
Create a Microsoft Entra application registration in Azure Data Explorer

Microsoft Entra application authentication is used for applications, such as an unattended service or a scheduled flow, that need to access Azure Data Explorer without a user present. If you're connecting to an Azure Data Explorer database using an application, such as a web app, you should authenticate using service principal authentication. This article details how to create and register a Microsoft Entra service principal and then authorize it to access an Azure Data Explorer database.

Create Microsoft Entra application registration

Microsoft Entra application authentication requires creating and registering an application with Microsoft Entra ID. A service principal is automatically created when the application registration is created in a Microsoft Entra tenant.

The app registration can be created either in the Azure portal or programmatically with the Azure CLI. Choose the tab that fits your scenario.

Register the app

  1. Sign in to Azure portal and open Microsoft Entra ID.

  2. In the left navigation pane, go to Manage. Select App registrations and then New registration.

    Screenshot showing how to start a new app registration.

  3. Enter a name for the application, such as "example-app".

  4. Select a supported account type, which determines who can use the application.

  5. Under Redirect URI, select Web for the type of application you want to create. The URI is optional and is left blank in this case.

    Screenshot showing how to register a new app registration.

  6. Select Register.

Set up authentication

Two types of authentication are available for service principals: password-based authentication (an application secret) and certificate-based authentication. The following section describes password-based authentication for the application's credentials. Alternatively, you can authenticate your application with an X.509 certificate. For more information, see How to configure Microsoft Entra certificate-based authentication.

In this section, you copy the following values: the application ID and the key value. Paste these values somewhere, like a text editor, for use when you grant the service principal access to the database.

  1. Browse to the Overview section.

  2. Copy the Application (client) ID and the Directory (tenant) ID.

    Note

    You need the application ID and the tenant ID to authorize the service principal to access the database.

  3. In the left navigation pane, go to Manage. Select Certificates & secrets and New client secret.

    Screenshot showing how to start the creation of client secret.

  4. Enter a description and expiration.

  5. Select Add.

  6. Copy the key value.

    Note

    When you leave this page, you can't access the key value.

You created your Microsoft Entra application and service principal.

Configure delegated permissions for the application - optional

If your application needs to access your database by using the credentials of the calling user, configure delegated permissions for your application. An example is a web API that authenticates by using the credentials of the user who is calling the API.

If you only need access to an authorized data resource, you can skip this section and continue to Grant a service principal access to the database.

  1. Browse to the API permissions section of your App registration.

  2. Select Add a permission.

  3. Select APIs my organization uses.

  4. Search for and select Azure Data Explorer.

    Screenshot showing how to add Azure Data Explorer API permission.

  5. In Delegated permissions, select the user_impersonation box.

  6. Select Add permissions.

    Screenshot showing how to select delegated permissions with user impersonation.

Grant a service principal access to the database

After creating your application registration, grant the corresponding service principal access to your database. The following example grants viewer access. For other roles, see Manage database permissions.

  1. Use the values of Application ID and Tenant ID as copied in a previous step.

  2. Run the following command in your query editor, replacing the placeholders DatabaseName, ApplicationID, TenantID, and Notes with your own values:

    .add database <DatabaseName> viewers ('aadapp=<ApplicationID>;<TenantID>') '<Notes>'
    

    For example:

    .add database Logs viewers ('aadapp=1234abcd-e5f6-g7h8-i9j0-1234kl5678mn;9876abcd-e5f6-g7h8-i9j0-1234kl5678mn') 'App Registration'
    

    The last parameter is a string that shows up as notes when you query the roles associated with a database.

    Note

    After creating the application registration, you might need to wait several minutes until it can be referenced. If you receive an error that the application isn't found, wait and try again.

For more information on roles, see Role-based access control.
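The aadapp=<ApplicationID>;<TenantID> principal string and the .add database command are the article's. The following Python helper is an added example (not Microsoft's code) that builds that command: it rejects application or tenant IDs that are not GUIDs and quotes the notes as a KQL string literal so a stray quote cannot break the command. The article's sample IDs are illustrative placeholders rather than real GUIDs, which is exactly what the check flags. The list of database roles and the conservative database-name check are my assumptions.

```python
import re

# Database-level roles accepted by ".add database" (assumption: the roles documented for
# Azure Data Explorer; "viewers" is the one the article grants).
DATABASE_ROLES = {"admins", "users", "viewers", "unrestrictedviewers", "ingestors", "monitors"}

# Entra application (client) IDs and directory (tenant) IDs are GUIDs: 8-4-4-4-12 hex digits.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def is_guid(value: str) -> bool:
    """True when value has the GUID shape the portal shows for application and tenant IDs."""
    return bool(GUID_RE.match(value))


def kql_string(text: str) -> str:
    """Quote text as a single-quoted KQL string literal, escaping backslashes and quotes."""
    return "'" + text.replace("\\", "\\\\").replace("'", "\\'") + "'"


def aadapp_principal(app_id: str, tenant_id: str) -> str:
    """Build the 'aadapp=<ApplicationID>;<TenantID>' principal descriptor from the article."""
    for label, value in (("application ID", app_id), ("tenant ID", tenant_id)):
        if not is_guid(value):
            raise ValueError(f"{label} {value!r} is not a GUID")
    return f"aadapp={app_id};{tenant_id}"


def add_database_principal_command(database: str, role: str, app_id: str,
                                   tenant_id: str, notes: str) -> str:
    """Render the control command that grants the service principal a database role."""
    if role not in DATABASE_ROLES:
        raise ValueError(f"unknown database role {role!r}; expected one of {sorted(DATABASE_ROLES)}")
    if not re.fullmatch(r"[A-Za-z0-9_\-]+", database):
        # Only plain identifiers are emitted unquoted; anything else would need ['...']
        # bracket quoting in KQL, which this helper refuses to guess at.
        raise ValueError(f"database name {database!r} needs bracket quoting; refusing to build command")
    principal = aadapp_principal(app_id, tenant_id)
    return f".add database {database} {role} ({kql_string(principal)}) {kql_string(notes)}"


if __name__ == "__main__":
    # Constructed sample IDs (not from a real tenant).
    print(add_database_principal_command(
        "Logs", "viewers",
        "12345678-abcd-ef01-2345-6789abcdef01",
        "fedcba98-7654-3210-fedc-ba9876543210",
        "App Registration"))
```

The same helper covers any of the other roles described in Manage database permissions; only the role name changes, the principal descriptor stays aadapp=<ApplicationID>;<TenantID>.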

Use application credentials to access a database

Use the application credentials to programmatically access your database by using the client library.

using Kusto.Data;
using Kusto.Data.Common;
using Kusto.Data.Net.Client;

// Replace the placeholders with your cluster, database, query, and the values
// copied from the application registration.
string clusterName = "<myClusterName>";
string databaseName = "<myDatabaseName>";
string query = "<myQuery>";
string applicationClientId = "<myClientID>";
string applicationKey = "<myApplicationKey>";
string authority = "<myApplicationTenantID>";

// Build a connection string that authenticates as the service principal (client ID + key).
var kcsb = new KustoConnectionStringBuilder($"https://{clusterName}.kusto.windows.net/{databaseName}")
    .WithAadApplicationKeyAuthentication(
        applicationClientId,
        applicationKey,
        authority);

// Create a query client and run the query against the database.
using var client = KustoClientFactory.CreateCslQueryProvider(kcsb);
var queryResult = client.ExecuteQuery(query);

Note

Specify the application ID and key of the application registration (service principal) that you created earlier.

For more information, see How to authenticate with Microsoft Authentication Library (MSAL) in apps and use Azure Key Vault with .NET Core web app.
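The .NET snippet above hides the token exchange inside the client library. As an added example that is not part of this article or the Kusto SDK, the following Python script performs the same two steps with only the standard library: the OAuth2 client-credentials grant against the Entra token endpoint, using the application ID, key, and tenant ID collected earlier, followed by a query against the cluster's REST query endpoint. The endpoint paths (/oauth2/v2.0/token and /v1/rest/query), the KUSTO_APP_SECRET environment variable, and the injectable post hook are my assumptions; the key is read from the environment rather than embedded in source, in the spirit of the Key Vault guidance referenced above.

```python
import json
import os
import urllib.parse
import urllib.request

LOGIN_HOST = "https://login.microsoftonline.com"


def token_request(tenant_id: str, client_id: str, client_secret: str, cluster_url: str):
    """Return (url, headers, body) for the OAuth2 client-credentials grant, i.e. what
    WithAadApplicationKeyAuthentication does behind the scenes."""
    url = f"{LOGIN_HOST}/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        # The cluster itself is the resource the token is scoped to.
        "scope": f"{cluster_url.rstrip('/')}/.default",
    }).encode()
    return url, {"Content-Type": "application/x-www-form-urlencoded"}, body


def query_request(cluster_url: str, database: str, query: str, access_token: str):
    """Return (url, headers, body) for the Kusto REST v1 query endpoint (assumed path)."""
    url = f"{cluster_url.rstrip('/')}/v1/rest/query"
    headers = {
        "Authorization": f"Bearer {access_token}",
        "Content-Type": "application/json; charset=utf-8",
        "Accept": "application/json",
    }
    body = json.dumps({"db": database, "csl": query}).encode()
    return url, headers, body


def _post(url, headers, body):
    """Default transport: HTTPS POST returning the parsed JSON response."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


def run_query(cluster_url, database, query, tenant_id, client_id,
              client_secret=None, post=_post):
    """Acquire a token as the service principal, then run the query. The secret comes
    from the KUSTO_APP_SECRET environment variable unless passed explicitly (assumption),
    so it never sits in source code. `post` is injectable for offline testing."""
    secret = client_secret or os.environ.get("KUSTO_APP_SECRET")
    if not secret:
        raise RuntimeError("set KUSTO_APP_SECRET (or pass client_secret)")
    token = post(*token_request(tenant_id, client_id, secret, cluster_url))
    return post(*query_request(cluster_url, database, query, token["access_token"]))


if __name__ == "__main__":
    # Placeholder values; replace with your own. The key is read from KUSTO_APP_SECRET.
    result = run_query("https://<myClusterName>.kusto.windows.net", "<myDatabaseName>",
                       "<myQuery>", "<myApplicationTenantID>", "<myClientID>")
    print(json.dumps(result, indent=2))
```

Because the secret is a bearer credential for everything the service principal is allowed to do, the same holds here as for the .NET sample: keep it out of source control and configuration files, and prefer a secret store such as Key Vault with rotation before the expiration you chose when creating the client secret.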

Troubleshooting

Invalid resource error

If your application authenticates users or other applications for access, you must set up delegated permissions for the application, which declares that it is allowed to do so. If you don't, authentication fails with an error message similar to the following:

AADSTS650057: Invalid resource. The client has requested access to a resource which is not listed in the requested permissions in the client's application registration...

Follow the instructions in configure delegated permissions for the application.

Your Microsoft Entra tenant administrator might enact a policy that prevents tenant users from giving consent to applications. This situation results in an error similar to the following error when a user tries to sign in to your application:

AADSTS65001: The user or administrator has not consented to use the application with ID '<App ID>' named 'App Name'

Contact your Microsoft Entra administrator to grant consent for all users in the tenant, or enable user consent for your specific application.