Parametrize linked service

Question

Parametrize linked service

Lina Lampel 0 Microsoft Employee

Our issue spans over multiple factories as we need a way to parametrize the authentication method for both using user managed (UMI) and systems managed identities (SMI) as well as using different credentials for the respective UMIs. The linked service we use is of type AzureDataExplorer.

Ideally we would like to have the following architecture:

factory_1 (connected to repo) using linkedService X with SMI_1
factory_2 (NOT connected to repo) using linkedService X with SMI_2
factory_3 (connected to repo) using linkedService X with UMI_1
factory_4 (connected to repo) using linkedService X with UMI_2
factory_5 (NOT connected to repo) using linkedService X with UMI_3

All of the above factories should be based on the same repository either with a direct connection to it or we deploy to them using templates but still using the same repository. Currently we have setup factories_1 and _2 using SMIs and they are working fine but we are having trouble setting up the remaining factories because we cannot manage to parametrize the authentication method of service X.

The question is whether such a setup is even possible in ADF and if so, how would we achieve this parametrization, i.e. what would the linked Service JSON look like? We would ideally like to achieve this set up using global parameters as we do not need to specify a different authentication method per pipeline but just per factory.

Manoj Kumar Boyini 1,660 Reputation points Microsoft External Staff Moderator

2025-12-12T13:56:16.01+00:00
Hi Lina Lampel,

Yes, what you are trying to achieve is possible, but not using global parameters. This is the same limitation you observed in your earlier thread:

Credential and identity settings in linked services are validated at design time, while global parameters are resolved only at runtime, so ADF cannot parameterize authentication directly in the linked service JSON

Supported way to parametrize authentication per factory
To use SMI or different UMIs across factory_1 … factory_5 while keeping the same shared repository, you must use:

ARM Template Customer Parameters + Environment Specific deployment overrides
This is the only Microsoft-supported pattern for:

using the same linkedService X JSON across factories

using SMI in some factories and UMI in others

using different UMIs per factory

keeping pipelines unchanged

The Linked Service JSON looks like
The linked service should reference a credential name, not the identity:

{ "name": "LinkedServiceX", "properties": { "type": "AzureDataExplorer", "typeProperties": { "clusterUri": "...", "database": "...", "credential": { "referenceName": "KustoAuthCredential", "type": "CredentialReference" } } } }

No identity or resourceId goes here.

Parameterization happens at ARM level, not inside ADF
Add this file to the repo root:

arm-template-parameters-definition.json

{ "Microsoft.DataFactory/factories/credentials": { "properties": { "typeProperties": { "resourceId": "=" } } } }

This allows each environment to override the UMI/SMI during deployment.

Deployment example
factory_1 (SMI_1) → no override
factory_2 (SMI_2) → no override
factory_3 (UMI_1) → override credential.resourceId to UMI_1
factory_4 (UMI_2) → override credential.resourceId to UMI_2
factory_5 (UMI_3) → override credential.resourceId to UMI_3

Example override:

-credential_KustoAuthCredential_properties_typeProperties_resourceId "/subscriptions/.../userAssignedIdentities/UMI_2"

Helpful References:
https://dori-uw-1.kuma-moon.com/en-us/azure/data-factory/continuous-integration-delivery-resource-manager-custom-parameters
https://dori-uw-1.kuma-moon.com/en-us/azure/data-factory/connector-azure-data-explorer
https://dori-uw-1.kuma-moon.com/en-us/azure/data-factory/data-factory-service-identity
https://dori-uw-1.kuma-moon.com/en-us/azure/data-factory/continuous-integration-delivery https://dori-uw-1.kuma-moon.com/en-us/azure/data-factory/credentials
https://dori-uw-1.kuma-moon.com/en-us/azure/data-factory/author-global-parameters

Hope this helps, Please let us know if you have any questions and concerns.
Lina Lampel 0 Reputation points Microsoft Employee

2025-12-12T16:17:02.14+00:00
Hello Manoj Kumar Boyini,

thank you very much for your detailed answer! One more question How can I overwrite the parameter for factory_3 (UMI_1) which is connected to the repository? I know how to overwrite global parameters in such cases (in the factory file) but how does it work for parameters specified in the credential directly? My understanding is that overwriting the parameter in the parameter file for this factory will not work as if the factory uses the repository directly it does not use the parameter files.

This is what my credential now looks like:

{ "name": "EngThriveKustoCredential", "properties": { "type": "ManagedIdentity", "typeProperties": { "resourceId": "@{parameters.EngThriveKustoCredentialResourceId}" } }, "parameters": { "EngThriveKustoCredentialResourceId": { "type": "String" } } }

Thank you in advance!

1 answer

Your answer

Lina Lampel 0 Reputation points Microsoft Employee

2025-12-12T16:17:02.14+00:00

Hello Manoj Kumar Boyini,

thank you very much for your detailed answer! One more question How can I overwrite the parameter for factory_3 (UMI_1) which is connected to the repository? I know how to overwrite global parameters in such cases (in the factory file) but how does it work for parameters specified in the credential directly? My understanding is that overwriting the parameter in the parameter file for this factory will not work as if the factory uses the repository directly it does not use the parameter files.

This is what my credential now looks like:

{ "name": "EngThriveKustoCredential", "properties": { "type": "ManagedIdentity", "typeProperties": { "resourceId": "@{parameters.EngThriveKustoCredentialResourceId}" } }, "parameters": { "EngThriveKustoCredentialResourceId": { "type": "String" } } }

Thank you in advance!

Answer 1

Yes, it is possible to set up parameterization for linked services in Azure Data Factory (ADF) to accommodate different authentication methods, including both user-managed identities (UMI) and system-managed identities (SMI). You can achieve this by defining parameters in your linked service JSON that specify the authentication method and the corresponding credentials.

Here’s a general approach to how you can structure your linked service JSON to support this setup:

Define Parameters: You will need to define parameters in your linked service that can accept values for the authentication method and the identity to use.

Linked Service JSON Example:

   {
     "name": "linkedServiceX",
     "type": "AzureSqlDatabase",
     "typeProperties": {
       "connectionString": "<your_connection_string>",
       "connectVia": {
         "referenceName": "<integration_runtime_name>",
         "type": "IntegrationRuntimeReference"
       },
       "authenticationType": "@{parameters.authenticationType}",
       "userAssignedManagedIdentityId": "@{parameters.userAssignedManagedIdentityId}",
       "systemAssignedManagedIdentity": "@{parameters.systemAssignedManagedIdentity}"
     },
     "parameters": {
       "authenticationType": {
         "type": "String"
       },
       "userAssignedManagedIdentityId": {
         "type": "String"
       },
       "systemAssignedManagedIdentity": {
         "type": "Boolean"
       }
     }
   }

In this example, authenticationType can be set to either SMI or UMI, and you can pass the respective identity ID based on the factory's requirements.

Deployment: When deploying your factories, you can pass different values for these parameters based on the factory's configuration, allowing you to use the same linked service definition across multiple factories while adapting to their specific authentication needs.

By following this approach, you can manage the authentication methods dynamically based on the factory's requirements, whether they are connected to a repository or not.

References:

Lina Lampel 0 Reputation points Microsoft Employee

2025-12-12T11:44:12.75+00:00

How would this loop for a linked service of type "AzureDataExplorer"?

Share via

Parametrize linked service

1 answer

Your answer