Description
Currently, Data API Builder does not support using Managed Identity for authenticating with Application Insights, which introduces security concerns for production workloads. Relying solely on connection strings without AAD support can be considered insecure.
Proposal
Implement support for using Managed Identity when configuring Application Insights, following the same pattern used in Azure Functions:
Example:
Set the `APPLICATIONINSIGHTS_AUTHENTICATION_STRING` environment variable with either:
- `Authorization=AAD` for system-assigned managed identity
- `Authorization=AAD;ClientId=<USER_ASSIGNED_CLIENT_ID>` for user-assigned identity
This pattern is already well-known in the .NET ecosystem and avoids introducing another authentication standard.
Implementation Suggestions
- Add a new property to the configuration JSON schema and CLI tooling to support setting the `APPLICATIONINSIGHTS_AUTHENTICATION_STRING`.
- Ensure proper unit test coverage for this configuration.
- Update documentation accordingly to reflect the supported authentication modes for Application Insights.
Why This Matters
- Aligning with established Azure/.NET standards reduces learning curves for developers.
- Avoids fragmentation or confusion caused by introducing new or inconsistent patterns.
- Enables secure, keyless telemetry integration using Entra ID (formerly Azure AD).
Related Work
There is an existing issue for supporting a Log Analytics sink which mentions Entra ID support (#2709), but:
- It appears unrelated to Application Insights.
- It uses a different configuration syntax that doesn’t align with Application Insights’ authentication mechanisms.
I'll need to know if this feature would be accepted by the team before I start working on it.
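
The two authentication-string forms proposed above, parsed strictly and mapped to a managed identity credential. This is an added example, not part of the original issue and not Data API Builder code. It assumes the `Azure.Identity` package; the `AppInsightsAuth` class, case-insensitive key matching and the GUID check on `ClientId` are assumptions of this sketch.

```csharp
using System;
using System.Collections.Generic;
using Azure.Core;
using Azure.Identity;

// Hypothetical helper (not Data API Builder's API).
public static class AppInsightsAuth
{
    public const string EnvVar = "APPLICATIONINSIGHTS_AUTHENTICATION_STRING";

    // Returns null when the value is unset, so the caller keeps its existing
    // connection-string behaviour. Malformed input throws instead of silently
    // downgrading to key-based authentication.
    public static TokenCredential? FromAuthenticationString(string? value)
    {
        if (string.IsNullOrWhiteSpace(value)) return null;

        // Assumption: keys are matched case-insensitively.
        var pairs = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        var options = StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries;
        foreach (var segment in value.Split(';', options))
        {
            var idx = segment.IndexOf('=');
            if (idx <= 0 || idx == segment.Length - 1)
                throw new FormatException($"{EnvVar}: expected key=value segments.");
            var key = segment[..idx].Trim();
            if (!pairs.TryAdd(key, segment[(idx + 1)..].Trim()))
                throw new FormatException($"{EnvVar}: duplicate key '{key}'.");
        }

        if (!pairs.TryGetValue("Authorization", out var mode) ||
            !mode.Equals("AAD", StringComparison.OrdinalIgnoreCase))
            throw new FormatException($"{EnvVar}: only Authorization=AAD is supported.");

        if (!pairs.TryGetValue("ClientId", out var clientId))
            return new ManagedIdentityCredential();      // system-assigned identity

        // Assumption: a user-assigned client ID is always a GUID.
        if (!Guid.TryParse(clientId, out _))
            throw new FormatException($"{EnvVar}: ClientId must be a GUID.");
        return new ManagedIdentityCredential(clientId);  // user-assigned identity
    }

    public static void Main()
    {
        // Constructed sample values; the GUID is a placeholder, not a real identity.
        foreach (var s in new[] { "Authorization=AAD",
                     "Authorization=AAD;ClientId=00000000-0000-0000-0000-000000000000" })
            Console.WriteLine($"{s} -> {FromAuthenticationString(s)?.GetType().Name}");
    }
}
```

The returned credential would then be handed to the Application Insights SDK, for example through `TelemetryConfiguration.SetAzureTokenCredential`, while the connection string continues to supply the ingestion endpoint.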