Cross-tenant data connection

When you need to create a data connection for an Azure Event Hubs or Azure Event Grid service in a different tenant, use our API to build the connection.

In the following example, you'll use PowerShell to create a cross-tenant Event Hubs data connection and auxiliary tokens to authenticate.

Prerequisites

Assign role to Tenant2 in Event Hubs

  1. In the Azure portal, browse to your Event Hubs namespace.

  2. In the left menu, select Access control (IAM) > Add role assignments.

    Screenshot of Event Hubs namespace.

  3. In the Add role assignment window, fill out the following information, and then select Save.

    Screenshot of Add role assignment window in the Azure portal.

    Setting              Suggested value
    -------              ---------------
    Role                 Azure Event Hubs Data Owner
    Assign access to     User, group, or service principal
    Select               The email address of the user in Tenant2
  4. When you receive an email invite on the selected address (acc2@domain2.com account), accept the invitation.

Get an access token for Tenant1

Before you begin, you'll need the Get-AzCachedAccessToken function to get the access token for Tenant1. The source code for the function can be found in the PowerShell gallery. You can include this code in your personal PowerShell profile to make it easier to call, or you can run it and then use it in these steps.

  1. Run the following command to connect to Tenant1:

    Connect-AzAccount -Environment AzureChinaCloud
    
  2. Add a variable with the token for Tenant1:

    $tokenfromtenant1 = Get-AzCachedAccessToken
    
  3. Add an auxiliary token variable for Tenant1:

    $auxpat="Bearer $tokenfromtenant1"
    
  4. Grant acc1@domain1.com access to the cluster.

  5. Set the cluster's subscription ID:

    Set-AzContext -SubscriptionId "<subscription ID>"
    
  6. Add a variable with the token for Tenant2:

    $tokenfromtenant2 = Get-AzCachedAccessToken
    
  7. Add a pat variable to be used as the primary token:

    $pat="Bearer $tokenfromtenant2"
    
  8. Add an HTTP body request variable to use when invoking the web request:

    $requestbody ='{"location": "China East 2","kind": "EventHub","properties": { "eventHubResourceId": "/subscriptions/<subscription ID>/resourceGroups/<resource group name>/providers/Microsoft.EventHub/namespaces/<event hub namespace name>/eventhubs/<event hub name>","consumerGroup": "$Default","dataFormat": "JSON", "tableName": "<ADX table name>", "mappingRuleName": "<ADX table mapping name>"}}'
    
  9. Add a URI variable to use when invoking the web request:

    $adxdcuri="https://management.chinacloudapi.cn/subscriptions/<subscription ID>/resourceGroups/<resource group name>/providers/Microsoft.Kusto/clusters/<adx cluster name>/databases/<adx db name>/dataconnections/<adx data connection name>?api-version=2020-02-15"
    
  10. Add acc1@domain1.com as a contributor in the cluster.

  11. Invoke the following web request that uses the previously defined variables.

    Invoke-WebRequest -Headers @{Authorization = $pat; 'x-ms-authorization-auxiliary' = $auxpat} -Uri $adxdcuri -Body $requestbody -Method PUT -ContentType 'application/json'
    

You should now be able to see the newly created data connection in the Azure portal.

Note

If the access used to build the data connection is revoked on Event Hubs, make sure you delete the data connection. Otherwise, Azure Data Explorer will continue to ingest data even if access on Event Hubs is revoked.
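The following script is an added example, not part of the original article or of any Microsoft sample. It assembles steps 1 through 11 above into one run, builds the request body from a hashtable so the quoting cannot break the JSON, checks the status code of the PUT, reads the connection back, and ends with the cleanup the Note asks for. The bearer tokens, header names, body fields, URI and API version are the ones the article uses; everything in angle brackets is a placeholder you must replace, Get-AzCachedAccessToken is the PowerShell Gallery function referenced above, and the GET and DELETE calls assume the standard Azure Resource Manager verbs on the same data connection URI.

```powershell
# Added example (not the article's own code). Placeholders in <angle brackets> must be
# replaced. Get-AzCachedAccessToken is the PowerShell Gallery function the article uses.
$ErrorActionPreference = 'Stop'

# Steps 1-3: sign in and keep the Tenant1 token as the auxiliary token.
Connect-AzAccount -Environment AzureChinaCloud
$tokenfromtenant1 = Get-AzCachedAccessToken
$auxpat = "Bearer $tokenfromtenant1"

# Steps 5-7: switch to the cluster's subscription and keep the Tenant2 token as the primary token.
Set-AzContext -SubscriptionId '<subscription ID>'
$tokenfromtenant2 = Get-AzCachedAccessToken
$pat = "Bearer $tokenfromtenant2"

# Both variables are bearer credentials for ARM: do not write them to logs or transcripts.

# Step 8: the same body as the article, built as a hashtable. Single quotes keep
# '$Default' literal; ConvertTo-Json takes care of escaping.
$body = @{
    location   = 'China East 2'
    kind       = 'EventHub'
    properties = @{
        eventHubResourceId = '/subscriptions/<subscription ID>/resourceGroups/<resource group name>/providers/Microsoft.EventHub/namespaces/<event hub namespace name>/eventhubs/<event hub name>'
        consumerGroup      = '$Default'
        dataFormat         = 'JSON'
        tableName          = '<ADX table name>'
        mappingRuleName    = '<ADX table mapping name>'
    }
}
$requestbody = $body | ConvertTo-Json -Depth 5

# Step 9: the same URI as the article.
$adxdcuri = 'https://management.chinacloudapi.cn/subscriptions/<subscription ID>/resourceGroups/<resource group name>/providers/Microsoft.Kusto/clusters/<adx cluster name>/databases/<adx db name>/dataconnections/<adx data connection name>?api-version=2020-02-15'

# Step 11: primary token in Authorization, Tenant1 token in x-ms-authorization-auxiliary.
$headers = @{
    Authorization                  = $pat
    'x-ms-authorization-auxiliary' = $auxpat
}

try {
    $response = Invoke-WebRequest -Headers $headers -Uri $adxdcuri -Body $requestbody `
        -Method PUT -ContentType 'application/json' -UseBasicParsing
} catch {
    # Non-2xx responses raise here; the message carries the ARM error code and detail.
    throw "Creating the data connection failed: $($_.Exception.Message)"
}
if ($response.StatusCode -lt 200 -or $response.StatusCode -ge 300) {
    throw "Unexpected status $($response.StatusCode) from PUT"
}

# Read the resource back (assumption: standard ARM GET on the same URI). Reading the
# ADX resource needs only the primary token, not the auxiliary one.
$created = Invoke-RestMethod -Headers @{ Authorization = $pat } -Uri $adxdcuri -Method GET
"Created data connection '$($created.name)', provisioning state: $($created.properties.provisioningState)"

# Cleanup for the Note above: once the Event Hubs role assignment for the cross-tenant
# account is revoked, remove the data connection so ingestion stops
# (assumption: standard ARM DELETE on the same URI). Call it explicitly when needed.
function Remove-CrossTenantDataConnection {
    param([string]$Uri, [string]$PrimaryToken)
    Invoke-WebRequest -Headers @{ Authorization = $PrimaryToken } -Uri $Uri -Method DELETE -UseBasicParsing | Out-Null
    "Deleted data connection at $Uri"
}
# Example call (run only after access on Event Hubs has been revoked):
# Remove-CrossTenantDataConnection -Uri $adxdcuri -PrimaryToken $pat
```

The GET after the PUT is what turns "you should now be able to see the connection in the portal" into something a script can check: the returned provisioningState tells you whether ARM has finished creating the resource before you start sending events to the hub.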