Continuously failing to add a cross-tenant AAD group in Kusto principalAssignments

Rachel Weber 65 Reputation points Microsoft Employee
2026-04-21T18:08:00.7966667+00:00

I'm trying to do a Bicep deployment of a Kusto cluster with an AAD group in a different tenant in principalAssignments. I was assuming that was allowed because the principalAssignments object takes a tenant ID as an argument. For what it's worth, the tenant is in "trustedExternalTenants".

However, I continuously get "[NotFound] Failed to run add principal assignment action for service <service>. AAD principal was not found."

Is this a supported scenario?

Azure Data Explorer
Answer accepted by question author

  1. Manoj Kumar Boyini 13,930 Reputation points Microsoft External Staff Moderator
    2026-04-21T18:57:01.0133333+00:00

    Hi @Rachel Weber

    While principalAssignments allows specifying a tenantId and the tenant can be added under trustedExternalTenants, this does not guarantee that cross-tenant Azure AD groups are supported.

    The error you’re seeing, AAD principal was not found, indicates that ADX is unable to resolve the provided principal during the assignment. For Azure Data Explorer, you should use the Object ID from the home tenant (where the group is originally created). However, even with the correct Object ID and a trusted tenant configuration, external Azure AD groups are not always resolvable across tenants, which is the key limitation in this scenario.

    In contrast, user principals behave differently. External users can often be made resolvable (for example, by inviting them as B2B guests into the resource tenant), which helps ADX validate the identity. You can refer to this document for adding guest users:
    https://docs.azure.cn/en-us/entra/external-id/b2b-quickstart-add-guest-users-portal

    Because groups cannot be materialized in the same way as users, assigning a cross-tenant AAD group directly in principalAssignments is not a reliably supported scenario today.

    As a practical approach, you can use a group within the same tenant as the ADX cluster or assign individual users from the external tenant.

    Please let us know if you have any questions or concerns.

2 additional answers

  1. Rachel Weber 65 Reputation points Microsoft Employee
    2026-04-21T18:09:29.1733333+00:00

    Is there a document that states that limitation?

  2. Q&A Assist
    2026-04-21T18:08:08.3333333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    This scenario is not supported.

    For Microsoft.Kusto/clusters/principalAssignments, the principalId must be resolvable as an AAD principal in the same tenant as the Kusto cluster. While the schema allows specifying a tenantId property and accepts values like user email, application ID, or security group name, the platform still validates the principal in the home tenant of the Kusto resource. Cross-tenant AAD groups cannot be added directly as cluster principal assignments, even if the external tenant is listed in trustedExternalTenants.

    The error "[NotFound] ... AAD principal was not found" is consistent with this limitation.

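The following is an added example, not code from the question or from either answer: the same-tenant workaround the accepted answer recommends, written in the Bicep form the question describes, next to the cross-tenant form that fails. The tenant ID, group object ID, SKU and resource names are placeholders/assumptions.

```bicep
// Added example (not from the original page). Placeholder values throughout.
param location string = resourceGroup().location
param clusterName string
// Object ID of a security group that lives in the SAME tenant as the cluster
// (placeholder; supply your own).
param groupObjectId string
// External tenant whose users may authenticate (placeholder GUID).
param externalTenantId string = '00000000-0000-0000-0000-000000000000'

resource cluster 'Microsoft.Kusto/clusters@2023-08-15' = {
  name: clusterName
  location: location
  sku: {
    name: 'Dev(No SLA)_Standard_D11_v2'
    tier: 'Basic'
    capacity: 1
  }
  properties: {
    // trustedExternalTenants lets principals from another tenant authenticate,
    // but it does not make an external GROUP resolvable for principalAssignments.
    trustedExternalTenants: [
      { value: externalTenantId }
    ]
  }
}

// Works: the group is resolved in the cluster's own (home) tenant.
resource sameTenantGroupViewer 'Microsoft.Kusto/clusters/principalAssignments@2023-08-15' = {
  parent: cluster
  name: 'same-tenant-group-viewer'
  properties: {
    principalId: groupObjectId
    principalType: 'Group'
    role: 'AllDatabasesViewer'
    tenantId: tenant().tenantId
  }
}

// Fails with "[NotFound] ... AAD principal was not found" even though
// externalTenantId is listed in trustedExternalTenants (kept for contrast only).
// resource crossTenantGroupViewer 'Microsoft.Kusto/clusters/principalAssignments@2023-08-15' = {
//   parent: cluster
//   name: 'cross-tenant-group-viewer'
//   properties: {
//     principalId: '<object id of a group in the external tenant>'
//     principalType: 'Group'
//     role: 'AllDatabasesViewer'
//     tenantId: externalTenantId
//   }
// }
```

Before deploying, confirm the group's object ID resolves in the cluster's home tenant (for example with `az ad group show --group <objectId>` while logged in to that tenant), since the deployment error only surfaces after the cluster has been created.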
