Currently we are sending telemetry data from our .NET function app to Application Insights using a connection string. But we need to move away from using the connection string as it might be a security concern. Hence we wanted to use Managed Identity for the connection.
We came across the document below, which explains how to enable Entra authentication for App Insights: https://zcusa.951200.xyz/en-us/azure/azure-monitor/app/azure-ad-authentication?tabs=net
According to the above documentation, we can't eliminate the connection string but can enable Entra auth using a UAMI on top of it, which ensures that only authorized telemetry gets inserted into App Insights.
Prerequisites we already completed:
- Assigned the UAMI to our function app
- Assigned the Monitoring Metrics Publisher RBAC role on the UAMI, where the target resource is the AppInsights to which we want to send the logs
- Disabled the Local Authentication setting on the AppInsights. This will ensure we also use a managed identity for authentication, i.e. our UAMI, along with the connection string.
The code given in the document doesn't seem to work for us.
```csharp
// Code from documentation
services.Configure<TelemetryConfiguration>(config =>
{
    var credential = new DefaultAzureCredential();
    config.SetAzureTokenCredential(credential);
});
services.AddApplicationInsightsTelemetry(new ApplicationInsightsServiceOptions
{
    ConnectionString = "InstrumentationKey=00000000-0000-0000-0000-000000000000;IngestionEndpoint=https://xxxx.applicationinsights.azure.com/"
});
```
Below is our code.
```csharp
// Our code
var mngIdCred = new ManagedIdentityCredential(<clientId>);
TelemetryConfiguration telemetryConfiguration = TelemetryConfiguration.CreateDefault();
telemetryConfiguration.SetAzureTokenCredential(mngIdCred);
telemetryConfiguration.ConnectionString = $"InstrumentationKey=xxxxxxx-xxxxxxxxx-xxxxx-xxxx;IngestionEndpoint=https://xxxx.in.applicationinsights.azure.com/";
```
When we deploy the code to the function app, we get an error on the Overview page of the function app saying:
Microsoft.Azure.WebJobs.Script: Error configuring services in an external startup class: The provided tokenCredential must inherit Azure.Core.TokenCredential (Parameter 'tokenCredential').
I am also new to C#. Hence it will be really helpful if someone points out what is going wrong here.
Below are the NuGet packages I am using:
- Azure Identity: 1.11.4
- Microsoft.ApplicationInsights: 2.22.0