Country and Region Information in current_principal_details
by info.odysseyx@gmail.com, October 21, 2024

Kusto has introduced a new feature that exposes a user's country, and their tenant's country and region, from Microsoft Entra ID through the current_principal_details() function. This addition gives finer granularity and control over data security and accessibility.

To understand how this information is made available, it helps to know the authentication (AuthN) and authorization (AuthZ) flow for queries in Kusto. It starts with a client application requesting access to the Kusto service. The client uses the Microsoft Authentication Library (MSAL) to obtain an access token from Microsoft Entra ID, which serves as proof of the client's identity. This access token is included in the request's authorization header. When a request is received, Kusto validates the access token to ensure it was issued by a trusted authority and is still valid. Next, Kusto checks the roles assigned to the authenticated principal to ensure it has the permissions needed to run the query. Once the security principal is authorized, the query is executed; otherwise, access is denied.

The current_principal_details() function extracts information from optional claims on the token to enrich the result for your identity. The newly added properties are:

Country – based on the optional claim "ctry" (a standard two-letter country/region code)
TenantCountry – based on the optional claim "tenant_ctry" (a standard two-letter country/region code configured by the tenant administrator)
TenantRegion – based on the optional claim "tenant_region_scope" (the standard two-letter region code of the resource tenant)

The following Kusto Query Language (KQL) statement prints the details for the Entra ID user Alice.
    print details=current_principal_details()

The result of the function provides detailed information about the authenticated user, Alice.

    {
      "Country": "DE",
      "TenantCountry": "US",
      "TenantRegion": "WW",
      "UserPrincipalName": "alice@contoso.com",
      "Type": "aaduser",
      "IdentityProvider": "https://sts.windows.net",
      "DisplayName": "Alice (upn: alice@contoso.com)",
      "Authority": "",
      "ObjectId": "",
      "Mfa": "True",
      "FQN": "aaduser=

(The remainder of the output is cut off in the source.)

The integration of location information now allows users to formulate more advanced row-level security (RLS) policies. These policies can control access to specific rows based on data carried in the Entra ID token. This is particularly useful for organizations that operate across multiple countries or regions, because it ensures that only authorized individuals in a specific location have access to sensitive data.

The ContosoSales table provides a simple, illustrative data set containing sales information broken down by country. The table has a Country column and a Product column, with the corresponding Quantity sold. For example, it shows that 10 units of espresso were sold in Germany (DE) and 5 units were sold in the United States (US). This data can be used to implement and test row-level security policies based on geographic location, ensuring that access to sales data is restricted to the specified country codes.

    Country   Product    Quantity
    DE        Espresso   10
    US        Espresso   5

The following function can be used as the predicate in a row-level security policy:

    .create-or-alter function RLSForContoso(TableName: string) {
        table(TableName)
        | where Country == current_principal_details()["Country"]
    }

A user whose Country property is set to "DE" in Entra ID will get the following result when querying the ContosoSales table:

    Country   Product    Quantity
    DE        Espresso   10

Please note that the information provided by Entra ID is based on static properties configured in the user profile.
Therefore, it does not necessarily represent the user's actual location at the time the query is executed. For example, a user whose Country property is set to "DE" may not actually be located in Germany when the query runs.

This new feature not only enhances data security but also improves compliance with local data protection regulations. Enterprises can use Microsoft Entra ID properties to enforce data governance policies more effectively and accurately. The introduction of country/region-based filtering in Kusto RLS policies highlights Microsoft's commitment to providing robust, secure, and versatile data management solutions. As organizations navigate the complexities of data privacy and security, this capability provides a critical tool for maintaining control over their data environment. Stay tuned for further updates and detailed guides on how to implement and make the most of this new feature!
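The following is an added, end-to-end example of the ContosoSales row-level security setup discussed above; it is not code from the original post. It assumes the table schema shown in the post (Country, Product, Quantity) and a database on which the caller holds the Database Admin role for the control commands. The function name RLSForContosoStrict and the inline rows are constructed for this illustration. Compared with the RLSForContoso predicate in the post, this version adds an explicit check for a missing country claim so that a principal whose token carries no "ctry" claim receives no rows, and it shows the step that actually attaches the predicate to the table as a policy.

```kql
// Added example (not from the original post). Schema follows the page;
// RLSForContosoStrict and the inline rows are constructed for illustration.
// Each control command (lines starting with '.') is run on its own.

// 1. Create the table and load the two illustrative rows from the page.
.create table ContosoSales (Country: string, Product: string, Quantity: long)

.ingest inline into table ContosoSales <|
DE,Espresso,10
US,Espresso,5

// 2. RLS predicate. It reads the caller's Country from the Entra ID token
//    (the optional "ctry" claim). It is explicitly fail-closed: a principal
//    whose token carries no "ctry" claim gets no rows, rather than relying
//    on how an empty value happens to compare against the Country column.
.create-or-alter function with (docstring = "Restrict rows to the caller's Entra ID country claim")
RLSForContosoStrict(TableName: string) {
    let callerCountry = tostring(current_principal_details()["Country"]);
    table(TableName)
    | where isnotempty(callerCountry) and Country == callerCountry
}

// 3. Attach the predicate to the table as its row-level security policy.
//    From this point on, every query against ContosoSales is evaluated
//    through the function.
.alter table ContosoSales policy row_level_security enable "RLSForContosoStrict('ContosoSales')"

// 4. Review the policy that is in force, then see which rows the caller gets.
.show table ContosoSales policy row_level_security

ContosoSales
| summarize Rows = count(), Units = sum(Quantity) by Country
// A principal whose token carries ctry = "DE" sees one row (DE, 10 units),
// one whose token carries ctry = "US" sees one row (US, 5 units), and a
// principal with no "ctry" claim sees no rows at all.
```

The isnotempty() guard is the part worth keeping when adapting this to a real table: "ctry" is an optional claim, so a token without it is a normal case, not an error, and the policy should decide explicitly what such a caller may see. Because the claim is a static profile property (as the post notes), the policy expresses which data a user is entitled to by their configured country, not where the query is physically coming from; a location-based control would need a different signal.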