Microsoft Entra authentication for Application Insights
Application Insights now supports Microsoft Entra authentication. By using Microsoft Entra ID, you can ensure that only authenticated telemetry is ingested in your Application Insights resources.
Using various authentication systems can be cumbersome and risky because it's difficult to manage credentials at scale. You can now choose to opt out of local authentication to ensure only telemetry exclusively authenticated by using managed identities and Microsoft Entra ID is ingested in your resource. This feature is a step to enhance the security and reliability of the telemetry used to make critical operational (alerting and autoscaling) and business decisions.
Note
This document covers data ingestion into Application Insights using Microsoft Entra ID-based authentication. For information on querying data within Application Insights, see Query Application Insights using Microsoft Entra authentication.
Prerequisites
The following preliminary steps are required to enable Microsoft Entra authenticated ingestion. You need to:
- Be in the public cloud.
- Be familiar with:
- Have an Owner role to the resource group to grant access by using Azure built-in roles.
- Understand the unsupported scenarios.
Unsupported scenarios
The following Software Development Kits (SDKs) and features are unsupported for use with Microsoft Entra authenticated ingestion:
- Application Insights Java 2.x SDK.
Microsoft Entra authentication is only available for Application Insights Java Agent greater than or equal to 3.2.0. - ApplicationInsights JavaScript web SDK.
- Application Insights OpenCensus Python SDK with Python version 3.4 and 3.5.
- On-by-default autoinstrumentation/codeless monitoring (for languages) for Azure App Service, Azure Virtual Machines/Azure Virtual Machine Scale Sets, and Azure Functions.
- Profiler.
Configure and enable Microsoft Entra ID-based authentication
If you don't already have an identity, create one by using either a managed identity or a service principal.
We recommend using a managed identity:
Set up a managed identity for your Azure service (Virtual Machines or App Service).
We don't recommend using a service principal:
For more information on how to create a Microsoft Entra application and service principal that can access resources, see Create a service principal.
Assign a role to the Azure service.
Follow the steps in Assign Azure roles to add the Monitoring Metrics Publisher role from the target Application Insights resource to the Azure resource from which the telemetry is sent.
Note
Although the Monitoring Metrics Publisher role says "metrics," it will publish all telemetry to the Application Insights resource.
Follow the configuration guidance in accordance with the language that follows.
Note
Support for Microsoft Entra ID in the Application Insights .NET SDK is included starting with version 2.18-Beta3.
Application Insights .NET SDK supports the credential classes provided by Azure Identity.
- We recommend
DefaultAzureCredential
for local development. - We recommend
ManagedIdentityCredential
for system-assigned and user-assigned managed identities.- For system-assigned, use the default constructor without parameters.
- For user-assigned, provide the client ID to the constructor.
The following example shows how to manually create and configure TelemetryConfiguration
by using .NET:
TelemetryConfiguration.Active.ConnectionString = "InstrumentationKey=00000000-0000-0000-0000-000000000000;IngestionEndpoint=https://xxxx.applicationinsights.azure.com/";
var credential = new DefaultAzureCredential();
TelemetryConfiguration.Active.SetAzureTokenCredential(credential);
The following example shows how to configure TelemetryConfiguration
by using .NET Core:
services.Configure<TelemetryConfiguration>(config =>
{
var credential = new DefaultAzureCredential();
config.SetAzureTokenCredential(credential);
});
services.AddApplicationInsightsTelemetry(new ApplicationInsightsServiceOptions
{
ConnectionString = "InstrumentationKey=00000000-0000-0000-0000-000000000000;IngestionEndpoint=https://xxxx.applicationinsights.azure.com/"
});
Disable local authentication
After the Microsoft Entra authentication is enabled, you can choose to disable local authentication. This configuration allows you to ingest telemetry authenticated exclusively by Microsoft Entra ID and affects data access (for example, through API keys).
You can disable local authentication by using the Azure portal or Azure Policy or programmatically.
Azure portal
From your Application Insights resource, select Properties under the Configure heading in the menu on the left. Select Enabled (click to change) if the local authentication is enabled.
Select Disabled and apply changes.
After disabling local authentication on your resource, you'll see the corresponding information in the Overview pane.
Azure Policy
Azure Policy for DisableLocalAuth
denies users the ability to create a new Application Insights resource without this property set to true
. The policy name is Application Insights components should block non-AAD auth ingestion
.
To apply this policy definition to your subscription, create a new policy assignment and assign the policy.
The following example shows the policy template definition:
{
"properties": {
"displayName": "Application Insights components should block non-AAD auth ingestion",
"policyType": "BuiltIn",
"mode": "Indexed",
"description": "Improve Application Insights security by disabling log ingestion that are not AAD-based.",
"metadata": {
"version": "1.0.0",
"category": "Monitoring"
},
"parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "The effect determines what happens when the policy rule is evaluated to match"
},
"allowedValues": [
"audit",
"deny",
"disabled"
],
"defaultValue": "audit"
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Insights/components"
},
{
"field": "Microsoft.Insights/components/DisableLocalAuth",
"notEquals": "true"
}
]
},
"then": {
"effect": "[parameters('effect')]"
}
}
}
}
Programmatic enablement
The property DisableLocalAuth
is used to disable any local authentication on your Application Insights resource. When this property is set to true
, it enforces that Microsoft Entra authentication must be used for all access.
The following example shows the Azure Resource Manager template you can use to create a workspace-based Application Insights resource with LocalAuth
disabled.
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"name": {
"type": "string"
},
"type": {
"type": "string"
},
"regionId": {
"type": "string"
},
"tagsArray": {
"type": "object"
},
"requestSource": {
"type": "string"
},
"workspaceResourceId": {
"type": "string"
},
"disableLocalAuth": {
"type": "bool"
}
},
"resources": [
{
"name": "[parameters('name')]",
"type": "microsoft.insights/components",
"location": "[parameters('regionId')]",
"tags": "[parameters('tagsArray')]",
"apiVersion": "2020-02-02-preview",
"dependsOn": [],
"properties": {
"Application_Type": "[parameters('type')]",
"Flow_Type": "Redfield",
"Request_Source": "[parameters('requestSource')]",
"WorkspaceResourceId": "[parameters('workspaceResourceId')]",
"DisableLocalAuth": "[parameters('disableLocalAuth')]"
}
}
]
}
Token audience
When developing a custom client to obtain an access token from Microsoft Entra ID for submitting telemetry to Application Insights, refer to the following table to determine the appropriate audience string for your particular host environment.
Azure cloud version | Token audience value |
---|---|
Azure public cloud | https://monitor.azure.com |
Microsoft Azure operated by 21Vianet cloud | https://monitor.azure.cn |
Azure US Government cloud | https://monitor.azure.us |
If you're using sovereign clouds, you can find the audience information in the connection string as well. The connection string follows this structure:
InstrumentationKey={profile.InstrumentationKey};IngestionEndpoint={ingestionEndpoint};LiveEndpoint={liveDiagnosticsEndpoint};AADAudience={aadAudience}
The audience parameter, AADAudience, can vary depending on your specific environment.
Troubleshooting
This section provides distinct troubleshooting scenarios and steps that you can take to resolve an issue before you raise a support ticket.
Ingestion HTTP errors
The ingestion service returns specific errors, regardless of the SDK language. Network traffic can be collected by using a tool such as Fiddler. You should filter traffic to the ingestion endpoint set in the connection string.
HTTP/1.1 400 Authentication not supported
This error shows the resource is set for Microsoft Entra-only. You need to correctly configure the SDK because it's sending to the wrong API.
Note
"v2/track" doesn't support Microsoft Entra ID. When the SDK is correctly configured, telemetry will be sent to "v2.1/track".
Next, you should review the SDK configuration.
HTTP/1.1 401 Authorization required
This error indicates that the SDK is correctly configured but it's unable to acquire a valid token. This error might indicate an issue with Microsoft Entra ID.
Next, you should identify exceptions in the SDK logs or network errors from Azure Identity.
HTTP/1.1 403 Unauthorized
This error means the SDK uses credentials without permission for the Application Insights resource or subscription.
First, check the Application Insights resource's access control. You must configure the SDK with credentials that have the Monitoring Metrics Publisher role.
Language-specific troubleshooting
Event source
The Application Insights .NET SDK emits error logs by using the event source. To learn more about collecting event source logs, see Troubleshooting no data - collect logs with PerfView.
If the SDK fails to get a token, the exception message is logged as
Failed to get AAD Token. Error message:
.
Next steps
Feedback
https://aka.ms/ContentUserFeedback.
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see:Submit and view feedback for