Repo sync for protected branch

data-explorer/kusto/management/alter-merge-table-update-policy-command.md

@@ -3,7 +3,7 @@ title:  .alter-merge table policy update command
 description: Learn how to use the `.alter-merge table policy` command to change the table's update policy.
 ms.reviewer: yonil
 ms.topic: reference
-ms.date: 08/11/2024
+ms.date: 06/01/2026
 ---
 # .alter-merge table policy update command
 
@@ -58,4 +58,54 @@ The following command changes the update policy for a table using [multi-line st
     }
 ]
 ```
-````
+````
+
+::: moniker range="azure-data-explorer"
+
+### Example with an accelerated external table reference
+
+The following example adds an update policy entry whose query joins data from an accelerated external table. Because the external table uses impersonation authentication, the policy must include a `ManagedIdentity`:
+
+````kusto
+.alter-merge table MyDatabase.MyTargetTable policy update
+```
+[
+    {
+        "IsEnabled": true,
+        "Source": "MySourceTable",
+        "Query": "MySourceTable | join kind=leftouter (external_table('MyAcceleratedExternalTable')) on CommonKey | project-away CommonKey1",
+        "IsTransactional": true,
+        "PropagateIngestionProperties": false,
+        "ManagedIdentity": "system"
+    }
+]
+```
+````
+
+::: moniker-end
+
+::: moniker range="microsoft-fabric"
+
+### Example with an accelerated external table reference
+
+The following example adds an update policy entry whose query joins data from an accelerated external table. In Fabric, the system automatically populates the `OwnerPrincipalDetails` property for authorization:
+
+````kusto
+.alter-merge table MyDatabase.MyTargetTable policy update
+```
+[
+    {
+        "IsEnabled": true,
+        "Source": "MySourceTable",
+        "Query": "MySourceTable | join kind=leftouter (external_table('MyAcceleratedExternalTable')) on CommonKey | project-away CommonKey1",
+        "IsTransactional": true,
+        "PropagateIngestionProperties": false
+    }
+]
+```
+````
+
+> [!NOTE]
+> When the policy is read back, the returned JSON may include a system-populated `OwnerPrincipalDetails` property. This property captures the identity of the user who sets or alters the update policy, and is used by the system for authorization when the query references external tables. The property is read-only and set automatically.
+
+::: moniker-end

data-explorer/kusto/management/alter-query-acceleration-policy-command.md

@@ -3,7 +3,7 @@ title: .alter query acceleration policy command
 description: Learn how to use the .alter query acceleration policy command to accelerate queries over external delta tables.
 ms.reviewer: sharmaanshul
 ms.topic: reference
-ms.date: 11/30/2025
+ms.date: 06/01/2026
 ---
 
 # `.alter query acceleration policy` command
@@ -103,3 +103,13 @@ The command returns a table with one record that includes the modified policy ob
 - [.delete query acceleration policy command](delete-query-acceleration-policy-command.md)
 - [.show query acceleration policy command](show-query-acceleration-policy-command.md)
 - [.show external table operations query_acceleration statistics](show-external-table-operations-query-acceleration-statistics.md)
+
+## Example: Setting hot period for use with update policy
+
+To allow an accelerated external table to be referenced from an [update policy](update-policy.md) query, the `Hot` period must cover all data (>= 100 years):
+
+```Kusto
+.alter external table MyExternalTable policy query_acceleration '{"IsEnabled": true, "Hot": "36500.00:00:00"}'
+```
+
+This enables the external table to be used with `external_table('MyExternalTable')` inside update policy functions. For more information, see [Use with update policies](query-acceleration-policy.md#use-with-update-policies).

data-explorer/kusto/management/alter-table-update-policy-command.md

@@ -3,7 +3,7 @@ title: .alter table policy update command
 description: Learn how to use the `.alter table policy update` command to change the table update policy.
 ms.reviewer: yonil
 ms.topic: reference
-ms.date: 08/11/2024
+ms.date: 06/01/2026
 ---
 # .alter table policy update command
 
@@ -60,4 +60,54 @@ Change the update policy for a table (using [multi-line string literals](../quer
     }
 ]
 ```
-````
+````
+
+::: moniker range="azure-data-explorer"
+
+### Example with an accelerated external table reference
+
+The following example sets an update policy whose query joins data from an accelerated external table. Because the external table uses impersonation authentication, the policy must include a `ManagedIdentity`:
+
+````kusto
+.alter table MyDatabase.MyTargetTable policy update
+```
+[
+    {
+        "IsEnabled": true,
+        "Source": "MySourceTable",
+        "Query": "MySourceTable | join kind=leftouter (external_table('MyAcceleratedExternalTable')) on CommonKey | project-away CommonKey1",
+        "IsTransactional": true,
+        "PropagateIngestionProperties": false,
+        "ManagedIdentity": "system"
+    }
+]
+```
+````
+
+::: moniker-end
+
+::: moniker range="microsoft-fabric"
+
+### Example with an accelerated external table reference
+
+The following example sets an update policy whose query joins data from an accelerated external table. In Fabric, the system automatically populates the `OwnerPrincipalDetails` property for authorization:
+
+````kusto
+.alter table MyDatabase.MyTargetTable policy update
+```
+[
+    {
+        "IsEnabled": true,
+        "Source": "MySourceTable",
+        "Query": "MySourceTable | join kind=leftouter (external_table('MyAcceleratedExternalTable')) on CommonKey | project-away CommonKey1",
+        "IsTransactional": true,
+        "PropagateIngestionProperties": false
+    }
+]
+```
+````
+
+> [!NOTE]
+> When the policy is read back, the returned JSON may include a system-populated `OwnerPrincipalDetails` property. This property captures the identity of the user who sets or alters the update policy, and is used by the system for authorization when the query references external tables. The property is read-only and set automatically.
+
+::: moniker-end

data-explorer/kusto/management/query-acceleration-policy.md

@@ -3,7 +3,7 @@ title: Query acceleration policy
 description: Learn how to use the query acceleration policy to accelerate queries over external delta tables.
 ms.reviewer: sharmaanshul
 ms.topic: reference
-ms.date: 09/16/2025
+ms.date: 06/01/2026
 ---
 # Query acceleration policy
 
@@ -50,3 +50,22 @@ To enable query acceleration in the Fabric UI, see [Query acceleration over OneL
 * [.delete query acceleration policy command](delete-query-acceleration-policy-command.md)
 * [.show query acceleration policy command](show-query-acceleration-policy-command.md)
 * [.show external table operations query_acceleration statistics](show-external-table-operations-query-acceleration-statistics.md)
+
+## Use with update policies
+
+Accelerated external tables can be referenced from an [update policy](update-policy.md) query using the [`external_table()` function](../query/external-table-function.md). This enables enriching or joining ingested data with external delta table data as part of the update policy transformation.
+
+The following conditions must be met:
+
+* The query acceleration policy must be **enabled** on the external table.
+* The `Hot` period must cover **all data** in the external table. Currently, this requires setting `Hot` to a value >= 100 years (for example, `"Hot": "36500.00:00:00"`).
+
+::: moniker range="azure-data-explorer"
+* If the external table uses impersonation authentication, the update policy must be configured with a `ManagedIdentity` that has appropriate permissions on the external table's underlying storage.
+::: moniker-end
+
+::: moniker range="microsoft-fabric"
+* In Fabric, the system automatically handles authorization through the `OwnerPrincipalDetails` property, which is populated when the update policy is created or altered.
+::: moniker-end
+
+For more information, see [Update policy overview - Query limitations](update-policy.md#query-limitations).

data-explorer/kusto/management/query-acceleration-troubleshooting-guide.md

@@ -3,7 +3,7 @@ title: Query Acceleration Troubleshooting Guide
 description: Learn how to troubleshoot for common errors encountered in query acceleration.
 ms.reviewer: urishapira
 ms.topic: reference
-ms.date: 12/08/2025
+ms.date: 06/01/2026
 ---
 
 # Troubleshoot query acceleration over external delta tables
@@ -235,3 +235,32 @@ Run the following command to view the remaining capacity:
   > [!NOTE]
   > Altering the capacity policy might have adverse effects on other operations. Alter the policy as a last resort at your own discretion.
 
+## Troubleshoot update policy failures involving external tables
+
+When an [update policy](update-policy.md) query references an accelerated external table, additional failure scenarios can occur. Use the [`.show ingestion failures`](ingestion-failures.md) command to identify update policy failures:
+
+```kusto
+.show ingestion failures
+| where FailedOn > ago(1h) and OriginatesFromUpdatePolicy == true
+```
+
+### Common update policy errors with external tables
+
+::: moniker range="azure-data-explorer"
+
+| Error | Cause | Resolution |
+|-------|-------|------------|
+| Update policy query references an external table without query acceleration covering all data | The external table's query acceleration policy has a `Hot` period < 100 years, or the policy is disabled. | Enable the query acceleration policy on the external table with `Hot` >= 100 years (for example, `"Hot": "36500.00:00:00"`). |
+| Managed identity is missing or invalid | The update policy references an external table with impersonation authentication but doesn't have a valid `ManagedIdentity` configured. | Add a valid `ManagedIdentity` (object ID or `system`) to the update policy. Ensure the identity has `AutomatedFlows` usage in the managed identity policy and appropriate storage permissions. |
+| External table access forbidden during update policy execution | The managed identity configured in the update policy doesn't have permissions on the external table's underlying storage. | Grant the managed identity read permissions on the storage account or container backing the external table. |
+
+::: moniker-end
+
+::: moniker range="microsoft-fabric"
+
+| Error | Cause | Resolution |
+|-------|-------|------------|
+| Update policy query references an external table without query acceleration covering all data | The external table's query acceleration policy has a `Hot` period < 100 years, or the policy is disabled. | Enable the query acceleration policy on the external table with `Hot` >= 100 years (for example, `"Hot": "36500.00:00:00"`). |
+| Owner principal is invalid or missing | The `OwnerPrincipalDetails` on the update policy is invalid or the owner no longer has access to the external table. | Re-alter the update policy to refresh the `OwnerPrincipalDetails`. Ensure the policy owner has access to the external table's underlying data. |
+
+::: moniker-end

data-explorer/kusto/management/show-table-update-policy-command.md

@@ -3,7 +3,7 @@ title: .show table policy update command
 description: Learn how to use the `.show table policy update` command to show the table's update policy.
 ms.reviewer: yonil
 ms.topic: reference
-ms.date: 08/11/2024
+ms.date: 06/01/2026
 ---
 # .show table policy update command
 
@@ -36,6 +36,13 @@ You must have at least Database User, Database Viewer, or Database Monitor permi
 
 Returns a JSON representation of the policy.
 
+::: moniker range="microsoft-fabric"
+
+> [!NOTE]
+> The returned policy JSON may include system-populated properties such as `OwnerPrincipalDetails`. This property is read-only and automatically set by the system for authorization when the update policy query references external tables.
+
+::: moniker-end
+
 ## Example
 
 The following example shows the update policies for all tables:

data-explorer/kusto/management/update-policy-with-managed-identity.md

@@ -3,7 +3,7 @@ title: Run an update policy with a managed identity
 description:  This article describes how to use a managed identity for update policy.
 ms.reviewer: atefsawaed
 ms.topic: reference
-ms.date: 11/13/2024
+ms.date: 06/01/2026
 monikerRange: "azure-data-explorer"
 ms.custom: sfi-image-nochange
 ---
@@ -15,6 +15,7 @@ The update policy must be configured with a [managed identity](/azure/data-explo
 
 * When the update policy query references tables in other databases
 * When the update policy query references tables with an enabled [row level security policy](row-level-security-policy.md)
+* When the update policy query references an accelerated external table that uses impersonation authentication
 
 An update policy configured with a managed identity is performed on behalf of the managed identity.
 
@@ -142,3 +143,32 @@ For example, the following command alters the update policy of the table `MyTabl
 ]
 ```
 ````
+
+---
+
+## Create an update policy that references an accelerated external table
+
+When the update policy query references an accelerated external table that uses impersonation authentication, you must configure the policy with a `ManagedIdentity`. The managed identity must have the appropriate permissions on the external table's underlying storage.
+
+> [!NOTE]
+> The external table must have a [query acceleration policy](query-acceleration-policy.md) enabled with a `Hot` period that covers all data (currently >= 100 years).
+
+### Example
+
+The following example creates an update policy whose query joins data from an accelerated external table using `external_table()`:
+
+````kusto
+.alter table MyDatabase.MyTargetTable policy update
+```
+[
+    {
+        "IsEnabled": true,
+        "Source": "MySourceTable",
+        "Query": "MySourceTable | join kind=leftouter (external_table('MyAcceleratedExternalTable')) on CommonKey | project-away CommonKey1",
+        "IsTransactional": true,
+        "PropagateIngestionProperties": false,
+        "ManagedIdentity": "system"
+    }
+]
+```
+````

data-explorer/kusto/management/update-policy.md

@@ -3,7 +3,7 @@ title: Update policy overview
 description: Learn how to trigger an update policy to add data to a source table.
 ms.reviewer: orspodek
 ms.topic: reference
-ms.date: 02/04/2026
+ms.date: 06/01/2026
 ---
 
 # Update policy overview
@@ -53,7 +53,10 @@ If the update policy is defined on the target table, multiple queries can run on
 
 * The policy-related query can invoke stored functions, but:
   * It can't perform cross-cluster queries.
-  * It can't access external data or external tables.
+  * It can't access external data or external tables, with the following exception:
+    * The query *can* reference an accelerated external table using the [`external_table()` function](../query/external-table-function.md), provided that:
+      * The external table has a [query acceleration policy](query-acceleration-policy.md) enabled with a `Hot` period that covers all data (currently `Hot` >= 100 years).
+      * The update policy is configured with a `ManagedIdentity` property if the external table uses impersonation authentication.
   * It can't make callouts (by using a plugin).
 
 * The query doesn't have read access to tables that have the [RestrictedViewAccess policy](restricted-view-access-policy.md) enabled.
@@ -67,7 +70,9 @@ If the update policy is defined on the target table, multiple queries can run on
 
 * The policy-related query can invoke stored functions, but:
   * It can't perform cross-eventhouse queries.
-  * It can't access external data or external tables.
+  * It can't access external data or external tables, with the following exception:
+    * The query *can* reference an accelerated external table using the [`external_table()` function](../query/external-table-function.md), provided that:
+      * The external table has a [query acceleration policy](query-acceleration-policy.md) enabled with a `Hot` period that covers all data (currently `Hot` >= 100 years).
   * It can't make callouts (by using a plugin).
 
 * The query doesn't have read access to tables that have the [RestrictedViewAccess policy](restricted-view-access-policy.md) enabled.
@@ -115,7 +120,7 @@ Each such object is represented as a JSON property bag, with the following prope
 |Query |`string` |A query used to produce data for the update. |
 |IsTransactional |`bool` |States if the update policy is transactional or not, default is *false*. If the policy is transactional and the update policy fails, the source table isn't updated. |
 |PropagateIngestionProperties  |`bool`|States if properties specified during ingestion to the source table, such as [extent tags](extent-tags.md) and creation time, apply to the target table. |
-|ManagedIdentity | `string` | The managed identity on behalf of which the update policy runs. The managed identity can be an object ID, or the `system` reserved word. The update policy must be configured with a managed identity when the query references tables in other databases or tables with an enabled [row level security policy](row-level-security-policy.md). For more information, see [Use a managed identity to run a update policy](update-policy-with-managed-identity.md). |
+|ManagedIdentity | `string` | The managed identity on behalf of which the update policy runs. The managed identity can be an object ID, or the `system` reserved word. The update policy must be configured with a managed identity when the query references tables in other databases, tables with an enabled [row level security policy](row-level-security-policy.md), or accelerated external tables that use impersonation authentication. For more information, see [Use a managed identity to run a update policy](update-policy-with-managed-identity.md). |
 
 ::: moniker-end
 ::: moniker range="microsoft-fabric"
@@ -128,6 +133,7 @@ Each such object is represented as a JSON property bag, with the following prope
 |Query |`string` |A query used to produce data for the update |
 |IsTransactional |`bool` |States if the update policy is transactional or not, default is *false*. If the policy is transactional and the update policy fails, the source table isn't updated. |
 |PropagateIngestionProperties  |`bool`|States if properties specified during ingestion to the source table, such as [extent tags](extent-tags.md) and creation time, apply to the target table. |
+|OwnerPrincipalDetails | `object` | A system-populated, read-only property. Contains the principal details of the user who sets or alters the update policy, used for authorization when the update policy query references external tables. This property is automatically set by the system and can't be modified manually. |
 
 ::: moniker-end
 

data-explorer/kusto/query/external-table-function.md

@@ -3,7 +3,7 @@ title:  external_table()
 description: Learn how to use the external_table() function to reference an external table by name.
 ms.reviewer: alexans
 ms.topic: reference
-ms.date: 08/11/2024
+ms.date: 06/01/2026
 ---
 # external_table()
 
@@ -37,6 +37,23 @@ To accelerate queries over external delta tables, see [Query acceleration policy
 
 The authentication method to access an external table is based on the connection string provided during its creation, and the permissions required to access the table vary depending on the authentication method. For more information, see [Azure Storage external table](../management/external-tables-azure-storage.md#authentication-and-authorization) or [SQL Server external table](../management/external-sql-tables.md).
 
+## Use in update policy queries
+
+The `external_table()` function can be used inside [update policy](../management/update-policy.md) queries under restricted conditions:
+
+* The external table must have a [query acceleration policy](../management/query-acceleration-policy.md) **enabled**.
+* The query acceleration `Hot` period must cover all data in the external table (currently >= 100 years).
+
+::: moniker range="azure-data-explorer"
+* If the external table uses impersonation authentication, the update policy must be configured with a `ManagedIdentity`.
+::: moniker-end
+
+::: moniker range="microsoft-fabric"
+* In Fabric, the system automatically handles authorization through the `OwnerPrincipalDetails` property on the update policy, which captures the identity of the user who sets or alters the policy.
+::: moniker-end
+
+For more information, see [Update policy overview - Query limitations](../management/update-policy.md#query-limitations).
+
 ## Related content
 
 * [External tables overview](schema-entities/external-tables.md)