HowTo: Creating an AAD Application

While AAD user authentication is very easy (as users are defined in AAD by the tenant admin, such as MSIT in the case of Microsoft), AAD application authentication is somewhat more complex, because it requires creating and registering the application with AAD. As this process is unfamiliar to many people, it is described here in some detail.

AAD application authentication is useful for applications that need to access Kusto without a user being logged on or present (e.g., an unattended service or a scheduled flow).

Client applications and middle-tier applications that have an interactive user context should avoid this model, as authorization is performed based on the AAD application identity instead of user identity, so the calling application will need to implement its own authorization logic to prevent misuse.
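The caveat above, as an added example that is not part of the original post: a middle tier that queries Kusto under its AAD application identity has to decide per user what may run, because Kusto authorizes only the application. The user names, the `USER_DATABASES` policy and the `execute` callable are hypothetical stand-ins; `execute` represents whatever call sends the query with the application's credentials.

```python
import logging

log = logging.getLogger("kusto_gateway")

# Constructed sample policy: which signed-in users may read which databases.
# Kusto sees only the application principal, so this mapping is the only
# place where per-user access is decided.
USER_DATABASES = {
    "alice@contoso.example": {"Telemetry"},
    "bob@contoso.example": {"Telemetry", "Billing"},
}


class Forbidden(Exception):
    """Raised when the signed-in user may not run the request."""


def authorize(user, database, query):
    """Apply the middle tier's own checks before the app identity is used."""
    if database not in USER_DATABASES.get(user, set()):
        raise Forbidden(f"{user} has no access to database {database}")
    # Kusto management commands start with a dot (.show, .drop, ...).
    # Interactive users are limited to queries.
    if query.lstrip().startswith("."):
        raise Forbidden("management commands are not exposed to end users")


def run_for_user(user, database, query, execute):
    """Run `query` with the application identity on behalf of `user`.

    `execute(database, query)` is a hypothetical stand-in for the call that
    sends the query to Kusto with the AAD application's credentials.
    """
    try:
        authorize(user, database, query)
    except Forbidden as exc:
        log.warning("denied user=%s db=%s reason=%s", user, database, exc)
        raise
    # Record the real caller: on the Kusto side the request is attributed
    # to the application, not to this user.
    log.info("allowed user=%s db=%s", user, database)
    return execute(database, query)
```

The application's own log is the only record tying a request to the person who made it, so it should be retained alongside the cluster's audit data.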

Application Authentication use cases

We can distinguish two main scenarios that make use of application authentication:

  • Applications that are intended to contact the Kusto service directly and on their own behalf
  • Applications that will authenticate their users to Kusto (delegated authentication)

  1. Provisioning a new application
  2. Set permissions for the application on the Kusto cluster
  3. The application can now access Kusto

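Learn more about how to create an AAD application using Azure Data Explorer in Azure Data Explorer access control: https://docs.microsoft.com/en-us/azure/kusto/management/access-control/how-to-provision-aad-app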

“Join the conversation on the Azure Data Explorer community”.