MicrosoftDocs
diff --git a/‎articles/data-explorer/customer-managed-keys-csharp.md
Lines changed: 91 additions & 0 deletions b/‎articles/data-explorer/customer-managed-keys-csharp.md
Lines changed: 91 additions & 0 deletions
diff --git a/‎articles/data-explorer/customer-managed-keys-resource-manager.md
Lines changed: 80 additions & 0 deletions b/‎articles/data-explorer/customer-managed-keys-resource-manager.md
Lines changed: 80 additions & 0 deletions
diff --git a/‎articles/data-explorer/manage-cluster-security.md
Lines changed: 4 additions & 6 deletions b/‎articles/data-explorer/manage-cluster-security.md
Lines changed: 4 additions & 6 deletions
diff --git a/‎articles/data-explorer/managed-identities.md
Lines changed: 138 additions & 0 deletions b/‎articles/data-explorer/managed-identities.md
Lines changed: 138 additions & 0 deletions
@@ -0,0 +1,91 @@
+---
+title: Configure customer-managed-keys using C#
+description: This article describes how to configure customer-managed keys encryption on your data in Azure Data Explorer.
+author: saguiitay
+ms.author: itsagui
+ms.reviewer: orspodek
+ms.service: data-explorer
+ms.topic: conceptual
+ms.date: 01/06/2020
+---
+
+# Configure customer-managed-keys using C#
+
+> [!div class="op_single_selector"]
+> * [C#](create-cluster-database-csharp.md)
+> * [Azure Resource Manager template](create-cluster-database-resource-manager.md)
+
+[!INCLUDE [data-explorer-configure-customer-managed-keys](../../includes/data-explorer-configure-customer-managed-keys.md)]
+
+## Configure encryption with customer-managed keys
+
+This section shows you how to configure customer-managed keys encryption using the Azure Data Explorer C# client. 
+
+### Prerequisites
+
+* If you don't have Visual Studio 2019 installed, you can download and use the **free** [Visual Studio 2019 Community Edition](https://www.visualstudio.com/downloads/). Make sure that you enable **Azure development** during the Visual Studio setup.
+
+* If you don't have an Azure subscription, create a [free Azure account](https://azure.microsoft.com/free/) before you begin.
+
+### Install C# Nuget
+
+* Install the [Azure Data Explorer (Kusto) nuget package](https://www.nuget.org/packages/Microsoft.Azure.Management.Kusto/).
+
+* Install the [Microsoft.IdentityModel.Clients.ActiveDirectory nuget package](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/) for authentication.
+
+### Authentication
+
+To run the examples in this article, [create an Azure AD application](/azure/active-directory/develop/howto-create-service-principal-portal) and service principal that can access resources. You can add role assignment at the subscription scope and get the required `Directory (tenant) ID`, `Application ID`, and `Client Secret`.
+
+### Configure cluster
+
+By default, Azure Data Explorer encryption uses Microsoft-managed keys. Configure your Azure Data Explorer cluster to use customer-managed keys and specify the key to associate with the cluster.
+
+1. Update your cluster by using the following code:
+
+    ```csharp
+    var tenantId = "xxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxx";//Directory (tenant) ID
+    var clientId = "xxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxx";//Application ID
+    var clientSecret = "xxxxxxxxxxxxxx";//Client Secret
+    var subscriptionId = "xxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxx";
+    var authenticationContext = new AuthenticationContext($"https://login.windows.net/{tenantId}");
+    var credential = new ClientCredential(clientId, clientSecret);
+    var result = await authenticationContext.AcquireTokenAsync(resource: "https://management.core.windows.net/", clientCredential: credential);
+
+    var credentials = new TokenCredentials(result.AccessToken, result.AccessTokenType);
+
+    var kustoManagementClient = new KustoManagementClient(credentials)
+    {
+        SubscriptionId = subscriptionId
+    };
+
+    var resourceGroupName = "testrg";
+    var clusterName = "mykustocluster";
+    var keyName = "myKey";
+    var keyVersion = "5b52b20e8d8a42e6bd7527211ae32654";
+    var keyVaultUri = "https://mykeyvault.vault.azure.net/";
+    var keyVaultProperties = new KeyVaultProperties (keyName, keyVersion, keyVaultUri);
+    var clusterUpdate = new ClusterUpdate(keyVaultProperties: keyVaultProperties);
+    await kustoManagementClient.Clusters.UpdateAsync(resourceGroupName, clusterName, clusterUpdate);
+    ```
+
+1. Run the following command to check if your cluster was successfully updated:
+
+    ```csharp
+    kustoManagementClient.Clusters.Get(resourceGroupName, clusterName);
+    ```
+
+    If the result contains `ProvisioningState` with the `Succeeded` value, then your cluster was successfully updated.
+
+## Update the key version
+
+When you create a new version of a key, you'll need to update the cluster to use the new version. First, call `Get-AzKeyVaultKey` to get the latest version of the key. Then update the cluster's key vault properties to use the new version of the key, as shown in [Configure cluster](#configure-cluster).
+
+## Next steps
+
+* [Secure Azure Data Explorer clusters in Azure](security.md)
+* [Configure managed identities for your Azure Data Explorer cluster](managed-identities.md)
+* [Secure your cluster in Azure Data Explorer - Azure portal](manage-cluster-security.md) by enabling encryption at rest.
+* [Configure customer-managed-keys using the Azure Resource Manager template](customer-managed-keys-resource-manager.md)
+
+
@@ -0,0 +1,80 @@
+---
+title: Configure customer-managed-keys in Azure Data Explorer using the Azure Resource Manager template
+description: This article describes how to configure customer-managed keys encryption on your data in Azure Data Explorer using the Azure Resource Manager template.
+author: saguiitay
+ms.author: itsagui
+ms.reviewer: orspodek
+ms.service: data-explorer
+ms.topic: conceptual
+ms.date: 01/06/2020
+---
+
+# Configure customer-managed-keys using the Azure Resource Manager template
+
+> [!div class="op_single_selector"]
+> * [C#](create-cluster-database-csharp.md)
+> * [Azure Resource Manager template](create-cluster-database-resource-manager.md)
+
+[!INCLUDE [data-explorer-configure-customer-managed-keys](../../includes/data-explorer-configure-customer-managed-keys.md)]
+
+## Configure encryption with customer-managed keys
+
+In this section, you configure customer-managed keys using Azure Resource Manager templates. By default, Azure Data Explorer encryption uses Microsoft-managed keys. In this step, configure your Azure Data Explorer cluster to use customer-managed keys and specify the key to associate with the cluster.
+
+You can deploy the Azure Resource Manager template by using the Azure portal or using PowerShell.
+
+```json
+{
+  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "clusterName": {
+      "type": "string",
+      "defaultValue": "[concat('kusto', uniqueString(resourceGroup().id))]",
+      "metadata": {
+        "description": "Name of the cluster to create"
+      }
+    },
+    "location": {
+      "type": "string",
+      "defaultValue": "[resourceGroup().location]",
+      "metadata": {
+        "description": "Location for all resources."
+      }
+    }
+  },
+  "variables": {},
+  "resources": [
+    {
+      "name": "[parameters('clusterName')]",
+      "type": "Microsoft.Kusto/clusters",
+      "sku": {
+        "name": "Standard_D13_v2",
+        "tier": "Standard",
+        "capacity": 2
+      },
+      "apiVersion": "2019-09-07",
+      "location": "[parameters('location')]",
+      "properties": {
+        "keyVaultProperties": {
+          "keyVaultUri": "<keyVaultUri>",
+          "keyName": "<keyName>",
+          "keyVersion": "<keyVersion"
+        }
+      }
+    }
+  ]
+}
+```
+
+## Update the key version
+
+When you create a new version of a key, you'll need to update the cluster to use the new version. First, call `Get-AzKeyVaultKey` to get the latest version of the key. Then update the cluster's key vault properties to use the new version of the key, as shown in [Configure encryption with customer-managed keys](#configure-encryption-with-customer-managed-keys).
+
+## Next steps
+
+* [Secure Azure Data Explorer clusters in Azure](security.md)
+* [Configure managed identities for your Azure Data Explorer cluster](managed-identities.md)
+* [Secure your cluster in Azure Data Explorer - Azure portal](manage-cluster-security.md) by enabling encryption at rest.
+* [Configure customer-managed-keys using C#](customer-managed-keys-csharp.md)
+
@@ -9,15 +9,13 @@ ms.topic: conceptual
 ms.date: 08/20/2019
 ---
 
-# Secure your cluster in Azure Data Explorer
+# Secure your cluster in Azure Data Explorer - Azure portal
 
-[Azure Disk Encryption](/azure/security/azure-security-disk-encryption-overview) helps protect and safeguard your data to meet your organizational security and compliance commitments. It provides volume encryption for the OS and data disks of your cluster virtual machines. It also integrates with [Azure Key Vault](/azure/key-vault/) which allows us to control and manage the disk encryption keys and secrets, and ensure all data on the VM disks is encrypted at rest while in Azure Storage. 
-
-Your cluster security settings allow you to enable disk encryption on your cluster.
+[Azure Disk Encryption](/azure/security/azure-security-disk-encryption-overview) helps protect and safeguard your data to meet your organizational security and compliance commitments. It provides volume encryption for the OS and data disks of your cluster virtual machines. It also integrates with [Azure Key Vault](/azure/key-vault/), which allows us to control and manage the disk encryption keys and secrets, and ensure all data on the VM disks is encrypted. 
 
-## Enable encryption at rest
+## Enable encryption at rest in the Azure portal
 
-Enabling [encryption at rest](/azure/security/fundamentals/encryption-atrest) on your cluster provides data protection for stored data (at rest). 
+Your cluster security settings allow you to enable disk encryption on your cluster. Enabling [encryption at rest](/azure/security/fundamentals/encryption-atrest) on your cluster provides data protection for stored data (at rest). 
 
 1. In the Azure portal, go to your Azure Data Explorer cluster resource. Under the **Settings** heading, select **Security**. 
 
 
@@ -0,0 +1,138 @@
+---
+title: How to configure managed identities for Azure Data Explorer cluster
+description: Learn how to configure managed identities for Azure Data Explorer cluster.
+author: saguiitay
+ms.author: itsagui
+ms.reviewer: orspodek
+ms.service: data-explorer
+ms.topic: conceptual
+ms.date: 01/06/2020
+---
+
+# Configure managed identities for your Azure Data Explorer cluster
+
+A [managed identity from Azure Active Directory](/azure/active-directory/managed-identities-azure-resources/overview) allows your cluster to easily access other AAD-protected resources such as Azure Key Vault. The identity is managed by the Azure platform and doesn't require you to provision or rotate any secrets. This article shows you how to create a managed identity for Azure Data Explorer clusters. 
+
+> [!Note]
+> Managed identities for Azure Data Explorer won't behave as expected if your app is migrated across subscriptions or tenants. The app will need to obtain a new identity, which can be done by disabling and re-enabling the feature using [remove an identity](#remove-an-identity). Access policies of downstream resources will also need to be updated to use the new identity.
+
+## Add a system-assigned identity
+
+Your cluster can be assigned a **system-assigned identity** that is tied to your cluster, and is deleted if your cluster is deleted. A cluster can only have one system-assigned identity. Creating a cluster with a system-assigned identity requires an additional property to be set on the cluster.
+
+### Add a system-assigned identity using C#
+
+To set up a managed identity using the Azure Data Explorer C# client, do the following:
+
+* Install the [Azure Data Explorer (Kusto) NuGet package](https://www.nuget.org/packages/Microsoft.Azure.Management.Kusto/).
+* Install the [Microsoft.IdentityModel.Clients.ActiveDirectory NuGet package](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/) for authentication.
+* To run the following example, [create an Azure AD application](/azure/active-directory/develop/howto-create-service-principal-portal) and service principal that can access resources. You can add role assignment at the subscription scope and get the required `Directory (tenant) ID`, `Application ID`, and `Client Secret`.
+
+#### Create or update your cluster
+
+1. Create or update your cluster using the `Identity` property:
+
+    ```csharp
+    var tenantId = "xxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxx";//Directory (tenant) ID
+    var clientId = "xxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxx";//Application ID
+    var clientSecret = "xxxxxxxxxxxxxx";//Client Secret
+    var subscriptionId = "xxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxx";
+    var authenticationContext = new AuthenticationContext($"https://login.windows.net/{tenantId}");
+    var credential = new ClientCredential(clientId, clientSecret);
+    var result = await authenticationContext.AcquireTokenAsync(resource: "https://management.core.windows.net/", clientCredential: credential);
+    
+    var credentials = new TokenCredentials(result.AccessToken, result.AccessTokenType);
+    
+    var kustoManagementClient = new KustoManagementClient(credentials)
+    {
+        SubscriptionId = subscriptionId
+    };
+    
+    var resourceGroupName = "testrg";
+    var clusterName = "mykustocluster";
+    var location = "Central US";
+    var skuName = "Standard_D13_v2";
+    var tier = "Standard";
+    var capacity = 5;
+    var sku = new AzureSku(skuName, tier, capacity);
+    var identity = new Identity(IdentityType.SystemAssigned);
+    var cluster = new Cluster(location, sku, identity: identity);
+    await kustoManagementClient.Clusters.CreateOrUpdateAsync(resourceGroupName, clusterName, cluster);
+    ```
+    
+2. Run the following command to check if your cluster was successfully created or updated with an identity:
+
+    ```csharp
+    kustoManagementClient.Clusters.Get(resourceGroupName, clusterName);
+    ```
+
+    If the result contains `ProvisioningState` with the `Succeeded` value, then the cluster was created or updated, and should have the following properties:
+   
+    ```csharp
+    var principalId = cluster.Identity.PrincipalId;
+    var tenantId = cluster.Identity.TenantId;
+    ```
+
+    `PrincipalId` and `TenantId` are replaced with GUIDs. The `TenantId` property identifies the AAD tenant to which the identity belongs. The `PrincipalId` is a unique identifier for the cluster's new identity. Within AAD, the service principal has the same name that you gave to your App Service or Azure Functions instance.
+
+### Add a system-assigned identity using an Azure Resource Manager template
+
+An Azure Resource Manager template can be used to automate deployment of your Azure resources. To learn more about deploying to Azure Data Explorer, see [Create an Azure Data Explorer cluster and database by using an Azure Resource Manager template](create-cluster-database-resource-manager.md).
+
+Adding the system-assigned type tells Azure to create and manage the identity for your cluster. Any resource of type `Microsoft.Kusto/clusters` can be created with an identity by including the following property in the resource definition: 
+
+```json
+"identity": {
+    "type": "SystemAssigned"
+}    
+```
+
+For example:
+
+```json
+{
+    "apiVersion": "2019-09-07",
+    "type": "Microsoft.Kusto/clusters",
+    "name": "[variables('clusterName')]",
+    "location": "[resourceGroup().location]",
+    "identity": {
+        "type": "SystemAssigned"
+    },
+    "properties": {
+        "trustedExternalTenants": [],
+        "virtualNetworkConfiguration": null,
+        "optimizedAutoscale": null,
+        "enableDiskEncryption": false,
+        "enableStreamingIngest": false,
+    }
+}
+```
+
+When the cluster is created, it has the following additional properties:
+
+```json
+"identity": {
+    "type": "SystemAssigned",
+    "tenantId": "<TENANTID>",
+    "principalId": "<PRINCIPALID>"
+}
+```
+
+`<TENANTID>` and `<PRINCIPALID>` are replaced with GUIDs. The `TenantId` property identifies the AAD tenant to which the identity belongs. The `PrincipalId` is a unique identifier for the cluster's new identity. Within AAD, the service principal has the same name that you gave to your App Service or Azure Functions instance.
+
+## Remove an identity
+
+Removing a system-assigned identity will also delete it from AAD. System-assigned identities are also automatically removed from AAD when the cluster resource is deleted. A system-assigned identity can be removed by disabling the feature:
+
+```json
+"identity": {
+    "type": "None"
+}
+```
+
+## Next steps
+
+* [Secure Azure Data Explorer clusters in Azure](security.md)
+* [Secure your cluster in Azure Data Explorer - Azure portal](manage-cluster-security.md) by enabling encryption at rest.
+ * [Configure customer-managed-keys using C#](customer-managed-keys-csharp.md)
+ * [Configure customer-managed-keys using the Azure Resource Manager template](customer-managed-keys-resource-manager.md)