diff --git a/data-explorer/azure-data-explorer-dashboard-share.md b/data-explorer/azure-data-explorer-dashboard-share.md new file mode 100644 index 0000000000..fa9057967e --- /dev/null +++ b/data-explorer/azure-data-explorer-dashboard-share.md 
@@ -0,0 +1,116 @@ +--- +title: Share Azure Data Explorer dashboards +description: Learn how to share Azure Data Explorer dashboards +ms.reviewer: gabil +ms.topic: how-to +ms.date: 01/14/2025 +--- +# Share dashboards + +A dashboard is a collection of tiles, optionally organized in pages, where each tile has an underlying query and a visual representation. For more information on creating dashboards, see [Visualize data with Azure Data Explorer dashboards](azure-data-explorer-dashboards.md). + +In this document, you'll learn how to grant permissions and manage permissions to share a dashboard with other users. + +> [!IMPORTANT] +> To access the dashboard, a dashboard viewer needs the following: +> +> * Dashboard link for access +> * Dashboard permissions +> * Access to the underlying database in the Azure Data Explorer cluster + +In general, dashboards are shared in two steps: Grant permissions, and share the dashboard link. When granting permissions to a user in a different tenant, the user must additionally accept the invitation to access the dashboard. + +## Manage permissions + +1. Browse to your [Azure Data Explorer dashboards](azure-data-explorer-dashboards.md) and toggle mode from **Viewing** to **Editing**. +1. Select the **Share** menu item in the top bar of the dashboard. +1. Select **Manage permissions** from the drop-down. + + :::image type="content" source="media/adx-dashboards/share-dashboard.png" alt-text="Screenshot of the share dashboard drop-down."::: + +## Grant permissions + +Permissions can be granted to users [within your tenant](#grant-permissions-to-users-within-your-tenant) or to [users in a different tenant](#grant-permissions-to-users-in-a-different-tenant). + +### Grant permissions to users within your tenant + +In the **Dashboard permissions** pane: + +1. Enter the Microsoft Entra user or Microsoft Entra group in **Add new members**. +1. In the **Permission** level, select one of the following values: **Can view** or **Can edit**. +1. 
Select **Add**. + +:::image type="content" source="media/dashboard-explore-data/dashboard-permissions.png" alt-text="Manage dashboard permissions."::: + +### Grant permissions to users in a different tenant + +> [!IMPORTANT] +> Cross-tenant sharing is disabled by default. To enable cross-tenant sharing, a tenant admin must enable it in the Azure Data Explorer WebUI [settings](web-customize-settings.md#enable-cross-tenant-dashboard-sharing). +> +> If a tenant admin enables cross-tenant sharing and later disables cross-tenant sharing, all dashboards shared while the feature was active will remain accessible. + +In the **Dashboard permissions** pane: + +1. Select the **Share** menu item in the top bar of the dashboard. +1. Under **Share with external user**, enter the user's email address. + + > [!NOTE] + > * You can share with individual Microsoft Entra ID users, security groups, or Microsoft accounts (MSA). + > * You can't share with distribution groups. + +1. Choose if you want to allow the user to edit the dashboard. If so, check the **Allow edit permission** box. + + > [!NOTE] + > An invitee with edit permissions can share the dashboard with users from their own tenant, or use this invitation flow to to invite users from other tenants. + +1. Select **Create invitation**. + + :::image type="content" source="media/dashboard-explore-data/share-external-user.png" alt-text="Screenshot of sharing an Azure Data Explorer dashboard to an external tenant."::: + +1. Send the invitation link to the user. The user must [accept the invitation](#accept-an-invitation) to access the dashboard. + +> [!IMPORTANT] +> * Once an invitation is sent, it can't be revoked. You can wait until the invitation expires, or you can revoke access once the invitee has accepted the invitation. +> * The lifetime of an invitation is three days. After that, the invitation expires and a user who didn't accept the invitation can't access the dashboard. 
+ +After sharing the dashboard, you can see who you've shared with in the **Dashboard permissions** pane. + +#### Accept an invitation + +When the user clicks on the invitation link, they see a page with the following information: + +* The dashboard name +* What to expect when they accept the invitation + +:::image type="content" source="media/dashboard-explore-data/invitation.png" alt-text="Screenshot of dashboard invitation. "::: + +The user can then accept the invitation and sign in to access the dashboard. + +> [!IMPORTANT] +> The user must accept the invitation while signed in to their home tenant. + +> [!NOTE] +> If you're accepting on behalf of a security group, you must be a member of the group to accept the invitation. Once the first member of the group accepts the invitation, all members of the group can use the [shared link](#share-the-dashboard-link) to access the dashboard. + +## Change a user permission level + +To change a user permission level in the **Dashboard permissions** pane: + +1. Either use the search box or scroll the user list to find the user. +1. Change the **Permission** level as needed. +1. To remove a user, select the trash icon next to the user. + +:::image type="content" source="media/adx-dashboards/dashboard-permissions.png" alt-text="Screenshot of dashboard permissions dialog"::: + +## Share the dashboard link + +To share the dashboard link, do one of the following: + +* Select **Share** and then select **Copy link**. +* In the **Dashboard permissions** window, select **Copy link**. + +## Related content + +* [Explore data in dashboard tiles](dashboard-explore-data.md) +* [Visualize data with Azure Data Explorer dashboards](azure-data-explorer-dashboards.md) +* [Quickstart: Visualize sample data dashboards](web-ui-samples-dashboards.md) \ No newline at end of file diff --git a/data-explorer/azure-data-explorer-dashboards.md b/data-explorer/azure-data-explorer-dashboards.md index f3fdaa09a2..dfaffaff94 100644 
--- a/data-explorer/azure-data-explorer-dashboards.md +++ b/data-explorer/azure-data-explorer-dashboards.md @@ -3,7 +3,7 @@ title: Visualize data with the Azure Data Explorer dashboard description: Learn how to visualize data with the Azure Data Explorer dashboard ms.reviewer: gabil ms.topic: how-to -ms.date: 03/03/2024 +ms.date: 01/14/2025 --- # Visualize data with Azure Data Explorer dashboards 
@@ -140,48 +140,6 @@ You can view the query in either editing or viewing mode. Editing the underlying > [!NOTE] > Any edits made to the query using this flow won't be reflected in the original dashboard. -## Share dashboards - -Use the share menu to [grant permissions](#grant-permissions) for a Microsoft Entra user or Microsoft Entra group to access the dashboard, [change a user's permission level](#change-a-user-permission-level), and [share the dashboard link](#share-the-dashboard-link). - -> [!IMPORTANT] -> To access the dashboard, a dashboard viewer needs the following: -> -> * Dashboard link for access -> * Dashboard permissions -> * Access to the underlying database in the Azure Data Explorer cluster - -### Manage permissions - -1. Select the **Share** menu item in the top bar of the dashboard. -1. Select **Manage permissions** from the drop-down. - - :::image type="content" source="media/adx-dashboards/share-dashboard.png" alt-text="Share dashboard drop-down."::: - -### Grant permissions - -To grant permissions to a user in the **Dashboard permissions** pane: - -1. Enter the Microsoft Entra user or Microsoft Entra group in **Add new members**. -1. In the **Permission** level, select one of the following values: **Can view** or **Can edit**. -1. Select **Add**. - -:::image type="content" source="media/adx-dashboards/dashboard-permissions.png" alt-text="Manage dashboard permissions."::: - -### Change a user permission level - -To change a user permission level in the **Dashboard permissions** pane: - -1. Either use the search box or scroll the user list to find the user. -1. Change the **Permission** level as needed. - -### Share the dashboard link - -To share the dashboard link, do one of the following: - -* Select **Share** and then select **Copy link** -* In the **Dashboard permissions** window, select **Copy link**. - ## Export dashboards Use the file menu to export a dashboard to a JSON file. Exporting dashboard can be useful in the following scenarios: 
@@ -301,3 +259,4 @@ However, database editors might want to limit the minimum refresh rate that any * [Use parameters in Azure Data Explorer dashboards](dashboard-parameters.md) * [Customize Azure Data Explorer dashboard visuals](dashboard-customize-visuals.md) * [Explore data in dashboard tiles (preview)](dashboard-explore-data.md) +* [Share dashboards](azure-data-explorer-dashboard-share.md) \ No newline at end of file diff --git a/data-explorer/ingest-data-cosmos-db-connection.md b/data-explorer/ingest-data-cosmos-db-connection.md index 6c1d46517b..4ddd32c9d2 100644 --- a/data-explorer/ingest-data-cosmos-db-connection.md +++ b/data-explorer/ingest-data-cosmos-db-connection.md @@ -3,7 +3,7 @@ title: Ingest data from Azure Cosmos DB into Azure Data Explorer description: Learn how to ingest (load) data into Azure Data Explorer from Cosmos DB. ms.reviewer: vplauzon ms.topic: how-to -ms.date: 06/15/2023 +ms.date: 01/07/2025 --- # Ingest data from Azure Cosmos DB into Azure Data Explorer @@ -12,6 +12,11 @@ Azure Data Explorer supports [data ingestion](ingest-data-overview.md) from [Azu Each data connection listens to a specific Cosmos DB container and ingests data into a specified table (more than one connection can ingest in a single table). The ingestion method supports streaming ingestion (when enabled) and queued ingestion. +The two main scenarios for using the Cosmos DB change feed data connection are: + +* Replicating a Cosmos DB container for analytical purposes. For more information, see [Get latest versions of Azure Cosmos DB documents](ingest-data-cosmos-db-queries.md). +* Analyzing the document changes in a Cosmos DB container. For more information, see [Considerations](#considerations). + In this article, you'll learn how to set up a Cosmos DB change feed data connection to ingest data into Azure Data Explorer with System Managed Identity. Review the [considerations](#considerations) before you start. Use the following steps to set up a connector: 
@@ -381,7 +386,7 @@ The following considerations apply to the Cosmos DB change feed: - Deleting and recreating a Cosmos DB container isn't supported - Azure Data Explorer keeps track of the change feed by checkpointing the "position" it is at in the feed. This is done using continuation token on each physical partitions of the container. When a container is deleted/recreated, those continuation token are invalid and aren't reset: you must delete and recreate the data connection. + Azure Data Explorer keeps track of the change feed by checkpointing the "position" it is at in the feed. This is done using continuation token on each physical partitions of the container. When a container is deleted/recreated, the continuation token is invalid and isn't reset. In this case, you must delete and recreate the data connection. ## Estimate cost diff --git a/data-explorer/media/adx-dashboards/dashboard-permissions.png b/data-explorer/media/adx-dashboards/dashboard-permissions.png index f332bf7a9f..35f54e3c89 100644 Binary files a/data-explorer/media/adx-dashboards/dashboard-permissions.png and b/data-explorer/media/adx-dashboards/dashboard-permissions.png differ diff --git a/data-explorer/media/dashboard-explore-data/dashboard-permissions.png b/data-explorer/media/dashboard-explore-data/dashboard-permissions.png new file mode 100644 index 0000000000..1d37d68c61 Binary files /dev/null and b/data-explorer/media/dashboard-explore-data/dashboard-permissions.png differ diff --git a/data-explorer/media/dashboard-explore-data/invitation.png b/data-explorer/media/dashboard-explore-data/invitation.png new file mode 100644 index 0000000000..5be30aad9f Binary files /dev/null and b/data-explorer/media/dashboard-explore-data/invitation.png differ 
diff --git a/data-explorer/media/dashboard-explore-data/share-external-user.png b/data-explorer/media/dashboard-explore-data/share-external-user.png new file mode 100644 index 0000000000..9e905cb608 Binary files /dev/null and b/data-explorer/media/dashboard-explore-data/share-external-user.png differ diff --git a/data-explorer/media/security-network-restrict-access/networking-public-access-selectedIpAddresses-configured.png b/data-explorer/media/security-network-restrict-access/networking-public-access-selectedIpAddresses-configured.png new file mode 100644 index 0000000000..11fbe6e061 Binary files /dev/null and b/data-explorer/media/security-network-restrict-access/networking-public-access-selectedIpAddresses-configured.png differ diff --git a/data-explorer/media/security-network-restrict-access/networking-public-access-selectedIpAddresses.png b/data-explorer/media/security-network-restrict-access/networking-public-access-selectedIpAddresses.png new file mode 100644 index 0000000000..7620402865 Binary files /dev/null and b/data-explorer/media/security-network-restrict-access/networking-public-access-selectedIpAddresses.png differ diff --git a/data-explorer/media/web-customize-settings/dashboard-sharing.png b/data-explorer/media/web-customize-settings/dashboard-sharing.png new file mode 100644 index 0000000000..b8f0b397b7 Binary files /dev/null and b/data-explorer/media/web-customize-settings/dashboard-sharing.png differ diff --git a/data-explorer/security-network-restrict-public-access.md b/data-explorer/security-network-restrict-public-access.md index 199f7f455f..06f5eb7bce 100644 --- a/data-explorer/security-network-restrict-public-access.md +++ b/data-explorer/security-network-restrict-public-access.md 
@@ -16,20 +16,107 @@ To allow, limit, or prevent public access to your cluster, follow these steps: 1. In the [Azure portal](https://ms.portal.azure.com/), go to your cluster. -1. From the left-hand menu, under **Security + Networking**, select **Networking**. If you select the *Enabled from selected IP addresses* option, you must the specify the IP address or CIDR using the IPv4 address format. +1. From the left-hand menu, under **Security + Networking**, select **Networking**. If you select the *Enabled from selected IP addresses* option, you must specify the IP address or CIDR using the IPv4 address format. :::image type="content" source="media/security-network-restrict-access/networking-public-access.png" alt-text="Screenshot of the networking public access page." lightbox="media/security-network-restrict-access/networking-public-access.png"::: 1. Within the **Public network access** area, select one of the following three options: - + * **Enabled from all networks**: This option allows access from public networks. - * **Enabled from selected IP addresses**: This option allows you to define a firewall allowlist of IP addresses that can connect to the public endpoint your cluster. + * **Enabled from selected IP addresses**: This option allows you to define a firewall allowlist of IP addresses, Classless Inter-Domain Routing (CIDR) notation, or [service tags](/azure/virtual-network/service-tags-overview) that can connect to the public endpoint of your cluster. In CIDR notation, the IP address is followed by a slash and a number that represents the subnet mask. For more information, see [Specify selected IP addresses](#specify-selected-ip-addresses). * **Disabled**: This option prevents access to the cluster from public networks and instead requires connection through a private endpoint. 1. Select **Save**. 
+### Specify selected IP addresses + +The **Enabled from selected IP addresses** option provides flexibility in managing network access to your cluster by offering multiple ways to define the IP addresses that can connect. You can specify individual IP addresses, use CIDR notation to define a range of IP addresses, or utilize [service tags](/azure/virtual-network/service-tags-overview), which represent a group of IP address prefixes from specific Azure services. The following [examples](#examples) show how each can be specified. + +#### Examples + +The following examples show how to specify IP addresses, CIDR notations, and service tags. + +##### Individual IP addresses + +The following example specifies a single IP address in the format `xxx.xxx.xxx.xxx`. + +```plaintext +192.168.1.10 +``` + +##### CIDR notation + +The following example specifies a range of IP addresses from `192.168.1.0` to `192.168.1.255` using CIDR notation. The `/24` indicates that the first 24 bits, or three octets, represent the network part of the address, while the last eight bits are used for the host addresses within the network from `0` to `255`. + +```plaintext +192.168.1.0/24 +``` + +##### Service tags + +The following example uses a service tag to allow access to the Azure Storage IP address range from the Azure Data Center in the West US region. + +```plaintext +Storage.WestUS +``` + +For a full list of service tags, see [Available service tags](/azure/virtual-network/service-tags-overview#available-service-tags). + +#### Configure selected IP addresses + +You can configure the selected IP addresses either through the Azure portal or by modifying the ARM template. Choose the method that best aligns with your workflow, requirements, and network access management needs. + +#### [Azure portal](#tab/portal) + +> [!CAUTION] +> To configure [service tags](/azure/virtual-network/service-tags-overview#available-service-tags) use the **ARM template**. + +1. 
Go to your cluster in the [Azure portal](https://portal.azure.com/). +1. Under **Security + networking** > **Networking** > **Public access**, select **Enabled from selected IP addresses**. + + :::image type="content" source="media/security-network-restrict-access/networking-public-access-selectedIpAddresses.png" lightbox="media/security-network-restrict-access/networking-public-access-selectedIpAddresses.png" alt-text="Screenshot of the network configuration page, showing the enabled from selected IP addresses option without any address range configured."::: + +1. Configure the IP addresses or CIDR ranges that you want to allow to connect to the cluster. + + :::image type="content" source="media/security-network-restrict-access/networking-public-access-selectedIpAddresses-configured.png" lightbox="media/security-network-restrict-access/networking-public-access-selectedIpAddresses-configured.png" alt-text="Screenshot of the network configuration page, showing the selected IP addresses specified for Enabled from selected IP addresses. They are specified as individual IP address and in CIDR notation."::: + +1. Select **Save** to submit the configuration. + +#### [ARM template](#tab/arm) + +1. Locate the [**allowedIpRangeList** cluster property](/azure/templates/microsoft.kusto/clusters?pivots=deployment-language-arm-template#clusterproperties-1) in your cluster's ARM template. + + ```json + "properties": { + ... + "publicNetworkAccess": "Enabled", + "allowedIpRangeList": [], + ... + } + ``` + +1. Add IP addresses, CIDRs, or service tags to the `allowedIpRangeList` property. + + ```json + "properties": { + ... + "publicNetworkAccess": "Enabled", + "allowedIpRangeList": [ + "192.168.1.10", + "192.168.2.0/24", + "PowerBI", + "LogicApps" + ], + ... + } + ``` + +1. [**Deploy**](/azure/azure-resource-manager/templates/deployment-tutorial-local-template?tabs=azure-powershell) the ARM template. 
+ +--- + ## Related content * [Troubleshooting Private Endpoints in Azure Data Explorer](security-network-private-endpoint-troubleshoot.md) diff --git a/data-explorer/toc.yml b/data-explorer/toc.yml index da5f50840c..e1b47533f7 100644 --- a/data-explorer/toc.yml +++ b/data-explorer/toc.yml @@ -401,6 +401,8 @@ items: href: dashboard-visuals.md - name: Visualize sample data dashboards href: web-ui-samples-dashboards.md + - name: Share dashboards + href: azure-data-explorer-dashboard-share.md - name: Power BI items: - name: Use data in Power BI diff --git a/data-explorer/web-customize-settings.md b/data-explorer/web-customize-settings.md index 0264fe4173..541371566a 100644 --- a/data-explorer/web-customize-settings.md +++ b/data-explorer/web-customize-settings.md @@ -2,7 +2,7 @@ title: 'Customize settings in the Azure Data Explorer web UI' description: In this guide, you'll learn how to customize your settings in the Azure Data Explorer web UI. ms.topic: how-to -ms.date: 05/28/2023 +ms.date: 01/14/2025 --- # Customize settings in the Azure Data Explorer web UI 
@@ -106,6 +106,20 @@ For highlighted error levels, the column must be of [data type](/kusto/query/sca * information * verbose, verb, d +## Enable cross-tenant dashboard sharing + +To enable cross-tenant sharing, a tenant admin must enable it in the Azure Data Explorer WebUI settings. This setting allows you to share dashboards with users in a different tenant. + +For more information, see [Grant permissions to users in a different tenant](azure-data-explorer-dashboard-share.md#grant-permissions-to-users-in-a-different-tenant). + +Under **Settings** > **Share Dashboards Across Tenants**, toggle to **On**. + +:::image type="content" source="media/web-customize-settings/dashboard-sharing.png" alt-text="Screenshot of enabling dashboard sharing in settings."::: + +> [!IMPORTANT] +> If a tenant admin enables cross-tenant sharing and later disables cross-tenant sharing, all dashboards shared while the feature was active will remain accessible. + + ## Related content * [Query data in the web UI](web-ui-query-overview.md) diff --git a/data-explorer/web-share-queries.md b/data-explorer/web-share-queries.md index 28469c23e4..bb172b1f3e 100644 --- a/data-explorer/web-share-queries.md +++ b/data-explorer/web-share-queries.md @@ -1,8 +1,8 @@ --- title: 'Share queries from Azure Data Explorer web UI' -description: In this guide, you'll learn how to share queries from the Azure Data Explorer web UI. +description: This guide teaches you how to share queries from the Azure Data Explorer web UI. ms.topic: how-to -ms.date: 05/17/2023 +ms.date: 01/14/2025 --- # Share queries from Azure Data Explorer web UI 
@@ -24,8 +24,8 @@ The following table outlines the many options for how to share a query. |--|--| |[Pin to dashboard](#pin-to-dashboard)|Display the query in an [Azure Data Explorer dashboard](azure-data-explorer-dashboards.md).| |[Link to clipboard](#link-to-clipboard)|Copy a link that can be used to run the query.| -|[Link, query to clipboard](#link-query-to-clipboard)|Copy a link that can be used to run the query and the text of the query.| -|[Link, query, results to clipboard](#link-query-results-to-clipboard)|Copy a link that can be used to run the query, the text of the query, and the results of the query.| +|[Link, query to clipboard](#link-query-to-clipboard)|Copy a link that can be used to run the query and the text of the query. For enhanced security, the shared query opens in Azure Data Explorer in **Protected mode**. | +|[Link, query, results to clipboard](#link-query-results-to-clipboard)|Copy a link that can be used to run the query, the text of the query, and the results of the query. For enhanced security, the shared query opens in Azure Data Explorer in protected mode. | |[Download](#download)|Download a KQL file of the query.| |[Open in Excel](#open-in-excel)|Open a live query in an Excel workbook that can be refreshed directly from Excel.| |[Export to CSV](#export-to-csv)|Download a CSV of the query results.| 
@@ -77,6 +77,9 @@ To copy a link to share with others and the text of the query, follow these step 1. Paste to share. The output lists the link followed by the query text. +> [!NOTE] +> The query link request is generated with `request_readonly_hardline` set to `true`, ensuring it operates in strict read-only mode for enhanced security in protected mode. The **Protected mode** banner displays above the query and an icon appears in the query tab when protected mode is enabled. For more information about this request property, see [Request properties](/azure/data-explorer/kusto/api/rest/request-properties). + ## Link, query, results to clipboard To copy a link to share with others, the text of the query, and the results of the query, follow these steps: @@ -89,6 +92,9 @@ To copy a link to share with others, the text of the query, and the results of t 1. Paste to share. The output lists the link, query text, and query results. +> [!NOTE] +> The query link request is generated with `request_readonly_hardline` set to `true`, ensuring it operates in strict read-only mode for enhanced security in protected mode. The **Protected mode** banner displays above the query and an icon appears in the query tab when protected mode is enabled. For more information about this request property, see [Request properties](/azure/data-explorer/kusto/api/rest/request-properties). + ## Download To download a KQL file of the query, follow these steps: 
@@ -109,10 +115,10 @@ To access live results of your query in an Excel workbook, follow these steps: :::image type="content" source="media/web-share-query/open-in-excel.png" alt-text="Screenshot of option to open in excel." lightbox="media/web-share-query/open-in-excel.png"::: -1. Open and share the downloaded Excel workbook, which is connected to Azure Data Explorer and can be refreshed. You can refresh your Excel workbook with new data from Azure Data Explorer, and all related Excel artifacts, like charts and pivot tables, will be updated based on the new data. +1. Open and share the downloaded Excel workbook, which is connected to Azure Data Explorer and can be refreshed. You can refresh your Excel workbook with new data from Azure Data Explorer, and all related Excel artifacts, like charts and pivot tables, is updated based on the new data. > [!NOTE] -> Depending on your Excel settings, you may need to enable editing and grant permission to access external data connections for the file to update. +> Depending on your Excel settings, you might need to enable editing and grant permission to access external data connections for the file to update. ## Export to CSV
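
Review bot: In azure-data-explorer-dashboard-share.md, under "Grant permissions to users in a different tenant", the consequences of **Allow edit permission** appear only in a NOTE after the checkbox step, and the statement that a sent invitation can't be revoked comes after the last step. Someone deciding whether to tick the box should read both first: an external editor can re-share within their own tenant and invite further tenants, and the invitation stays valid for three days. Suggest moving both callouts above the numbered steps and linking "revoke access" to #change-a-user-permission-level, where the trash icon step is described. The same NOTE has a doubled word ("invitation flow to to invite"), and the steps open with "In the **Dashboard permissions** pane:" while step 1 starts from the **Share** menu in the top bar.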
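
Review bot: In azure-data-explorer-dashboards.md, removing the "## Share dashboards" section also removes the anchors #share-dashboards, #manage-permissions, #grant-permissions, #change-a-user-permission-level and #share-the-dashboard-link from this file, and nothing in this patch redirects them. Suggest searching the repo for links to those fragments on azure-data-explorer-dashboards.md and repointing them to azure-data-explorer-dashboard-share.md, or leaving a one-line pointer under the old heading instead of relying only on the new "Related content" entry.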
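
Review bot: In ingest-data-cosmos-db-connection.md, the rewritten sentence in the "Deleting and recreating a Cosmos DB container isn't supported" item now says "the continuation token is invalid and isn't reset" in the singular, but the sentence before it says a token is kept on each physical partition, so there are several. Keep the plural ("those continuation tokens are invalid and aren't reset") and, since the paragraph is being touched anyway, fix the preceding sentence as well: "using continuation token on each physical partitions" should read "using a continuation token on each physical partition".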
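
Review bot: In security-network-restrict-public-access.md, every sample address in the new "Specify selected IP addresses" section (`192.168.1.10`, `192.168.1.0/24`, `192.168.2.0/24`) is in RFC 1918 private space, which is not routable on the public internet and so would not normally be the source address a public endpoint sees. A reader who copies the pattern with their own internal range ends up with an allowlist that matches none of their clients. Suggest the RFC 5737 documentation ranges (for example `203.0.113.10` and `198.51.100.0/24`) and a sentence saying the entries must be the public egress addresses of the clients. Two smaller points: the service tag examples (`Storage.WestUS`, `PowerBI`, `LogicApps`) admit every prefix in that service's range, which deserves a sentence next to the ARM example; and the portal tab uses `> [!CAUTION]` for what is a plain limitation (service tags need the ARM template), where `> [!NOTE]` fits better.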
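
Review bot: In web-customize-settings.md, the IMPORTANT callout in "Enable cross-tenant dashboard sharing" says dashboards shared while the setting was on stay accessible after it is turned off, but gives the admin nothing to act on. Since turning the toggle off does not remove existing access, add where that access is removed (the **Dashboard permissions** pane described in azure-data-explorer-dashboard-share.md#change-a-user-permission-level). Also, the only actual instruction ("Under **Settings** > **Share Dashboards Across Tenants**, toggle to **On**.") sits after the "For more information" link as a bare paragraph; make it a numbered step and put the cross-reference last. The text writes "WebUI" where the page title uses "web UI", and two blank lines are added before "## Related content".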
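
Review bot: In web-share-queries.md, the options table now says the shared query opens in protected mode for "Link, query to clipboard" and "Link, query, results to clipboard", but the unchanged "Link to clipboard" row above them says nothing, so a reader can't tell whether a bare link also opens in protected mode. State it for that row too, or say why it differs. The two new cells are also inconsistent with each other: one has "**Protected mode**", the other "protected mode", and both leave a trailing space before the closing `|`.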
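
Review bot: In web-share-queries.md, the NOTE added under "Link, query to clipboard" (and repeated verbatim under "Link, query, results to clipboard") explains protected mode only as "strict read-only mode for enhanced security", which tells neither the recipient what will fail to run nor the sender what risk it addresses. Add one sentence on what `request_readonly_hardline` set to `true` blocks and whether the recipient can leave protected mode. The link target `/azure/data-explorer/kusto/api/rest/request-properties` uses a different path style from the `/kusto/...` links elsewhere in this patch, so check that it resolves. Consider keeping the text in one section and linking to it from the other.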
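
Review bot: In web-share-queries.md, the reworded "Open in Excel" step breaks subject-verb agreement: "all related Excel artifacts, like charts and pivot tables, is updated based on the new data". The subject is "artifacts", so this should read "are updated based on the new data".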