Expand Up @@ -55,13 +55,23 @@ You must have at least [Database Viewer](../../access-control/role-based-access-
The authentication method is based on the connection string provided, and the permissions required vary depending on the authentication method.

The following table lists the supported authentication methods and the permissions needed for exporting data to external storage by storage type.

::: moniker range="microsoft-fabric"
|Authentication method|Azure Blob Storage / Data Lake Storage Gen2|Data Lake Storage Gen1|
|--|--|--|
|[Impersonation](../../api/connection-strings/storage-connection-strings.md#impersonation)|Storage Blob Data Contributor|Contributor|
|[Shared Access (SAS) token](../../api/connection-strings/storage-connection-strings.md#shared-access-sas-token)|Write|Write|
|[Microsoft Entra access token](../../api/connection-strings/storage-connection-strings.md#microsoft-entra-access-token)|No extra permissions required|No extra permissions required|
|[Storage account access key](../../api/connection-strings/storage-connection-strings.md#storage-account-access-key)|No extra permissions required|No extra permissions required|
::: moniker-end
::: moniker range="azure-data-explorer"
|Authentication method|Azure Blob Storage / Data Lake Storage Gen2|Data Lake Storage Gen1|
|--|--|--|
|[Impersonation](../../api/connection-strings/storage-connection-strings.md#impersonation)|Storage Blob Data Contributor|Contributor|
|[Managed Identity](../../api/connection-strings/storage-connection-strings.md#managed-identity)|Storage Blob Data Contributor|Contributor|
|[Shared Access (SAS) token](../../api/connection-strings/storage-connection-strings.md#shared-access-sas-token)|Write|Write|
|[Microsoft Entra access token](../../api/connection-strings/storage-connection-strings.md#microsoft-entra-access-token)|No extra permissions required|No extra permissions required|
|[Storage account access key](../../api/connection-strings/storage-connection-strings.md#storage-account-access-key)|No extra permissions required|No extra permissions required|
::: moniker-end

## Returns
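
Review bot: The new Managed Identity row in the azure-data-explorer table lists only the storage role (Storage Blob Data Contributor / Contributor) and does not mention the `ExportRequest` usage that this same change adds to managed-identity-policy.md. Link that usage from the row or from a line under the table, so a reader who grants the storage role has a pointer to the policy side as well. Separately, the two moniker tables are identical apart from that one row, and `::: moniker-end` is followed directly by `::: moniker range="azure-data-explorer"` with no blank line, unlike the moniker blocks in externaldata-operator.md.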

4 changes: 3 additions & 1 deletion data-explorer/kusto/management/managed-identity-policy.md
Expand Up @@ -58,7 +58,9 @@ The following values specify authentication to a `usage` using the configured ma
| `AutomatedFlows`| Run a [Continuous Export](data-export/continuous-data-export.md) or [Update Policy](update-policy.md) automated flow on behalf of a managed identity. |
| `AzureAI`| Authenticate to an Azure OpenAI service using the [ai_embeddings plugin](../query/ai-embeddings-plugin.md) with a managed identity. |
| `DataConnection` | Authenticate to data connections to an Event Hub or an Event Grid. |
|`ExternalTable` | Authenticate to external tables using connection strings configured with a managed identity. |
| `ExportRequest` | Authenticate to an external storage export destination. |
| `ExternalDataRequest` | Authenticate to an external data source using the externaldata operator / infer storage schema plugin. |
| `ExternalTable` | Authenticate to external tables using connection strings configured with a managed identity. |
| `NativeIngestion` | Authenticate to an SDK for native ingestion from an external source. |
| `SandboxArtifacts`| Authenticate to external artifacts referenced in sandboxed plugins (e.g., Python) with a managed identity. This usage needs to be defined on the cluster level managed identity policy. |
| `SqlRequest`| Authenticate to an external database using the *sql_request* or *cosmosdb_request* plugin with a managed identity. |
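
Review bot: The `ExternalDataRequest` row names "the externaldata operator / infer storage schema plugin" as plain text, while neighbouring rows link or format what they refer to (`[ai_embeddings plugin](../query/ai-embeddings-plugin.md)`, *sql_request*). Suggest linking both targets, for example `[externaldata operator](../query/externaldata-operator.md)` and `[infer storage schema plugin](../query/infer-storage-schema-plugin.md)`, and giving `ExportRequest` a link to the export pages in the way `AutomatedFlows` links to continuous export. The re-added `ExternalTable` row only gains a leading space, which is fine.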
15 changes: 12 additions & 3 deletions data-explorer/kusto/query/externaldata-operator.md
Expand Up @@ -11,12 +11,22 @@ ms.date: 01/27/2025

The `externaldata` operator returns a table whose schema is defined in the query itself, and whose data is read from an external storage artifact, such as a blob in Azure Blob Storage or a file in Azure Data Lake Storage.

::: moniker range="azure-data-explorer"
> [!NOTE]
> The `externaldata` operator supports:
> * a specific set of storage services, as listed under [Storage connection strings](../api/connection-strings/storage-connection-strings.md).
> * shared Access Signature (SAS) key, Access key, Microsoft Entra Token, and Managed Identity authentication methods. For more information, see [Storage authentication methods](../api/connection-strings/storage-connection-strings.md#storage-authentication-methods).

::: moniker-end

::: moniker range="microsoft-fabric"
> [!NOTE]
> The `externaldata` operator supports:
>
> * a specific set of storage services, as listed under [Storage connection strings](../api/connection-strings/storage-connection-strings.md).
> * shared Access Signature (SAS) key, Access key, and Microsoft Entra Token authentication methods. For more information, see [Storage authentication methods](../api/connection-strings/storage-connection-strings.md#storage-authentication-methods).

::: moniker-end

::: moniker range="azure-monitor || microsoft-sentinel"

> [!NOTE]
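
Review bot: The azure-data-explorer note now lists Managed Identity for `externaldata` but gives no pointer to the `ExternalDataRequest` usage that this change adds to the managed identity policy page; add that link next to the authentication-methods link. The new block also drops the empty `>` line between "The `externaldata` operator supports:" and the list, which the microsoft-fabric block keeps, so the two notes should be made consistent, and "shared Access Signature" should be capitalised in both.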
Expand Down Expand Up @@ -79,8 +89,7 @@ The following example shows how to find all records in a table whose `UserID` co
```kusto
Users
| where UserID in ((externaldata (UserID:string) [
@"https://storageaccount.blob.core.windows.net/storagecontainer/users.txt"
h@"?...SAS..." // Secret token needed to access the blob
@"https://storageaccount.blob.core.windows.net/storagecontainer/users.txt;managed_identity=..."
]))
| ...
```
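
Review bot: The example now shows only the `;managed_identity=...` form, yet the notes earlier in this file list Managed Identity for the azure-data-explorer moniker only and not for microsoft-fabric, so this example no longer works as written for Fabric readers. Suggest keeping the SAS form (`h@"?...SAS..."` with its comment about the secret token) as the general example and adding the managed identity connection string as a second example inside an azure-data-explorer moniker. The `...` after `managed_identity=` also needs a comment saying what value goes there, since the removed line had one for the SAS token.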
11 changes: 11 additions & 0 deletions data-explorer/kusto/query/infer-storage-schema-plugin.md
Expand Up @@ -17,12 +17,23 @@ In the [properties of the request](#supported-properties-of-the-request), you sp

The following table lists the supported authentication methods and any required permissions by storage type.

::: moniker range="azure-data-explorer"
|Authentication method|Azure Blob Storage / Data Lake Storage Gen2|Data Lake Storage Gen1|
|--|--|--|
|[Impersonation](../api/connection-strings/storage-connection-strings.md#impersonation)|Storage Blob Data Reader|Reader|
|[Managed Identity](../api/connection-strings/storage-connection-strings.md#managed-identity)|Storage Blob Data Reader|Reader|
|[Shared Access (SAS) token](../api/connection-strings/storage-connection-strings.md#shared-access-sas-token)|List + Read|This authentication method isn't supported in Gen1.|
|[Microsoft Entra access token](../api/connection-strings/storage-connection-strings.md#microsoft-entra-access-token)||
|[Storage account access key](../api/connection-strings/storage-connection-strings.md#storage-account-access-key)||This authentication method isn't supported in Gen1.|
::: moniker-end
::: moniker range="microsoft-fabric"
|Authentication method|Azure Blob Storage / Data Lake Storage Gen2|Data Lake Storage Gen1|
|--|--|--|
|[Impersonation](../api/connection-strings/storage-connection-strings.md#impersonation)|Storage Blob Data Reader|Reader|
|[Shared Access (SAS) token](../api/connection-strings/storage-connection-strings.md#shared-access-sas-token)|List + Read|This authentication method isn't supported in Gen1.|
|[Microsoft Entra access token](../api/connection-strings/storage-connection-strings.md#microsoft-entra-access-token)||
|[Storage account access key](../api/connection-strings/storage-connection-strings.md#storage-account-access-key)||This authentication method isn't supported in Gen1.|
::: moniker-end

## Syntax
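
Review bot: Both copies of the table carry the Microsoft Entra access token row as `|[Microsoft Entra access token](...)||`, which has one cell fewer than the three-column header, and the Gen2 cell for Storage account access key is empty as well. Since the rows are being duplicated here anyway, fill them in; the export table in this same change uses "No extra permissions required" for both methods, if the same holds for this plugin. The new Managed Identity row should also point to the `ExternalDataRequest` usage in the managed identity policy, since that usage is described there as covering the infer storage schema plugin.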
