Function App gives error after enabling the Entra Authentication for App Insights

RohanM 0 Reputation points Microsoft Vendor
2024-10-15T14:57:44.2633333+00:00

Currently we are sending telemetry data from our .NET function app to Application Insights using a connection string. But we need to move away from using the connection string, as it might be a security concern. Hence we wanted to use Managed Identity for the connection.

We came across the document below, which explains how to enable Entra authentication for App Insights: https://zcusa.951200.xyz/en-us/azure/azure-monitor/app/azure-ad-authentication?tabs=net

According to the above documentation, we can't eliminate the connection string but can enable Entra auth using a UAMI on top of it, which ensures that only authorized telemetry gets inserted into App Insights.

Prerequisites we already completed

  • Assigned UAMI to our function app
  • Assigned the Monitoring Metrics Publisher RBAC role on the UAMI, where the target resource is the AppInsights to which we want to send the logs
  • Disabled the Local Authentication setting on the AppInsights. This will ensure we also use a managed identity for authentication, i.e. our UAMI, along with the connection string.

The code given in the document doesn't seem to work for us.

//Code from documentation

services.Configure<TelemetryConfiguration>(config =>
{
    var credential = new DefaultAzureCredential();
    config.SetAzureTokenCredential(credential);
});
services.AddApplicationInsightsTelemetry(new ApplicationInsightsServiceOptions
{
    ConnectionString = "InstrumentationKey=00000000-0000-0000-0000-000000000000;IngestionEndpoint=https://xxxx.applicationinsights.azure.com/"
});

Below is our code.

//our code

var mngIdCred = new ManagedIdentityCredential(<clientId>);
TelemetryConfiguration telemetryConfiguration = TelemetryConfiguration.CreateDefault();
telemetryConfiguration.SetAzureTokenCredential(mngIdCred);
telemetryConfiguration.ConnectionString = $"InstrumentationKey=xxxxxxx-xxxxxxxxx-xxxxx-xxxx;IngestionEndpoint=https://xxxx.in.applicationinsights.azure.com/";	

When we deploy the code to the function app, we get an error on the Overview page of the function app saying

Microsoft.Azure.WebJobs.Script: Error configuring services in an external startup class: The provided tokenCredential must inherit Azure.Core.TokenCredential (Parameter 'tokenCredential').

I am also new to C#. Hence it will be really helpful if someone points out what is going wrong here.

Below are the NuGet packages I am using

  • Azure Identity : 1.11.4
  • Microsoft.ApplicationInsights: 2.22.0

1 answer

  1. Pinaki Ghatak 4,380 Reputation points Microsoft Employee
    2024-10-16T08:16:03.2233333+00:00

    Hello @RohanM

    It seems that the error is related to the ManagedIdentityCredential class.

    The error message indicates that the provided token credential must inherit Azure.Core.TokenCredential.

    You can try changing the ManagedIdentityCredential to DefaultAzureCredential as shown in the code from the documentation you provided. Here is the updated code:

    // Credential passed to Application Insights for Entra authentication
    var credential = new DefaultAzureCredential();
    TelemetryConfiguration telemetryConfiguration = TelemetryConfiguration.CreateDefault();
    telemetryConfiguration.SetAzureTokenCredential(credential);
    // The connection string is still required alongside the credential
    telemetryConfiguration.ConnectionString = "InstrumentationKey=xxxxxxx-xxxxxxxxx-xxxxx-xxxx;IngestionEndpoint=https://xxxx.in.applicationinsights.azure.com/";

    Also, make sure that you have added the Azure.Identity and Microsoft.ApplicationInsights packages to your project.


    I hope that this response has addressed your query and helped you overcome your challenges. If so, please mark this response as Answered. This will not only acknowledge our efforts, but also assist other community members who may be looking for similar solutions.
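The setup discussed in this thread, as an added example that is not code from the documentation or from either poster: it pins `DefaultAzureCredential` to the user-assigned identity and prints the credential's base-type chain with the assembly each type was loaded from, so the type named in the error message can be checked at runtime. It assumes the two packages listed in the question; `UAMI_CLIENT_ID` is a hypothetical app-setting name, and the connection string is read from the `APPLICATIONINSIGHTS_CONNECTION_STRING` app setting instead of being hard-coded.

```csharp
using System;
using Azure.Identity;
using Microsoft.ApplicationInsights;
using Microsoft.ApplicationInsights.Extensibility;

public static class EntraTelemetry
{
    // Hypothetical app-setting name holding the UAMI client ID (an assumption).
    const string ClientIdSetting = "UAMI_CLIENT_ID";
    const string ConnectionStringSetting = "APPLICATIONINSIGHTS_CONNECTION_STRING";

    static string Require(string name) =>
        Environment.GetEnvironmentVariable(name)
        ?? throw new InvalidOperationException($"App setting {name} is not set");

    public static TelemetryConfiguration Build()
    {
        // Restrict the managed-identity step of the chain to the UAMI that
        // holds the Monitoring Metrics Publisher role.
        var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions
        {
            ManagedIdentityClientId = Require(ClientIdSetting)
        });
        DescribeInheritance(credential);

        var config = TelemetryConfiguration.CreateDefault();
        config.ConnectionString = Require(ConnectionStringSetting);
        config.SetAzureTokenCredential(credential);
        return config;
    }

    // Walks the base types of the credential and prints where each was loaded
    // from; Azure.Core.TokenCredential should appear in the chain.
    public static void DescribeInheritance(object credential)
    {
        for (var t = credential.GetType(); t != null; t = t.BaseType)
        {
            var asm = t.Assembly.GetName();
            Console.WriteLine($"{t.FullName} <- {asm.Name} {asm.Version}");
        }
    }

    public static void Main()
    {
        using var config = Build();
        var client = new TelemetryClient(config);
        client.TrackTrace("Entra-authenticated telemetry test");
        client.Flush(); // send buffered telemetry before the process exits
    }
}
```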

