Skip to content

Commit

Permalink
Merging changes synced from https://github.com/MicrosoftDocs/dataexpl…
Browse files Browse the repository at this point in the history 
…orer-docs-pr (branch live)
  • Loading branch information
Learn Build Service GitHub App authored and Learn Build Service GitHub App committed Jan 15, 2025
2 parents e6806b2 + dc1e6f8 commit 97a4916
Show file tree
Hide file tree
Showing 14 changed files with 244 additions and 55 deletions.
116 changes: 116 additions & 0 deletions data-explorer/azure-data-explorer-dashboard-share.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,116 @@
---
title: Share Azure Data Explorer dashboards
description: Learn how to share Azure Data Explorer dashboards
ms.reviewer: gabil
ms.topic: how-to
ms.date: 01/14/2025
---
# Share dashboards

A dashboard is a collection of tiles, optionally organized in pages, where each tile has an underlying query and a visual representation. For more information on creating dashboards, see [Visualize data with Azure Data Explorer dashboards](azure-data-explorer-dashboards.md).

In this document, you'll learn how to grant permissions and manage permissions to share a dashboard with other users.

> [!IMPORTANT]
> To access the dashboard, a dashboard viewer needs the following:
>
> * Dashboard link for access
> * Dashboard permissions
> * Access to the underlying database in the Azure Data Explorer cluster
In general, dashboards are shared in two steps: Grant permissions, and share the dashboard link. When granting permissions to a user in a different tenant, the user must additionally accept the invitation to access the dashboard.

## Manage permissions

1. Browse to your [Azure Data Explorer dashboards](azure-data-explorer-dashboards.md) and toggle mode from **Viewing** to **Editing**.
1. Select the **Share** menu item in the top bar of the dashboard.
1. Select **Manage permissions** from the drop-down.

:::image type="content" source="media/adx-dashboards/share-dashboard.png" alt-text="Screenshot of the share dashboard drop-down.":::

## Grant permissions

Permissions can be granted to users [within your tenant](#grant-permissions-to-users-within-your-tenant) or to [users in a different tenant](#grant-permissions-to-users-in-a-different-tenant).

### Grant permissions to users within your tenant

In the **Dashboard permissions** pane:

1. Enter the Microsoft Entra user or Microsoft Entra group in **Add new members**.
1. In the **Permission** level, select one of the following values: **Can view** or **Can edit**.
1. Select **Add**.

:::image type="content" source="media/dashboard-explore-data/dashboard-permissions.png" alt-text="Manage dashboard permissions.":::

### Grant permissions to users in a different tenant

> [!IMPORTANT]
> Cross-tenant sharing is disabled by default. To enable cross-tenant sharing, a tenant admin must enable it in the Azure Data Explorer WebUI [settings](web-customize-settings.md#enable-cross-tenant-dashboard-sharing).
>
> If a tenant admin enables cross-tenant sharing and later disables cross-tenant sharing, all dashboards shared while the feature was active will remain accessible.
In the **Dashboard permissions** pane:

1. Select the **Share** menu item in the top bar of the dashboard.
1. Under **Share with external user**, enter the user's email address.

> [!NOTE]
> * You can share with individual Microsoft Entra ID users, security groups, or Microsoft accounts (MSA).
> * You can't share with distribution groups.
1. Choose if you want to allow the user to edit the dashboard. If so, check the **Allow edit permission** box.

> [!NOTE]
> An invitee with edit permissions can share the dashboard with users from their own tenant, or use this invitation flow to to invite users from other tenants.
1. Select **Create invitation**.

:::image type="content" source="media/dashboard-explore-data/share-external-user.png" alt-text="Screenshot of sharing an Azure Data Explorer dashboard to an external tenant.":::

1. Send the invitation link to the user. The user must [accept the invitation](#accept-an-invitation) to access the dashboard.

> [!IMPORTANT]
> * Once an invitation is sent, it can't be revoked. You can wait until the invitation expires, or you can revoke access once the invitee has accepted the invitation.
> * The lifetime of an invitation is three days. After that, the invitation expires and a user who didn't accept the invitation can't access the dashboard.
After sharing the dashboard, you can see who you've shared with in the **Dashboard permissions** pane.

#### Accept an invitation

When the user clicks on the invitation link, they see a page with the following information:

* The dashboard name
* What to expect when they accept the invitation

:::image type="content" source="media/dashboard-explore-data/invitation.png" alt-text="Screenshot of dashboard invitation. ":::

The user can then accept the invitation and sign in to access the dashboard.

> [!IMPORTANT]
> The user must accept the invitation while signed in to their home tenant.
> [!NOTE]
> If you're accepting on behalf of a security group, you must be a member of the group to accept the invitation. Once the first member of the group accepts the invitation, all members of the group can use the [shared link](#share-the-dashboard-link) to access the dashboard.
## Change a user permission level

To change a user permission level in the **Dashboard permissions** pane:

1. Either use the search box or scroll the user list to find the user.
1. Change the **Permission** level as needed.
1. To remove a user, select the trash icon next to the user.

:::image type="content" source="media/adx-dashboards/dashboard-permissions.png" alt-text="Screenshot of dashboard permissions dialog":::

## Share the dashboard link

To share the dashboard link, do one of the following:

* Select **Share** and then select **Copy link**.
* In the **Dashboard permissions** window, select **Copy link**.

## Related content

* [Explore data in dashboard tiles](dashboard-explore-data.md)
* [Visualize data with Azure Data Explorer dashboards](azure-data-explorer-dashboards.md)
* [Quickstart: Visualize sample data dashboards](web-ui-samples-dashboards.md)
45 changes: 2 additions & 43 deletions data-explorer/azure-data-explorer-dashboards.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ title: Visualize data with the Azure Data Explorer dashboard
description: Learn how to visualize data with the Azure Data Explorer dashboard
ms.reviewer: gabil
ms.topic: how-to
ms.date: 03/03/2024
ms.date: 01/14/2025
---

# Visualize data with Azure Data Explorer dashboards
Expand Down Expand Up @@ -140,48 +140,6 @@ You can view the query in either editing or viewing mode. Editing the underlying
> [!NOTE]
> Any edits made to the query using this flow won't be reflected in the original dashboard.
## Share dashboards

Use the share menu to [grant permissions](#grant-permissions) for a Microsoft Entra user or Microsoft Entra group to access the dashboard, [change a user's permission level](#change-a-user-permission-level), and [share the dashboard link](#share-the-dashboard-link).

> [!IMPORTANT]
> To access the dashboard, a dashboard viewer needs the following:
>
> * Dashboard link for access
> * Dashboard permissions
> * Access to the underlying database in the Azure Data Explorer cluster
### Manage permissions

1. Select the **Share** menu item in the top bar of the dashboard.
1. Select **Manage permissions** from the drop-down.

:::image type="content" source="media/adx-dashboards/share-dashboard.png" alt-text="Share dashboard drop-down.":::

### Grant permissions

To grant permissions to a user in the **Dashboard permissions** pane:

1. Enter the Microsoft Entra user or Microsoft Entra group in **Add new members**.
1. In the **Permission** level, select one of the following values: **Can view** or **Can edit**.
1. Select **Add**.

:::image type="content" source="media/adx-dashboards/dashboard-permissions.png" alt-text="Manage dashboard permissions.":::

### Change a user permission level

To change a user permission level in the **Dashboard permissions** pane:

1. Either use the search box or scroll the user list to find the user.
1. Change the **Permission** level as needed.

### Share the dashboard link

To share the dashboard link, do one of the following:

* Select **Share** and then select **Copy link**
* In the **Dashboard permissions** window, select **Copy link**.

## Export dashboards

Use the file menu to export a dashboard to a JSON file. Exporting dashboard can be useful in the following scenarios:
Expand Down Expand Up @@ -301,3 +259,4 @@ However, database editors might want to limit the minimum refresh rate that any
* [Use parameters in Azure Data Explorer dashboards](dashboard-parameters.md)
* [Customize Azure Data Explorer dashboard visuals](dashboard-customize-visuals.md)
* [Explore data in dashboard tiles (preview)](dashboard-explore-data.md)
* [Share dashboards](azure-data-explorer-dashboard-share.md)
9 changes: 7 additions & 2 deletions data-explorer/ingest-data-cosmos-db-connection.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ title: Ingest data from Azure Cosmos DB into Azure Data Explorer
description: Learn how to ingest (load) data into Azure Data Explorer from Cosmos DB.
ms.reviewer: vplauzon
ms.topic: how-to
ms.date: 06/15/2023
ms.date: 01/07/2025
---

# Ingest data from Azure Cosmos DB into Azure Data Explorer
Expand All @@ -12,6 +12,11 @@ Azure Data Explorer supports [data ingestion](ingest-data-overview.md) from [Azu

Each data connection listens to a specific Cosmos DB container and ingests data into a specified table (more than one connection can ingest in a single table). The ingestion method supports streaming ingestion (when enabled) and queued ingestion.

The two main scenarios for using the Cosmos DB change feed data connection are:

* Replicating a Cosmos DB container for analytical purposes. For more information, see [Get latest versions of Azure Cosmos DB documents](ingest-data-cosmos-db-queries.md).
* Analyzing the document changes in a Cosmos DB container. For more information, see [Considerations](#considerations).

In this article, you'll learn how to set up a Cosmos DB change feed data connection to ingest data into Azure Data Explorer with System Managed Identity. Review the [considerations](#considerations) before you start.

Use the following steps to set up a connector:
Expand Down Expand Up @@ -381,7 +386,7 @@ The following considerations apply to the Cosmos DB change feed:
- Deleting and recreating a Cosmos DB container isn't supported
Azure Data Explorer keeps track of the change feed by checkpointing the "position" it is at in the feed. This is done using continuation token on each physical partitions of the container. When a container is deleted/recreated, those continuation token are invalid and aren't reset: you must delete and recreate the data connection.
Azure Data Explorer keeps track of the change feed by checkpointing the "position" it is at in the feed. This is done using continuation token on each physical partitions of the container. When a container is deleted/recreated, the continuation token is invalid and isn't reset. In this case, you must delete and recreate the data connection.
## Estimate cost
Expand Down
Binary file modified data-explorer/media/adx-dashboards/dashboard-permissions.png
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added data-explorer/media/dashboard-explore-data/dashboard-permissions.png
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added data-explorer/media/dashboard-explore-data/invitation.png
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added data-explorer/media/dashboard-explore-data/share-external-user.png
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added ...ork-restrict-access/networking-public-access-selectedIpAddresses-configured.png
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added ...curity-network-restrict-access/networking-public-access-selectedIpAddresses.png
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added data-explorer/media/web-customize-settings/dashboard-sharing.png
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
93 changes: 90 additions & 3 deletions data-explorer/security-network-restrict-public-access.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -16,20 +16,107 @@ To allow, limit, or prevent public access to your cluster, follow these steps:

1. In the [Azure portal](https://ms.portal.azure.com/), go to your cluster.

1. From the left-hand menu, under **Security + Networking**, select **Networking**. If you select the *Enabled from selected IP addresses* option, you must the specify the IP address or CIDR using the IPv4 address format.
1. From the left-hand menu, under **Security + Networking**, select **Networking**. If you select the *Enabled from selected IP addresses* option, you must specify the IP address or CIDR using the IPv4 address format.

:::image type="content" source="media/security-network-restrict-access/networking-public-access.png" alt-text="Screenshot of the networking public access page." lightbox="media/security-network-restrict-access/networking-public-access.png":::

1. Within the **Public network access** area, select one of the following three options:

* **Enabled from all networks**: This option allows access from public networks.

* **Enabled from selected IP addresses**: This option allows you to define a firewall allowlist of IP addresses that can connect to the public endpoint your cluster.
* **Enabled from selected IP addresses**: This option allows you to define a firewall allowlist of IP addresses, Classless Inter-Domain Routing (CIDR) notation, or [service tags](/azure/virtual-network/service-tags-overview) that can connect to the public endpoint of your cluster. In CIDR notation, the IP address is followed by a slash and a number that represents the subnet mask. For more information, see [Specify selected IP addresses](#specify-selected-ip-addresses).

* **Disabled**: This option prevents access to the cluster from public networks and instead requires connection through a private endpoint.

1. Select **Save**.

### Specify selected IP addresses

The **Enabled from selected IP addresses** option provides flexibility in managing network access to your cluster by offering multiple ways to define the IP addresses that can connect. You can specify individual IP addresses, use CIDR notation to define a range of IP addresses, or utilize [service tags](/azure/virtual-network/service-tags-overview), which represent a group of IP address prefixes from specific Azure services. The following [examples](#examples) show how each can be specified.

#### Examples

The following examples show how to specify IP addresses, CIDR notations, and service tags.

##### Individual IP addresses

The following example specifies a single IP address in the format `xxx.xxx.xxx.xxx`.

```plaintext
192.168.1.10
```

##### CIDR notation

The following example specifies a range of IP addresses from `192.168.1.0` to `192.168.1.255` using CIDR notation. The `/24` indicates that the first 24 bits, or three octets, represent the network part of the address, while the last eight bits are used for the host addresses within the network from `0` to `255`.

```plaintext
192.168.1.0/24
```

##### Service tags

The following example uses a service tag to allow access to the Azure Storage IP address range from the Azure Data Center in the West US region.

```plaintext
Storage.WestUS
```

For a full list of service tags, see [Available service tags](/azure/virtual-network/service-tags-overview#available-service-tags).

#### Configure selected IP addresses

You can configure the selected IP addresses either through the Azure portal or by modifying the ARM template. Choose the method that best aligns with your workflow, requirements, and network access management needs.

#### [Azure portal](#tab/portal)

> [!CAUTION]
> To configure [service tags](/azure/virtual-network/service-tags-overview#available-service-tags) use the **ARM template**.
1. Go to your cluster in the [Azure portal](https://portal.azure.com/).
1. Under **Security + networking** > **Networking** > **Public access**, select **Enabled from selected IP addresses**.

:::image type="content" source="media/security-network-restrict-access/networking-public-access-selectedIpAddresses.png" lightbox="media/security-network-restrict-access/networking-public-access-selectedIpAddresses.png" alt-text="Screenshot of the network configuration page, showing the enabled from selected IP addresses option without any address range configured.":::

1. Configure the IP addresses or CIDR ranges that you want to allow to connect to the cluster.

:::image type="content" source="media/security-network-restrict-access/networking-public-access-selectedIpAddresses-configured.png" lightbox="media/security-network-restrict-access/networking-public-access-selectedIpAddresses-configured.png" alt-text="Screenshot of the network configuration page, showing the selected IP addresses specified for Enabled from selected IP addresses. They are specified as individual IP address and in CIDR notation.":::

1. Select **Save** to submit the configuration.

#### [ARM template](#tab/arm)

1. Locate the [**allowedIpRangeList** cluster property](/azure/templates/microsoft.kusto/clusters?pivots=deployment-language-arm-template#clusterproperties-1) in your cluster's ARM template.

```json
"properties": {
...
"publicNetworkAccess": "Enabled",
"allowedIpRangeList": [],
...
}
```

1. Add IP addresses, CIDRs, or service tags to the `allowedIpRangeList` property.

```json
"properties": {
...
"publicNetworkAccess": "Enabled",
"allowedIpRangeList": [
"192.168.1.10",
"192.168.2.0/24",
"PowerBI",
"LogicApps"
],
...
}
```

1. [**Deploy**](/azure/azure-resource-manager/templates/deployment-tutorial-local-template?tabs=azure-powershell) the ARM template.

---

## Related content

* [Troubleshooting Private Endpoints in Azure Data Explorer](security-network-private-endpoint-troubleshoot.md)
2 changes: 2 additions & 0 deletions data-explorer/toc.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -401,6 +401,8 @@ items:
href: dashboard-visuals.md
- name: Visualize sample data dashboards
href: web-ui-samples-dashboards.md
- name: Share dashboards
href: azure-data-explorer-dashboard-share.md
- name: Power BI
items:
- name: Use data in Power BI
Expand Down
16 changes: 15 additions & 1 deletion data-explorer/web-customize-settings.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
title: 'Customize settings in the Azure Data Explorer web UI'
description: In this guide, you'll learn how to customize your settings in the Azure Data Explorer web UI.
ms.topic: how-to
ms.date: 05/28/2023
ms.date: 01/14/2025
---

# Customize settings in the Azure Data Explorer web UI
Expand Down Expand Up @@ -106,6 +106,20 @@ For highlighted error levels, the column must be of [data type](/kusto/query/sca
* information
* verbose, verb, d

## Enable cross-tenant dashboard sharing

To enable cross-tenant sharing, a tenant admin must enable it in the Azure Data Explorer WebUI settings. This setting allows you to share dashboards with users in a different tenant.

For more information, see [Grant permissions to users in a different tenant](azure-data-explorer-dashboard-share.md#grant-permissions-to-users-in-a-different-tenant).

Under **Settings** > **Share Dashboards Across Tenants**, toggle to **On**.

:::image type="content" source="media/web-customize-settings/dashboard-sharing.png" alt-text="Screenshot of enabling dashboard sharing in settings.":::

> [!IMPORTANT]
> If a tenant admin enables cross-tenant sharing and later disables cross-tenant sharing, all dashboards shared while the feature was active will remain accessible.

## Related content

* [Query data in the web UI](web-ui-query-overview.md)
Expand Down
Loading

0 comments on commit 97a4916

Please sign in to comment.