diff --git a/data-explorer/ingest-data-event-grid-overview.md b/data-explorer/ingest-data-event-grid-overview.md index bfe1e3b652..068db3c911 100644 --- a/data-explorer/ingest-data-event-grid-overview.md +++ b/data-explorer/ingest-data-event-grid-overview.md 
@@ -19,13 +19,16 @@ For general information about data ingestion in Azure Data Explorer, see [Azure ## Event Grid data connection authentication mechanisms * [Managed Identity](managed-identities-overview.md) based data connection (recommended): Using a managed identity-based data connection is the most secure way to connect to data sources. It provides full control over the ability to fetch data from a data source. -Setup of an Event Grid data connection using managed identity requires the following steps: + + Setup of an Event Grid data connection using managed identity requires the following steps and permissions: + 1. Make sure you have [EventGrid Contributor](/azure/role-based-access-control/built-in-roles/integration#eventgrid-contributor) role assignment on the Azure subscribtion of the source data storage account. 1. [Add a managed identity to your cluster](configure-managed-identities-cluster.md). 1. [Grant permissions to the managed identity on the data source](ingest-data-managed-identity.md#grant-permissions-to-the-managed-identity). To fetch data from Azure Storage, the managed identity must have at least [Storage Blob Data Reader](/azure/role-based-access-control/built-in-roles#storage-blob-data-reader) permissions on the Azure Storage account. 1. Grant permissions to the managed identity on the event hub. To fetch blob notifications from the event hub, the managed identity must have [Azure Event Hubs Data Receiver](/azure/role-based-access-control/built-in-roles#azure-event-hubs-data-receiver) permissions on the Azure Event Hubs. 1. Set a [managed identity policy](/kusto/management/managed-identity-policy?view=azure-data-explorer&preserve-view=true) on the target databases. 1. Create a data connection using managed identity authentication to fetch data. + > [!Note] > > * The event hub consumer group *must* be unique per consumer. Create a dedicated consumer group for every Azure Data Explorer data connection.
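Review bot: the new prerequisite line has a typo, "Azure subscribtion" should read "Azure subscription"; while fixing it, state the narrowest scope at which the EventGrid Contributor assignment is needed, because the other steps in this list scope roles to the resource (Storage Blob Data Reader on the storage account, Azure Event Hubs Data Receiver on the event hub) and a subscription-wide role assignment is a much broader grant than a single storage account's event subscription suggests. Also check the rendered output of the indented "Setup of an Event Grid data connection using managed identity requires the following steps and permissions:" line, since the numbered steps that follow are not indented under the bullet and may render as a separate top-level list.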