Configure Conditional Access for Azure Data Explorer

Use Conditional Access with Azure Data Explorer to reduce unauthorized access risk by requiring extra verification for selected users during data administration operations.

Conditional Access policies evaluate sign-in context and apply controls such as multifactor authentication (MFA).

In this article, you configure a policy in Microsoft Entra ID that requires MFA for selected users of the Azure Data Explorer web UI.

Prerequisites

Note

Conditional Access policies apply at the tenant level, so they affect all clusters in the tenant. These policies apply to Azure Data Explorer data administration operations and don't affect resource administration operations.

Configure Conditional Access

Use the following steps to create a policy that requires MFA for selected users in Azure Data Explorer.

  1. Sign in to the Azure portal as at least a Conditional Access Administrator.

  2. In the Azure portal, go to Microsoft Entra ID > Security > Conditional Access.

  3. Select New policy.

    Screenshot of the Security page, showing the Conditional Access tab.

  4. Give your policy a name. Use a meaningful naming standard.

  5. Under Assignments, select Users and groups. Under Include > Select users and groups, select Users and groups, add the user or group you want to include for Conditional Access, and then select Select.

    Screenshot of the users and groups section, showing the assignment of users.

  6. Under Cloud apps or actions, select Cloud apps. Under Include, select Select apps to see a list of all apps available for Conditional Access. Select Azure Data Explorer > Select.

    Note

    In some cases, the application name might be displayed as KustoService.

    Screenshot of the cloud apps section, showing the selection of the Azure Data Explorer app.

  7. Under Conditions, set the conditions that you want to apply for all device platforms, and then select Done. For more information, see Microsoft Entra Conditional Access: Conditions.

    Screenshot of the conditions section, showing the assignment of conditions.

  8. Under Access controls, select Grant, select Require multi-factor authentication, and then select Select.

    Screenshot of the access controls section, showing the granting access requirements.

  9. Set Enable policy to On, and then select Save.

    Screenshot of the enable policy section, showing the policy being turned on.

  10. Verify the policy by asking an assigned user to access the Azure Data Explorer web UI. The user is prompted for MFA.

    Screenshot of the multifactor authentication prompt shown to a user during sign-in.
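The portal steps above can be checked offline against a policy exported as JSON. The following is an added example, not code from the original article or from Microsoft: it assumes the export uses the Microsoft Graph conditionalAccessPolicy shape, and the function name audit_policy, the group ID, and the application ID (a placeholder) are hypothetical.

```python
import json

# Placeholder, not a real ID: use the app ID your tenant shows for Azure Data Explorer.
ADX_APP_ID = "00000000-0000-0000-0000-000000000000"

# Constructed sample in the Microsoft Graph conditionalAccessPolicy shape.
SAMPLE_POLICY = json.loads("""
{
  "displayName": "ADX - require MFA - data admins",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": {"includeGroups": ["group-data-admins"], "excludeGroups": []},
    "applications": {"includeApplications": ["00000000-0000-0000-0000-000000000000"]}
  },
  "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]}
}
""")

def audit_policy(policy, app_id=ADX_APP_ID, required_groups=()):
    """Return findings; an empty list means the policy matches the steps."""
    findings = []
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    apps = (cond.get("applications") or {}).get("includeApplications") or []
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    # Step 9: only "enabled" enforces; report-only logs without prompting.
    if policy.get("state") != "enabled":
        findings.append(f"state is {policy.get('state')}: policy is not enforced")
    # Step 6: the policy must target the Azure Data Explorer app (or all apps).
    if app_id not in apps and "All" not in apps:
        findings.append("Azure Data Explorer is not in includeApplications")
    # Step 5: each intended group must be included and not excluded.
    everyone = "All" in (users.get("includeUsers") or [])
    for group in required_groups:
        if group in (users.get("excludeGroups") or []):
            findings.append(f"group {group} is excluded")
        elif not everyone and group not in (users.get("includeGroups") or []):
            findings.append(f"group {group} is not included")
    # Step 8: MFA must be mandatory, not one alternative among several.
    if "mfa" not in controls:
        findings.append("grant controls do not require MFA")
    elif len(controls) > 1 and grant.get("operator") == "OR":
        findings.append("MFA is optional: another control can satisfy the grant")
    return findings

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY, required_groups=["group-data-admins"]):
        print("FINDING:", finding)
```

The constructed sample yields two findings: the policy is in report-only state, and the OR operator lets a compliant device satisfy the grant without MFA.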