Skip to content

Azure Active Directory Authentication

kryalama edited this page Jun 3, 2021 · 10 revisions

Authentication (preview) - Azure Monitor Application Insights for Java

Note

The Authentication feature is in preview. This feature is available only in version 3.2.0 and later.

The Application Insights Java agent takes a dependency on Azure Identity library which focuses on OAuth authentication with Azure Active Directory(AAD). This library offers different kinds of credential classes which are capable of acquiring an AAD token to authenticate service requests. It is the responsibility of the user of the Java agent to provide the necessary details for the agent to build the TokenCredentials required for authentication with AAD.

Prerequisites

We assume users to be familiar with the following articles before enabling authentication with AAD.

Steps to enable AAD authentication

Following are the high level view of the steps involved in enabling AAD authentication on Java agent to securely send telemetry to Azure Application Insights resource:

  1. The first step depends on the type of authentication used by the user.
    • If using System assigned managed identity or User assigned managed identity, follow these steps to configure managed identities for Azure resources on a VM using azure portal.
    • If using service principal, follow these steps to create an Azure AD application and service principal that can access resources. We recommend to use this type of authentication only during development.
  2. Follow these steps to add "Monitoring Metrics Publisher" role from the Application Insights resource to the Azure resource from which the telemetry is sent.
  3. Add the authentication related configuration to the ApplicationInsights.json configuration file.
  4. Follow these steps to create a Application Insights resource with "DisableLocalAuth=true" setting.

Supported types of authentication

The following are types of authentication that are supported by Java agent. We recommend users to use managed identities, since the ultimate goal is to eliminate secrets and also to eliminate the need for developers to manage credentials.

System Assigned Managed Identity

Here is an example on how to configure Java agent to use system assigned managed identity for authentication with AAD.

"preview" : {
    "authentication" : {
      "enabled": true,
      "type": "SAMI"
    }
}

User Assigned Managed Identity

Here is an example on how to configure Java agent to use user assigned managed identity for authentication with AAD.

"preview" : {
    "authentication" : {
      "enabled": true,
      "type": "UAMI",
      "clientId":"<USER ASSIGNED MANAGED IDENTITY CLIENT ID>"
    }
}

Client Secret

Here is an example on how to configure Java agent to use service principal for authentication with AAD. We recommend users to use this type of authentication only during development. The ultimate goal of adding authentication feature is to eliminate secrets.

"preview" : {
    "authentication" : {
      "enabled": true,
      "type": "CLIENTSECRET",
      "clientId":"<YOUR CLIENT ID>",
      "clientSecret":"<YOUR CLIENT SECRET>",
      "tenantId":"<YOUR TENANT ID>"
    }
}

Steps to create Application Insights resource using a template

Note

As of today Application Insights UI donot support adding the "DisableLocalAuth=true" to the resource. The following steps might change when this feature is enabled in UI

  1. Search for "Templates" in Azure Portal and create a new template.
  2. Paste the following template in the template creation page.
{
    "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "name": {
            "type": "string"
        },
        "type": {
            "type": "string"
        },
        "regionId": {
            "type": "string"
        },
        "tagsArray": {
            "type": "object"
        },
        "requestSource": {
            "type": "string"
        },
        "workspaceResourceId": {
            "type": "string"
        }
    },
    "resources": [
        {
            "name": "[parameters('name')]",
            "type": "microsoft.insights/components",
            "location": "[parameters('regionId')]",
            "tags": "[parameters('tagsArray')]",
            "apiVersion": "2020-02-02-preview",
            "dependsOn": [],
            "properties": {
                "ApplicationId": "[parameters('name')]",
                "Application_Type": "[parameters('type')]",
                "Flow_Type": "Redfield",
                "Request_Source": "[parameters('requestSource')]",
                "WorkspaceResourceId": "[parameters('workspaceResourceId')]",
                "DisableLocalAuth": true
            }
        }
    ]
}
  1. Once the template is created, click on deploy. This will take you to a menu where the user can edit both the template and parameters.
  2. Click on Edit parameters and paste the following json
{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "type": {
            "value": "web"
        },
        "name": {
            "value": "Your Application Insights Resource name"
        },
        "regionId": {
            "value": "Your desired region(for example:westus2)"
        },
        "tagsArray": {
            "value": {}
        },
        "requestSource": {
            "value": "CustomDeployment"
        },
        "workspaceResourceId": {
            "value": "Your workspace resource Id"
        }
    }
}
  1. Follow these steps to get the correct workspace resource id.
  2. Click on purchase/deploy to create the application insights resource

Steps to get workspaceResourceId

  1. Follow these steps to create a workspace based Application Insights resource. During the last step of creation do not click on Create.
  2. Click 'Download a template for automation', which will take you to a sample template.
  3. Click on 'Parameters' tab, copy the "workspaceResourceId" from this resource and use it in the template creation.
Clone this wiki locally