azure AD is not simply a cloud version of AD as the name might suggest. Although it performs some of the same functions, it is quite different. Azure Active Directory is a secure online authentication store, which can contain users and groups.

What is the difference between Active Directory and Azure Active Directory? ›

Active Directory (AD) is great at managing traditional on-premise infrastructure and applications. Azure AD is great at managing user access to cloud applications. You can use both together, or if you want to have a purely cloud-based environment you can just use Azure AD.

What are the 4 types of authentication? ›

The most common authentication methods are Password Authentication Protocol (PAP), Authentication Token, Symmetric-Key Authentication, and Biometric Authentication.

What is basic authentication for a user in Azure? ›

The basic authentication protocol

The client side sends authentication credentials to the server using the Authorization header that is constructed like this: "username:password" format is used to combine username and password into one string. The resulting string is then encoded using Base64.

What are the three types of authentication? ›

Authentication factors can be classified into three groups: something you know: a password or personal identification number (PIN); something you have: a token, such as bank card; something you are: biometrics, such as fingerprints and voice recognition.

Does Azure AD require MFA to join? ›

To secure user sign-in events in Azure AD, you can require multi-factor authentication (MFA). Enabling Azure AD Multi-Factor Authentication using Conditional Access policies is the recommended approach to protect users.

Which is more important authentication or authorization? ›

In secure environments, authorization must always follow authentication. Users should first prove that their identities are genuine before an organization's administrators grant them access to the requested resources.

What is authentication vs authorization vs access control? ›

The authentication of a user involves the verification of the provided credentials against those present in the database; authorization is the process by which a system determines whether the user possesses substantial enough privileges to access the requested resources or not, and access control is the process by ...

What is authentication and authorization in Active Directory? ›

What is AD authorization? AD authorization process is used to secure the AD resources from unauthorized access. After a user is authenticated using the AD authentication process, the resources that the user can access are also defined.

How can you get access to Azure Active Directory? ›

Access Azure Active Directory
  1. Go to and sign in with your work or student account.
  2. In the left navigation pane in the Azure portal, click Azure Active Directory. The Azure Active Directory admin center is displayed.
Feb 16, 2023

How to do authentication in Azure Function? ›

Enable App Service Authentication
  1. Go to the resource page of your function app on Azure portal.
  2. Select Settings -> Authentication.
  3. Select Add identity provider.
  4. Select Microsoft from the Identity provider list. ...
  5. Select Add to complete the settings.
Feb 28, 2023

What type of authentication is used by Azure AD managed identities? ›

Azure AD returns a JSON Web Token (JWT) access token. Your code sends the access token on a call to a service that supports Azure AD authentication.

Which service is used in Azure for authentication & authorization of identities? ›

Azure App Service provides built-in authentication and authorization capabilities (sometimes referred to as "Easy Auth"), so you can sign in users and access data by writing minimal or no code in your web app, RESTful API, and mobile back end, and also Azure Functions.

How do I access my storage account using managed identity? ›

  1. Prerequisites. ...
  2. Create a storage account. ...
  3. Create a blob container in the storage account. ...
  4. Grant your VM's system-assigned managed identity access to use a storage SAS. ...
  5. Get an access token using the VM's identity and use it to call Azure Resource Manager. ...
  6. Get a SAS credential from Azure Resource Manager to make storage calls.
Mar 15, 2023

What are Azure AD authentication methods pass through? ›

Azure Active Directory (Azure AD) Pass-through Authentication allows your users to sign in to both on-premises and cloud-based applications by using the same passwords. Pass-through Authentication signs users in by validating their passwords directly against on-premises Active Directory.


1. Azure AD Authentication Strengths Unleashed!
(Andy Malone MVP)
2. API Authentication with OAuth using Azure AD
(Azure Power Lunch)
3. Authenticate to Azure AD with a Yubikey!
(Ben Stegink - Intelligink)
4. Azure App Service Authentication - Inbuild with Azure AD
(Pachehra Talks)
5. Azure AD Joined SSO Access to AD Joined Resources!
(John Savill's Technical Training)
6. Integrate Azure SQL with Azure Active Directory
Top Articles
Latest Posts
Article information

Author: Chrissy Homenick

Last Updated: 20/06/2023

Views: 6067

Rating: 4.3 / 5 (74 voted)

Reviews: 81% of readers found this page helpful

Author information

Name: Chrissy Homenick

Birthday: 2001-10-22

Address: 611 Kuhn Oval, Feltonbury, NY 02783-3818

Phone: +96619177651654

Job: Mining Representative

Hobby: amateur radio, Sculling, Knife making, Gardening, Watching movies, Gunsmithing, Video gaming

Introduction: My name is Chrissy Homenick, I am a tender, funny, determined, tender, glorious, fancy, enthusiastic person who loves writing and wants to share my knowledge and understanding with you.