Merge pull request #314409 from craigshoemaker/import/314079

[SRE Agent] Fix build errors in ADX cluster grouping article

Author: JillGrant615

articles/sre-agent/azure-monitor-alerts.md

@@ -0,0 +1,47 @@
+---
+title: 'Azure Monitor Alerts'
+description: 'Connect Azure Monitor to your agent with zero credentials so alerts are detected, acknowledged, and investigated automatically.'
+author: dchelupati
+ms.author: dchelupati
+ms.date: 04/01/2026
+ms.topic: how-to
+ms.service: azure-sre-agent
+ai-usage: ai-assisted
+---
+
+# Azure Monitor alerts
+
+Connect Azure Monitor through the agent's managed identity—no API keys or credentials needed. The scanner detects new alerts every minute, acknowledges them, and creates investigation threads automatically.
+
+> [!TIP]
+> - Zero-credential setup—uses the agent's managed identity
+> - Detects new alerts every minute and creates investigation threads
+> - Recurring alerts from the same rule merge into one thread
+
+## How it works
+
+Azure Monitor is the default incident platform for Azure SRE Agent. When your agent has Reader access to Azure subscriptions, it automatically detects Azure Monitor alerts and creates investigation threads.
+
+The alert scanner runs every minute and performs these actions:
+
+1. **Detects** new fired alerts across your monitored subscriptions
+2. **Acknowledges** each alert to prevent duplicate investigations
+3. **Creates** an investigation thread with the alert context
+4. **Merges** recurring alerts from the same alert rule into a single thread
+
+## Alert merging
+
+When the same alert rule fires multiple times, the agent merges these alerts into a single investigation thread instead of creating separate threads for each firing. This consolidates related signals and prevents alert fatigue.
+
+## Prerequisites
+
+- An Azure SRE Agent in **Running** state
+- Azure subscriptions added to the agent's monitored scope
+- The agent's managed identity needs **Reader** role on the monitored subscriptions
+- The agent's managed identity needs **Monitoring Contributor** role at subscription scope for alert management (assigned automatically during agent creation through the portal)
+
+## Related content
+
+- [Incident response](incident-response.md)
+- [Incident response plans](incident-response-plans.md)
+- [Diagnose with Azure observability](diagnose-azure-observability.md)

articles/sre-agent/diagnose-azure-observability.md

@@ -3,7 +3,7 @@ title: Diagnose with Azure Observability in Azure SRE Agent
 description: Learn how your agent queries Application Insights, Log Analytics, Azure Monitor metrics, Activity Logs, Resource Graph, and resource-specific diagnostics automatically without connectors.
 ms.topic: concept-article
 ms.service: azure-sre-agent
-ms.date: 03/18/2026
+ms.date: 04/01/2026
 author: craigshoemaker
 ms.author: cshoe
 ms.ai-usage: ai-assisted
@@ -90,6 +90,9 @@ Your agent discovers available metrics for any resource type, queries time-serie
 
 When your agent uses Azure Monitor as its incident platform, it also manages alerts directly by acknowledging and closing them during investigation.
 
+> [!NOTE]
+> Alert management requires the **Monitoring Contributor** role at subscription scope. Your agent receives this role automatically when created through the portal. If the role is missing, a banner appears with an **Assign Monitoring Contributor role** button that assigns the role directly.
+
 ### Resource graph and activity logs
 
 Your agent uses Resource Graph and Activity Logs to discover resources and correlate changes with incidents.

articles/sre-agent/kusto-cluster-grouping.md

@@ -0,0 +1,96 @@
+---
+title: Azure Data Explorer connector in Azure SRE Agent
+description: Connect your agent to Azure Data Explorer (Kusto) clusters to query logs and telemetry, with support for multiple clusters, per-cluster health checks, and identity-based grouping.
+ms.topic: feature-guide
+ms.service: azure-sre-agent
+ms.date: 03/23/2026
+author: craigshoemaker
+ms.author: cshoe
+ms.ai-usage: ai-assisted
+ms.custom: kusto, adx, azure-data-explorer, connector, clusters, managed-identity, multi-cluster, telemetry
+#customer intent: As an SRE, I want to connect my agent to Azure Data Explorer clusters so that it can query logs and telemetry for incident diagnosis and health checks.
+---
+
+# Azure Data Explorer connector in Azure SRE Agent
+
+> [!TIP]
+> - **Connect to ADX clusters** - Give your agent access to logs and telemetry stored in Azure Data Explorer.
+> - **Multiple clusters in one connector** - Group cluster URIs by managed identity instead of creating separate connectors.
+> - **Per-cluster health checks** - See which clusters are healthy and which need attention, individually.
+> - **Test before you save** - The wizard tests connectivity to each cluster before creating the connector.
+
+## Why connect to Azure Data Explorer?
+
+Azure Data Explorer (Kusto) is where teams store operational telemetry—application logs, infrastructure metrics, deployment traces, and service health signals. Connecting your agent to ADX lets it query this data directly when diagnosing incidents, running health checks, or generating reports.
+
+With the ADX connector, your agent can:
+
+- Query logs across multiple clusters and databases.
+- Correlate telemetry from different regions or services during an incident.
+- Run scheduled health checks against your telemetry data.
+- Power [Kusto tools](kusto-tools.md) with deterministic, parameterized queries.
+
+## What the connector enables
+
+Once you create an ADX connector, your agent automatically gains access to Kusto query tools—no additional setup required. These tools let the agent:
+
+| Tool | What it does |
+|------|--------------|
+| **Query** | Run KQL queries against any connected cluster and database |
+| **List databases** | Discover available databases on a cluster |
+| **List tables** | Show tables within a database |
+| **Table schema** | Inspect column names and types for a table |
+| **Sample data** | Preview rows from a table |
+
+This means the moment your connector tests successfully, you can ask your agent questions like:
+
+```text
+Show me error rates from the servicetelemetry database in the last 24 hours
+```
+
+The agent writes and executes KQL on your behalf, using the connector's managed identity for authentication.
+
+### Two ways to query
+
+| Approach | How it works | Best for |
+|----------|-------------|----------|
+| **Ad-hoc queries** | Agent generates KQL during chat based on your question | Investigations, exploration, one-off analysis |
+| **Kusto tools** | Pre-built, parameterized KQL templates you define once | Repeatable health checks, standardized reports |
+
+Ad-hoc queries work immediately with the connector. For Kusto tools, see [Kusto tools](kusto-tools.md) to create reusable query templates.
+
+## How the ADX connector works
+
+The ADX connector supports **multiple clusters in a single connector** through cluster groups. Each group shares a managed identity, so you don't need to create separate connectors for every cluster.
+
+### Cluster groups
+
+A cluster group is a collection of ADX cluster URIs that share the same managed identity. You can have multiple groups within one connector—each with its own identity—to handle clusters across different tenants or permission boundaries.
+
+For example, if your production clusters use one managed identity and your staging clusters use another, you create two groups within the same connector. The "(inherit)" option on each group uses the connector-level identity by default; override it per group when needed.
+
+### Per-cluster health checks
+
+The connector tests each cluster individually—both during setup and on an ongoing basis. If some clusters become unreachable after saving, the connector status calls out the failing clusters by name (for example, *"2 cluster(s) failed: cluster1, cluster2"*) so you know exactly which cluster needs attention.
+
+### Edit connectors
+
+You can add or remove cluster URIs from an existing connector without recreating it. The edit dialog opens directly to the cluster configuration—update URIs, adjust group identities, and re-test.
+
+## Example: connecting regional telemetry clusters
+
+Your team runs services across three Azure regions, each with its own ADX cluster:
+
+| Cluster | Database | Region |
+|---------|----------|--------|
+| `https://prod-westus.westus.kusto.windows.net/servicetelemetry` | servicetelemetry | West US |
+| `https://prod-eastus.eastus.kusto.windows.net/servicetelemetry` | servicetelemetry | East US |
+| `https://prod-westeu.westeurope.kusto.windows.net/servicetelemetry` | servicetelemetry | West Europe |
+
+With cluster grouping, you create one connector named `prod-telemetry`, select your managed identity, and add all three cluster URIs in a single group. After testing confirms all three clusters connect, your agent can query telemetry from any region through one connector.
+
+## Related content
+
+- [Kusto tools](kusto-tools.md)
+- [Connectors overview](connectors.md)
+- [Set up an Azure Data Explorer connector](kusto-connector.md)

articles/sre-agent/kusto-connector.md

@@ -1,17 +1,17 @@
 ---
 title: "Tutorial: Connect to Azure Data Explorer (ADX) in Azure SRE Agent"
-description: Connect your SRE agent to Azure Data Explorer (Kusto) clusters so it can run KQL queries against your logs and telemetry data.
+description: Connect your SRE agent to Azure Data Explorer (Kusto) clusters with per-cluster connectivity testing before saving.
 ms.topic: tutorial
 ms.service: azure-sre-agent
-ms.date: 03/18/2026
+ms.date: 04/01/2026
 author: craigshoemaker
 ms.author: cshoe
 ms.ai-usage: ai-assisted
 #customer intent: As an SRE, I want to connect my agent to Azure Data Explorer so that it can query logs and telemetry during incident investigations.
 ---
 
 # Tutorial: Connect to Azure Data Explorer (ADX) in Azure SRE Agent
-In this tutorial, you connect your SRE agent to an Azure Data Explorer (Kusto) cluster. After you complete the setup, the agent can run KQL queries against your logs and telemetry data to support incident investigations and diagnostics.
+In this tutorial, you connect your SRE agent to an Azure Data Explorer (Kusto) cluster. The connector wizard tests connectivity per-cluster before saving, so you can verify access before committing the configuration.
 
 **Estimated time**: 15 minutes
 
@@ -20,13 +20,14 @@ In this tutorial, you learn how to:
 > [!div class="checklist"]
 > - Locate your Azure Data Explorer cluster URL and database name
 > - Grant the agent's managed identity access to the database
-> - Add and test the Kusto connector in the SRE Agent portal
+> - Add an Azure Data Explorer connector with cluster groups
+> - Test per-cluster connectivity and save the connector
 
 ## Prerequisites
 
 - An existing Azure Data Explorer cluster
 - Admin access to grant database permissions on the target cluster
-- An agent created in the SRE Agent portal
+- An agent created in the SRE Agent portal with a managed identity (system-assigned or user-assigned)
 
 ## Get your cluster details
 
@@ -38,7 +39,7 @@ To configure the connector, you need the cluster URL and at least one database n
     https://<CLUSTER_NAME>.<REGION>.kusto.windows.net
     ```
 
-1. Note the name of the database you want the agent to query.
+1. Note the name of the database you want the agent to query. You'll need the full URL in the format `https://<CLUSTER_NAME>.<REGION>.kusto.windows.net/<DATABASE_NAME>`.
 
 ## Grant the agent database permissions
 
@@ -54,22 +55,45 @@ Replace `<DATABASE_NAME>` with your database name and `<AGENT_MANAGED_IDENTITY_I
 
 ## Add the connector in the portal
 
-Configure the Kusto connector in the SRE Agent portal.
+Configure the Azure Data Explorer connector in the SRE Agent portal.
 
 1. Go to **Builder** > **Connectors**.
 1. Select **Add connector**.
-1. Select **Kusto**.
-1. Enter the following values:
-   - **Name**: A descriptive name for the connector, such as "production-logs".
-   - **Cluster URL**: The cluster URL from the previous step.
-   - **Database**: The default database name.
-1. Select **Test connection** to verify the configuration.
+1. Select the **Azure Data Explorer** card.
+1. Select **Next**.
 
-   You see a **Connection successful** confirmation. If the test fails, check the [Troubleshooting](#troubleshoot-common-issues) section.
+### Set up the connector
 
-   **Checkpoint:** The connector appears in your **Connectors** list with a **Connected** status badge.
+1. Enter a **Name** for the connector, such as "production-logs".
+1. Select a **Managed identity** from the dropdown.
+1. Select **Next**.
 
-1. Select **Save**.
+### Add clusters
+
+1. Enter a **Group name** for the cluster group (such as "production").
+1. Select a **Managed identity** for this cluster group, or leave as **(inherit)** to use the connector-level identity.
+1. Under **Clusters**, enter your cluster URL in the format `https://<CLUSTER_NAME>.<REGION>.kusto.windows.net/<DATABASE_NAME>`.
+1. To add more clusters to the same group, type each URL in the next row — a new row appears automatically when you fill the current one.
+1. To add a second group with different clusters or a different identity, select **+ Create new group**.
+1. Select **Next**.
+
+### Test connection and save
+
+1. Review your connector details—connector type, name, managed identity, and cluster groups.
+1. Each cluster group shows a **Not tested** label.
+1. Select **Test connection**. The button changes to **Testing connection...** while connectivity is verified.
+1. After testing completes, each cluster shows a result:
+   - A green checkmark icon means the cluster is reachable.
+   - A red X icon means the cluster is unreachable, with an error message displayed inline.
+1. Once testing completes, the button changes to **Add connector**.
+1. Select **Add connector** to save.
+
+> [!TIP]
+> If a cluster fails the test, go back to verify the cluster URL format and that the managed identity has the correct permissions on that cluster.
+
+## Edit an existing connector
+
+To modify an existing Azure Data Explorer connector, select the connector name or the edit icon in the Connectors list. The wizard opens directly at the **Add clusters** step, skipping the connector picker.
 
 ## Verify the connection
 
@@ -87,12 +111,20 @@ The agent returns a list of tables from the connected database.
 
 If you encounter problems during setup, review the following common causes.
 
-### Connection test fails
+### Connection test fails with a permission error
+
+- Verify the managed identity has the viewer role on the target database by running `.show database <DATABASE_NAME> principals`.
+- Ensure you used the correct managed identity client ID when granting permissions.
+
+### Connection test fails with an unreachable error
 
-- Verify the cluster URL is correct and includes the region.
-- Ensure the managed identity has the viewer role on the target database.
+- Verify the cluster URL is correct and includes the region and database name.
 - Check that your firewall rules allow connections from SRE Agent IP addresses. For the list of required IP addresses, see [Network requirements](network-requirements.md).
 
+### Not tested badge remains after clicking Test connection
+
+- Wait for the test to complete. Large clusters may take a few seconds to respond.
+
 ## Next step
 
 > [!div class="nextstepaction"]

articles/sre-agent/toc.yml

@@ -82,6 +82,8 @@ items:
             href: deep-investigation.md
           - name: Diagnose with Azure observability
             href: diagnose-azure-observability.md
+          - name: Azure Monitor alerts
+            href: azure-monitor-alerts.md
           - name: Diagnose with external observability
             href: diagnose-observability.md
           - name: Troubleshoot App Service
@@ -122,6 +124,8 @@ items:
             href: upload-knowledge-document.md
           - name: Kusto tools
             href: kusto-tools.md
+          - name: Azure Data Explorer connector
+            href: kusto-cluster-grouping.md
           - name: MCP connectors
             href: mcp-connectors.md
       - name: Access