API keys for querying data from Azure Monitor application insights will be retired

Question

API keys for querying data from Azure Monitor application insights will be retired

Danny Fournier 0

We received an email with the following title: API keys for querying data from Azure Monitor application insights will be retired on 31 March 2026 — transition to using Azure AD.

We're currently using connection strings when sending data to Application Insights. Do we need to migrate to Azure AD?

cfg: { // Application Insights Configuration
  connectionString:"InstrumentationKey=<?= Configure::read("AppInsightInstrumentationKey") ?>;"
}});

We're also doing Curl calls by sending POST to the following API endpoint:

https://api.applicationinsights.io/v1/apps/*instrumention_key_here*/query

Naveena Patlolla 2,390 Reputation points Microsoft External Staff Moderator

2025-04-24T12:11:00.94+00:00
Hi Danny Fournier

As per the notification, retirement of Api keys is querying/ fetching the data from Azure Monitor application insights, below are the features and recommendations to use Microsoft Entra ID authentication.

Unsupported scenarios

The following Software Development Kits (SDKs) and features are unsupported for use with Microsoft Entra authenticated ingestion:

Application Insights Java 2.x SDK. Microsoft Entra authentication is only available for Application Insights Java Agent greater than or equal to 3.2.0.

ApplicationInsights JavaScript web SDK.

Application Insights OpenCensus Python SDK with Python version 3.4 and 3.5.

Automatic instrumentation for Python on Azure App Service

Application Insights Profiler for .NET.

Configure and enable Microsoft Entra ID-based authentication

Create an identity using a managed identity or a service principal if you don't already have one.

We recommend using a managed identity: Set up a managed identity for your Azure service (Virtual Machines or App Service).

We don't recommend using a service principal: For more information on how to create a Microsoft Entra application and service principal that can access resources, see Create a service principal.

Assign the required Role-based access control (RBAC) role to the Azure identity, service principal, or Azure user account.

https://learn.microsoft.com/en-us/azure/azure-monitor/app/azure-ad-authentication?tabs=aspnetcore

Kindly refer to above link for more details

If the comment was helpful, please click "Upvote"
Danny Fournier 0 Reputation points

2025-04-24T13:19:41.44+00:00

To rephrase my question, based on the two example provided in my initial post, do I have to do something?
Danny Fournier 0 Reputation points

2025-04-24T13:23:50.16+00:00

Thanks for this!

How about for feeding data into App Insights (see my 1st snippet), does that need to be revisited too?
Kyle Burns 91 Reputation points Microsoft Employee

2025-04-24T13:26:58.5433333+00:00

Hi Danny. You definitely need to do something because instrumentation key based access will be retired. The answer that I posted about ten minutes ago demonstrates a way that you can update your scripts that use curl with the least disruption by retrieving a bearer token and adding it as an authorization header in your existing calls.
Kyle Burns 91 Reputation points Microsoft Employee

2025-04-24T13:33:06.79+00:00

Your PHP code will certainly need revisited as well since it depends on instrumentation key. I'm not familiar with the PHP SDK, so unfortunately don't have guidance for you on the specific change.
Naveena Patlolla 2,390 Reputation points Microsoft External Staff Moderator

2025-04-25T12:28:08.54+00:00

Hi Danny Fournier

Just checking in to see if the above answer provided by @kyle burns helped.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know
Please do not forget to "Accept the answer” wherever the information provided helps you, this can be beneficial to other community members.it would be greatly appreciated and helpful to others.
Ashok Gandhi Kotnana 7,665 Reputation points Microsoft External Staff Moderator

2025-04-28T05:44:45.7166667+00:00

Hi Danny Fournier

Just want to check if the above answer worked for you or else please let us know if any help, we are always here to help whenever you need us.

Please do not forget to "Accept the answer” wherever the information provided helps you, this can be beneficial to other community members.it would be greatly appreciated and helpful to others.

1 answer

Your answer

Naveena Patlolla 2,390 Reputation points Microsoft External Staff Moderator

2025-04-24T12:11:00.94+00:00

Hi Danny Fournier

As per the notification, retirement of Api keys is querying/ fetching the data from Azure Monitor application insights, below are the features and recommendations to use Microsoft Entra ID authentication.

Unsupported scenarios

The following Software Development Kits (SDKs) and features are unsupported for use with Microsoft Entra authenticated ingestion:

Application Insights Java 2.x SDK. Microsoft Entra authentication is only available for Application Insights Java Agent greater than or equal to 3.2.0.

ApplicationInsights JavaScript web SDK.

Application Insights OpenCensus Python SDK with Python version 3.4 and 3.5.

Automatic instrumentation for Python on Azure App Service

Application Insights Profiler for .NET.

Configure and enable Microsoft Entra ID-based authentication

Create an identity using a managed identity or a service principal if you don't already have one.

We recommend using a managed identity: Set up a managed identity for your Azure service (Virtual Machines or App Service).

We don't recommend using a service principal: For more information on how to create a Microsoft Entra application and service principal that can access resources, see Create a service principal.

Assign the required Role-based access control (RBAC) role to the Azure identity, service principal, or Azure user account.

https://learn.microsoft.com/en-us/azure/azure-monitor/app/azure-ad-authentication?tabs=aspnetcore

Kindly refer to above link for more details

If the comment was helpful, please click "Upvote"
Danny Fournier 0 Reputation points

2025-04-24T13:19:41.44+00:00

To rephrase my question, based on the two example provided in my initial post, do I have to do something?
Danny Fournier 0 Reputation points

2025-04-24T13:23:50.16+00:00

Thanks for this!

How about for feeding data into App Insights (see my 1st snippet), does that need to be revisited too?
Kyle Burns 91 Reputation points Microsoft Employee

2025-04-24T13:26:58.5433333+00:00

Hi Danny. You definitely need to do something because instrumentation key based access will be retired. The answer that I posted about ten minutes ago demonstrates a way that you can update your scripts that use curl with the least disruption by retrieving a bearer token and adding it as an authorization header in your existing calls.
Kyle Burns 91 Reputation points Microsoft Employee

2025-04-24T13:33:06.79+00:00

Your PHP code will certainly need revisited as well since it depends on instrumentation key. I'm not familiar with the PHP SDK, so unfortunately don't have guidance for you on the specific change.
Naveena Patlolla 2,390 Reputation points Microsoft External Staff Moderator

2025-04-25T12:28:08.54+00:00

Hi Danny Fournier

Just checking in to see if the above answer provided by @kyle burns helped.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know
Please do not forget to "Accept the answer” wherever the information provided helps you, this can be beneficial to other community members.it would be greatly appreciated and helpful to others.
Ashok Gandhi Kotnana 7,665 Reputation points Microsoft External Staff Moderator

2025-04-28T05:44:45.7166667+00:00

Hi Danny Fournier

Just want to check if the above answer worked for you or else please let us know if any help, we are always here to help whenever you need us.

Please do not forget to "Accept the answer” wherever the information provided helps you, this can be beneficial to other community members.it would be greatly appreciated and helpful to others.

Answer 1

As you are using curl, I thought it may be helpful for me to extend the previous answer with some additional context specific to curl. To help you transition from using instrumentation keys to using Azure Active Directory (Azure AD) authentication for retrieving data from Application Insights with curl, here is a detailed explanation along with relevant samples.

Transitioning from Instrumentation Keys to Azure AD Authentication

Step 1: Register an Application in Azure AD

Go to the Azure portal and navigate to Azure Active Directory.
Select App registrations and click on New registration.
Provide a name for the application and click Register.
Once registered, note down the Application (client) ID and Directory (tenant) ID.

Step 2: Configure API Permissions

In the registered application, go to API permissions.
Click on Add a permission and select APIs my organization uses.
Search for Application Insights and select it.
Choose Application permissions and select Telemetry.Read.
Click Add permissions and then Grant admin consent.

Step 3: Create a Client Secret

In the registered application, go to Certificates & secrets.
Click on New client secret and provide a description.
Set an expiration period and click Add.
Note down the Value of the client secret as it will be used in the curl command.

Step 4: Retrieve Data Using curl

Obtain an access token using the client credentials flow.
Use the access token to make requests to the Application Insights API.

Here is a sample script to achieve this:

# Variables

TENANT_ID="your-tenant-id"

CLIENT_ID="your-client-id"

CLIENT_SECRET="your-client-secret"

RESOURCE="https://api.applicationinsights.io"

APP_ID="your-application-insights-app-id"

# Get the access token

ACCESS_TOKEN=$(curl -X POST -H "Content-Type: application/x-www-form-urlencoded" \

-d "grant_type=client_credentials&client_id=$CLIENT_ID&client_secret=$CLIENT_SECRET&resource=$RESOURCE" \

"https://login.microsoftonline.com/$TENANT_ID/oauth2/token" | jq -r '.access_token')

# Use the access token to query Application Insights

curl -X GET -H "Authorization: Bearer $ACCESS_TOKEN" \

"https://api.applicationinsights.io/v1/apps/$APP_ID/metrics/requests/duration?timespan=P1D&interval=PT1H"

The key in this example is that once you have retrieved the access token, you need to add it in the authorization header of subsequent calls using the -H argument.

Share via

API keys for querying data from Azure Monitor application insights will be retired

1 answer

Your answer