
When reading the Microsoft documentation Microsoft Entra authentication for Application Insights, it is possible to configure authenticated telemetry using RBAC, but when I also want to configure Availability tests, this is an unsupported scenario according to the documentation.

For me it is not very clear why this is the case. I’ve looked for additional documentation on this subject but can’t find much. Are there any alternatives for this omission?

2 Answers


  1. When reading the Microsoft documentation Microsoft Entra authentication for Application Insights it is possible to configure authenticated telemetry using RBAC but when I want also to configure Availability tests then this is an unsupported scenario according to the documentation.

    Let’s break this down.

    1. You have an Application Insights (AI) resource. Applications send telemetry to this resource. For that, an instrumentation key / connection string is required so that AI knows what telemetry belongs to what AI resource. You can add RBAC authentication so that only applications of which you have full control can send the telemetry using that instrumentation key / connection string. This prevents other parties from sending bogus telemetry to your AI resource since they don’t have the right RBAC permissions.
    2. Unrelated to telemetry ingestion, you have this thing called Availability Tests. This could have easily been a totally different Azure service, but they made it a part of Application Insights because the results of the tests are stored in AI. With an Availability Test you can set up a test to check whether an application is available. The application URL defined in the test can have any authentication mechanisms, or none at all. It could be hosted in Azure but it doesn’t need to be. You can even add the Stack Overflow URL in the test if you want. Due to that, there is no possibility to use an RBAC role.

    So, it is not an omission as you put it. It just doesn’t make sense to be able to use RBAC for the availability tests. That could only work if your application would support authentication using a managed identity.

  2. I think the documentation is somewhat confusing.

    Availability Tests don’t require Microsoft Entra auth to ingest results into Application Insights. So, even if local auth is disabled the availability results will continue to be ingested (since it is internal to Azure).

    Availability Tests themselves cannot use Microsoft Entra (or any other auth) to authenticate against websites they’re pinging. This is probably what the documentation implied.
