You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
[Azure App Insights] add support for Client Secret (#48880)
* [Azure App Insights] add support for ouath2
* check that at least one auth is configured
* add changelog fragemnt and update docs
* small fixes
* fix yml files
* add auth_type to config
* remove sensitive data from debug log
* remove redundant log msg
* add required roles
* remove logger and ctx nil check
* add deprecation message and remove active_directory_endpoint
* fix doc
* add applies_to to docs
Copy file name to clipboardExpand all lines: docs/reference/metricbeat/metricbeat-metricset-azure-app_insights.md
+39-2Lines changed: 39 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -23,10 +23,47 @@ This metricset allows users to retrieve application insights metrics from specif
23
23
### Config options to identify resources [_config_options_to_identify_resources]
24
24
25
25
`application_id`
26
-
: (*[]string*) ID of the application. This is Application ID from the API Access settings blade in the Azure portal.
26
+
: (*string*) ID of the application. This is Application ID from the API Access settings blade in the Azure portal.
27
+
28
+
29
+
### Authentication [_authentication]
30
+
31
+
Two authentication methods are supported: **Client secret (Microsoft Entra ID)** and **API key**. The method is selected using the `auth_type` option.
32
+
33
+
`auth_type`
34
+
: (*string*) The authentication method to use. Valid values: `api_key` (default), `client_secret`.
35
+
36
+
#### Client secret authentication
37
+
38
+
{applies_to}`stack: ga 8.19.13` {applies_to}`stack: ga 9.2.7` {applies_to}`stack: ga 9.3.2`
39
+
40
+
Set `auth_type: "client_secret"` and provide the following options:
41
+
42
+
`tenant_id`
43
+
: (*string*) The tenant ID of the Microsoft Entra ID (Azure Active Directory) instance. More on service principal authentication can be found here [https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal).
44
+
45
+
`client_id`
46
+
: (*string*) The client/application ID of the service principal registered in Microsoft Entra ID.
47
+
48
+
`client_secret`
49
+
: (*string*) The client secret associated with the service principal.
50
+
51
+
All three of `tenant_id`, `client_id`, and `client_secret` are required when `auth_type` is `client_secret`.
52
+
53
+
**Required permissions:** The service principal must be assigned a role that grants read access to Application Insights data. The minimum built-in role is **Monitoring Reader**, assigned at the Application Insights resource scope. Other roles that include the required permissions are **Monitoring Contributor**, **Contributor**, and **Owner**. For more details, see [Azure built-in roles for Monitor](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/monitor).
54
+
55
+
#### API key authentication
56
+
57
+
::::{warning}
58
+
Microsoft is retiring API key authentication for Application Insights on **March 31, 2026**. After this date, API key authentication will no longer work. It is recommended to migrate to [client secret authentication](#_authentication) before this deadline. For more details, see [Transition to Microsoft Entra ID authentication](https://azure.microsoft.com/en-us/updates?id=transition-to-azure-ad-to-query-data-from-azure-monitor-application-insights-by-31-march-2026).
59
+
::::
60
+
61
+
Set `auth_type: "api_key"` (or omit `auth_type`, as it defaults to `api_key`) and provide:
27
62
28
63
`api_key`
29
-
: (*[]string*) The API key which will be generated, more on the steps here [https://dev.applicationinsights.io/documentation/Authorization/API-key-and-App-ID](https://dev.applicationinsights.io/documentation/Authorization/API-key-and-App-ID).
64
+
: (*string*) The API key which will be generated, more on the steps here [https://dev.applicationinsights.io/documentation/Authorization/API-key-and-App-ID](https://dev.applicationinsights.io/documentation/Authorization/API-key-and-App-ID).
65
+
66
+
**Required permissions:** The API key must be created with the **Read telemetry** permission enabled in the Azure portal (under the API Access blade of the Application Insights resource).
Copy file name to clipboardExpand all lines: x-pack/metricbeat/module/azure/app_insights/_meta/docs.md
+39-2Lines changed: 39 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -11,10 +11,47 @@ This metricset allows users to retrieve application insights metrics from specif
11
11
### Config options to identify resources [_config_options_to_identify_resources]
12
12
13
13
`application_id`
14
-
: (*[]string*) ID of the application. This is Application ID from the API Access settings blade in the Azure portal.
14
+
: (*string*) ID of the application. This is Application ID from the API Access settings blade in the Azure portal.
15
+
16
+
17
+
### Authentication [_authentication]
18
+
19
+
Two authentication methods are supported: **Client secret (Microsoft Entra ID)** and **API key**. The method is selected using the `auth_type` option.
20
+
21
+
`auth_type`
22
+
: (*string*) The authentication method to use. Valid values: `api_key` (default), `client_secret`.
23
+
24
+
#### Client secret authentication
25
+
26
+
{applies_to}`stack: ga 8.19.13` {applies_to}`stack: ga 9.2.7` {applies_to}`stack: ga 9.3.2`
27
+
28
+
Set `auth_type: "client_secret"` and provide the following options:
29
+
30
+
`tenant_id`
31
+
: (*string*) The tenant ID of the Microsoft Entra ID (Azure Active Directory) instance. More on service principal authentication can be found here [https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal).
32
+
33
+
`client_id`
34
+
: (*string*) The client/application ID of the service principal registered in Microsoft Entra ID.
35
+
36
+
`client_secret`
37
+
: (*string*) The client secret associated with the service principal.
38
+
39
+
All three of `tenant_id`, `client_id`, and `client_secret` are required when `auth_type` is `client_secret`.
40
+
41
+
**Required permissions:** The service principal must be assigned a role that grants read access to Application Insights data. The minimum built-in role is **Monitoring Reader**, assigned at the Application Insights resource scope. Other roles that include the required permissions are **Monitoring Contributor**, **Contributor**, and **Owner**. For more details, see [Azure built-in roles for Monitor](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/monitor).
42
+
43
+
#### API key authentication
44
+
45
+
::::{warning}
46
+
Microsoft is retiring API key authentication for Application Insights on **March 31, 2026**. After this date, API key authentication will no longer work. It is recommended to migrate to [client secret authentication](#_authentication) before this deadline. For more details, see [Transition to Microsoft Entra ID authentication](https://azure.microsoft.com/en-us/updates?id=transition-to-azure-ad-to-query-data-from-azure-monitor-application-insights-by-31-march-2026).
47
+
::::
48
+
49
+
Set `auth_type: "api_key"` (or omit `auth_type`, as it defaults to `api_key`) and provide:
15
50
16
51
`api_key`
17
-
: (*[]string*) The API key which will be generated, more on the steps here [https://dev.applicationinsights.io/documentation/Authorization/API-key-and-App-ID](https://dev.applicationinsights.io/documentation/Authorization/API-key-and-App-ID).
52
+
: (*string*) The API key which will be generated, more on the steps here [https://dev.applicationinsights.io/documentation/Authorization/API-key-and-App-ID](https://dev.applicationinsights.io/documentation/Authorization/API-key-and-App-ID).
53
+
54
+
**Required permissions:** The API key must be created with the **Read telemetry** permission enabled in the Azure portal (under the API Access blade of the Application Insights resource).
0 commit comments