Use managed identities for Data Explorer clusters#

Security · Data Explorer · Rule · 2022_03 · Important

Configure Data Explorer clusters to use managed identities to access Azure resources securely.

Description#

A managed identity allows your cluster to access other Azure AD-protected resources such as Azure Storage. The identity is managed by the Azure platform and doesn't require you to provision or rotate any secrets.

Using Azure managed identities have the following benefits:

You don't need to store or manage credentials. Azure automatically generates tokens and performs rotation.
You can use managed identities to authenticate to any Azure service that supports Azure AD authentication.
Managed identities can be used without any additional cost.

Recommendation#

Consider configuring a managed identity for each Azure Data Explorer cluster. Also consider using managed identities to authenticate to related Azure services.

Examples#

Configure with Azure template#

To deploy clusters that pass this rule:

Set the identity.type to SystemAssigned or UserAssigned.
If identity.type is UserAssigned, reference the identity with identity.userAssignedIdentities.

For example:

Azure Template snippet

{
    "type": "Microsoft.Kusto/clusters",
    "apiVersion": "2021-08-27",
    "name": "[parameters('name')]",
    "location": "[parameters('location')]",
    "sku": {
        "name": "Standard_D11_v2",
        "tier": "Standard"
    },
    "identity": {
        "type": "SystemAssigned"
    },
    "properties": {
        "enableDiskEncryption": true
    }
}

Configure with Bicep#