I'm trying to improve authentication to my Kusto clusters from my functions once they're deployed into production environment. Locally, I connect thru AZ CLI authentication, but I've found out that my organization generated a user assigned managed identity for my Kusto cluster.
I have a principalId and a clientId. How do I authenticate using the managed identity?
TIA
See example for use of MI Auth in the below link.
Please mind MIs only work when running in Azure in a host that this MI was attached to.
https://github.com/Azure/azure-kusto-python/blob/80cd8b61b681069e461141c98f4d7e29cdb4a783/azure-kusto-data/tests/sample.py#L61
Maybe you got not a manged identity but a application identity. This is a service account in azure ad.
That way, you can get a oauth2 token and use it to query the service.
Related
I am following this post and I have added Azure AD User to my Azure PostgreSQL. When I use admin user I can connect to the server but when I change to use Azure AD-based authentication, it always got error Token get failed .... I think I'm lost, please help me. Thanks in advance.
Not sure about the reason because you didn't provide details about how you configure the AAD-based authentication.
But there is a new, simpler way to sign-in with AAD account.
Please refer to New, simpler way to sign-in to Azure Database for PostgreSQL - Single Server using Azure AD.
You just need to configure the Azure AD Administrator in the Azure Portal.
Remember that when you try to sign in in Azure Data Studio, you need to specify the username as AADuser#{your AAD domain}.com#{PostgreSQL server name}
Could anyone provide some instruction on how you would go about assigning a Managed Service Identity to a Remotely-hosted Web app?
My application is registered in AAD to enable the use of authentication. I want to remove the appSecret from appsettings and store that in the KeyVault and access the KeyVault using the MSI.
I have looked at the MS docs and followed a few guides, but have not, as of yet, managed to successfully retrieve my secret.
In the first instance, I just wanted to store a secret and get that back, and once that was working, get the client secret using the same approach.
Managed identity only works when you host your app in Azure.
This is because it works as a local endpoint inside the Azure instances.
I have written a very simple Azure Function in PowerShell. I have enabled it as multi-tenant which is also fine.
If I wanted to use : connect-msolOnline for example (in the PowerShell script) to connect to an office365 service, how could I get the account that you are asked to provide when you access the API which is secured by AzureAD so I can connect to the tenancy with account given .
Being asked to log on when you hit the API is fine (as it is multi-tenancy) but getting that credential to use in the PowerShell script is the problem I am facing.
Any ideas anyone?
Looking through documentation of Connect-MsolService, it expects PSCredential. For fetching and storing the account name and password you can use App Settings or another option is using Key vault.
Related documentation:
App settings: Deploying secrets to Azure
Key Vault: Getting Started with Key Vault
is it possible to connect to Azure SQL Database by using Managed Service Identity? I'd like to rip out SQL credentials.
Thank you for your advises!
Best
Yes, it is possible. See this article for reference.
If you want to use a Managed Service Identity in Azure function you can have a look at this article:
How to use Azure Managed Service Identity (public preview) in App Service and Azure Functions
To authenticate to SQL with a Managed Service Identity you can have look at this article:
Azure SQL authentication with a Managed Service Identity
It should be enough to achieve what you need.
Microsoft allows use of the Authentication command in Azure SQL to connect to the database using an Azure AD account.
https://azure.microsoft.com/en-us/documentation/articles/sql-database-aad-authentication/
Under heading 7.1. Connecting using integrated (Windows) authentication
How can I use this on an Azure App Service?
Note: I am specifically trying NOT to include the password as the next heading shows. I specifically want integrated.
If my understanding of the documentation is correct, you can achieve this yourself using Token Based authentication. It shouldn't require anything special from Azure App Service. See here for details and sample code:
https://blogs.msdn.microsoft.com/sqlsecurity/2016/02/09/token-based-authentication-support-for-azure-sql-db-using-azure-ad-auth/
The new token-based authentication method allows middle-tier services to obtain a token from Azure AD and use it to connect to Azure SQL Database.
Azure App Service machines are not part of your domain, so this isn't going to work. This was designed to let domain joined clients connect to SQL.
SQL Username/password is the only option left.
Update: see Chris Post about the new token based features