Microsoft has recently announced the public preview of a new capability for Azure Application Insights: support for Azure Active Directory (Azure AD) authentication on telemetry ingestion. With Azure AD, you can ensure that only authenticated telemetry is ingested in your Application Insights resources.
With this new feature you can opt out of local authentication (the instrumentation key) and ensure that only telemetry authenticated with Managed Identities and Azure Active Directory is ingested in your Application Insights resource.
When you create an Azure Application Insights instance, local authentication (instrumentation-key-based ingestion) is enabled by default:
To use the new Azure AD authentication, open the Properties menu of the Application Insights instance, click the local authentication link highlighted in red above, and disable local authentication:
When you select the Disabled switch (currently in preview), a message about a required role appears. To use Azure AD authentication, you need to assign the Monitoring Metrics Publisher role to every identity or user that sends telemetry to this Application Insights instance.
To do this, assign a managed identity to each Azure resource that sends telemetry to the Application Insights instance.
A managed identity from Azure Active Directory (Azure AD) allows your app to easily access other Azure AD-protected resources. The identity is managed by the Azure platform and does not require you to provision or rotate any secrets.
Your application can be granted two types of identities:
- A system-assigned identity is tied to your application and is deleted if your app is deleted. An app can only have one system-assigned identity.
- A user-assigned identity is a standalone Azure resource that can be assigned to your app. An app can have multiple user-assigned identities.
As an example, here I’ve created a system-assigned identity for an Azure Function app:
Your Function app can then send telemetry using Azure AD authentication as follows (the connection string is still required, because the SDK takes the resource identity and the IngestionEndpoint from it; only the credential changes):
```csharp
using Azure.Identity;                              // ManagedIdentityCredential
using Microsoft.ApplicationInsights;               // TelemetryClient
using Microsoft.ApplicationInsights.Extensibility; // TelemetryConfiguration, SetAzureTokenCredential

var config = new TelemetryConfiguration
{
    ConnectionString = "InstrumentationKey=00000000-0000-0000-0000-000000000000;IngestionEndpoint=https://xxxx.applicationinsights.azure.com/"
};

// Tokens come from the Function app's system-assigned managed identity: no secret to store or rotate
var credential = new ManagedIdentityCredential();
config.SetAzureTokenCredential(credential);

var telemetryClient = new TelemetryClient(config);

// Send some telemetry signals to Application Insights
telemetryClient.TrackTrace("Sent from Azure Function");
telemetryClient.TrackException(new System.Exception("Exception sent from Azure Function"));
telemetryClient.Flush();
```
To enable the managed identity to access the Application Insights instance, select Access Control (IAM) and then add a role assignment:
Here, add a new role assignment for the Monitoring Metrics Publisher role and assign it to the system-assigned managed identity you want (in my case, my Azure Function app):
This is the most secure way of sending telemetry to an Azure Application Insights instance from your applications. Only clients that present a valid Azure AD token for an identity holding the Monitoring Metrics Publisher role can send signals; a leaked instrumentation key alone is no longer enough to inject telemetry.
But what happens if your Application Insights instance receives telemetry signals also from Dynamics 365 Business Central?
In this case, you must not disable local authentication on the Application Insights instance, and you must keep using the Application Insights instrumentation key linked to the Dynamics 365 Business Central environment; otherwise the telemetry it sends will be rejected (status code 400, Authorization not supported).
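The portal steps above, scripted end to end with the Azure CLI, as an added example that is not part of the original post. It assumes the az CLI is logged in to the subscription, that the Function app and the Application Insights component already exist, and that the subscription ID, resource group and resource names are passed on the command line; the helper names ai_scope, flag_unexpected_publishers and apply are my own, and DisableLocalAuth is the ARM property behind the portal's local authentication switch. It also adds a check the post does not show: listing who holds Monitoring Metrics Publisher on the component, since every principal with that role, including ones inherited from the resource group or the subscription, can push telemetry into it.

```shell
#!/usr/bin/env bash
# Added example: script the portal steps with the Azure CLI and verify the result.
# Assumes: az is logged in; Function app and Application Insights component exist.
set -eu

# Build the ARM resource ID of an Application Insights component (the role-assignment scope).
ai_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Insights/components/%s' "$1" "$2" "$3"
}

# Read "principalId<TAB>principalName" lines on stdin and report every principal that is
# not in the allowlist passed as arguments. Returns 1 if an unexpected publisher was found.
flag_unexpected_publishers() {
  local allowed=" $* " id name found=0 tab
  tab=$(printf '\t')
  while IFS="$tab" read -r id name; do
    [ -z "$id" ] && continue
    case "$allowed" in
      *" $id "*) ;;
      *) printf 'UNEXPECTED Monitoring Metrics Publisher: %s (%s)\n' "$id" "$name"; found=1 ;;
    esac
  done
  return "$found"
}

apply() {
  local sub="$1" rg="$2" ai="$3" func="$4" scope pid assignments
  scope=$(ai_scope "$sub" "$rg" "$ai")

  # 1. Enable the system-assigned identity on the Function app (idempotent) and get its object ID.
  pid=$(az functionapp identity assign -g "$rg" -n "$func" --query principalId -o tsv)

  # 2. Grant Monitoring Metrics Publisher scoped to this one component, not the resource group.
  az role assignment create --assignee-object-id "$pid" --assignee-principal-type ServicePrincipal \
    --role "Monitoring Metrics Publisher" --scope "$scope" -o none

  # 3. Only now disable local (instrumentation-key) authentication. Doing this before step 2
  #    would reject the Function app's telemetry until the role assignment exists.
  az resource update --ids "$scope" --set properties.DisableLocalAuth=true -o none

  # 4. Verify: DisableLocalAuth must read "true", and nobody but the Function app should hold
  #    the publisher role here, including assignments inherited from higher scopes.
  az resource show --ids "$scope" --query properties.DisableLocalAuth -o tsv
  assignments=$(az role assignment list --scope "$scope" --include-inherited \
    --role "Monitoring Metrics Publisher" --query "[].[principalId, principalName]" -o tsv)
  printf '%s\n' "$assignments" | flag_unexpected_publishers "$pid"
}

# Usage: ./ai-aad-ingestion.sh --apply <subscription-id> <resource-group> <app-insights-name> <function-app-name>
if [ "${1:-}" = "--apply" ]; then
  apply "$2" "$3" "$4" "$5"
fi
```

The order of steps 2 and 3 is deliberate: the role assignment must exist before local authentication is switched off, and Azure RBAC changes can take a few minutes to propagate, so expect a short window of rejected telemetry if you flip the switch immediately. Do not run step 3 against a component that also receives Dynamics 365 Business Central telemetry, for the reason given above. The final check exits non-zero whenever a principal other than the Function app can publish, which makes it usable as a drift check in a pipeline.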