From 91ea3f67cb2c8f833ea668ea085eb11f9a8df568 Mon Sep 17 00:00:00 2001 From: Aydin Erdas Date: Wed, 22 May 2024 11:14:23 +0200 Subject: [PATCH 01/29] Add entra authentication for live metrics --- .../ApplicationInsightsOptions.cs | 1 + .../ApplicationInsightsInitializerExtensions.cs | 12 +++++++++++- Readme.md | 13 ++++++++++++- 3 files changed, 24 insertions(+), 2 deletions(-) diff --git a/Lombiq.Hosting.Azure.ApplicationInsights/ApplicationInsightsOptions.cs b/Lombiq.Hosting.Azure.ApplicationInsights/ApplicationInsightsOptions.cs index ca78802..2bfcede 100644 --- a/Lombiq.Hosting.Azure.ApplicationInsights/ApplicationInsightsOptions.cs +++ b/Lombiq.Hosting.Azure.ApplicationInsights/ApplicationInsightsOptions.cs @@ -28,6 +28,7 @@ public class ApplicationInsightsOptions /// documentation for more info: . /// + [Obsolete("Microsoft Entra authentication is the only supported method from September 30, 2025. API key authentication will be removed")] public string QuickPulseTelemetryModuleAuthenticationApiKey { get; set; } /// diff --git a/Lombiq.Hosting.Azure.ApplicationInsights/Extensions/ApplicationInsightsInitializerExtensions.cs b/Lombiq.Hosting.Azure.ApplicationInsights/Extensions/ApplicationInsightsInitializerExtensions.cs index 7cf79e8..9a15696 100644 --- a/Lombiq.Hosting.Azure.ApplicationInsights/Extensions/ApplicationInsightsInitializerExtensions.cs +++ b/Lombiq.Hosting.Azure.ApplicationInsights/Extensions/ApplicationInsightsInitializerExtensions.cs @@ -1,4 +1,5 @@ -using Lombiq.Hosting.Azure.ApplicationInsights; +using Azure.Identity; +using Lombiq.Hosting.Azure.ApplicationInsights; using Lombiq.Hosting.Azure.ApplicationInsights.Services; using Lombiq.Hosting.Azure.ApplicationInsights.TelemetryInitializers; using Microsoft.ApplicationInsights.AspNetCore.Extensions; 
@@ -23,6 +24,13 @@ public static OrchardCoreBuilder AddOrchardCoreApplicationInsightsTelemetry( IConfiguration configurationManager) { var services = builder.ApplicationServices; + + services.Configure(config => + { + var credential = new ManagedIdentityCredential(); + config.SetAzureTokenCredential(credential); + }); + services.AddApplicationInsightsTelemetry(configurationManager); // Create a temporary ServiceProvider to configure ApplicationInsightsServiceOptions. @@ -62,7 +70,9 @@ public static OrchardCoreBuilder AddOrchardCoreApplicationInsightsTelemetry( (module, _) => module.EnableSqlCommandTextInstrumentation = applicationInsightsOptions.EnableSqlCommandTextInstrumentation); services.ConfigureTelemetryModule( +#pragma warning disable CS0618 // Type or member is obsolete (module, _) => module.AuthenticationApiKey = applicationInsightsOptions.QuickPulseTelemetryModuleAuthenticationApiKey); +#pragma warning restore CS0618 // Type or member is obsolete services.AddSingleton(); services.AddSingleton(); diff --git a/Readme.md b/Readme.md index 7787eca..32d5d3b 100644 --- a/Readme.md +++ b/Readme.md @@ -86,6 +86,7 @@ The module has its own configuration for further options. These need to come fro }, "OrchardCore": { "Lombiq_Hosting_Azure_ApplicationInsights": { + // Deprecated, do not use in new projects "QuickPulseTelemetryModuleAuthenticationApiKey": "your API key here" } } 
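Review bot: The added `services.Configure(config => ...)` callback attaches `new ManagedIdentityCredential()` on every host with no way to turn it off, so a deployment that has no managed identity and relied on the connection string alone would presumably start failing token acquisition when telemetry is sent. The parameterless constructor also targets the system-assigned identity; an app that only has a user-assigned identity needs its client ID passed in, e.g. `new ManagedIdentityCredential(clientId)` fed from a new option. Consider gating the call behind an opt-in setting on `ApplicationInsightsOptions`. The body of `AddOrchardCoreApplicationInsightsTelemetry` continues outside the hunk.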
@@ -93,12 +94,22 @@ The module has its own configuration for further options. These need to come fro ``` -See the [`ApplicationInsightsOptions` class](Lombiq.Hosting.Azure.ApplicationInsights/ApplicationInsightsOptions.cs) for all options and details. We recommend configuring at least `QuickPulseTelemetryModuleAuthenticationApiKey`. +> ⚠ Use of QuickPulseTelemetryModuleAuthenticationApiKey is deprecated and will be officially unsupported starting September 30, 2025. See [Entra Authentication](#entra-authentication) for more information. + +See the [`ApplicationInsightsOptions` class](Lombiq.Hosting.Azure.ApplicationInsights/ApplicationInsightsOptions.cs) for all options and details. Note that while telemetry from background tasks is collected in form of dependency operations it'll be collected even if `EnableDependencyTrackingTelemetryModule` is `false`. If you use the security defaults from [Lombiq Helpful Libraries - Orchard Core Libraries - Security](https://github.com/Lombiq/Helpful-Libraries/blob/dev/Lombiq.HelpfulLibraries.OrchardCore/Docs/Security.md), then the security headers necessary to use Application Insight's client-side tracking will automatically be added. +### Entra Authentication + +Starting September 30, 2025, authentication using API keys is no longer supported. Instead, you'll have to set up Entra Authentication. + +To set up Entra Authentication follow the steps that most closely match your situation over at [Microsoft Entra authentication for Application Insights](https://learn.microsoft.com/en-us/azure/azure-monitor/app/azure-ad-authentication?tabs=net) + +Once Entra Authentication is set up and the ConnectionString has been properly set, live metrics should be flowing in. + ### Using collected data All the collected data will be available in the Azure Portal as usual. Some custom properties will be added to all suitable telemetry with the `"OrchardCore."` prefix. From 15d377306a19e43a098a1249fc8eabd3eee9f50a Mon Sep 17 00:00:00 2001 
From: Aydin Erdas Date: Thu, 23 May 2024 10:18:50 +0200 Subject: [PATCH 02/29] Update Readme.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Zoltán Lehóczky --- Readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Readme.md b/Readme.md index 32d5d3b..ee5bcfe 100644 --- a/Readme.md +++ b/Readme.md @@ -86,7 +86,7 @@ The module has its own configuration for further options. These need to come fro }, "OrchardCore": { "Lombiq_Hosting_Azure_ApplicationInsights": { - // Deprecated, do not use in new projects + // Deprecated, do not use in new projects. "QuickPulseTelemetryModuleAuthenticationApiKey": "your API key here" } } From 69b61c960df2eac9bbb8b53340758b11b4f1bf53 Mon Sep 17 00:00:00 2001 From: Aydin Erdas Date: Thu, 23 May 2024 10:20:06 +0200 Subject: [PATCH 03/29] Update Readme.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Zoltán Lehóczky --- Readme.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Readme.md b/Readme.md index ee5bcfe..7ea0c53 100644 --- a/Readme.md +++ b/Readme.md 
@@ -104,11 +104,11 @@ If you use the security defaults from [Lombiq Helpful Libraries - Orchard Core L ### Entra Authentication -Starting September 30, 2025, authentication using API keys is no longer supported. Instead, you'll have to set up Entra Authentication. +Starting 30 September 2025, authentication using API keys is no longer supported. Instead, you'll have to set up Entra Authentication. To set up Entra Authentication follow the steps that most closely match your situation over at [Microsoft Entra authentication for Application Insights](https://learn.microsoft.com/en-us/azure/azure-monitor/app/azure-ad-authentication?tabs=net) -Once Entra Authentication is set up and the ConnectionString has been properly set, live metrics should be flowing in. +Once Entra Authentication is set up and the `ConnectionString` has been properly set, live metrics should be flowing in. ### Using collected data From e64a5017105444403d2d3381d0b17ff0c0e9b271 Mon Sep 17 00:00:00 2001 From: Aydin Erdas Date: Thu, 23 May 2024 10:20:27 +0200 Subject: [PATCH 04/29] Update Readme.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Zoltán Lehóczky --- Readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Readme.md b/Readme.md index 7ea0c53..83152b4 100644 --- a/Readme.md +++ b/Readme.md 
@@ -94,7 +94,7 @@ The module has its own configuration for further options. These need to come fro ``` -> ⚠ Use of QuickPulseTelemetryModuleAuthenticationApiKey is deprecated and will be officially unsupported starting September 30, 2025. See [Entra Authentication](#entra-authentication) for more information. +> ⚠ Use of QuickPulseTelemetryModuleAuthenticationApiKey is deprecated and will be officially unsupported starting 30 September 2025. See [Entra Authentication](#entra-authentication) for more information. See the [`ApplicationInsightsOptions` class](Lombiq.Hosting.Azure.ApplicationInsights/ApplicationInsightsOptions.cs) for all options and details. From 22bec38be0c602cd7212601754d46361b9a11e15 Mon Sep 17 00:00:00 2001 From: Aydin Erdas Date: Thu, 23 May 2024 10:20:43 +0200 Subject: [PATCH 05/29] Update Lombiq.Hosting.Azure.ApplicationInsights/ApplicationInsightsOptions.cs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Zoltán Lehóczky --- .../ApplicationInsightsOptions.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Lombiq.Hosting.Azure.ApplicationInsights/ApplicationInsightsOptions.cs b/Lombiq.Hosting.Azure.ApplicationInsights/ApplicationInsightsOptions.cs index 2bfcede..7ffc983 100644 --- a/Lombiq.Hosting.Azure.ApplicationInsights/ApplicationInsightsOptions.cs +++ b/Lombiq.Hosting.Azure.ApplicationInsights/ApplicationInsightsOptions.cs @@ -28,7 +28,7 @@ public class ApplicationInsightsOptions /// documentation for more info: . /// - [Obsolete("Microsoft Entra authentication is the only supported method from September 30, 2025. API key authentication will be removed")] + [Obsolete("Microsoft Entra authentication is the only supported method from 30 September 2025. API key authentication will be removed.")] public string QuickPulseTelemetryModuleAuthenticationApiKey { get; set; } /// From f74854cd9d5643971c2cdffd9e6ccc01d8c4ef01 Mon Sep 17 00:00:00 2001 
From: Aydin Erdas Date: Thu, 23 May 2024 10:58:29 +0200 Subject: [PATCH 06/29] Support local development --- .../ApplicationInsightsOptions.cs | 8 +++++++ ...pplicationInsightsInitializerExtensions.cs | 24 ++++++++++++------- 2 files changed, 24 insertions(+), 8 deletions(-) diff --git a/Lombiq.Hosting.Azure.ApplicationInsights/ApplicationInsightsOptions.cs b/Lombiq.Hosting.Azure.ApplicationInsights/ApplicationInsightsOptions.cs index 2bfcede..10fcacb 100644 --- a/Lombiq.Hosting.Azure.ApplicationInsights/ApplicationInsightsOptions.cs +++ b/Lombiq.Hosting.Azure.ApplicationInsights/ApplicationInsightsOptions.cs @@ -70,6 +70,14 @@ public class ApplicationInsightsOptions /// public bool EnableClientSideTracking { get; set; } = true; + /// + /// Gets or sets a value indicating whether local development is enabled where telemetry is sent to + /// Azure Application Insights from the local instance. + /// Will only work if local authentication is enabled in the properties of the Applications Insights resource + /// which should only be the case during development and testing. + /// + public bool EnableLocalDevelopment { get; set; } + /// /// Gets or sets a value indicating whether to work in kind of a debug mode completely offline. Telemetry will still /// show up in the Debug window. diff --git a/Lombiq.Hosting.Azure.ApplicationInsights/Extensions/ApplicationInsightsInitializerExtensions.cs b/Lombiq.Hosting.Azure.ApplicationInsights/Extensions/ApplicationInsightsInitializerExtensions.cs index 9a15696..4bbb5a3 100644 --- a/Lombiq.Hosting.Azure.ApplicationInsights/Extensions/ApplicationInsightsInitializerExtensions.cs +++ b/Lombiq.Hosting.Azure.ApplicationInsights/Extensions/ApplicationInsightsInitializerExtensions.cs 
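Review bot: The new XML doc on `EnableLocalDevelopment` says the flag only works when local authentication is enabled on the resource, but the companion hunk in this commit uses the flag to attach a `DefaultAzureCredential`, which is an Entra token path rather than local authentication. The summary should describe what the flag actually selects, for example `/// When true, telemetry is authenticated with DefaultAzureCredential instead of ManagedIdentityCredential; intended for development machines only.` It would also help to state that the default is `false` and that the setting should stay off on deployed hosts. The enclosing class starts and ends outside the hunk.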
@@ -25,14 +25,6 @@ public static OrchardCoreBuilder AddOrchardCoreApplicationInsightsTelemetry( { var services = builder.ApplicationServices; - services.Configure(config => - { - var credential = new ManagedIdentityCredential(); - config.SetAzureTokenCredential(credential); - }); - - services.AddApplicationInsightsTelemetry(configurationManager); - // Create a temporary ServiceProvider to configure ApplicationInsightsServiceOptions. using var serviceProvider = services.BuildServiceProvider(); var applicationInsightsServiceOptions = serviceProvider @@ -43,6 +35,22 @@ public static OrchardCoreBuilder AddOrchardCoreApplicationInsightsTelemetry( .GetSection("OrchardCore:Lombiq_Hosting_Azure_ApplicationInsights"); applicationInsightsConfigSection.Bind(applicationInsightsOptions); + services.Configure(config => + { + if (applicationInsightsOptions.EnableLocalDevelopment) + { + var credential = new DefaultAzureCredential(); + config.SetAzureTokenCredential(credential); + } + else + { + var credential = new ManagedIdentityCredential(); + config.SetAzureTokenCredential(credential); + } + }); + + services.AddApplicationInsightsTelemetry(configurationManager); + if (string.IsNullOrEmpty(applicationInsightsServiceOptions?.ConnectionString) && #pragma warning disable CS0618 // Type or member is obsolete string.IsNullOrEmpty(applicationInsightsServiceOptions?.InstrumentationKey) && From 11ed4b7ca705a3df2752ce71958593f96ade576d Mon Sep 17 00:00:00 2001 From: Aydin Erdas Date: Thu, 23 May 2024 11:05:56 +0200 Subject: [PATCH 07/29] Update Readme.md --- Readme.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/Readme.md b/Readme.md index 83152b4..6491d08 100644 --- a/Readme.md +++ b/Readme.md 
@@ -110,6 +110,20 @@ To set up Entra Authentication follow the steps that most closely match your sit Once Entra Authentication is set up and the `ConnectionString` has been properly set, live metrics should be flowing in. +If you want to stream local metrics to Application Insights, you should set the `EnableLocalDevelopment` option to `true` in the `Lombiq_Hosting_Azure_ApplicationInsights` section of your configuration. + +```json5 +{ + "OrchardCore": { + "Lombiq_Hosting_Azure_ApplicationInsights": { + "EnableLocalDevelopment": true + } + } +} +``` + +> ⚠ Logging local metrics to Application Insights is only recommended for development purposes. And only works when local development is enabled on the Application Insights resource in Azure. Once you are ready to deploy to staging/production environments, you should disable local development. + ### Using collected data All the collected data will be available in the Azure Portal as usual. Some custom properties will be added to all suitable telemetry with the `"OrchardCore."` prefix. From ef8e2566537e01d25cb8f712222d75e13c229c2d Mon Sep 17 00:00:00 2001 From: Aydin Erdas Date: Thu, 23 May 2024 11:37:08 +0200 Subject: [PATCH 08/29] Update ApplicationInsightsInitializerExtensions.cs --- .../Extensions/ApplicationInsightsInitializerExtensions.cs | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Lombiq.Hosting.Azure.ApplicationInsights/Extensions/ApplicationInsightsInitializerExtensions.cs b/Lombiq.Hosting.Azure.ApplicationInsights/Extensions/ApplicationInsightsInitializerExtensions.cs index 4bbb5a3..8d7b66b 100644 --- a/Lombiq.Hosting.Azure.ApplicationInsights/Extensions/ApplicationInsightsInitializerExtensions.cs +++ b/Lombiq.Hosting.Azure.ApplicationInsights/Extensions/ApplicationInsightsInitializerExtensions.cs 
@@ -24,6 +24,7 @@ public static OrchardCoreBuilder AddOrchardCoreApplicationInsightsTelemetry( IConfiguration configurationManager) { var services = builder.ApplicationServices; + services.AddApplicationInsightsTelemetry(configurationManager); // Create a temporary ServiceProvider to configure ApplicationInsightsServiceOptions. using var serviceProvider = services.BuildServiceProvider(); @@ -49,8 +50,6 @@ public static OrchardCoreBuilder AddOrchardCoreApplicationInsightsTelemetry( } }); - services.AddApplicationInsightsTelemetry(configurationManager); - if (string.IsNullOrEmpty(applicationInsightsServiceOptions?.ConnectionString) && #pragma warning disable CS0618 // Type or member is obsolete string.IsNullOrEmpty(applicationInsightsServiceOptions?.InstrumentationKey) && From d676e19c6d015f6601bb080fed3f3b65b35d60e7 Mon Sep 17 00:00:00 2001 From: Aydin Erdas Date: Thu, 23 May 2024 11:40:07 +0200 Subject: [PATCH 09/29] Update nuget package version --- .../Lombiq.Hosting.Azure.ApplicationInsights.csproj | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Lombiq.Hosting.Azure.ApplicationInsights/Lombiq.Hosting.Azure.ApplicationInsights.csproj b/Lombiq.Hosting.Azure.ApplicationInsights/Lombiq.Hosting.Azure.ApplicationInsights.csproj index d5e7d92..dfdb9aa 100644 --- a/Lombiq.Hosting.Azure.ApplicationInsights/Lombiq.Hosting.Azure.ApplicationInsights.csproj +++ b/Lombiq.Hosting.Azure.ApplicationInsights/Lombiq.Hosting.Azure.ApplicationInsights.csproj @@ -34,7 +34,7 @@ - + From 0db85a0787bb0bc73c8f91e01a776f882303c004 Mon Sep 17 00:00:00 2001 From: Aydin Erdas Date: Mon, 3 Jun 2024 10:18:49 +0200 Subject: [PATCH 10/29] Update readme and local development --- .../ApplicationInsightsInitializerExtensions.cs | 7 +------ Readme.md | 14 ++++++++++---- 2 files changed, 11 insertions(+), 10 deletions(-) 
diff --git a/Lombiq.Hosting.Azure.ApplicationInsights/Extensions/ApplicationInsightsInitializerExtensions.cs b/Lombiq.Hosting.Azure.ApplicationInsights/Extensions/ApplicationInsightsInitializerExtensions.cs index 8d7b66b..c4b38f6 100644 --- a/Lombiq.Hosting.Azure.ApplicationInsights/Extensions/ApplicationInsightsInitializerExtensions.cs +++ b/Lombiq.Hosting.Azure.ApplicationInsights/Extensions/ApplicationInsightsInitializerExtensions.cs @@ -38,16 +38,11 @@ public static OrchardCoreBuilder AddOrchardCoreApplicationInsightsTelemetry( services.Configure(config => { - if (applicationInsightsOptions.EnableLocalDevelopment) + if (!applicationInsightsOptions.EnableLocalDevelopment) { var credential = new DefaultAzureCredential(); config.SetAzureTokenCredential(credential); } - else - { - var credential = new ManagedIdentityCredential(); - config.SetAzureTokenCredential(credential); - } }); if (string.IsNullOrEmpty(applicationInsightsServiceOptions?.ConnectionString) && diff --git a/Readme.md b/Readme.md index 6491d08..50d4f91 100644 --- a/Readme.md +++ b/Readme.md 
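Review bot: After this change the default path (`EnableLocalDevelopment` left at `false`) authenticates deployed hosts with `DefaultAzureCredential`, which walks a chain of sources (environment variables, managed identity, developer tool sign-ins), so the identity that publishes telemetry depends on whatever the host environment happens to expose. For deployed environments a fixed credential is easier to reason about and audit; keeping `config.SetAzureTokenCredential(new ManagedIdentityCredential());` in this branch would preserve that. The negated condition also makes the flag read backwards, since enabling "local development" now means that no credential is attached; a one-line comment such as `// Local development relies on the connection string (local authentication), so no token credential is set.` would make that explicit. The callback is part of `AddOrchardCoreApplicationInsightsTelemetry`, whose body continues outside the hunk.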
@@ -106,11 +106,15 @@ If you use the security defaults from [Lombiq Helpful Libraries - Orchard Core L Starting 30 September 2025, authentication using API keys is no longer supported. Instead, you'll have to set up Entra Authentication. -To set up Entra Authentication follow the steps that most closely match your situation over at [Microsoft Entra authentication for Application Insights](https://learn.microsoft.com/en-us/azure/azure-monitor/app/azure-ad-authentication?tabs=net) +#### Setting up Entra Authentication for Application Insights -Once Entra Authentication is set up and the `ConnectionString` has been properly set, live metrics should be flowing in. +To set up Entra Authentication for an application hosted on Azure you will have to set up a Managed Identity for the application and give it the `Monitoring Metrics Publisher` role to be able to publish metrics to AI. See how to set up a managed identity [here](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/managed-identities-status). See more on Assigning Azure roles [here](https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal) -If you want to stream local metrics to Application Insights, you should set the `EnableLocalDevelopment` option to `true` in the `Lombiq_Hosting_Azure_ApplicationInsights` section of your configuration. +Once Entra Authentication is set up and the `ConnectionString` has been properly set, metrics should be flowing in. + +#### Local development + +If you want to stream local metrics to Application Insights, you should set the `EnableLocalDevelopment` option to `true` in the `Lombiq_Hosting_Azure_ApplicationInsights` section of your configuration and make sure that `Local Authentication` is enabled in the Application Insights resource on Azure. ```json5 { 
@@ -122,7 +126,9 @@ If you want to stream local metrics to Application Insights, you should set the } ``` -> ⚠ Logging local metrics to Application Insights is only recommended for development purposes. And only works when local development is enabled on the Application Insights resource in Azure. Once you are ready to deploy to staging/production environments, you should disable local development. +For more information or scenarios not described here, see the [official documentation](https://learn.microsoft.com/en-us/azure/azure-monitor/app/azure-ad-authentication). + +> ⚠ Logging local metrics to Application Insights is only recommended for development purposes. And only works when local development is enabled on the Application Insights resource in Azure. Once you are ready to deploy to staging/production environments, you should disable `Local Authentication` on your AI resource. ### Using collected data From b8b1f45d2d45497dbcaa688b44ccdbcc5affead2 Mon Sep 17 00:00:00 2001 From: Aydin Erdas Date: Wed, 5 Jun 2024 09:33:04 +0200 Subject: [PATCH 11/29] Update Readme.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Zoltán Lehóczky --- Readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Readme.md b/Readme.md index 50d4f91..9580005 100644 --- a/Readme.md +++ b/Readme.md 
@@ -104,7 +104,7 @@ If you use the security defaults from [Lombiq Helpful Libraries - Orchard Core L ### Entra Authentication -Starting 30 September 2025, authentication using API keys is no longer supported. Instead, you'll have to set up Entra Authentication. +Starting 30 September 2025, authentication using API keys is no longer supported for [securing the Live Metrics control channel](https://learn.microsoft.com/en-us/azure/azure-monitor/app/live-stream#secure-the-control-channel). Instead, you'll have to set up Entra Authentication for that (you may omit this if not needed; configuring the connection string is necessary in any case, and enough for simply collecting telemetry). #### Setting up Entra Authentication for Application Insights From 6bd71d5323c94087edeb93abc7637464fb312aef Mon Sep 17 00:00:00 2001 From: Aydin Erdas Date: Wed, 5 Jun 2024 09:34:33 +0200 Subject: [PATCH 12/29] Update Readme.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Zoltán Lehóczky --- Readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Readme.md b/Readme.md index 9580005..3d372fa 100644 --- a/Readme.md +++ b/Readme.md 
@@ -102,7 +102,7 @@ Note that while telemetry from background tasks is collected in form of dependen If you use the security defaults from [Lombiq Helpful Libraries - Orchard Core Libraries - Security](https://github.com/Lombiq/Helpful-Libraries/blob/dev/Lombiq.HelpfulLibraries.OrchardCore/Docs/Security.md), then the security headers necessary to use Application Insight's client-side tracking will automatically be added. -### Entra Authentication +### Entra Authentication for the Live Metrics control channel Starting 30 September 2025, authentication using API keys is no longer supported for [securing the Live Metrics control channel](https://learn.microsoft.com/en-us/azure/azure-monitor/app/live-stream#secure-the-control-channel). Instead, you'll have to set up Entra Authentication for that (you may omit this if not needed; configuring the connection string is necessary in any case, and enough for simply collecting telemetry). From b05ab16b6e3620e735e969fda826eeacc2a92187 Mon Sep 17 00:00:00 2001 From: Aydin Erdas Date: Wed, 5 Jun 2024 09:35:21 +0200 Subject: [PATCH 13/29] Update Readme.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Zoltán Lehóczky --- Readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Readme.md b/Readme.md index 3d372fa..b02a291 100644 --- a/Readme.md +++ b/Readme.md 
@@ -114,7 +114,7 @@ Once Entra Authentication is set up and the `ConnectionString` has been properly #### Local development -If you want to stream local metrics to Application Insights, you should set the `EnableLocalDevelopment` option to `true` in the `Lombiq_Hosting_Azure_ApplicationInsights` section of your configuration and make sure that `Local Authentication` is enabled in the Application Insights resource on Azure. +If you want to stream local metrics to Application Insights, you should set the `EnableLocalDevelopment` option to `true` in the `Lombiq_Hosting_Azure_ApplicationInsights` section of your configuration and make sure that `Local Authentication` is enabled in the Application Insights resource on Azure (for that, do the **opposite** of what's documented [here](https://learn.microsoft.com/en-us/azure/azure-monitor/app/azure-ad-authentication?tabs=net#disable-local-authentication)). ```json5 { From 8a73ae78dd23dead0e4a4a3b7ff8340ee264fe1b Mon Sep 17 00:00:00 2001 From: Aydin Erdas Date: Wed, 5 Jun 2024 09:35:35 +0200 Subject: [PATCH 14/29] Update Readme.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Zoltán Lehóczky --- Readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Readme.md b/Readme.md index b02a291..1568954 100644 --- a/Readme.md +++ b/Readme.md 
@@ -108,7 +108,7 @@ Starting 30 September 2025, authentication using API keys is no longer supported #### Setting up Entra Authentication for Application Insights -To set up Entra Authentication for an application hosted on Azure you will have to set up a Managed Identity for the application and give it the `Monitoring Metrics Publisher` role to be able to publish metrics to AI. See how to set up a managed identity [here](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/managed-identities-status). See more on Assigning Azure roles [here](https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal) +To set up Entra Authentication for an application hosted on Azure you will have to set up a Managed Identity for the application and give it the `Monitoring Metrics Publisher` role to be able to publish metrics to AI. See how to set up a managed identity [here](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/managed-identities-status). See more on Assigning Azure roles [here](https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal). Once Entra Authentication is set up and the `ConnectionString` has been properly set, metrics should be flowing in. From dd956de2da3159255256b1c1f5f157d6163393a8 Mon Sep 17 00:00:00 2001 From: Aydin Erdas Date: Wed, 5 Jun 2024 15:57:51 +0200 Subject: [PATCH 15/29] Use service principal for local development --- .../ApplicationInsightsOptions.cs | 24 +++++++++++++++---- ...pplicationInsightsInitializerExtensions.cs | 10 +++++++- Readme.md | 11 ++++++--- 3 files changed, 36 insertions(+), 9 deletions(-) diff --git a/Lombiq.Hosting.Azure.ApplicationInsights/ApplicationInsightsOptions.cs b/Lombiq.Hosting.Azure.ApplicationInsights/ApplicationInsightsOptions.cs index 15d5b51..f7ca719 100644 --- a/Lombiq.Hosting.Azure.ApplicationInsights/ApplicationInsightsOptions.cs 
+++ b/Lombiq.Hosting.Azure.ApplicationInsights/ApplicationInsightsOptions.cs @@ -71,12 +71,26 @@ public class ApplicationInsightsOptions public bool EnableClientSideTracking { get; set; } = true; /// - /// Gets or sets a value indicating whether local development is enabled where telemetry is sent to - /// Azure Application Insights from the local instance. - /// Will only work if local authentication is enabled in the properties of the Applications Insights resource - /// which should only be the case during development and testing. + /// Gets or sets a value indicating whether local development is enabled where telemetry is sent to a secure Azure + /// Application Insights resource from the local instance. When using this option you will also need to provide + /// tenantId, clientId, and clientSecret of the service principal. /// - public bool EnableLocalDevelopment { get; set; } + public bool EnableSecureLocalDevelopment { get; set; } + + /// + /// The tenant ID of the Azure AD application that's used for local development. + /// + public string TenantId { get; set; } + + /// + /// The client ID of the Azure AD application that's used for local development. + /// + public string ClientId { get; set; } + + /// + /// The client secret of the Azure AD application that's used for local development. + /// + public string ClientSecret { get; set; } /// /// Gets or sets a value indicating whether to work in kind of a debug mode completely offline. Telemetry will still diff --git a/Lombiq.Hosting.Azure.ApplicationInsights/Extensions/ApplicationInsightsInitializerExtensions.cs b/Lombiq.Hosting.Azure.ApplicationInsights/Extensions/ApplicationInsightsInitializerExtensions.cs index c4b38f6..a86e99b 100644 --- a/Lombiq.Hosting.Azure.ApplicationInsights/Extensions/ApplicationInsightsInitializerExtensions.cs +++ b/Lombiq.Hosting.Azure.ApplicationInsights/Extensions/ApplicationInsightsInitializerExtensions.cs 
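Review bot: The doc comments on `TenantId`, `ClientId` and `ClientSecret` do not say that the values are only read when `EnableSecureLocalDevelopment` is `true`, nor where `ClientSecret` is expected to come from. Because this options class is bound from the `OrchardCore:Lombiq_Hosting_Azure_ApplicationInsights` configuration section, readers are likely to put the secret in a settings file; the summary should point them to a secret store instead, e.g. `/// Supply this through user secrets or an environment variable, never a committed settings file.` The summary of `EnableSecureLocalDevelopment` should also say that the flag is meant for developer machines and should be off on deployed hosts. The enclosing class starts and ends outside the hunk.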
@@ -38,7 +38,15 @@ public static OrchardCoreBuilder AddOrchardCoreApplicationInsightsTelemetry( services.Configure(config => { - if (!applicationInsightsOptions.EnableLocalDevelopment) + if (applicationInsightsOptions.EnableSecureLocalDevelopment) + { + var credential = new ClientSecretCredential( + applicationInsightsOptions.TenantId, + applicationInsightsOptions.ClientId, + applicationInsightsOptions.ClientSecret); + config.SetAzureTokenCredential(credential); + } + else { var credential = new DefaultAzureCredential(); config.SetAzureTokenCredential(credential); diff --git a/Readme.md b/Readme.md index 1568954..c0b48b5 100644 --- a/Readme.md +++ b/Readme.md @@ -94,7 +94,7 @@ The module has its own configuration for further options. These need to come fro ``` -> ⚠ Use of QuickPulseTelemetryModuleAuthenticationApiKey is deprecated and will be officially unsupported starting 30 September 2025. See [Entra Authentication](#entra-authentication) for more information. +> ⚠ Use of QuickPulseTelemetryModuleAuthenticationApiKey is deprecated and will be officially unsupported starting 30 September 2025. See [Entra Authentication for the Live Metrics control channel](#entra-authentication-for-the-live-metrics-control-channel) for more information. See the [`ApplicationInsightsOptions` class](Lombiq.Hosting.Azure.ApplicationInsights/ApplicationInsightsOptions.cs) for all options and details. 
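Review bot: The `EnableSecureLocalDevelopment` branch passes `TenantId`, `ClientId` and `ClientSecret` straight to `ClientSecretCredential` without checking them, so a missing value surfaces (as far as I know) as an argument exception thrown from inside the options callback rather than as a clear configuration error. A guard before the constructor call that names the missing settings, without echoing the secret, would make the failure diagnosable. Nothing in the hunk ties the flag to the hosting environment either, so a deployed host with the flag left on would authenticate with the service principal secret instead of its own identity; a logged warning or an environment check would help. The callback is part of `AddOrchardCoreApplicationInsightsTelemetry`, whose body continues outside the hunk.

```csharp
if (applicationInsightsOptions.EnableSecureLocalDevelopment)
{
    if (string.IsNullOrEmpty(applicationInsightsOptions.TenantId) ||
        string.IsNullOrEmpty(applicationInsightsOptions.ClientId) ||
        string.IsNullOrEmpty(applicationInsightsOptions.ClientSecret))
    {
        throw new InvalidOperationException(
            "EnableSecureLocalDevelopment requires TenantId, ClientId and ClientSecret to be configured.");
    }

    // … unchanged: ClientSecretCredential construction and SetAzureTokenCredential call …
}
```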
@@ -114,13 +114,18 @@ Once Entra Authentication is set up and the `ConnectionString` has been properly #### Local development -If you want to stream local metrics to Application Insights, you should set the `EnableLocalDevelopment` option to `true` in the `Lombiq_Hosting_Azure_ApplicationInsights` section of your configuration and make sure that `Local Authentication` is enabled in the Application Insights resource on Azure (for that, do the **opposite** of what's documented [here](https://learn.microsoft.com/en-us/azure/azure-monitor/app/azure-ad-authentication?tabs=net#disable-local-authentication)). +If you want to stream local metrics to a **SECURE** Application Insights resource, you should set the `EnableSecureLocalDevelopment` option to `true` in the `Lombiq_Hosting_Azure_ApplicationInsights` section of your configuration. To stream local metrics on a secure channel with Entra ID you will also have to provide the credentials of the service principal, to set this up [see the docs](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal). + +In the scenario where you have `LOCAL AUTHENTICATION` enabled on your AI resource, you do not have to provide the service principal credentials. In this case, the module will use the `ConnectionString` to authenticate the local telemetry. ```json5 { "OrchardCore": { "Lombiq_Hosting_Azure_ApplicationInsights": { - "EnableLocalDevelopment": true + "EnableSecureLocalDevelopment": true, + "TenantId": "your tenant id", + "ClientId": "your client id", + "ClientSecret": "your client secret", } } } From dddcdfe9c8e991cf1cf1b8689e0907962a0bf307 Mon Sep 17 00:00:00 2001 From: Aydin Erdas Date: Wed, 5 Jun 2024 16:35:19 +0200 Subject: [PATCH 16/29] Update ApplicationInsightsOptions.cs --- .../ApplicationInsightsOptions.cs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/Lombiq.Hosting.Azure.ApplicationInsights/ApplicationInsightsOptions.cs b/Lombiq.Hosting.Azure.ApplicationInsights/ApplicationInsightsOptions.cs index f7ca719..e646b81 100644 --- a/Lombiq.Hosting.Azure.ApplicationInsights/ApplicationInsightsOptions.cs +++ b/Lombiq.Hosting.Azure.ApplicationInsights/ApplicationInsightsOptions.cs @@ -78,17 +78,17 @@ public class ApplicationInsightsOptions public bool EnableSecureLocalDevelopment { get; set; } /// - /// The tenant ID of the Azure AD application that's used for local development. + /// Gets or sets the tenant ID of the Azure AD application that's used for local development. /// public string TenantId { get; set; } /// - /// The client ID of the Azure AD application that's used for local development. + /// Gets or sets the client ID of the Azure AD application that's used for local development. /// public string ClientId { get; set; } /// - /// The client secret of the Azure AD application that's used for local development. + /// Gets or sets the client secret of the Azure AD application that's used for local development. /// public string ClientSecret { get; set; } From 48865d79e7cb4d9150a6e46916729a2e253f0279 Mon Sep 17 00:00:00 2001 From: Aydin Erdas Date: Thu, 6 Jun 2024 08:03:27 +0200 Subject: [PATCH 17/29] Update Lombiq.Hosting.Azure.ApplicationInsights/ApplicationInsightsOptions.cs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Zoltán Lehóczky --- .../ApplicationInsightsOptions.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Lombiq.Hosting.Azure.ApplicationInsights/ApplicationInsightsOptions.cs b/Lombiq.Hosting.Azure.ApplicationInsights/ApplicationInsightsOptions.cs index e646b81..e253702 100644 --- a/Lombiq.Hosting.Azure.ApplicationInsights/ApplicationInsightsOptions.cs +++ b/Lombiq.Hosting.Azure.ApplicationInsights/ApplicationInsightsOptions.cs 
@@ -78,7 +78,7 @@ public class ApplicationInsightsOptions public bool EnableSecureLocalDevelopment { get; set; } /// - /// Gets or sets the tenant ID of the Azure AD application that's used for local development. + /// Gets or sets the tenant ID of the Microsoft Entra application used to secure the control channel. /// public string TenantId { get; set; } From 492dacd9784b9a3e1b9f1f2ac36a30800dc016a5 Mon Sep 17 00:00:00 2001 From: Aydin Erdas Date: Thu, 6 Jun 2024 08:03:36 +0200 Subject: [PATCH 18/29] Update Lombiq.Hosting.Azure.ApplicationInsights/ApplicationInsightsOptions.cs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Zoltán Lehóczky --- .../ApplicationInsightsOptions.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Lombiq.Hosting.Azure.ApplicationInsights/ApplicationInsightsOptions.cs b/Lombiq.Hosting.Azure.ApplicationInsights/ApplicationInsightsOptions.cs index e253702..0b8c049 100644 --- a/Lombiq.Hosting.Azure.ApplicationInsights/ApplicationInsightsOptions.cs +++ b/Lombiq.Hosting.Azure.ApplicationInsights/ApplicationInsightsOptions.cs @@ -83,7 +83,7 @@ public class ApplicationInsightsOptions public string TenantId { get; set; } /// - /// Gets or sets the client ID of the Azure AD application that's used for local development. + /// Gets or sets the client ID of the Microsoft Entra application used to secure the control channel. /// public string ClientId { get; set; } From 22b5f9fea7cfb0eb6196e640c7710d3f8f16d508 Mon Sep 17 00:00:00 2001 From: Aydin Erdas Date: Thu, 6 Jun 2024 14:05:26 +0200 Subject: [PATCH 19/29] Update Lombiq.Hosting.Azure.ApplicationInsights/ApplicationInsightsOptions.cs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Zoltán Lehóczky --- .../ApplicationInsightsOptions.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/Lombiq.Hosting.Azure.ApplicationInsights/ApplicationInsightsOptions.cs b/Lombiq.Hosting.Azure.ApplicationInsights/ApplicationInsightsOptions.cs index 0b8c049..40249bd 100644 --- a/Lombiq.Hosting.Azure.ApplicationInsights/ApplicationInsightsOptions.cs +++ b/Lombiq.Hosting.Azure.ApplicationInsights/ApplicationInsightsOptions.cs @@ -88,7 +88,7 @@ public class ApplicationInsightsOptions public string ClientId { get; set; } /// - /// Gets or sets the client secret of the Azure AD application that's used for local development. + /// Gets or sets the client secret of the Microsoft Entra application used to secure the control channel. /// public string ClientSecret { get; set; } From 6538e0a367f90be5a03caded9a95789b951ccb52 Mon Sep 17 00:00:00 2001 From: Aydin Erdas Date: Thu, 6 Jun 2024 14:54:49 +0200 Subject: [PATCH 20/29] Try to clear up some confusion --- .../ApplicationInsightsOptions.cs | 22 +++++-------------- ...pplicationInsightsInitializerExtensions.cs | 8 +++---- .../ServicePrincipalCredentials.cs | 19 ++++++++++++++++ Readme.md | 20 ++++++++--------- 4 files changed, 39 insertions(+), 30 deletions(-) create mode 100644 Lombiq.Hosting.Azure.ApplicationInsights/ServicePrincipalCredentials.cs diff --git a/Lombiq.Hosting.Azure.ApplicationInsights/ApplicationInsightsOptions.cs b/Lombiq.Hosting.Azure.ApplicationInsights/ApplicationInsightsOptions.cs index 40249bd..aec8b22 100644 --- a/Lombiq.Hosting.Azure.ApplicationInsights/ApplicationInsightsOptions.cs +++ b/Lombiq.Hosting.Azure.ApplicationInsights/ApplicationInsightsOptions.cs 
@@ -71,26 +71,16 @@ public class ApplicationInsightsOptions public bool EnableClientSideTracking { get; set; } = true; /// - /// Gets or sets a value indicating whether local development is enabled where telemetry is sent to a secure Azure - /// Application Insights resource from the local instance. When using this option you will also need to provide - /// tenantId, clientId, and clientSecret of the service principal. + /// Gets or sets a value indicating whether to authenticate to AI using a Service Principal. When using this option + /// you will also need to provide tenantId, clientId, and clientSecret of the service principal. /// - public bool EnableSecureLocalDevelopment { get; set; } + public bool UseServicePrincipalAuthentication { get; set; } /// - /// Gets or sets the tenant ID of the Microsoft Entra application used to secure the control channel. + /// Gets or sets the ServicePrincipalCredentials of the Microsoft Entra application used to secure the control + /// channel. /// - public string TenantId { get; set; } - - /// - /// Gets or sets the client ID of the Microsoft Entra application used to secure the control channel. - /// - public string ClientId { get; set; } - - /// - /// Gets or sets the client secret of the Microsoft Entra application used to secure the control channel. - /// - public string ClientSecret { get; set; } + public ServicePrincipalCredentials ServicePrincipalCredentials { get; set; } /// /// Gets or sets a value indicating whether to work in kind of a debug mode completely offline. Telemetry will still diff --git a/Lombiq.Hosting.Azure.ApplicationInsights/Extensions/ApplicationInsightsInitializerExtensions.cs b/Lombiq.Hosting.Azure.ApplicationInsights/Extensions/ApplicationInsightsInitializerExtensions.cs index a86e99b..535f479 100644 --- a/Lombiq.Hosting.Azure.ApplicationInsights/Extensions/ApplicationInsightsInitializerExtensions.cs 
+++ b/Lombiq.Hosting.Azure.ApplicationInsights/Extensions/ApplicationInsightsInitializerExtensions.cs @@ -38,12 +38,12 @@ public static OrchardCoreBuilder AddOrchardCoreApplicationInsightsTelemetry( services.Configure(config => { - if (applicationInsightsOptions.EnableSecureLocalDevelopment) + if (applicationInsightsOptions.UseServicePrincipalAuthentication) { var credential = new ClientSecretCredential( - applicationInsightsOptions.TenantId, - applicationInsightsOptions.ClientId, - applicationInsightsOptions.ClientSecret); + applicationInsightsOptions.ServicePrincipalCredentials.TenantId, + applicationInsightsOptions.ServicePrincipalCredentials.ClientId, + applicationInsightsOptions.ServicePrincipalCredentials.ClientSecret); config.SetAzureTokenCredential(credential); } else diff --git a/Lombiq.Hosting.Azure.ApplicationInsights/ServicePrincipalCredentials.cs b/Lombiq.Hosting.Azure.ApplicationInsights/ServicePrincipalCredentials.cs new file mode 100644 index 0000000..1c7b90d --- /dev/null +++ b/Lombiq.Hosting.Azure.ApplicationInsights/ServicePrincipalCredentials.cs @@ -0,0 +1,19 @@ +namespace Lombiq.Hosting.Azure.ApplicationInsights; + +public class ServicePrincipalCredentials +{ + /// + /// Gets or sets the tenant ID of the Microsoft Entra application used to secure the control channel. + /// + public string TenantId { get; set; } + + /// + /// Gets or sets the client ID of the Microsoft Entra application used to secure the control channel. + /// + public string ClientId { get; set; } + + /// + /// Gets or sets the client secret of the Microsoft Entra application used to secure the control channel. + /// + public string ClientSecret { get; set; } +} diff --git a/Readme.md b/Readme.md index c0b48b5..7eb82df 100644 --- a/Readme.md +++ b/Readme.md 
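Review bot: `applicationInsightsOptions.ServicePrincipalCredentials` is dereferenced three times in the `ClientSecretCredential` call, but the property added in ApplicationInsightsOptions.cs has no initializer, so it appears to stay null when `UseServicePrincipalAuthentication` is true and the `ServicePrincipalCredentials` section is absent from configuration. That would surface as a NullReferenceException from inside the options callback rather than as a configuration error. I would read it once with a guard, `var principal = applicationInsightsOptions.ServicePrincipalCredentials ?? throw new System.InvalidOperationException("ServicePrincipalCredentials must be configured when UseServicePrincipalAuthentication is true.");`, and pass `principal.TenantId`, `principal.ClientId` and `principal.ClientSecret` to the constructor. The same dereference is carried through the rewrites of this block in patches 21, 23 and 24; the enclosing method starts and ends outside this hunk.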
@@ -110,22 +110,24 @@ Starting 30 September 2025, authentication using API keys is no longer supported To set up Entra Authentication for an application hosted on Azure you will have to set up a Managed Identity for the application and give it the `Monitoring Metrics Publisher` role to be able to publish metrics to AI. See how to set up a managed identity [here](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/managed-identities-status). See more on Assigning Azure roles [here](https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal). -Once Entra Authentication is set up and the `ConnectionString` has been properly set, metrics should be flowing in. +Although not recommended, you can also use a service principal to authenticate. To set this up, you will have to provide the service principal credentials in the configuration. See the [Service principal](#service-principal) section for more information. This is also the only way to authenticate if you are using a non-Azure (or local) environment. -#### Local development +Once Entra Authentication is set up and the `ConnectionString` has been properly set, metrics should be flowing in. -If you want to stream local metrics to a **SECURE** Application Insights resource, you should set the `EnableSecureLocalDevelopment` option to `true` in the `Lombiq_Hosting_Azure_ApplicationInsights` section of your configuration. To stream local metrics on a secure channel with Entra ID you will also have to provide the credentials of the service principal, to set this up [see the docs](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal). +#### Service principal -In the scenario where you have `LOCAL AUTHENTICATION` enabled on your AI resource, you do not have to provide the service principal credentials. In this case, the module will use the `ConnectionString` to authenticate the local telemetry. 
+If you want to use the Service Principal method for your Application Insights resource, you should set the `UseServicePrincipalAuthentication` option to `true` in the `Lombiq_Hosting_Azure_ApplicationInsights` section of your configuration. To securely stream metrics with Entra ID you will also have to provide the credentials of the service principal, to set this up [see the docs](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal). ```json5 { "OrchardCore": { "Lombiq_Hosting_Azure_ApplicationInsights": { - "EnableSecureLocalDevelopment": true, - "TenantId": "your tenant id", - "ClientId": "your client id", - "ClientSecret": "your client secret", + "UseServicePrincipalAuthentication": true, + "ServicePrincipalCredentials": { + "TenantId": "your service principal tenant id", + "ClientId": "your service principal client id", + "ClientSecret": "your service principal client secret" + }, } } } @@ -133,8 +135,6 @@ In the scenario where you have `LOCAL AUTHENTICATION` enabled on your AI resourc For more information or scenarios not described here, see the [official documentation](https://learn.microsoft.com/en-us/azure/azure-monitor/app/azure-ad-authentication). -> ⚠ Logging local metrics to Application Insights is only recommended for development purposes. And only works when local development is enabled on the Application Insights resource in Azure. Once you are ready to deploy to staging/production environments, you should disable `Local Authentication` on your AI resource. - ### Using collected data All the collected data will be available in the Azure Portal as usual. Some custom properties will be added to all suitable telemetry with the `"OrchardCore."` prefix. From 1bfda11378a711059dbfef8f95853fb8c8a34d74 Mon Sep 17 00:00:00 2001 
From: Aydin Erdas Date: Fri, 7 Jun 2024 16:49:10 +0200 Subject: [PATCH 21/29] Add option to use entra --- .../ApplicationInsightsOptions.cs | 5 +++ ...pplicationInsightsInitializerExtensions.cs | 33 ++++++++++--------- 2 files changed, 22 insertions(+), 16 deletions(-) diff --git a/Lombiq.Hosting.Azure.ApplicationInsights/ApplicationInsightsOptions.cs b/Lombiq.Hosting.Azure.ApplicationInsights/ApplicationInsightsOptions.cs index aec8b22..f5489b5 100644 --- a/Lombiq.Hosting.Azure.ApplicationInsights/ApplicationInsightsOptions.cs +++ b/Lombiq.Hosting.Azure.ApplicationInsights/ApplicationInsightsOptions.cs @@ -70,6 +70,11 @@ public class ApplicationInsightsOptions /// public bool EnableClientSideTracking { get; set; } = true; + /// + /// Gets or sets a value indicating whether to use entra authentication. + /// + public bool UseEntraAuthentication { get; set; } + /// /// Gets or sets a value indicating whether to authenticate to AI using a Service Principal. When using this option /// you will also need to provide tenantId, clientId, and clientSecret of the service principal. diff --git a/Lombiq.Hosting.Azure.ApplicationInsights/Extensions/ApplicationInsightsInitializerExtensions.cs b/Lombiq.Hosting.Azure.ApplicationInsights/Extensions/ApplicationInsightsInitializerExtensions.cs index 535f479..1ed9f38 100644 --- a/Lombiq.Hosting.Azure.ApplicationInsights/Extensions/ApplicationInsightsInitializerExtensions.cs +++ b/Lombiq.Hosting.Azure.ApplicationInsights/Extensions/ApplicationInsightsInitializerExtensions.cs @@ -1,4 +1,4 @@ -using Azure.Identity; +using Azure.Identity; using Lombiq.Hosting.Azure.ApplicationInsights; using Lombiq.Hosting.Azure.ApplicationInsights.Services; using Lombiq.Hosting.Azure.ApplicationInsights.TelemetryInitializers; 
@@ -36,22 +36,23 @@ public static OrchardCoreBuilder AddOrchardCoreApplicationInsightsTelemetry( .GetSection("OrchardCore:Lombiq_Hosting_Azure_ApplicationInsights"); applicationInsightsConfigSection.Bind(applicationInsightsOptions); - services.Configure(config => - { - if (applicationInsightsOptions.UseServicePrincipalAuthentication) - { - var credential = new ClientSecretCredential( - applicationInsightsOptions.ServicePrincipalCredentials.TenantId, - applicationInsightsOptions.ServicePrincipalCredentials.ClientId, - applicationInsightsOptions.ServicePrincipalCredentials.ClientSecret); - config.SetAzureTokenCredential(credential); - } - else + if (applicationInsightsOptions.UseEntraAuthentication) + services.Configure(config => { - var credential = new DefaultAzureCredential(); - config.SetAzureTokenCredential(credential); - } - }); + if (applicationInsightsOptions.UseServicePrincipalAuthentication) + { + var credential = new ClientSecretCredential( + applicationInsightsOptions.ServicePrincipalCredentials.TenantId, + applicationInsightsOptions.ServicePrincipalCredentials.ClientId, + applicationInsightsOptions.ServicePrincipalCredentials.ClientSecret); + config.SetAzureTokenCredential(credential); + } + else + { + var credential = new DefaultAzureCredential(); + config.SetAzureTokenCredential(credential); + } + }); if (string.IsNullOrEmpty(applicationInsightsServiceOptions?.ConnectionString) && #pragma warning disable CS0618 // Type or member is obsolete From 390846eb96bbdb2abd005dfb8c9933760474db90 Mon Sep 17 00:00:00 2001 From: Aydin Erdas Date: Fri, 7 Jun 2024 17:51:45 +0200 Subject: [PATCH 22/29] Update Readme.md --- Readme.md | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/Readme.md b/Readme.md index 7eb82df..83cfc6e 100644 --- a/Readme.md +++ b/Readme.md 
@@ -108,20 +108,37 @@ Starting 30 September 2025, authentication using API keys is no longer supported #### Setting up Entra Authentication for Application Insights +> ⚠ This section is required if you have disabled `Local Authentication` on your AI resource, See [the docs](https://learn.microsoft.com/en-us/azure/azure-monitor/app/azure-ad-authentication?WT.mc_id=Portal-AppInsightsExtension&tabs=net#disable-local-authentication). + +If you want to use Entra Authentication for Application Insights, or if you have disabled `Local Authentication` on your AI resource, you will have to set up the `UseEntraAuthentication` option to `true` in the `Lombiq_Hosting_Azure_ApplicationInsights` section of your configuration like below. + +```json5 +{ + "OrchardCore": { + "Lombiq_Hosting_Azure_ApplicationInsights": { + "UseEntraAuthentication": true + } + } +} +``` + To set up Entra Authentication for an application hosted on Azure you will have to set up a Managed Identity for the application and give it the `Monitoring Metrics Publisher` role to be able to publish metrics to AI. See how to set up a managed identity [here](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/managed-identities-status). See more on Assigning Azure roles [here](https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal). -Although not recommended, you can also use a service principal to authenticate. To set this up, you will have to provide the service principal credentials in the configuration. See the [Service principal](#service-principal) section for more information. This is also the only way to authenticate if you are using a non-Azure (or local) environment. +You can also use a service principal to authenticate. To set this up, you will have to provide the service principal credentials in the configuration. See the [Service principal](#service-principal) section for more information. 
This is also the only way to authenticate if you are using a non-Azure (or local) environment - or an Azure resource that does not support Managed Identities. Once Entra Authentication is set up and the `ConnectionString` has been properly set, metrics should be flowing in. #### Service principal -If you want to use the Service Principal method for your Application Insights resource, you should set the `UseServicePrincipalAuthentication` option to `true` in the `Lombiq_Hosting_Azure_ApplicationInsights` section of your configuration. To securely stream metrics with Entra ID you will also have to provide the credentials of the service principal, to set this up [see the docs](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal). +Using a Service Principal is the only way to authenticate using Entra if you are using a non-Azure (or local) environment. + +If you want to use the Service Principal method for your Application Insights resource, you should set the `UseServicePrincipalAuthentication` option to `true` in addition to `UseEntraAuthentication` in the `Lombiq_Hosting_Azure_ApplicationInsights` section of your configuration. To securely stream metrics with Entra ID you will also have to provide the credentials of the service principal, to set this up [see the docs](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal). ```json5 { "OrchardCore": { "Lombiq_Hosting_Azure_ApplicationInsights": { + "UseEntraAuthentication": true, "UseServicePrincipalAuthentication": true, "ServicePrincipalCredentials": { "TenantId": "your service principal tenant id", From c066760e4eef1eb98b2a968af41ba0e1db5667dc Mon Sep 17 00:00:00 2001 From: Aydin Erdas Date: Fri, 7 Jun 2024 20:25:55 +0200 Subject: [PATCH 23/29] Add validation check --- .../ApplicationInsightsInitializerExtensions.cs | 12 ++++++++++++ 1 file changed, 12 insertions(+) 
diff --git a/Lombiq.Hosting.Azure.ApplicationInsights/Extensions/ApplicationInsightsInitializerExtensions.cs b/Lombiq.Hosting.Azure.ApplicationInsights/Extensions/ApplicationInsightsInitializerExtensions.cs index 1ed9f38..a35d325 100644 --- a/Lombiq.Hosting.Azure.ApplicationInsights/Extensions/ApplicationInsightsInitializerExtensions.cs +++ b/Lombiq.Hosting.Azure.ApplicationInsights/Extensions/ApplicationInsightsInitializerExtensions.cs @@ -9,6 +9,7 @@ using Microsoft.ApplicationInsights.Extensibility.PerfCounterCollector.QuickPulse; using Microsoft.Extensions.Configuration; using Microsoft.Extensions.Options; +using System; using System.Linq; using ApplicationInsightsFeatureIds = Lombiq.Hosting.Azure.ApplicationInsights.Constants.FeatureIds; @@ -36,7 +37,17 @@ public static OrchardCoreBuilder AddOrchardCoreApplicationInsightsTelemetry( .GetSection("OrchardCore:Lombiq_Hosting_Azure_ApplicationInsights"); applicationInsightsConfigSection.Bind(applicationInsightsOptions); + // Check if UseServicePrincipalAuthentication is true, if so UseEntraAuthentication must also be true. + if (applicationInsightsOptions.UseServicePrincipalAuthentication && + !applicationInsightsOptions.UseEntraAuthentication) + { + throw new InvalidOperationException( + "UseServicePrincipalAuthentication is set to true, but UseEntraAuthentication is set to false. " + + "UseEntraAuthentication must be set to true when UseServicePrincipalAuthentication is set to true."); + } + if (applicationInsightsOptions.UseEntraAuthentication) + { services.Configure(config => { if (applicationInsightsOptions.UseServicePrincipalAuthentication) @@ -53,6 +64,7 @@ public static OrchardCoreBuilder AddOrchardCoreApplicationInsightsTelemetry( config.SetAzureTokenCredential(credential); } }); + } if (string.IsNullOrEmpty(applicationInsightsServiceOptions?.ConnectionString) && #pragma warning disable CS0618 // Type or member is obsolete From 7009f63f085bdcaf70058ccdaeae599e805bd866 Mon Sep 17 00:00:00 2001 
From: Aydin Erdas Date: Mon, 10 Jun 2024 10:17:17 +0200 Subject: [PATCH 24/29] Change options to use Enum --- .../ApplicationInsightsOptions.cs | 11 ++--- ...pplicationInsightsInitializerExtensions.cs | 41 +++++++------------ .../Models/EntraAuthenticationType.cs | 19 +++++++++ Readme.md | 11 +++-- 4 files changed, 42 insertions(+), 40 deletions(-) create mode 100644 Lombiq.Hosting.Azure.ApplicationInsights/Models/EntraAuthenticationType.cs diff --git a/Lombiq.Hosting.Azure.ApplicationInsights/ApplicationInsightsOptions.cs b/Lombiq.Hosting.Azure.ApplicationInsights/ApplicationInsightsOptions.cs index f5489b5..564c389 100644 --- a/Lombiq.Hosting.Azure.ApplicationInsights/ApplicationInsightsOptions.cs +++ b/Lombiq.Hosting.Azure.ApplicationInsights/ApplicationInsightsOptions.cs @@ -1,3 +1,4 @@ +using Lombiq.Hosting.Azure.ApplicationInsights.Models; using Microsoft.ApplicationInsights.DataContracts; using System; using System.Text.RegularExpressions; @@ -71,15 +72,9 @@ public class ApplicationInsightsOptions public bool EnableClientSideTracking { get; set; } = true; /// - /// Gets or sets a value indicating whether to use entra authentication. + /// Gets or sets a value indicating whether to use Entra authentication and which type. /// - public bool UseEntraAuthentication { get; set; } - - /// - /// Gets or sets a value indicating whether to authenticate to AI using a Service Principal. When using this option - /// you will also need to provide tenantId, clientId, and clientSecret of the service principal. - /// - public bool UseServicePrincipalAuthentication { get; set; } + public EntraAuthenticationType EntraAuthenticationType { get; set; } /// /// Gets or sets the ServicePrincipalCredentials of the Microsoft Entra application used to secure the control 
diff --git a/Lombiq.Hosting.Azure.ApplicationInsights/Extensions/ApplicationInsightsInitializerExtensions.cs b/Lombiq.Hosting.Azure.ApplicationInsights/Extensions/ApplicationInsightsInitializerExtensions.cs index a35d325..ae49d59 100644 --- a/Lombiq.Hosting.Azure.ApplicationInsights/Extensions/ApplicationInsightsInitializerExtensions.cs +++ b/Lombiq.Hosting.Azure.ApplicationInsights/Extensions/ApplicationInsightsInitializerExtensions.cs @@ -1,5 +1,6 @@ using Azure.Identity; using Lombiq.Hosting.Azure.ApplicationInsights; +using Lombiq.Hosting.Azure.ApplicationInsights.Models; using Lombiq.Hosting.Azure.ApplicationInsights.Services; using Lombiq.Hosting.Azure.ApplicationInsights.TelemetryInitializers; using Microsoft.ApplicationInsights.AspNetCore.Extensions; @@ -9,7 +10,6 @@ using Microsoft.ApplicationInsights.Extensibility.PerfCounterCollector.QuickPulse; using Microsoft.Extensions.Configuration; using Microsoft.Extensions.Options; -using System; using System.Linq; using ApplicationInsightsFeatureIds = Lombiq.Hosting.Azure.ApplicationInsights.Constants.FeatureIds; 
@@ -37,34 +37,23 @@ public static OrchardCoreBuilder AddOrchardCoreApplicationInsightsTelemetry( .GetSection("OrchardCore:Lombiq_Hosting_Azure_ApplicationInsights"); applicationInsightsConfigSection.Bind(applicationInsightsOptions); - // Check if UseServicePrincipalAuthentication is true, if so UseEntraAuthentication must also be true. - if (applicationInsightsOptions.UseServicePrincipalAuthentication && - !applicationInsightsOptions.UseEntraAuthentication) + services.Configure(config => { - throw new InvalidOperationException( - "UseServicePrincipalAuthentication is set to true, but UseEntraAuthentication is set to false. " + - "UseEntraAuthentication must be set to true when UseServicePrincipalAuthentication is set to true."); - } + if (applicationInsightsOptions.EntraAuthenticationType == EntraAuthenticationType.ServicePrincipal) + { + var credential = new ClientSecretCredential( + applicationInsightsOptions.ServicePrincipalCredentials.TenantId, + applicationInsightsOptions.ServicePrincipalCredentials.ClientId, + applicationInsightsOptions.ServicePrincipalCredentials.ClientSecret); + config.SetAzureTokenCredential(credential); + } - if (applicationInsightsOptions.UseEntraAuthentication) - { - services.Configure(config => + if (applicationInsightsOptions.EntraAuthenticationType == EntraAuthenticationType.ManagedIdentity) { - if (applicationInsightsOptions.UseServicePrincipalAuthentication) - { - var credential = new ClientSecretCredential( - applicationInsightsOptions.ServicePrincipalCredentials.TenantId, - applicationInsightsOptions.ServicePrincipalCredentials.ClientId, - applicationInsightsOptions.ServicePrincipalCredentials.ClientSecret); - config.SetAzureTokenCredential(credential); - } - else - { - var credential = new DefaultAzureCredential(); - config.SetAzureTokenCredential(credential); - } - }); - } + var credential = new DefaultAzureCredential(); + config.SetAzureTokenCredential(credential); + } + }); if 
(string.IsNullOrEmpty(applicationInsightsServiceOptions?.ConnectionString) && #pragma warning disable CS0618 // Type or member is obsolete diff --git a/Lombiq.Hosting.Azure.ApplicationInsights/Models/EntraAuthenticationType.cs b/Lombiq.Hosting.Azure.ApplicationInsights/Models/EntraAuthenticationType.cs new file mode 100644 index 0000000..aa186c0 --- /dev/null +++ b/Lombiq.Hosting.Azure.ApplicationInsights/Models/EntraAuthenticationType.cs @@ -0,0 +1,19 @@ +namespace Lombiq.Hosting.Azure.ApplicationInsights.Models; + +public enum EntraAuthenticationType +{ + /// + /// Don't use Entra authentication. + /// + None, + + /// + /// Use Managed Identity. + /// + ManagedIdentity, + + /// + /// Use a service principal, This requires setting up ServicePrincipalCredentials. + /// + ServicePrincipal, +} diff --git a/Readme.md b/Readme.md index 83cfc6e..3bf807f 100644 --- a/Readme.md +++ b/Readme.md 
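Review bot: The `EntraAuthenticationType.ManagedIdentity` branch constructs `new DefaultAzureCredential()`, which tries a chain of credential sources (environment variables, developer tool sign-ins, managed identity) rather than the managed identity alone, so the identity that ends up publishing telemetry may not be the one the enum value names. If only the managed identity is meant to be used, `var credential = new ManagedIdentityCredential();` makes that explicit and keeps the publisher on the identity that was granted `Monitoring Metrics Publisher`; if the chain is intentional, the enum member's summary should say that the default credential chain is used. Separately, the two `if` statements test mutually exclusive values of the same property and would read more clearly as a `switch` on `applicationInsightsOptions.EntraAuthenticationType`. The enclosing method starts and ends outside this hunk.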
@@ -110,13 +110,13 @@ Starting 30 September 2025, authentication using API keys is no longer supported > ⚠ This section is required if you have disabled `Local Authentication` on your AI resource, See [the docs](https://learn.microsoft.com/en-us/azure/azure-monitor/app/azure-ad-authentication?WT.mc_id=Portal-AppInsightsExtension&tabs=net#disable-local-authentication). -If you want to use Entra Authentication for Application Insights, or if you have disabled `Local Authentication` on your AI resource, you will have to set up the `UseEntraAuthentication` option to `true` in the `Lombiq_Hosting_Azure_ApplicationInsights` section of your configuration like below. +If you want to use Entra Authentication for Application Insights, or if you have disabled `Local Authentication` on your AI resource, you will have to set up the `EntraAuthenticationType` option to the authentication type you want to use (`ManagedIdentity` or `ServicePrincipal`) in the `Lombiq_Hosting_Azure_ApplicationInsights` section of your configuration like below. ```json5 { "OrchardCore": { "Lombiq_Hosting_Azure_ApplicationInsights": { - "UseEntraAuthentication": true + "EntraAuthenticationType": "ManagedIdentity" } } } 
@@ -130,16 +130,15 @@ Once Entra Authentication is set up and the `ConnectionString` has been properly #### Service principal -Using a Service Principal is the only way to authenticate using Entra if you are using a non-Azure (or local) environment. +Using a Service Principal is the only way to authenticate using Entra authentication if you are using a non-Azure (or local) environment. -If you want to use the Service Principal method for your Application Insights resource, you should set the `UseServicePrincipalAuthentication` option to `true` in addition to `UseEntraAuthentication` in the `Lombiq_Hosting_Azure_ApplicationInsights` section of your configuration. To securely stream metrics with Entra ID you will also have to provide the credentials of the service principal, to set this up [see the docs](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal). +If you want to use the Service Principal method for your Application Insights resource, you should set the `EntraAuthenticationType` option to `ServicePrincipal` in the `Lombiq_Hosting_Azure_ApplicationInsights` section of your configuration. To securely stream metrics with Entra ID you will also have to provide the credentials of the service principal, to set this up [see the docs](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal). ```json5 { "OrchardCore": { "Lombiq_Hosting_Azure_ApplicationInsights": { - "UseEntraAuthentication": true, - "UseServicePrincipalAuthentication": true, + "EntraAuthenticationType": "ServicePrincipal", "ServicePrincipalCredentials": { "TenantId": "your service principal tenant id", "ClientId": "your service principal client id", From 3452b8018f0310354213af0799d66bfa3d3b223c Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Zolt=C3=A1n=20Leh=C3=B3czky?= Date: Mon, 10 Jun 2024 21:03:22 +0200 Subject: [PATCH 25/29] Grammar --- .../Models/EntraAuthenticationType.cs | 4 ++-- Readme.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Lombiq.Hosting.Azure.ApplicationInsights/Models/EntraAuthenticationType.cs b/Lombiq.Hosting.Azure.ApplicationInsights/Models/EntraAuthenticationType.cs index aa186c0..0848be0 100644 --- a/Lombiq.Hosting.Azure.ApplicationInsights/Models/EntraAuthenticationType.cs +++ b/Lombiq.Hosting.Azure.ApplicationInsights/Models/EntraAuthenticationType.cs @@ -1,4 +1,4 @@ -namespace Lombiq.Hosting.Azure.ApplicationInsights.Models; +namespace Lombiq.Hosting.Azure.ApplicationInsights.Models; public enum EntraAuthenticationType { @@ -13,7 +13,7 @@ public enum EntraAuthenticationType ManagedIdentity, /// - /// Use a service principal, This requires setting up ServicePrincipalCredentials. + /// Use a service principal. This requires setting up ServicePrincipalCredentials. /// ServicePrincipal, } diff --git a/Readme.md b/Readme.md index 3bf807f..e73a53e 100644 --- a/Readme.md +++ b/Readme.md 
@@ -108,9 +108,9 @@ Starting 30 September 2025, authentication using API keys is no longer supported #### Setting up Entra Authentication for Application Insights -> ⚠ This section is required if you have disabled `Local Authentication` on your AI resource, See [the docs](https://learn.microsoft.com/en-us/azure/azure-monitor/app/azure-ad-authentication?WT.mc_id=Portal-AppInsightsExtension&tabs=net#disable-local-authentication). +> ⚠ This section is required if you have disabled `Local Authentication` on your AI resource, see [the docs](https://learn.microsoft.com/en-us/azure/azure-monitor/app/azure-ad-authentication?WT.mc_id=Portal-AppInsightsExtension&tabs=net#disable-local-authentication). -If you want to use Entra Authentication for Application Insights, or if you have disabled `Local Authentication` on your AI resource, you will have to set up the `EntraAuthenticationType` option to the authentication type you want to use (`ManagedIdentity` or `ServicePrincipal`) in the `Lombiq_Hosting_Azure_ApplicationInsights` section of your configuration like below. +If you want to use Entra Authentication for Application Insights, or if you have disabled `Local Authentication` on your AI resource, you will have to set the `EntraAuthenticationType` option to the authentication type you want to use (`ManagedIdentity` or `ServicePrincipal`) in the `Lombiq_Hosting_Azure_ApplicationInsights` section of your configuration like below. ```json5 { From cbf2623c9f73caab6e974a95d87e4850d3da50b2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zolt=C3=A1n=20Leh=C3=B3czky?= Date: Mon, 10 Jun 2024 21:03:37 +0200 Subject: [PATCH 26/29] JSON syntax fix --- Readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Readme.md b/Readme.md index e73a53e..ba8edb5 100644 --- a/Readme.md +++ b/Readme.md 
@@ -143,7 +143,7 @@ If you want to use the Service Principal method for your Application Insights re "TenantId": "your service principal tenant id", "ClientId": "your service principal client id", "ClientSecret": "your service principal client secret" - }, + } } } } From 8fc4bb90c434ed6273f3999856ca9f611c425aa2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zolt=C3=A1n=20Leh=C3=B3czky?= Date: Mon, 10 Jun 2024 21:44:22 +0200 Subject: [PATCH 27/29] Clarifying docs --- .../ServicePrincipalCredentials.cs | 6 +++--- Readme.md | 8 ++++---- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/Lombiq.Hosting.Azure.ApplicationInsights/ServicePrincipalCredentials.cs b/Lombiq.Hosting.Azure.ApplicationInsights/ServicePrincipalCredentials.cs index 1c7b90d..068878a 100644 --- a/Lombiq.Hosting.Azure.ApplicationInsights/ServicePrincipalCredentials.cs +++ b/Lombiq.Hosting.Azure.ApplicationInsights/ServicePrincipalCredentials.cs @@ -1,14 +1,14 @@ -namespace Lombiq.Hosting.Azure.ApplicationInsights; +namespace Lombiq.Hosting.Azure.ApplicationInsights; public class ServicePrincipalCredentials { /// - /// Gets or sets the tenant ID of the Microsoft Entra application used to secure the control channel. + /// Gets or sets the (directory) tenant ID of the Microsoft Entra application used to secure the control channel. /// public string TenantId { get; set; } /// - /// Gets or sets the client ID of the Microsoft Entra application used to secure the control channel. + /// Gets or sets the application (client) ID of the Microsoft Entra application used to secure the control channel. /// public string ClientId { get; set; } diff --git a/Readme.md b/Readme.md index ba8edb5..0cd3cbd 100644 --- a/Readme.md +++ b/Readme.md 
@@ -104,7 +104,7 @@ If you use the security defaults from [Lombiq Helpful Libraries - Orchard Core L ### Entra Authentication for the Live Metrics control channel -Starting 30 September 2025, authentication using API keys is no longer supported for [securing the Live Metrics control channel](https://learn.microsoft.com/en-us/azure/azure-monitor/app/live-stream#secure-the-control-channel). Instead, you'll have to set up Entra Authentication for that (you may omit this if not needed; configuring the connection string is necessary in any case, and enough for simply collecting telemetry). +Starting 30 September 2025, authentication using API keys is no longer supported for [securing the Live Metrics control channel](https://learn.microsoft.com/en-us/azure/azure-monitor/app/live-stream#secure-the-control-channel). Instead, you'll have to set up Entra Authentication for that. You may omit this if not needed; configuring the connection string is necessary in any case, and enough for simply collecting telemetry. Entra Authentication is only needed if you want to control the Live Metrics stream from the Azure Portal, like filtering telemetry. #### Setting up Entra Authentication for Application Insights 
@@ -122,17 +122,17 @@ If you want to use Entra Authentication for Application Insights, or if you have } ``` -To set up Entra Authentication for an application hosted on Azure you will have to set up a Managed Identity for the application and give it the `Monitoring Metrics Publisher` role to be able to publish metrics to AI. See how to set up a managed identity [here](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/managed-identities-status). See more on Assigning Azure roles [here](https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal). +To set up Entra Authentication for an application hosted on Azure you will have to set up a Managed Identity for the application and give it the `Monitoring Metrics Publisher` role to be able to publish metrics to AI. See how to set up a managed identity [here](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/managed-identities-status). See more on assigning Azure roles [here](https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal). You can also use a service principal to authenticate. To set this up, you will have to provide the service principal credentials in the configuration. See the [Service principal](#service-principal) section for more information. This is also the only way to authenticate if you are using a non-Azure (or local) environment - or an Azure resource that does not support Managed Identities. -Once Entra Authentication is set up and the `ConnectionString` has been properly set, metrics should be flowing in. +Once Entra Authentication is set up and the `ConnectionString` has been properly set, you should be able to control the Live Metrics stream from the Azure Portal, like filtering telemetry. #### Service principal Using a Service Principal is the only way to authenticate using Entra authentication if you are using a non-Azure (or local) environment. 
-If you want to use the Service Principal method for your Application Insights resource, you should set the `EntraAuthenticationType` option to `ServicePrincipal` in the `Lombiq_Hosting_Azure_ApplicationInsights` section of your configuration. To securely stream metrics with Entra ID you will also have to provide the credentials of the service principal, to set this up [see the docs](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal). +If you want to use the Service Principal method for your Application Insights resource, you should set the `EntraAuthenticationType` option to `ServicePrincipal` in the `Lombiq_Hosting_Azure_ApplicationInsights` section of your configuration. To securely control the Live Metrics stream with Entra ID you will also have to provide the credentials of the service principal; to set this up, [see the docs](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal) (you'll need to use the [client secret authentication option](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal#option-3-create-a-new-client-secret)). ```json5 { From bac69f0a4a7aa655a592e2101a1cd0343c928221 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zolt=C3=A1n=20Leh=C3=B3czky?= Date: Fri, 14 Jun 2024 00:45:52 +0200 Subject: [PATCH 28/29] Not sending QuickPulseTelemetryModuleAuthenticationApiKey if Entra authentication is used --- .../ApplicationInsightsInitializerExtensions.cs | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/Lombiq.Hosting.Azure.ApplicationInsights/Extensions/ApplicationInsightsInitializerExtensions.cs b/Lombiq.Hosting.Azure.ApplicationInsights/Extensions/ApplicationInsightsInitializerExtensions.cs index ae49d59..fdb2c52 100644 --- a/Lombiq.Hosting.Azure.ApplicationInsights/Extensions/ApplicationInsightsInitializerExtensions.cs 
+++ b/Lombiq.Hosting.Azure.ApplicationInsights/Extensions/ApplicationInsightsInitializerExtensions.cs @@ -81,9 +81,13 @@ public static OrchardCoreBuilder AddOrchardCoreApplicationInsightsTelemetry( services.ConfigureTelemetryModule( (module, _) => module.EnableSqlCommandTextInstrumentation = applicationInsightsOptions.EnableSqlCommandTextInstrumentation); - services.ConfigureTelemetryModule( #pragma warning disable CS0618 // Type or member is obsolete - (module, _) => module.AuthenticationApiKey = applicationInsightsOptions.QuickPulseTelemetryModuleAuthenticationApiKey); + if (applicationInsightsOptions.EntraAuthenticationType == EntraAuthenticationType.None && + !string.IsNullOrEmpty(applicationInsightsOptions.QuickPulseTelemetryModuleAuthenticationApiKey)) + { + services.ConfigureTelemetryModule( + (module, _) => module.AuthenticationApiKey = applicationInsightsOptions.QuickPulseTelemetryModuleAuthenticationApiKey); + } #pragma warning restore CS0618 // Type or member is obsolete services.AddSingleton(); From 2b480d1feef2f88cd335af5ea9c8c42a1d5a76fd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zolt=C3=A1n=20Leh=C3=B3czky?= Date: Fri, 14 Jun 2024 00:57:28 +0200 Subject: [PATCH 29/29] Docs --- Readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Readme.md b/Readme.md index 0cd3cbd..e1fc5d0 100644 --- a/Readme.md +++ b/Readme.md 
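Review bot: The precedence between the two authentication settings is only implicit in the new `if`: when `EntraAuthenticationType` is anything other than `None`, a configured `QuickPulseTelemetryModuleAuthenticationApiKey` is skipped without any trace, so an obsolete secret can stay in configuration unnoticed. A comment above the condition would record the intent, e.g. `// Entra authentication takes precedence; the obsolete API key is applied only when EntraAuthenticationType is None.`, and if a logger is reachable at this point (not visible in the hunk), a startup warning for the both-configured case would prompt operators to remove the stale key. Using `!string.IsNullOrWhiteSpace(...)` instead of `!string.IsNullOrEmpty(...)` would also keep a whitespace-only value from being assigned as the key. The enclosing `AddOrchardCoreApplicationInsightsTelemetry` method starts and ends outside this hunk.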
@@ -122,7 +122,7 @@ If you want to use Entra Authentication for Application Insights, or if you have } ``` -To set up Entra Authentication for an application hosted on Azure you will have to set up a Managed Identity for the application and give it the `Monitoring Metrics Publisher` role to be able to publish metrics to AI. See how to set up a managed identity [here](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/managed-identities-status). See more on assigning Azure roles [here](https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal). +To set up Entra Authentication for an application hosted on Azure you will have to set up a Managed Identity for the application and give it the `Monitoring Metrics Publisher` role (see more on assigning Azure roles [here](https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal)) to be able to publish metrics to AI. A managed identity will allow your app to authenticate with the Application Insights resource; see how to set it up for specific Azure services [here](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/managed-identities-status). We recommend using the simpler system-assigned identity option, since then you can easily allow your app's identity to get a role under the Application Insights resource. Note that it might take a few minutes for the managed identity to work; until then, Live Metrics won't be available. You can also use a service principal to authenticate. To set this up, you will have to provide the service principal credentials in the configuration. See the [Service principal](#service-principal) section for more information. This is also the only way to authenticate if you are using a non-Azure (or local) environment - or an Azure resource that does not support Managed Identities.