IoT Central data export to Azure Data Explorer fails with insufficient permissions error

Our IoT Central application is failing to export device telemetry data to Azure Data Explorer. The export destination was working fine for two weeks, but suddenly started failing yesterday with “Insufficient permissions” errors.

The export configuration in IoT Central shows the destination as unhealthy with this error:


Export failed: Unable to ingest data to Azure Data Explorer
Error: Principal lacks required permissions
Cluster: iottelemetry.westus2.kusto.windows.net
Database: devicedata

We’re using managed identity for authentication between IoT Central and ADX. I’ve verified the managed identity exists in Azure AD and is enabled on the IoT Central application. The ADX database permissions look correct to me, but clearly something is wrong.

Has anyone encountered this before? What specific role assignments are needed for IoT Central’s managed identity to write to ADX?

The managed identity needs the “Ingestor” role at the ADX database level, not just cluster level. Go to your ADX cluster → Databases → devicedata → Permissions, and add the IoT Central managed identity with the Database Ingestor role. That’s the minimum permission needed for data ingestion.

Let me provide a comprehensive solution covering all three key areas:

1. Managed Identity Role Assignment (Complete Setup)

First, get your IoT Central application’s managed identity details:

  • Go to IoT Central app → Settings → Identity
  • Copy the Object (principal) ID and Application (client) ID
  • Verify status shows “System assigned: On”

In Azure Data Explorer, you need permissions at THREE levels:

Cluster Level:


.add cluster AllDatabasesMonitors ('aadapp=<CLIENT_ID>;<TENANT_ID>') 'IoT Central App'

Database Level:


.add database devicedata ingestors ('aadapp=<CLIENT_ID>;<TENANT_ID>') 'IoT Central Ingestor'

Table Level (Critical - Often Missed):


.add table DeviceTelemetry ingestors ('aadapp=<CLIENT_ID>;<TENANT_ID>') 'IoT Central Table Access'

Replace <CLIENT_ID> with your managed identity’s Application ID and <TENANT_ID> with your Azure AD tenant ID.

2. Azure Data Explorer Permissions (Verification)

Verify all permissions are correctly applied:


// Check database-level permissions
.show database devicedata principals

// Check table-level permissions
.show table DeviceTelemetry principals

// Verify ingestion mappings exist
.show table DeviceTelemetry ingestion mappings

If you see the managed identity listed but exports still fail, the issue is likely stale permission cache after your ADX cluster update. Force a permission refresh:


// Remove the principal
.drop database devicedata ingestors ('aadapp=<CLIENT_ID>;<TENANT_ID>')

// Wait 2 minutes for cache to clear

// Re-add with explicit permissions
.add database devicedata ingestors ('aadapp=<CLIENT_ID>;<TENANT_ID>') 'IoT Central - Refreshed'

3. IoT Central Export Configuration (Complete Checklist)

In IoT Central → Data export → Destinations:

  • Authentication: System-assigned managed identity (verify enabled)
  • Cluster URI: Must be full URI including region (e.g., https://iottelemetry.westus2.kusto.windows.net)
  • Database: Exact database name (case-sensitive: devicedata)
  • Table: Exact table name (case-sensitive: DeviceTelemetry)
  • Data format: JSON (recommended) or CSV
  • Ingestion mapping: Must match ADX mapping name exactly

Test the destination connection:

  1. Edit the export destination
  2. Click “Test connection” button
  3. Should show “Connection successful” if all permissions are correct

Common Issues After Cluster Updates:

ADX cluster updates (especially major version updates) can cause:

  • Permission cache invalidation (fixed by re-adding principals)
  • Ingestion mapping format changes (verify mapping compatibility)
  • TLS/SSL certificate rotation (usually auto-resolves within 24 hours)

Validation Steps:

After applying all fixes:

  1. Wait 5-10 minutes for permission propagation

  2. In IoT Central, disable and re-enable the data export

  3. Monitor export status for 15 minutes

  4. Check ADX table for new data:

     DeviceTelemetry
     | where ingestion_time() > ago(30m)
     | count

  5. Review IoT Central audit logs for any remaining permission errors

If issues persist after these steps, check ADX cluster diagnostic logs for detailed ingestion failure reasons. The logs often reveal specific permission or schema mismatch issues not visible in IoT Central’s export status.
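A small audit script, added here as an example and not part of this thread, that checks an exported `.show database devicedata principals` result for the managed identity's Database Ingestor role, flags any excess roles on that identity, and detects the same client ID registered under a different tenant (which ADX treats as a different principal). The CSV rows and all GUIDs are constructed placeholders, and the column names are assumed to match that command's output schema.

```python
import csv
import io

# Constructed sample of what `.show database devicedata principals` returns when
# exported as CSV from the ADX web UI. Column names are assumed to follow that
# command's output schema; every GUID here is a placeholder, not a real value.
SAMPLE_PRINCIPALS_CSV = """\
Role,PrincipalType,PrincipalDisplayName,PrincipalObjectId,PrincipalFQN,Notes
Database Admin,AAD User,alice@contoso.example,11111111-1111-1111-1111-111111111111,aaduser=alice@contoso.example;44444444-4444-4444-4444-444444444444,
Database Ingestor,AAD Application,IoT Central App,22222222-2222-2222-2222-222222222222,aadapp=33333333-3333-3333-3333-333333333333;44444444-4444-4444-4444-444444444444,IoT Central Ingestor
Database Admin,AAD Application,IoT Central App,22222222-2222-2222-2222-222222222222,aadapp=33333333-3333-3333-3333-333333333333;44444444-4444-4444-4444-444444444444,
"""

INGESTOR_ROLE = "Database Ingestor"


def principal_fqn(client_id: str, tenant_id: str) -> str:
    """Build the FQN ADX uses for an AAD application / managed identity."""
    return f"aadapp={client_id};{tenant_id}".lower()


def audit_ingestor(principals_csv: str, client_id: str, tenant_id: str) -> dict:
    """Audit one identity in an exported principals table.

    Reports whether it holds Database Ingestor, which other (excess) roles it
    holds beyond what ingestion needs, and any assignments of the same client
    ID under another tenant, which look fine in the portal but never match the
    token IoT Central presents.
    """
    expected = principal_fqn(client_id, tenant_id)
    app_prefix = f"aadapp={client_id};".lower()
    roles, other_tenants = set(), set()
    for row in csv.DictReader(io.StringIO(principals_csv)):
        fqn = row["PrincipalFQN"].strip().lower()
        if not fqn.startswith(app_prefix):
            continue  # a user, group, or some other application
        if fqn == expected:
            roles.add(row["Role"].strip())
        else:
            other_tenants.add(fqn.split(";", 1)[1])
    return {
        "has_ingestor": INGESTOR_ROLE in roles,
        "excess_roles": sorted(roles - {INGESTOR_ROLE}),
        "other_tenants": sorted(other_tenants),
    }


if __name__ == "__main__":
    print(audit_ingestor(SAMPLE_PRINCIPALS_CSV,
                         "33333333-3333-3333-3333-333333333333",
                         "44444444-4444-4444-4444-444444444444"))
```

On the sample the identity has the Ingestor role but also an unnecessary Database Admin assignment, which is the kind of over-grant worth removing once ingestion works again.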

Also verify your IoT Central export configuration has the correct ingestion mapping reference. The mapping name in IoT Central must exactly match the ingestion mapping name in ADX. Case sensitivity matters here. Check the export destination settings in IoT Central and compare with your ADX table’s ingestion mappings using .show table YourTableName ingestion mappings.

Check if your ADX database has row level security policies or restricted view access enabled. Even with Ingestor role, certain security policies can block ingestion. Also verify the table mapping in your IoT Central export configuration matches the actual table schema in ADX.

Another thing - did you recently update the ADX cluster? Sometimes cluster updates reset certain permission caches and you need to re-add the principals even though they appear in the portal.