Configure Bring Your Own Storage (BYOS) for Application Insights Profiler and Snapshot Debugger

What is Bring Your Own Storage (BYOS) and why might I need it?

When you use Application Insights Profiler or Snapshot Debugger, artifacts generated by your application are uploaded into Azure storage accounts over the public Internet. For these artifacts and storage accounts, Microsoft controls and covers the cost for:

  • Processing and analysis.
  • Encryption-at-rest and lifetime management policies.

When you configure Bring Your Own Storage (BYOS), artifacts are uploaded into a storage account that you control. That means you control and are responsible for the cost of:

  • The encryption-at-rest policy and the Lifetime management policy.
  • Network access.


BYOS is required if you are enabling Private Link or Customer-Managed Keys.

How will my storage account be accessed?

  1. Agents running in your Virtual Machines or App Service will upload artifacts (profiles, snapshots, and symbols) to blob containers in your account.

    This process involves contacting the Profiler or Snapshot Debugger service to obtain a Shared Access Signature (SAS) token to a new blob in your storage account.

  2. The Profiler or Snapshot Debugger service will:

    1. Analyze the incoming blob.
    2. Write back the analysis results and log files into blob storage.

    Depending on available compute capacity, this process may occur anytime after upload.

  3. When you view the Profiler traces or Snapshot Debugger analysis, the service fetches the analysis results from blob storage.


  • Create your Storage Account in the same location as your Application Insights resource.

    For example, if your Application Insights resource is in West US 2, your Storage Account must be also in West US 2.

  • Grant the Storage Blob Data Contributor role to the Azure AD application named Diagnostic Services Trusted Storage Access via the Access Control (IAM) page in your storage account.

  • If Private Link is enabled, allow connection to our Trusted Microsoft Service from your virtual network.

Enable BYOS

Grant Access to Diagnostic Services to your Storage Account

A BYOS storage account will be linked to an Application Insights resource. There may be only one storage account per Application Insights resource and both must be in the same location. You may use the same storage account with more than one Application Insights resource.

First, the Application Insights Profiler, and Snapshot Debugger service needs to be granted access to the storage account. To grant access, add the role Storage Blob Data Contributor to the Azure AD application named Diagnostic Services Trusted Storage Access via the Access Control (IAM) page in your storage account as shown in Figure 1.0.


  1. Select Access control (IAM).

  2. Select Add > Add role assignment to open the Add role assignment page.

  3. Assign the following role. For detailed steps, see Assign Azure roles using the Azure portal.

    Setting Value
    Role Storage Blob Data Contributor
    Assign access to User, group, or service principal
    Members Diagnostic Services Trusted Storage Access

    Screenshot showing how to add role assignment page in Azure portal. Figure 1.0

After you added the role, it will appear under the "Role assignments" section, like the below Figure 1.1. Screenshot showing the IAM screen after Role assignments. Figure 1.1

If you're also using Private Link, it's required one additional configuration to allow connection to our Trusted Microsoft Service from your Virtual Network. or more information, see Storage Network Security documentation.

To configure BYOS for code-level diagnostics (Profiler/Debugger), there are three options:

  • Using Azure PowerShell cmdlets.
  • Using the Azure CLI.
  • Using Azure Resource Manager templates.
  1. Make sure you have installed Az PowerShell 4.2.0 or greater.

    To install Azure PowerShell, refer to the Official Azure PowerShell documentation.

  2. Install the Application Insights PowerShell extension.

    Install-Module -Name Az.ApplicationInsights -Force
  3. Sign in with your Azure account subscription.

    Connect-AzAccount -Subscription "{subscription_id}"

    For more information on how to sign in, refer to the Connect-AzAccount documentation.

  4. Remove previous Storage Account linked to your Application Insights resource.


    $appInsights = Get-AzApplicationInsights -ResourceGroupName "{resource_group_name}" -Name "{application_insights_name}"
    Remove-AzApplicationInsightsLinkedStorageAccount -ResourceId $appInsights.Id


    $appInsights = Get-AzApplicationInsights -ResourceGroupName "byos-test" -Name "byos-test-westus2-ai"
    Remove-AzApplicationInsightsLinkedStorageAccount -ResourceId $appInsights.Id
  5. Connect your Storage Account with your Application Insights resource.


    $storageAccount = Get-AzStorageAccount -ResourceGroupName "{resource_group_name}" -Name "{storage_account_name}"
    $appInsights = Get-AzApplicationInsights -ResourceGroupName "{resource_group_name}" -Name "{application_insights_name}"
    New-AzApplicationInsightsLinkedStorageAccount -ResourceId $appInsights.Id -LinkedStorageAccountResourceId $storageAccount.Id


    $storageAccount = Get-AzStorageAccount -ResourceGroupName "byos-test" -Name "byosteststoragewestus2"
    $appInsights = Get-AzApplicationInsights -ResourceGroupName "byos-test" -Name "byos-test-westus2-ai"
    New-AzApplicationInsightsLinkedStorageAccount -ResourceId $appInsights.Id -LinkedStorageAccountResourceId $storageAccount.Id