AzureFeeds

Introduction

Organizations enforcing Entra ID authentication on their Application Insights resources often face a sudden problem: browser-based telemetry stops flowing.

This happens when local authentication is disabled — a necessary step to enforce strict identity controls — but sending data from browser environments comes with inherent security challenges, and the Application Insights JavaScript SDK is no exception. As a result, telemetry from web clients is silently dropped, leaving gaps in monitoring and frustrated teams wondering how to re-enable secure telemetry ingestion.

This article provides a solution: using Azure API Management (APIM) as a secure proxy that authenticates telemetry using a managed identity before forwarding it to Application Insights. This pattern restores observability while honoring your organization’s authentication policies.

Solution Architecture

The proposed architecture involves routing JavaScript-based telemetry data through Azure API Management, which authenticates requests using its managed identity before forwarding them to the Application Insights ingestion endpoint. This setup ensures that only authenticated telemetry is ingested, aligning with security best practices.

It’s important to note that this change specifically targets telemetry originating from the browser. If your web application also uses Application Insights SDKs (e.g., for .NET, Node.js, Java, or Python) on the server side, those SDKs will continue to send telemetry directly to Application Insights. This is because server-side environments can natively support Entra ID authentication.

Step-by-Step Guide

1. Deploy Azure API Management

Begin by creating an instance of Azure API Management (APIM). Refer to the official documentation for detailed steps.

 

2. Enable Managed Identity for APIM

Create a managed identity for your API Management service. This identity will be used to authenticate against Application Insights. Instructions are available here.

 

3. Grant APIM Access to Application Insights

Navigate to your Application Insights resource

• 
  
  
  
  • Select Access control (IAM).
  
  
  • Select Add then Add role assignment.
  
  
  • Choose the Monitoring Metrics Publisher role.
  
  
  • Assign this role to the managed identity of your API Management instance
  
  
  
  

 

4. Disable Local Authentication in Application Insights

Disable local authentication in your Application Insights resource to ensure that only telemetry authenticated with Entra ID is ingested.

• 
  
  
  
  • In your Application Insights resource, select Properties
  
  
  • Set Local Authentication to Disabled
  
  
  
  

 

5. Add an API to API Management

Define a new API in API Management to act as the ingestion endpoint for telemetry sent from the Application Insights JavaScript SDK. This API will serve as the front door, routing incoming telemetry to the appropriate backend for processing. Configure the API to forward requests to the Application Insights ingestion endpoint with the required auth tokens.

• 
  
  
  
  • In the Azure portal, navigate to your API Management instance and select APIs from the resource menu.
  
  
  
  

• 
  
  
  
  • 
    
    
    
    • Add a new HTTP API with the following details:
    
    
    
    
  
  
  
  

• 
  
  
  
  • 
    
    
    
    • 
      
      
      
      • Display Name: App Insights Proxy
      
      
      • Web Service URL: The ingestion endpoint from your Application Insights connection string, appended with “/v2.1/track”. For example, “https://{your-region}.in.applicationinsights.azure.com/v2.1/track”
      
      
      • API URL Suffix: “v2/track”
      
      
      
      
    
    
    
    
  
  
  
  

 

 

6. Configure API Management Policies

In the Design section of your API:

• 
  
  
  
  • Select All operations.
  
  
  • Edit the Inbound processing policy. Leverage the CORS and authentication-managed-identity policies to configure the proxy API.
  
  
  
  

https://your-allowed-origin.com
POST

Origin

X-Requested-With

Content-Name

Content-Type

Accept

Cache-Control

Sdk-Context

X-Set-Cross-Origin-Resource-Policy

Content-Encoding

 

Replace ‘https://your-allowed-origin.com’ with the domain of your web application that hosts the Application Insights JavaScript SDK. This configuration handles CORS preflight requests made by the Application Insights JavaScript SDK and appends the necessary authentication token. You can configure this policy in other APIM policy scopes as desired.

 

 

7. Add POST Operation to API

Add a POST operation to handle telemetry data sent by the Application Insights SDK. With the newly created API:

• 
  
  
  
  • Select Add Operation
  
  
  • Set the URL Method to POST and the path to “/” to ensure that API Management doesn’t alter the request path. This keeps the client-facing URL aligned with the earlier API URL suffix setting and avoids appending extra segments to the backend URL, which is already fully defined in the Web Service URL setting.
  
  
  
  

 

 

 

8. Disable or Supply API Management Subscription Key

To allow unauthenticated clients (like browsers) to send telemetry to the new API:     

• 
  
  
  
  • Go to the Settings tab of the new API
  
  
  • Uncheck Subscription required
  
  
  
  

Note: If your API Management API requires a subscription key, then you can use the customHeaders configuration from the JavaScript SDK to include the key as the required HTTP header.

// … rest of the SDK setup
cfg:
{ // Application Insights Configuration
connectionString: “your-connection-string-value”,
customHeaders: [{ header: “Ocp-Apim-Subscription-Key”, value: “your_APIM-subscription_key_value” }]
}
});

 

9. Update Application Insights SDK Configuration

Modify your application’s connection string configuration in the JavaScript SDK to send telemetry to the new API Management proxy API instead of the default ingestion endpoint.

Whether you’re using the script-based integration or NPM-based integration, make sure the IngestionEndpoint value in your connection string points to your APIM proxy URL. This ensures telemetry is routed through API Management, where it can be authenticated and forwarded to Application Insights.

 

Using Script-based integration:

!(function (cfg){function e()
// … rest of the SDK setup
cfg: { // Application Insights Configuration
connectionString: “InstrumentationKey={your-ikey};IngestionEndpoint=https://{your-apim-name}.azure-api.net/;LiveEndpoint=https://…”
}});

 

Using NPM-based integration:

If you’re using the SDK via NPM, update the `connectionString` in your initialization code the same way:

import { ApplicationInsights } from ‘@microsoft/applicationinsights-web’

const appInsights = new ApplicationInsights({ config: {
connectionString: ‘InstrumentationKey={your-ikey};IngestionEndpoint=https://{your-apim-name}.azure-api.net/;LiveEndpoint=https://…’
/* …Other Configuration Options… */
} });
appInsights.loadAppInsights();
appInsights.trackPageView();

Conclusion

By leveraging Azure API Management as a telemetry proxy, you can enforce Entra ID authentication for Application Insights JavaScript telemetry. This approach enhances security without compromising observability, aligning with best practices for modern application monitoring.

Limitations: While this approach enables Entra ID authentication and blocks unauthenticated access to your Application Insights resource, it does not fully prevent spoofing from the browser. Because browser environments are inherently exposed, a determined actor could inspect network traffic and simulate telemetry requests to your APIM endpoint. This could result in polluted telemetry or excessive data ingestion that exhausts your daily cap.

Additional Considerations

Enhancing Telemetry Security with Policies

To further enhance security, consider implementing additional API Management policies such as ip-filter and rate-limit-by-key. For more control over the telemetry contents, policies like find-and-replace can help sanitize or redact sensitive telemetry data.

It’s important to note that this proxy setup does not replace the telemetry controls provided by the JavaScript SDK—features like client-side sampling and custom telemetry initializers still function as expected and remain your first line of defense for managing telemetry volume and quality.

Performance and Scalability Implications

When routing telemetry through Azure API Management, it’s essential to evaluate the performance trade-offs introduced by the proxy layer. While APIM is designed for high availability and scalability, introducing a proxy can add latency and impact throughput—especially under high telemetry volumes.

Key considerations include: 

• Latency: Each telemetry call routed through APIM introduces additional network hops and processing time. This may affect real-time telemetry scenarios or user experience if not properly tuned.


• Throughput: Ensure your APIM instance can handle the sustained volume of telemetry traffic. Monitor for throttling or dropped requests under load.


• Rate Limiting: Use policies like rate-limit-by-key to protect your backend and avoid exceeding ingestion quotas in Application Insights.


• Autoscaling: For production workloads, consider using the Premium tier with autoscaling to dynamically adjust capacity based on demand.

For detailed guidance on throughput capacity and scaling strategies, refer to:
Azure API Management scalability and performance documentation

This built-in flexibility ensures your telemetry proxy remains responsive and reliable as your monitoring needs evolve.