Edit

Azure AD authentication for Application Insights

  • Article
  • 13 minutes to read

Application Insights now supports Azure Active Directory (Azure AD) authentication. By using Azure AD, you can ensure that only authenticated telemetry is ingested in your Application Insights resources.

Using various authentication systems can be cumbersome and risky because it's difficult to manage credentials at scale. You can now choose to opt out of local authentication to ensure only telemetry exclusively authenticated by using managed identities and Azure AD is ingested in your resource. This feature is a step to enhance the security and reliability of the telemetry used to make critical operational (alertingand autoscale) and business decisions.

Prerequisites

The following prerequisites enable Azure AD authenticated ingestion. You need to:

Unsupported scenarios

The following SDKs and features are unsupported for use with Azure AD authenticated ingestion:

Configure and enable Azure AD-based authentication

  1. If you don't already have an identity, create one by using either a managed identity or a service principal.

  2. Assign a role to the Azure service.

    Follow the steps in Assign Azure roles to add the Monitoring Metrics Publisher role from the target Application Insights resource to the Azure resource from which the telemetry is sent.

    Note

    Although the Monitoring Metrics Publisher role says "metrics," it will publish all telemetry to the Application Insights resource.

  3. Follow the configuration guidance in accordance with the language that follows.

Note

Support for Azure AD in the Application Insights .NET SDK is included starting with version 2.18-Beta3.

Application Insights .NET SDK supports the credential classes provided by Azure Identity.

  • We recommend DefaultAzureCredential for local development.
  • We recommend ManagedIdentityCredential for system-assigned and user-assigned managed identities.
    • For system-assigned, use the default constructor without parameters.
    • For user-assigned, provide the client ID to the constructor.
  • We recommend ClientSecretCredential for service principals.
    • Provide the tenant ID, client ID, and client secret to the constructor.

The following example shows how to manually create and configure TelemetryConfiguration by using .NET:

TelemetryConfiguration.Active.ConnectionString = "InstrumentationKey=00000000-0000-0000-0000-000000000000;IngestionEndpoint=https://xxxx.applicationinsights.azure.com/";
var credential = new DefaultAzureCredential();
TelemetryConfiguration.Active.SetAzureTokenCredential(credential);

The following example shows how to configure TelemetryConfiguration by using .NET Core:

services.Configure<TelemetryConfiguration>(config =>
{
       var credential = new DefaultAzureCredential();
       config.SetAzureTokenCredential(credential);
});
services.AddApplicationInsightsTelemetry(new ApplicationInsightsServiceOptions
{
    ConnectionString = "InstrumentationKey=00000000-0000-0000-0000-000000000000;IngestionEndpoint=https://xxxx.applicationinsights.azure.com/"
});

Note

On March 31, 2025, support for instrumentation key ingestion will end. Instrumentation key ingestion will continue to work, but we'll no longer provide updates or support for the feature. Transition to connection strings to take advantage of new capabilities.

Disable local authentication

After the Azure AD authentication is enabled, you can choose to disable local authentication. This configuration allows you to ingest telemetry authenticated exclusively by Azure AD and affects data access (for example, through API keys).

You can disable local authentication by using the Azure portal or Azure Policy or programmatically.

Azure portal

  1. From your Application Insights resource, select Properties under the Configure heading in the menu on the left. Select Enabled (click to change) if the local authentication is enabled.

    Screenshot that shows Properties under the Configure section and the Enabled (click to change) local authentication button.

  2. Select Disabled and apply changes.

    Screenshot that shows local authentication with the Enabled/Disabled button.

  3. After your resource has disabled local authentication, you'll see the corresponding information in the Overview pane.

    Screenshot that shows the Overview tab with the Disabled (click to change) local authentication button.

Azure Policy

Azure Policy for DisableLocalAuth will deny users the ability to create a new Application Insights resource without this property set to true. The policy name is Application Insights components should block non-AAD auth ingestion.

To apply this policy definition to your subscription, create a new policy assignment and assign the policy.

The following example shows the policy template definition:

{
    "properties": {
        "displayName": "Application Insights components should block non-AAD auth ingestion",
        "policyType": "BuiltIn",
        "mode": "Indexed",
        "description": "Improve Application Insights security by disabling log ingestion that are not AAD-based.",
        "metadata": {
            "version": "1.0.0",
            "category": "Monitoring"
        },
        "parameters": {
            "effect": {
                "type": "String",
                "metadata": {
                    "displayName": "Effect",
                    "description": "The effect determines what happens when the policy rule is evaluated to match"
                },
                "allowedValues": [
                    "audit",
                    "deny",
                    "disabled"
                ],
                "defaultValue": "audit"
            }
        },
        "policyRule": {
            "if": {
                "allOf": [
                    {
                        "field": "type",
                        "equals": "Microsoft.Insights/components"
                    },
                    {
                        "field": "Microsoft.Insights/components/DisableLocalAuth",
                        "notEquals": "true"                        
                    }
                ]
            },
            "then": {
                "effect": "[parameters('effect')]"
            }
        }
    }
}

Programmatic enablement

The property DisableLocalAuth is used to disable any local authentication on your Application Insights resource. When this property is set to true, it enforces that Azure AD authentication must be used for all access.

The following example shows the Azure Resource Manager template you can use to create a workspace-based Application Insights resource with LocalAuth disabled.

{
    "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "name": {
            "type": "string"
        },
        "type": {
            "type": "string"
        },
        "regionId": {
            "type": "string"
        },
        "tagsArray": {
            "type": "object"
        },
        "requestSource": {
            "type": "string"
        },
        "workspaceResourceId": {
            "type": "string"
        },
        "disableLocalAuth": {
            "type": "bool"
        }
     
    },
    "resources": [
        {
        "name": "[parameters('name')]",
        "type": "microsoft.insights/components",
        "location": "[parameters('regionId')]",
        "tags": "[parameters('tagsArray')]",
        "apiVersion": "2020-02-02-preview",
        "dependsOn": [],
        "properties": {
            "Application_Type": "[parameters('type')]",
            "Flow_Type": "Redfield",
            "Request_Source": "[parameters('requestSource')]",
            "WorkspaceResourceId": "[parameters('workspaceResourceId')]",
            "DisableLocalAuth": "[parameters('disableLocalAuth')]"
            }
    }
 ]
}

Troubleshooting

This section provides distinct troubleshooting scenarios and steps that you can take to resolve an issue before you raise a support ticket.

Ingestion HTTP errors

The ingestion service will return specific errors, regardless of the SDK language. Network traffic can be collected by using a tool such as Fiddler. You should filter traffic to the ingestion endpoint set in the connection string.

HTTP/1.1 400 Authentication not supported

This error indicates that the resource is configured for Azure AD only. The SDK hasn't been correctly configured and is sending to the incorrect API.

Note

"v2/track" doesn't support Azure AD. When the SDK is correctly configured, telemetry will be sent to "v2.1/track".

Next, you should review the SDK configuration.

HTTP/1.1 401 Authorization required

This error indicates that the SDK is correctly configured but it's unable to acquire a valid token. This error might indicate an issue with Azure AD.

Next, you should identify exceptions in the SDK logs or network errors from Azure Identity.

HTTP/1.1 403 Unauthorized

This error indicates that the SDK is configured with credentials that haven't been given permission to the Application Insights resource or subscription.

Next, you should review the Application Insights resource's access control. The SDK must be configured with a credential that's been granted the Monitoring Metrics Publisher role.

Language-specific troubleshooting

Event source

The Application Insights .NET SDK emits error logs by using the event source. To learn more about collecting event source logs, see Troubleshooting no data - collect logs with PerfView.

If the SDK fails to get a token, the exception message is logged as Failed to get AAD Token. Error message: .

Next steps