Azure AD authentication for Application Insights
Application Insights now supports Azure Active Directory (Azure AD) authentication. By using Azure AD, you can ensure that only authenticated telemetry is ingested in your Application Insights resources.
Using several authentication systems side by side is cumbersome and risky because credentials are hard to manage at scale. You can now opt out of local authentication so that only telemetry authenticated with managed identities and Azure Active Directory is ingested into your resource. This raises the security and reliability of the telemetry that drives both critical operational decisions (alerting, autoscale, and so on) and business decisions.
Prerequisites
The following are prerequisites for enabling Azure AD authenticated ingestion:
- The resource must be in the Azure public cloud.
- Familiarity with managed identities and Azure role assignments, which the configuration steps below rely on.
- You have the "Owner" role on the resource group, so that you can grant access using Azure built-in roles.
- You understand the unsupported scenarios listed next.
Unsupported scenarios
The following SDKs and features are unsupported for use with Azure AD authenticated ingestion:
- Application Insights Java 2.x SDK. Azure AD authentication is only available for the Application Insights Java Agent 3.2.0 and later.
- Application Insights OpenCensus Python SDK with Python versions 3.4 and 3.5.
- Certificate/secret based Azure AD authentication isn't recommended for production. Use managed identities instead.
- On-by-default codeless monitoring (for languages) for App Service, VM/Virtual machine scale sets, Azure Functions, and so on.
Configuring and enabling Azure AD based authentication
Create an identity, if you don't already have one, using either a managed identity or a service principal:
Using a managed identity (recommended):
Set up a managed identity for your Azure service (VM, App Service, and so on).
Using a service principal (not recommended):
For more information on how to create an Azure AD application and service principal that can access resources, see Create a service principal.
Assign the role to the Azure service.
Follow the steps in Assign Azure roles to grant the "Monitoring Metrics Publisher" role, scoped to the target Application Insights resource, to the identity of the Azure resource from which the telemetry is sent. Scope the assignment to the Application Insights resource itself rather than to the subscription, so the identity can publish to that resource only.
Note
Although the role name "Monitoring Metrics Publisher" says metrics, it allows publishing all telemetry to the Application Insights resource.
Follow the configuration guidance per language below.
Note
Support for Azure AD in the Application Insights .NET SDK is included starting with version 2.18-Beta3.
The Application Insights .NET SDK supports the credential classes provided by Azure Identity:
- DefaultAzureCredential is recommended for local development. Because it probes several credential sources in turn, prefer the explicit credential for the identity you deployed in production so that the token source is deterministic.
- ManagedIdentityCredential is recommended for system-assigned and user-assigned managed identities. For a system-assigned identity, use the default constructor without parameters; for a user-assigned identity, provide the clientId to the constructor.
- ClientSecretCredential is recommended for service principals. Provide the tenantId, clientId, and clientSecret to the constructor, and keep the secret out of source control.
Below is an example of manually creating and configuring a TelemetryConfiguration using .NET (classic TelemetryConfiguration.Active):
using Azure.Identity;
using Microsoft.ApplicationInsights.Extensibility;

// Set the connection string (in real code read it from configuration, not a literal),
// then attach the Azure Identity credential the SDK will use to acquire ingestion tokens.
TelemetryConfiguration.Active.ConnectionString = "InstrumentationKey=00000000-0000-0000-0000-000000000000;IngestionEndpoint=https://xxxx.applicationinsights.azure.com/";
var credential = new DefaultAzureCredential();
TelemetryConfiguration.Active.SetAzureTokenCredential(credential);
Below is an example of configuring the TelemetryConfiguration using .NET Core:
using Azure.Identity;
using Microsoft.ApplicationInsights.AspNetCore.Extensions;
using Microsoft.ApplicationInsights.Extensibility;
using Microsoft.Extensions.DependencyInjection;

// Register the credential on the TelemetryConfiguration before adding the telemetry
// services, so the SDK picks it up when it builds its configuration.
services.Configure<TelemetryConfiguration>(config =>
{
    var credential = new DefaultAzureCredential();
    config.SetAzureTokenCredential(credential);
});
services.AddApplicationInsightsTelemetry(new ApplicationInsightsServiceOptions
{
    // Prefer binding this from configuration rather than hard-coding it.
    ConnectionString = "InstrumentationKey=00000000-0000-0000-0000-000000000000;IngestionEndpoint=https://xxxx.applicationinsights.azure.com/"
});
Note
On March 31, 2025, support for instrumentation key ingestion will end. Instrumentation key ingestion will continue to work, but we'll no longer provide updates or support for the feature. Transition to connection strings to take advantage of new capabilities.
Disable local authentication
After Azure AD authentication is enabled, you can choose to disable local authentication. With local authentication disabled, the resource ingests only telemetry authenticated by Azure AD. The setting also affects data access, for example through API keys, so check any consumers that rely on them before you disable it.
You can disable local authentication by using the Azure portal, Azure Policy, or programmatically.
Azure portal
From your Application Insights resource, select Properties under the Configure heading in the left-hand menu. If local authentication is enabled, select Enabled (click to change).
Select Disabled and apply changes.
Once your resource has disabled local authentication, you'll see the corresponding info in the Overview pane.
Azure Policy
The Azure Policy for 'DisableLocalAuth' prevents users from creating a new Application Insights resource unless this property is set to 'true'. The policy name is 'Application Insights components should block non-AAD auth ingestion'. Note that the definition's effect parameter defaults to 'audit', which only reports non-compliant resources; assign it with the effect set to 'deny' if you want creation blocked.
To apply this policy definition to your subscription, create a new policy assignment and assign the policy.
Below is the policy template definition:
{
"properties": {
"displayName": "Application Insights components should block non-AAD auth ingestion",
"policyType": "BuiltIn",
"mode": "Indexed",
"description": "Improve Application Insights security by disabling log ingestion that are not AAD-based.",
"metadata": {
"version": "1.0.0",
"category": "Monitoring"
},
"parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "The effect determines what happens when the policy rule is evaluated to match"
},
"allowedValues": [
"audit",
"deny",
"disabled"
],
"defaultValue": "audit"
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Insights/components"
},
{
"field": "Microsoft.Insights/components/DisableLocalAuth",
"notEquals": "true"
}
]
},
"then": {
"effect": "[parameters('effect')]"
}
}
}
}
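To see exactly which resources the rule above matches, here is an added example in Python. It is not part of this page or of Azure Policy itself: a small evaluator for the allOf/anyOf/not and equals/notEquals subset of the rule language, run over constructed resource documents. The alias resolution (Microsoft.Insights/components/DisableLocalAuth to properties.DisableLocalAuth), the case-insensitive comparison that makes the ARM boolean true equal the policy string "true", and the sample resources are all assumptions made for the example. It also shows the case the rule relies on: a resource that never set DisableLocalAuth fails notEquals "true" and is flagged just like one that set it to false.

```python
"""Added example (not from the page or Microsoft): evaluate the quoted
policyRule against constructed Application Insights resource documents."""
from typing import Any

# Assumed alias mapping: the policy field alias resolves to
# properties.DisableLocalAuth on the resource document. Any other field
# name is looked up as a top-level resource property ('type', 'location').
ALIASES = {
    "Microsoft.Insights/components/DisableLocalAuth": ("properties", "DisableLocalAuth"),
}

# The policyRule from the built-in definition, with the effect parameter bound.
POLICY_RULE = {
    "if": {
        "allOf": [
            {"field": "type", "equals": "Microsoft.Insights/components"},
            {"field": "Microsoft.Insights/components/DisableLocalAuth", "notEquals": "true"},
        ]
    },
    "then": {"effect": "deny"},
}


def _lookup(resource: dict, field: str) -> Any:
    """Resolve a policy field name against a resource; None when absent."""
    path = ALIASES.get(field, (field,))
    node: Any = resource
    for key in path:
        if not isinstance(node, dict):
            return None
        node = next((v for k, v in node.items() if k.lower() == key.lower()), None)
    return node


def _norm(value: Any) -> str:
    """Modelling assumption: Azure Policy compares equals/notEquals case-insensitively,
    so the ARM boolean true and the policy string "true" compare equal; a missing
    field normalises to "" and therefore never equals "true"."""
    if value is None:
        return ""
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value).lower()


def _condition(cond: dict, resource: dict) -> bool:
    if "allOf" in cond:
        return all(_condition(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_condition(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not _condition(cond["not"], resource)
    actual = _norm(_lookup(resource, cond["field"]))
    if "equals" in cond:
        return actual == _norm(cond["equals"])
    if "notEquals" in cond:
        return actual != _norm(cond["notEquals"])
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(rule: dict, resource: dict) -> str:
    """Return the effect the rule applies to this resource, or 'compliant'."""
    if _condition(rule["if"], resource):
        return rule["then"]["effect"]
    return "compliant"


# Constructed sample resources, shaped like the ARM output below (not real deployments).
SAMPLE_RESOURCES = [
    {"name": "ai-hardened", "type": "microsoft.insights/components",
     "properties": {"Application_Type": "web", "DisableLocalAuth": True}},
    {"name": "ai-legacy", "type": "microsoft.insights/components",
     "properties": {"Application_Type": "web", "DisableLocalAuth": False}},
    {"name": "ai-unset", "type": "microsoft.insights/components",
     "properties": {"Application_Type": "web"}},  # property never set: still flagged
    {"name": "law-1", "type": "Microsoft.OperationalInsights/workspaces",
     "properties": {}},  # different resource type: rule does not apply
]


def audit(resources: list, effect: str = "deny") -> dict:
    """Evaluate every resource with the given effect; returns {name: verdict}."""
    rule = {**POLICY_RULE, "then": {"effect": effect}}
    return {r["name"]: evaluate(rule, r) for r in resources}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_RESOURCES).items():
        print(f"{name:12s} {verdict}")
```

Running the block prints deny for ai-legacy and ai-unset and compliant for the other two; passing effect="audit" reports the same resources instead of blocking them, which is what the definition's default does when assigned without changing the parameter.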
Programmatic enablement
The DisableLocalAuth property disables any local authentication on your Application Insights resource. When set to true, it enforces that Azure AD authentication must be used for all access.
Below is an example Azure Resource Manager template that you can use to create a workspace-based Application Insights resource with local auth disabled.
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"name": {
"type": "string"
},
"type": {
"type": "string"
},
"regionId": {
"type": "string"
},
"tagsArray": {
"type": "object"
},
"requestSource": {
"type": "string"
},
"workspaceResourceId": {
"type": "string"
},
"disableLocalAuth": {
"type": "bool"
}
},
"resources": [
{
"name": "[parameters('name')]",
"type": "microsoft.insights/components",
"location": "[parameters('regionId')]",
"tags": "[parameters('tagsArray')]",
"apiVersion": "2020-02-02-preview",
"dependsOn": [],
"properties": {
"Application_Type": "[parameters('type')]",
"Flow_Type": "Redfield",
"Request_Source": "[parameters('requestSource')]",
"WorkspaceResourceId": "[parameters('workspaceResourceId')]",
"DisableLocalAuth": "[parameters('disableLocalAuth')]"
}
}
]
}
Troubleshooting
This section provides distinct troubleshooting scenarios and steps that users can take to resolve any issue before they raise a support ticket.
Ingestion HTTP errors
The ingestion service returns the same errors regardless of SDK language. Network traffic can be collected with a tool such as Fiddler; filter the capture to the IngestionEndpoint host set in the connection string so that unrelated requests don't confuse the picture.
HTTP/1.1 400 Authentication not supported
This error indicates that the resource has been configured for Azure AD only, but the SDK hasn't been configured for Azure AD and is still sending to the wrong API.
Note
"v2/track" does not support Azure AD. When the SDK is correctly configured, telemetry is sent to "v2.1/track".
The next step is to review the SDK configuration.
HTTP/1.1 401 Authorization required
This error indicates that the SDK is correctly configured but was unable to acquire a valid token, which may point to an issue with Azure Active Directory.
The next step is to look for exceptions in the SDK logs or network errors from Azure Identity.
HTTP/1.1 403 Unauthorized
This error indicates that the SDK presented a valid token, but the credential hasn't been granted permission on the Application Insights resource or subscription.
The next step is to review the Application Insights resource's access control. The SDK must be configured with a credential that has been granted the "Monitoring Metrics Publisher" role on that resource.
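Putting the three error cases together, here is an added example in Python that is not part of this page or of any Application Insights SDK. It parses a connection string, keeps only captured requests to its IngestionEndpoint host, and maps each response to the next step the guidance above gives. The capture line format ("METHOD URL -> STATUS REASON"), the sample lines and the next-step tags are constructed for the example; a real Fiddler or HAR export needs its own reader.

```python
"""Added example (not from the page or any SDK): connection string parsing,
capture filtering and triage of ingestion auth responses."""
import re
from urllib.parse import urlsplit

# Same placeholder connection string the page uses (not a real resource).
CONNECTION_STRING = (
    "InstrumentationKey=00000000-0000-0000-0000-000000000000;"
    "IngestionEndpoint=https://xxxx.applicationinsights.azure.com/"
)

# Constructed capture. The last line is unrelated traffic and must be filtered out.
CAPTURE = """\
POST https://xxxx.applicationinsights.azure.com/v2/track -> 400 Authentication not supported
POST https://xxxx.applicationinsights.azure.com/v2.1/track -> 401 Authorization required
POST https://xxxx.applicationinsights.azure.com/v2.1/track -> 403 Unauthorized
POST https://xxxx.applicationinsights.azure.com/v2.1/track -> 200 OK
POST https://other.example/v2.1/track -> 403 Unauthorized
"""

LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<url>\S+) -> (?P<status>\d{3}) ?(?P<reason>.*)$")

# Tags returned by triage(), with the next step the troubleshooting section gives.
NEXT_STEPS = {
    "fix-sdk-config": "resource is Azure AD only but the SDK still posts to v2/track: "
                      "review the SDK credential configuration",
    "fix-token": "SDK posts to v2.1/track but presented no valid token: "
                 "check SDK logs and Azure Identity errors",
    "fix-role": "token accepted but the identity lacks Monitoring Metrics Publisher "
                "on the resource: fix the role assignment",
    "ok-aad": "accepted on the Azure AD path (v2.1/track)",
    "ok-local": "accepted on v2/track: local authentication is still enabled on this resource",
    "unclassified": "not one of the documented ingestion auth errors",
}


def parse_connection_string(cs: str) -> dict:
    """Split 'Key=Value;Key=Value' into a dict (keys kept as written)."""
    parts = {}
    for item in cs.split(";"):
        key, sep, value = item.partition("=")  # split on the first '=' only; the URL keeps its own
        if sep:
            parts[key.strip()] = value.strip()
    return parts


def check_connection_string(parts: dict) -> list:
    """Sanity checks to run before blaming the ingestion service."""
    findings = []
    if "InstrumentationKey" not in parts:
        findings.append("missing InstrumentationKey")
    endpoint = parts.get("IngestionEndpoint")
    if not endpoint:
        findings.append("missing IngestionEndpoint")
    elif urlsplit(endpoint).scheme != "https":
        findings.append("IngestionEndpoint is not https")  # bearer tokens must never travel in clear
    return findings


def triage(status: int, path: str) -> str:
    """Classify one ingestion response using the documented 400/401/403 meanings."""
    legacy = path.rstrip("/").endswith("/v2/track")  # v2/track carries no Azure AD token
    if status == 200:
        return "ok-local" if legacy else "ok-aad"
    if status == 400 and legacy:
        return "fix-sdk-config"
    if status == 401 and not legacy:
        return "fix-token"
    if status == 403 and not legacy:
        return "fix-role"
    return "unclassified"


def triage_capture(capture: str, cs: str) -> list:
    """Return (path, status, tag) for each request to the configured ingestion host."""
    parts = parse_connection_string(cs)
    findings = check_connection_string(parts)
    if findings:
        raise ValueError(f"bad connection string: {findings}")
    host = urlsplit(parts["IngestionEndpoint"]).hostname
    results = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["url"])
        if url.hostname != host:
            continue  # not our ingestion endpoint
        status = int(m["status"])
        results.append((url.path, status, triage(status, url.path)))
    return results


if __name__ == "__main__":
    for path, status, tag in triage_capture(CAPTURE, CONNECTION_STRING):
        print(f"{status} {path:12s} {tag:15s} {NEXT_STEPS[tag]}")
```

A 200 on v2/track is reported separately on purpose: it means the resource still accepts instrumentation-key traffic, which is the state the "Disable local authentication" section tells you to close once Azure AD ingestion works.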
Language specific troubleshooting
Event Source
The Application Insights .NET SDK emits error logs through an event source. To learn how to collect event source logs, see Troubleshooting no data - collect logs with PerfView.
If the SDK fails to get a token, the exception message is logged as:
Failed to get AAD Token. Error message: