Azure Data Explorer
An Azure data analytics service for real-time analysis on large volumes of data streaming from sources including applications, websites, and internet of things devices.
Is there a document that states that limitation?
Continuously failing to add a cross-tenant aad group in kusto principalAssignments
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(156.8, 87%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERW%3C/text%3E%3C/svg%3E)
Rachel Weber
25
Reputation points Microsoft Employee
I'm trying to do a bicep deployment of a kusto cluster with an aad group in a different tenant in principalAssignments. I was assuming that was allowed because the principalAssignments object takes a tenant id as argument. For what it's worth, the tenant is in "trustedExternalTenants"
However, I continuously get "[NotFound] Failed to run add principal assignment action for service <service>. AAD principal was not found."
Is this a supported scenario?
Azure Data Explorer
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(16, 2%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMK%3C/text%3E%3C/svg%3E)
Manoj Kumar Boyini 12,735 Reputation points Microsoft External Staff Moderator2026-04-21T18:57:01.0133333+00:00 This issue typically occurs when the Object ID used for the external Azure AD Group corresponds to the group’s home tenant.
For cross‑tenant principal assignments in Azure Data Explorer, the service resolves identities using the Object ID as it exists in the cluster’s tenant (resource tenant) directory.
To resolve this:
- Locate the external Azure AD Group in the cluster tenant’s Microsoft Entra ID (resource tenant), where it appears as a synced/B2B object.
- Use the Object ID from the cluster tenant directory in the
principalAssignmentsdeployment instead of the Object ID from the external (home) tenant.
Once the tenant‑local Object ID is used, the principal assignment should succeed. Hope this helps, Please let us know if you have any questions or concerns.
-
Manoj Kumar Boyini 12,735 Reputation points Microsoft External Staff Moderator
2026-04-22T22:34:21.0666667+00:00 I hope you had a chance to review the information shared earlier, and I hope this information has been helpful! If you still have questions, please let us know what is needed in the comments so the question can be answered.
Sign in to comment
2 answers
Sort by: Most helpful
-
Rachel Weber 25 Reputation points Microsoft Employee
2026-04-21T18:09:29.1733333+00:00 -
Q&A Assist2026-04-21T18:08:08.3333333+00:00 AI generated content. This question contains an answer created with AI from Q&A Assist. Learn moreThis scenario is not supported.
For
Microsoft.Kusto/clusters/principalAssignments, theprincipalIdmust be resolvable as an AAD principal in the same tenant as the Kusto cluster. While the schema allows specifying atenantIdproperty and accepts values like user email, application ID, or security group name, the platform still validates the principal in the home tenant of the Kusto resource. Cross-tenant AAD groups cannot be added directly as cluster principal assignments, even if the external tenant is listed intrustedExternalTenants.The error
[NotFound] ... AAD principal was not foundis consistent with this limitation.
References: