Azure AD authentication for Application Insights (Preview)

Application Insights now supports Azure Active Directory (Azure AD) authentication. By using Azure AD, you can ensure that only authenticated telemetry is ingested into your Application Insights resources.

Typically, using a variety of authentication systems is cumbersome and poses risk, because credentials are difficult to manage at scale. You can now opt out of local authentication and ensure that only telemetry authenticated exclusively with managed identities and Azure Active Directory is ingested into your Application Insights resource. This feature enhances the security and reliability of the telemetry used to make both critical operational decisions (alerting, autoscale, and so on) and business decisions.

Important

Azure AD authentication is currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Below are SDKs/scenarios not supported in the Public Preview:

Prerequisites to enable Azure AD authentication ingestion

Configuring and enabling Azure AD based authentication

  1. Create an identity, if you don't already have one, using either a managed identity or a service principal:

    1. Using managed identity (Recommended):

      Set up a managed identity for your Azure service (VM, App Service, and so on).

    2. Using service principal (Not Recommended):

      For more information on how to create an Azure AD application and service principal that can access resources, see Create a service principal.

  2. Assign a role to the Azure service.

    Follow the steps in Assign Azure roles to add the "Monitoring Metrics Publisher" role from the target Application Insights resource to the Azure resource from which the telemetry is sent.

    Note

    Although the name of the "Monitoring Metrics Publisher" role says metrics, it publishes all telemetry to the Application Insights resource.

  3. Follow the configuration guidance per language below.

Note

Support for Azure AD in the Application Insights .NET SDK is included starting with version 2.18-Beta3.

The Application Insights .NET SDK supports the credential classes provided by Azure Identity.

  • DefaultAzureCredential is recommended for local development.
  • ManagedIdentityCredential is recommended for system-assigned and user-assigned managed identities.
    • For system-assigned, use the default constructor without parameters.
    • For user-assigned, provide the clientId to the constructor.
  • ClientSecretCredential is recommended for service principals.
    • Provide the tenantId, clientId, and clientSecret to the constructor.

Below is an example of manually creating and configuring a TelemetryConfiguration using .NET:

using Azure.Identity;
using Microsoft.ApplicationInsights.Extensibility;

// Point the SDK at the resource; the ingestion endpoint comes from the connection string.
var config = new TelemetryConfiguration
{
    ConnectionString = "InstrumentationKey=00000000-0000-0000-0000-000000000000;IngestionEndpoint=https://xxxx.applicationinsights.azure.com/"
};
// Attach an Azure Identity credential so every ingestion request carries an Azure AD token.
var credential = new DefaultAzureCredential();
config.SetAzureTokenCredential(credential);

Below is an example of configuring the TelemetryConfiguration using ASP.NET Core:

// Attach the Azure AD credential to the TelemetryConfiguration that dependency injection builds.
services.Configure<TelemetryConfiguration>(config =>
{
    var credential = new DefaultAzureCredential();
    config.SetAzureTokenCredential(credential);
});
// Register the SDK with the connection string that identifies the resource and its ingestion endpoint.
services.AddApplicationInsightsTelemetry(new ApplicationInsightsServiceOptions
{
    ConnectionString = "InstrumentationKey=00000000-0000-0000-0000-000000000000;IngestionEndpoint=https://xxxx.applicationinsights.azure.com/"
});
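Both snippets above use DefaultAzureCredential, which the credential list recommends only for local development. The following added example, which is not code from the page or from the SDK, shows how the other credential choices from that list (system-assigned and user-assigned managed identity, service principal) plug into the same SetAzureTokenCredential call. The environment variable names used for the tenant, client id and secret are assumptions made for this example; APPLICATIONINSIGHTS_CONNECTION_STRING is the variable the SDK itself recognizes for the connection string.

```csharp
using System;
using Azure.Core;
using Azure.Identity;
using Microsoft.ApplicationInsights;
using Microsoft.ApplicationInsights.Extensibility;

// Added example (not code from the page): picks the Azure Identity credential that
// matches how the workload is deployed and attaches it to the TelemetryConfiguration
// with the same SetAzureTokenCredential call the page uses. The environment variable
// names for tenant, client id and secret are assumptions for this example.
public enum IdentityKind
{
    LocalDevelopment,               // developer machine: DefaultAzureCredential chain
    SystemAssignedManagedIdentity,  // VM / App Service platform identity
    UserAssignedManagedIdentity,    // identity selected by its client id
    ServicePrincipal                // secret-based; the page does not recommend this
}

public static class AadTelemetrySetup
{
    public static TokenCredential CreateCredential(IdentityKind kind)
    {
        switch (kind)
        {
            case IdentityKind.LocalDevelopment:
                return new DefaultAzureCredential();

            case IdentityKind.SystemAssignedManagedIdentity:
                // Parameterless constructor: the system-assigned identity of the host is used.
                return new ManagedIdentityCredential();

            case IdentityKind.UserAssignedManagedIdentity:
                // The client id selects which user-assigned identity the host should use.
                return new ManagedIdentityCredential(RequireEnv("AZURE_CLIENT_ID"));

            case IdentityKind.ServicePrincipal:
                // tenantId, clientId and clientSecret; the secret belongs in a secret store,
                // never in source or in the connection string.
                return new ClientSecretCredential(
                    RequireEnv("AZURE_TENANT_ID"),
                    RequireEnv("AZURE_CLIENT_ID"),
                    RequireEnv("AZURE_CLIENT_SECRET"));

            default:
                throw new ArgumentOutOfRangeException(nameof(kind), kind, "Unknown identity kind");
        }
    }

    // Builds a TelemetryConfiguration whose ingestion requests carry an Azure AD token.
    public static TelemetryConfiguration CreateConfiguration(string connectionString, IdentityKind kind)
    {
        var config = new TelemetryConfiguration { ConnectionString = connectionString };
        config.SetAzureTokenCredential(CreateCredential(kind));
        return config;
    }

    private static string RequireEnv(string name)
    {
        string value = Environment.GetEnvironmentVariable(name);
        if (string.IsNullOrEmpty(value))
            throw new InvalidOperationException($"Environment variable {name} is not set.");
        return value;
    }

    public static void Main()
    {
        // APPLICATIONINSIGHTS_CONNECTION_STRING is the variable the SDK itself reads for
        // the connection string; it is read explicitly here so the flow is visible.
        TelemetryConfiguration config = CreateConfiguration(
            RequireEnv("APPLICATIONINSIGHTS_CONNECTION_STRING"),
            IdentityKind.SystemAssignedManagedIdentity);

        var client = new TelemetryClient(config);
        client.TrackTrace("Telemetry sent with Azure AD authentication");
        client.Flush();
    }
}
```

Choosing the credential explicitly, rather than relying on the DefaultAzureCredential probe chain in production, makes the identity the telemetry is sent under deterministic and keeps the service-principal secret out of the connection string and out of source control.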

Disable local authentication

After Azure AD authentication is enabled, you can choose to disable local authentication. This allows you to ingest only telemetry authenticated by Azure AD, and it also affects data access (for example, through API keys).

You can disable local authentication by using the Azure portal, Azure Policy, or programmatically.

Azure portal

  1. From your Application Insights resource, select Properties under the Configure heading in the left-hand menu. Then select Enabled (click to change) if local authentication is enabled.

    Screenshot of Properties under Configure, with the Enabled (click to change) local authentication button.

  2. Select Disabled and apply changes.

    Screenshot of local authentication with the enabled/disabled button highlighted.

  3. Once local authentication is disabled on your resource, you'll see the corresponding information in the Overview pane.

    Screenshot of the Overview tab with Disabled (click to change) highlighted.

Azure Policy

The Azure Policy for ‘DisableLocalAuth’ denies users the ability to create a new Application Insights resource unless this property is set to ‘true’. The policy name is ‘Application Insights components should block non-AAD auth ingestion’.

To apply this policy definition to your subscription, create a new policy assignment and assign the policy.

Below is the policy template definition:

{
    "properties": {
        "displayName": "Application Insights components should block non-AAD auth ingestion",
        "policyType": "BuiltIn",
        "mode": "Indexed",
        "description": "Improve Application Insights security by disabling log ingestion that are not AAD-based.",
        "metadata": {
            "version": "1.0.0",
            "category": "Monitoring"
        },
        "parameters": {
            "effect": {
                "type": "String",
                "metadata": {
                    "displayName": "Effect",
                    "description": "The effect determines what happens when the policy rule is evaluated to match"
                },
                "allowedValues": [
                    "audit",
                    "deny",
                    "disabled"
                ],
                "defaultValue": "audit"
            }
        },
        "policyRule": {
            "if": {
                "allOf": [
                    {
                        "field": "type",
                        "equals": "Microsoft.Insights/components"
                    },
                    {
                        "field": "Microsoft.Insights/components/DisableLocalAuth",
                        "notEquals": "true"                        
                    }
                ]
            },
            "then": {
                "effect": "[parameters('effect')]"
            }
        }
    }
}
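To make the rule above concrete, here is an added example, not code from the page and not the Azure Policy engine, that evaluates the two conditions of the policy's 'if' block against constructed resource documents shaped like the ARM template resource. It models only the operators the rule uses (equals on type, notEquals on the DisableLocalAuth alias) and the audit/deny/disabled effect parameter; treating a missing DisableLocalAuth property as "not equal to true" is this model's reading of the rule.

```csharp
using System;
using System.Text.Json;

// Added example (not from the page or from Azure Policy): a minimal evaluator for
// the 'if' block of the policy rule, run against constructed resource documents.
// It models only the two operators the rule uses plus the effect parameter.
public static class DisableLocalAuthPolicy
{
    // Values copied from the policy definition.
    private const string ResourceType = "Microsoft.Insights/components";
    private const string PropertyName = "DisableLocalAuth";

    // Returns the effect the rule would apply ("audit" or "deny"), or null when the
    // rule does not fire (compliant resource, other resource type, or effect "disabled").
    public static string Evaluate(string resourceJson, string effectParameter)
    {
        using JsonDocument doc = JsonDocument.Parse(resourceJson);
        JsonElement root = doc.RootElement;

        // Condition 1: field "type" equals "Microsoft.Insights/components".
        // Azure Policy string comparison is case-insensitive, which is why the
        // lower-case "microsoft.insights/components" in the ARM template still matches.
        if (!root.TryGetProperty("type", out JsonElement type) ||
            !string.Equals(type.GetString(), ResourceType, StringComparison.OrdinalIgnoreCase))
            return null;

        // Condition 2: alias Microsoft.Insights/components/DisableLocalAuth notEquals "true".
        // The alias resolves to properties.DisableLocalAuth. In this model a missing
        // property is "not equal to true", so a resource that never sets it is flagged.
        bool disableLocalAuth = false;
        if (root.TryGetProperty("properties", out JsonElement props) &&
            props.TryGetProperty(PropertyName, out JsonElement value))
        {
            disableLocalAuth =
                value.ValueKind == JsonValueKind.True ||
                (value.ValueKind == JsonValueKind.String &&
                 string.Equals(value.GetString(), "true", StringComparison.OrdinalIgnoreCase));
        }

        if (disableLocalAuth)
            return null; // compliant: local authentication is off

        // "disabled" switches the policy off; "audit" only reports; "deny" blocks the deployment.
        return effectParameter == "disabled" ? null : effectParameter;
    }

    public static void Main()
    {
        // Constructed resource documents shaped like the ARM template resource.
        const string compliant =
            "{\"type\":\"microsoft.insights/components\",\"properties\":{\"DisableLocalAuth\":true}}";
        const string nonCompliant =
            "{\"type\":\"microsoft.insights/components\",\"properties\":{\"DisableLocalAuth\":false}}";
        const string unset =
            "{\"type\":\"microsoft.insights/components\",\"properties\":{}}";
        const string otherResource =
            "{\"type\":\"Microsoft.Storage/storageAccounts\",\"properties\":{}}";

        Console.WriteLine("compliant resource, deny:      " + (Evaluate(compliant, "deny") ?? "rule does not fire"));
        Console.WriteLine("DisableLocalAuth=false, deny:  " + (Evaluate(nonCompliant, "deny") ?? "rule does not fire"));
        Console.WriteLine("property not set, audit:       " + (Evaluate(unset, "audit") ?? "rule does not fire"));
        Console.WriteLine("storage account, deny:         " + (Evaluate(otherResource, "deny") ?? "rule does not fire"));
    }
}
```

The point worth noticing is the default value of the effect parameter: as shipped, the definition only audits. An assignment that should actually block non-AAD ingestion has to set the effect parameter to deny when the policy is assigned.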

Programmatic enablement

The DisableLocalAuth property disables any local authentication on your Application Insights resource. When set to true, it enforces that Azure AD authentication must be used for all access.

Below is an example Azure Resource Manager template that creates a workspace-based Application Insights resource with local authentication disabled.

{
    "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "name": {
            "type": "string"
        },
        "type": {
            "type": "string"
        },
        "regionId": {
            "type": "string"
        },
        "tagsArray": {
            "type": "object"
        },
        "requestSource": {
            "type": "string"
        },
        "workspaceResourceId": {
            "type": "string"
        },
        "disableLocalAuth": {
            "type": "bool"
        }
    },
    "resources": [
        {
            "name": "[parameters('name')]",
            "type": "microsoft.insights/components",
            "location": "[parameters('regionId')]",
            "tags": "[parameters('tagsArray')]",
            "apiVersion": "2020-02-02-preview",
            "dependsOn": [],
            "properties": {
                "Application_Type": "[parameters('type')]",
                "Flow_Type": "Redfield",
                "Request_Source": "[parameters('requestSource')]",
                "WorkspaceResourceId": "[parameters('workspaceResourceId')]",
                "DisableLocalAuth": "[parameters('disableLocalAuth')]"
            }
        }
    ]
}

Troubleshooting

This section provides distinct troubleshooting scenarios and steps that users can take to resolve any issue before they raise a support ticket.

Ingestion HTTP errors

The ingestion service returns specific errors regardless of the SDK language. Network traffic can be collected with a tool such as Fiddler; filter the traffic to the IngestionEndpoint set in the connection string.

HTTP/1.1 400 Authentication not support

This indicates that the Application Insights resource has been configured for Azure AD only, but the SDK hasn't been correctly configured and is sending to the wrong API.

Note

"v2/track" does not support Azure AD. When the SDK is correctly configured, telemetry will be sent to "v2.1/track".

Next steps should be to review the SDK configuration.

HTTP/1.1 401 Authorization required

This indicates that the SDK has been correctly configured but was unable to acquire a valid token. This may indicate an issue with Azure Active Directory.

Next steps should be to identify exceptions in the SDK logs or network errors from Azure Identity.

HTTP/1.1 403 Unauthorized

This indicates that the SDK has been configured with credentials that haven't been granted permission on the Application Insights resource or subscription.

Next steps should be to review the Application Insights resource's access control. The SDK must be configured with a credential that has been granted the "Monitoring Metrics Publisher" role.
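The three status codes above, together with the v2/track versus v2.1/track endpoint note, form a small decision table. The following added example, which is not code from the page or the SDK, applies that table to request/response lines captured from the ingestion endpoint (for instance exported from a Fiddler session). The "METHOD URL -> HTTP/1.1 code reason" line format and the sample capture lines are constructed for this example.

```csharp
using System;
using System.Text.RegularExpressions;

// Added example (not from the page): maps captured ingestion request/response
// pairs to the troubleshooting steps in the guide. The line format and the
// capture lines in Main are constructed for this example.
public static class IngestionTriage
{
    // One constructed capture line per request: "<METHOD> <URL> -> HTTP/1.1 <code> <reason>"
    private static readonly Regex CaptureLine = new Regex(
        @"^(?<method>[A-Z]+)\s+(?<url>\S+)\s+->\s+HTTP/1\.1\s+(?<code>\d{3})\b",
        RegexOptions.Compiled);

    public static string Triage(string captureLine)
    {
        Match m = CaptureLine.Match(captureLine.Trim());
        if (!m.Success)
            return "Unrecognized capture line";

        string path = new Uri(m.Groups["url"].Value).AbsolutePath;
        int code = int.Parse(m.Groups["code"].Value);
        // v2/track does not support Azure AD; a correctly configured SDK posts to v2.1/track.
        bool legacyEndpoint = path.EndsWith("/v2/track", StringComparison.OrdinalIgnoreCase);
        bool aadEndpoint = path.EndsWith("/v2.1/track", StringComparison.OrdinalIgnoreCase);

        switch (code)
        {
            case 200:
                return aadEndpoint
                    ? "OK: telemetry accepted on v2.1/track with an Azure AD token"
                    : "OK: telemetry accepted without Azure AD, so the resource still allows local authentication";
            case 400 when legacyEndpoint:
                return "Resource is Azure AD only but the SDK still posts to v2/track: review the SDK configuration (SetAzureTokenCredential)";
            case 401:
                return "SDK is configured for Azure AD but could not acquire a token: check the SDK EventSource logs for 'Failed to get AAD Token' and Azure Identity network errors";
            case 403:
                return "Credential has no permission on the resource: grant it the 'Monitoring Metrics Publisher' role on the Application Insights resource";
            default:
                return $"HTTP {code}: not one of the Azure AD authentication failures covered here";
        }
    }

    public static void Main()
    {
        // Constructed capture lines; the host name is the placeholder from the page's connection string.
        string[] constructedCapture =
        {
            "POST https://xxxx.applicationinsights.azure.com/v2/track -> HTTP/1.1 400 Authentication not support",
            "POST https://xxxx.applicationinsights.azure.com/v2.1/track -> HTTP/1.1 401 Authorization required",
            "POST https://xxxx.applicationinsights.azure.com/v2.1/track -> HTTP/1.1 403 Unauthorized",
            "POST https://xxxx.applicationinsights.azure.com/v2.1/track -> HTTP/1.1 200 OK",
        };

        foreach (string line in constructedCapture)
            Console.WriteLine($"{line}\n  => {Triage(line)}");
    }
}
```

Checking the request path as well as the status code matters: a 400 on v2/track is a configuration problem on the sending side, whereas a 401 or 403 on v2.1/track means the SDK side is wired correctly and the fault lies with token acquisition or with role assignment.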

Language specific troubleshooting

Event Source

The Application Insights .NET SDK emits error logs using EventSource. To learn more about collecting EventSource logs, see Troubleshooting no data - collect logs with PerfView.

If the SDK fails to get a token, the exception message is logged as: “Failed to get AAD Token. Error message: ”

Next steps