Use Conditional Access with Azure Data Explorer to reduce unauthorized access risk by requiring extra verification for selected users during data administration operations.
Conditional Access policies evaluate sign-in context and apply controls such as multifactor authentication (MFA).
In this article, you configure a policy in Microsoft Entra ID that requires MFA for selected users of the Azure Data Explorer web UI.
Prerequisites
- A Microsoft Entra ID P1 or P2 license. For licensing details, see Compare available features of Microsoft Entra ID.
- At least the Conditional Access Administrator role.
Note
Conditional Access policies apply at the tenant level, so they affect all clusters in the tenant. These policies apply to Azure Data Explorer data administration operations and don't affect resource administration operations.
Configure Conditional Access
Use the following steps to create a policy that requires MFA for selected users in Azure Data Explorer.
1. Sign in to the Azure portal as at least a Conditional Access Administrator.
2. In the Azure portal, go to Microsoft Entra ID > Security > Conditional Access.
3. Select New policy.
4. Give your policy a name. Use a meaningful naming standard.
5. Under Assignments, select Users and groups. Under Include > Select users and groups, select Users and groups, add the user or group you want to include for Conditional Access, and then select Select.
6. Under Cloud apps or actions, select Cloud apps. Under Include, select Select apps to see a list of all apps available for Conditional Access. Select Azure Data Explorer > Select.

   Note
   In some cases, the application name might be displayed as KustoService.
7. Under Conditions, set the conditions that you want to apply for all device platforms, and then select Done. For more information, see Microsoft Entra Conditional Access: Conditions.
8. Under Access controls, select Grant, select Require multi-factor authentication, and then select Select.
9. Set Enable policy to On, and then select Save.
10. Verify the policy by asking an assigned user to access the Azure Data Explorer web UI. The user is prompted for MFA.
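The following added example (not part of the original article and not Microsoft code) checks a policy exported in the Microsoft Graph conditionalAccessPolicy JSON shape against the settings chosen in the steps above. It goes slightly beyond the steps by also flagging report-only state, exclusions, and an OR grant that lets another control stand in for MFA. The two IDs and the sample policies are constructed placeholders.

```python
# Constructed placeholders: substitute the appId of the Azure Data Explorer
# (or KustoService) application and the object ID of your assigned group.
ADX_APP_ID = "00000000-0000-0000-0000-0000000000ad"
GROUP_ID = "00000000-0000-0000-0000-00000000006f"

def audit_policy(policy, app_id=ADX_APP_ID, group_id=GROUP_ID):
    """Return findings for one policy; an empty list means it enforces MFA
    for the group on the Azure Data Explorer application."""
    cond = policy.get("conditions") or {}
    apps = cond.get("applications") or {}
    users = cond.get("users") or {}
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    findings = []
    if policy.get("state") != "enabled":  # report-only or disabled never prompts
        findings.append("policy is not enabled")
    included = apps.get("includeApplications") or []
    if app_id not in included and "All" not in included:
        findings.append("Azure Data Explorer app not included")
    if app_id in (apps.get("excludeApplications") or []):
        findings.append("Azure Data Explorer app excluded")
    if (group_id not in (users.get("includeGroups") or [])
            and "All" not in (users.get("includeUsers") or [])):
        findings.append("group not included")
    if group_id in (users.get("excludeGroups") or []):
        findings.append("group excluded")
    if "mfa" not in controls:
        findings.append("MFA not required")
    elif grant.get("operator") == "OR" and len(controls) > 1:
        findings.append("another control can satisfy the policy instead of MFA")
    return findings

# Constructed sample in the shape of a Graph conditionalAccessPolicy export.
SAMPLE_POLICIES = [
    {"displayName": "ADX - require MFA", "state": "enabled",
     "conditions": {"applications": {"includeApplications": [ADX_APP_ID]},
                    "users": {"includeGroups": [GROUP_ID]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "ADX - pilot", "state": "enabledForReportingButNotEnforced",
     "conditions": {"applications": {"includeApplications": [ADX_APP_ID]},
                    "users": {"includeGroups": [GROUP_ID]}},
     "grantControls": {"operator": "OR",
                       "builtInControls": ["mfa", "compliantDevice"]}},
]

if __name__ == "__main__":
    for p in SAMPLE_POLICIES:
        print(p["displayName"], audit_policy(p) or "OK")
```

The second sample policy is reported twice: it is in report-only state, and its OR grant would accept a compliant device in place of MFA.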