Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Applies to: ✅ Azure Data Explorer
To interact with your database over HTTPS, the principal making the request
must authenticate by using the HTTP Authorization request header.
Syntax
Authorization: Bearer AccessToken
Learn more about syntax conventions.
Parameters
| Name | Type | Required | Description | 
|---|---|---|---|
| AccessToken | string | ✔️ | A Microsoft Entra access token for the service. | 
Get an access token
There are many different methods to get a Microsoft Entra access token. To learn more, see user authentication and application authentication.
Get an access token for a user principal using the Azure CLI
The following steps return an access token for the user principal making the request. Make sure the user principal has access to the resource you plan to access. For more information, see role-based access control.
- Sign in to the Azure CLI. - az login --output table
- Find the row where the column - Defaultis- true. Confirm that the subscription in that row is the subscription for which you want to create your Microsoft Entra access token. To find subscription information, see get subscription and tenant IDs in the Azure portal. If you need to switch to a different subscription, run one of the following commands.- az account set --subscription <SUBSCRIPTION_ID>- az account set --name "<SUBSCRIPTION_NAME>"
- Run the following command to get the access token. - az account get-access-token \ --resource "https://api.kusto.chinacloudapi.cn" \ --query "accessToken"
Get an access token for a service principal using the Azure CLI
Microsoft Entra service principals represent applications or services that need access to resources, usually in non-interactive scenarios such as API calls. The following steps guide you through creating a service principal and getting a bearer token for this principal.
- Sign in to the Azure CLI. - az login --output table
- Find the row where the column - Defaultis- true. Confirm that the subscription in that row is the subscription under which you want to create the service principal. To find subscription information, see get subscription and tenant IDs in the Azure portal. If you need to switch to a different subscription, run one of the following commands.- az account set --subscription <SUBSCRIPTION_ID>- az account set --name "<SUBSCRIPTION_NAME>"
- Create a service principal. This following command creates a Microsoft Entra service principal and returns the - appId,- displayName,- password, and- tenantIdfor the service principal.- az ad sp create-for-rbac -n <SERVICE_PRINCIPAL_NAME>
- Grant the application principal access to your database. For example, in the context of your database, use the following command to add the principal as a user. - .add database <DATABASE> users ('aadapp=<appId>;<tenantId>')- To learn about the different roles and how to assign them, see security roles management. 
- Send an HTTP request to request an access token. Replace - <tenantId>,- <appId>, and- <password>with the values obtained from the previous command. This request returns a JSON object containing the access token, which you can use as the value for the- Authorizationheader in your requests.- curl -X POST https://login.partner.microsoftonline.cn/<tenantId>/oauth2/token \ -F grant_type=client_credentials \ -F client_id=<appId> \ -F client_secret=<password> \ -F resource=https://api.kusto.chinacloudapi.cn
Related content
- Authentication overview
- To learn how to perform On-behalf-of (OBO) authentication or Single Page Application (SPA) authentication, see How to authenticate with Microsoft Authentication Library (MSAL).