Function App gives error after enabling the Entra Authentication for App Insights

Anonymous
2024-10-15T14:57:44.2633333+00:00

Currently we are sending telemetry data from our .NET function app to Application Insights using a connection string. But we need to move away from using the connection string as it might be a security concern. Hence we wanted to use Managed Identity for the connection.

We came across the below document which guides on how to Enable Entra Authentication for App Insights. https://learn.microsoft.com/en-us/azure/azure-monitor/app/azure-ad-authentication?tabs=net

According to the above documentation, we can't eliminate the connection string but can enable Entra auth using a UAMI on top of it, which ensures that only authorized telemetry gets inserted into App Insights.

Prerequisites we already completed

  • Assigned UAMI to our function app
  • Assigned Monitoring Metrics Publisher RBAC role on the UAMI where target resource is AppInsights to which we want to send the logs
  • Disabled the Local Authentication setting on the AppInsights. This will ensure we also use a managed identity for authentication, i.e. our UAMI, along with the connection string.

The code given in the document doesn't seem to work for us.

//Code from documentation

services.Configure<TelemetryConfiguration>(config =>
{
    var credential = new DefaultAzureCredential();
    config.SetAzureTokenCredential(credential);
});
services.AddApplicationInsightsTelemetry(new ApplicationInsightsServiceOptions
{
    ConnectionString = "InstrumentationKey=00000000-0000-0000-0000-000000000000;IngestionEndpoint=https://xxxx.applicationinsights.azure.com/"
});

Below is our code.

//our code

var mngIdCred = new ManagedIdentityCredential(<clientId>);
TelemetryConfiguration telemetryConfiguration = TelemetryConfiguration.CreateDefault();
telemetryConfiguration.SetAzureTokenCredential(mngIdCred);
telemetryConfiguration.ConnectionString = $"InstrumentationKey=xxxxxxx-xxxxxxxxx-xxxxx-xxxx;IngestionEndpoint=https://xxxx.in.applicationinsights.azure.com/";	

When we deploy the code to the function app, we get an error on the Overview page of the function app saying

Microsoft.Azure.WebJobs.Script: Error configuring services in an external startup class: The provided tokenCredential must inherit Azure.Core.TokenCredential (Parameter 'tokenCredential').

I am also new to C#. Hence it will be really helpful if someone points out what is going wrong here.

Below are the NuGet packages I am using

  • Azure Identity : 1.11.4
  • Microsoft.ApplicationInsights: 2.22.0

2 answers

  1. Pinaki Ghatak 5,600 Reputation points Microsoft Employee Volunteer Moderator
    2024-10-16T08:16:03.2233333+00:00

    Hello @Anonymous

    It seems that the error is related to the ManagedIdentityCredential class.

    The error message indicates that the provided token credential must inherit Azure.Core.TokenCredential.

    You can try changing the ManagedIdentityCredential to DefaultAzureCredential as shown in the code from the documentation you provided. Here is the updated code:

    var credential = new DefaultAzureCredential();
    TelemetryConfiguration telemetryConfiguration = TelemetryConfiguration.CreateDefault();
    telemetryConfiguration.SetAzureTokenCredential(credential);
    telemetryConfiguration.ConnectionString = "InstrumentationKey=xxxxxxx-xxxxxxxxx-xxxxx-xxxx;IngestionEndpoint=https://xxxx.in.applicationinsights.azure.com/";

    Also, make sure that you have added the Azure.Identity and Microsoft.ApplicationInsights packages to your project.


    I hope that this response has addressed your query and helped you overcome your challenges. If so, please mark this response as Answered. This will not only acknowledge our efforts, but also assist other community members who may be looking for similar solutions.


  2. Anonymous
    2024-10-23T04:54:25.7766667+00:00

    Hi @RohanM
    Welcome to the Microsoft Q&A Platform! Thank you for asking your question here. 

    It seems that the ManagedIdentityCredential class you are using does not inherit from the correct base class, which is why you are getting the error message.

    To fix this issue you can try changing the ManagedIdentityCredential class to ChainedTokenCredential as shown in the code from the documentation you provided. This allows you to use Managed Identity in conjunction with Application Insights.

    var credential = new ChainedTokenCredential(new ManagedIdentityCredential(<clientId>));
    TelemetryConfiguration telemetryConfiguration = TelemetryConfiguration.CreateDefault();
    telemetryConfiguration.SetAzureTokenCredential(credential);
    telemetryConfiguration.ConnectionString = "InstrumentationKey=xxxxxxx-xxxxxxxxx-xxxxx-xxxx; IngestionEndpoint=https://xxxx.in.applicationinsights.azure.com/";

    If you have any further queries, do let us know.


    If the answer is helpful, please click "Accept Answer" and "Upvote it".
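
A diagnostic for the "must inherit Azure.Core.TokenCredential" error in the question, as an added example that is not code from the original post, the answers, or the SDK: it lists every loaded copy of the relevant assemblies and reports which Azure.Core the credential's base type comes from. It assumes the check can fail when more than one copy of Azure.Core is loaded in the process; `CredentialDiagnostics` and `Report` are hypothetical names.

```csharp
// Added diagnostic example; not code from the question, the answers, or the SDK.
// Assumption: the "must inherit Azure.Core.TokenCredential" check can fail when the
// credential's base type comes from a different loaded copy of Azure.Core.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Runtime.Loader;

public static class CredentialDiagnostics   // hypothetical helper name
{
    private static string Describe(Assembly a) =>
        $"{a.GetName().Name} {a.GetName().Version} " +
        $"[{AssemblyLoadContext.GetLoadContext(a)?.Name ?? "unknown"}] {a.Location}";

    // Returns report lines; the last line states whether a duplicate was found.
    public static IReadOnlyList<string> Report(object credential)
    {
        var lines = new List<string>();

        // Every copy of the relevant assemblies loaded in this process.
        string[] names = { "Azure.Core", "Azure.Identity", "Microsoft.ApplicationInsights" };
        List<Assembly> loaded = AppDomain.CurrentDomain.GetAssemblies()
            .Where(a => names.Contains(a.GetName().Name))
            .ToList();
        lines.AddRange(loaded.Select(a => "loaded: " + Describe(a)));

        // Walk the credential's inheritance chain to find its TokenCredential base.
        Type baseType = null;
        for (Type t = credential.GetType(); t != null; t = t.BaseType)
        {
            if (t.FullName == "Azure.Core.TokenCredential") { baseType = t; break; }
        }
        lines.Add(baseType == null
            ? $"{credential.GetType().FullName} has no Azure.Core.TokenCredential base"
            : "credential base from: " + Describe(baseType.Assembly));

        int coreCopies = loaded.Count(a => a.GetName().Name == "Azure.Core");
        lines.Add(coreCopies > 1
            ? $"MISMATCH RISK: {coreCopies} copies of Azure.Core are loaded"
            : "single Azure.Core copy loaded");
        return lines;
    }
}

// Usage in the startup class, just before SetAzureTokenCredential(mngIdCred):
// foreach (var l in CredentialDiagnostics.Report(mngIdCred)) Console.WriteLine(l);
```

Compare the versions and paths in the output with the package versions listed in the question to see which copy of each assembly the function host actually loaded.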

