Skip to content

[Azure App Insights] add support for Client Secret#48880

Merged
jakubgalecki0 merged 22 commits into
elastic:mainfrom
jakubgalecki0:app_insights_oauth2
Mar 11, 2026
Merged

[Azure App Insights] add support for Client Secret#48880
jakubgalecki0 merged 22 commits into
elastic:mainfrom
jakubgalecki0:app_insights_oauth2

Conversation

@jakubgalecki0

@jakubgalecki0 jakubgalecki0 commented Feb 16, 2026

Copy link
Copy Markdown
Contributor

Proposed commit message

Add support for client secret authentication in Azure App Insights

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works. Where relevant, I have used the stresstest.sh script to run them under stress conditions and race detector to verify their stability.
  • I have added an entry in ./changelog/fragments using the changelog tool.

Disruptive User Impact

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Use cases

- module: azure
  metricsets:
    - app_insights
  enabled: true
  period: 300s
  application_id: ''
  # auth_type: "api_key" (default) or "client_secret"
  auth_type: "client_secret"
  client_id: '${AZURE_CLIENT_ID:""}'
  client_secret: '${AZURE_CLIENT_SECRET:""}'
  tenant_id: '${AZURE_TENANT_ID:""}'
  #active_directory_endpoint: ''
  #api_key: ''
  metrics:
    - id: ["requests/count", "requests/duration"]
      segment: ["request/name"]

Backward Compatibility

Only api_key set up in the configuration

- module: azure
  metricsets:
    - app_insights
  enabled: true
  period: 60s
  application_id: ''
  # auth_type: "api_key" (default) or "client_secret"
  #auth_type: "api_key"
  #client_id: '${AZURE_CLIENT_ID:""}'
  #client_secret: '${AZURE_CLIENT_SECRET:""}'
  #tenant_id: '${AZURE_TENANT_ID:""}'
  #active_directory_endpoint: ''
  api_key: 'xxxxx'
  metrics:
    - id: ["requests/count", "requests/duration"]
      segment: ["request/name"]

Screenshots

Client Secret

image

Api Key

image

Logs

Client Secret Logs {"log.level":"debug","@timestamp":"2026-03-09T16:53:18.731+0100","log.logger":"azure.app_insights","log.origin":{"function":"github.com/elastic/beats/v7/x-pack/metricbeat/module/azure/app_insights.getAuthorizer","file.name":"app_insights/service.go","file.line":58},"message":"Using client secret authentication for App Insights","service.name":"metricbeat","ecs.version":"1.6.0"}

> {"log.level":"debug","@timestamp":"2026-03-09T16:53:18.732+0100","log.logger":"azure.app_insights","log.origin":{"function":"github.com/elastic/beats/v7/x-pack/metricbeat/module/azure/app_insights.getAuthorizer","file.name":"app_insights/service.go","file.line":58},"message":"Using client secret authentication for App Insights","service.name":"metricbeat","ecs.version":"1.6.0"}

{"log.level":"debug","@timestamp":"2026-03-09T16:53:18.732+0100","log.logger":"azure.app_insights.module","log.origin":{"function":"github.com/elastic/beats/v7/metricbeat/mb/module.(*metricSetWrapper).run","file.name":"module/wrapper.go","file.line":220},"message":"Starting metricSetWrapper[module=azure, name=app_insights, host=]","service.name":"metricbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2026-03-09T16:53:48.735+0100","log.logger":"monitoring","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/monitoring/report/log.(*Reporter).logSnapshot","file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"metricbeat","monitoring":{"metrics":{"metricbeat":{"azure":{"app_insights":{"events":1,"success":1}}}},"ecs.version":"1.6.0"}}


Api Key Logs {"log.level":"debug","@timestamp":"2026-03-09T17:44:53.504+0100","log.logger":"azure.app_insights","log.origin":{"function":"github.com/elastic/beats/v7/x-pack/metricbeat/module/azu re/app_insights.getAuthorizer","file.name":"app_insights/service.go","file.line":61},"message":"Using API key authentication for App Insights","service.name":"metricbeat","ecs.version":"1.6.0"}

> {"log.level":"debug","@timestamp":"2026-03-09T17:44:53.504+0100","log.logger":"azure.app_insights","log.origin":{"function":"github.com/elastic/beats/v7/x-pack/metricbeat/module/azure/app_insights.getAuthorizer","file.name":"app_insights/service.go","file.line":61},"message":"Using API key authentication for App Insights","service.name":"metricbeat","ecs.version":"1.6.0"}

{"log.level":"debug","@timestamp":"2026-03-09T17:44:53.504+0100","log.logger":"azure.app_insights.module","log.origin":{"function":"github.com/elastic/beats/v7/metricbeat/mb/module.
(*metricSetWrapper).run","file.name":"module/wrapper.go","file.line":220},"message":"Starting metricSetWrapper[module=azure, name=app_insights,
host=]","service.name":"metricbeat","ecs.version":"1.6.0"}

{"log.level":"info","@timestamp":"2026-03-09T17:48:23.509+0100","log.logger":"monitoring","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/monitoring/report/log.(*Repor
ter).logSnapshot","file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"metricbeat","monitoring":{"metrics":{"beat":{"cpu":{"system"
:{"ticks":139,"time":{"ms":7}},"total":{"ticks":447,"time":{"ms":10},"value":447.5425416666666},"user":{"ticks":307,"time":{"ms":2}}},"info":{"ephemeral_id":"22f40622-ddf3-44d8-8549
-df43d4bc5351","uptime":{"ms":210113},"version":"9.4.0"},"memstats":{"gc_next":24875050,"memory_alloc":12452352,"memory_total":146460576,"rss":74399744},"runtime":{"goroutines":21}}

,"libbeat":{"config":{"module":{"running":1}},"output":{"events":{"acked":1,"active":0,"batches":1,"total":1},"read":{"bytes":176,"errors":1},"write":{"bytes":1400,"latency":{"histo
gram":{"count":4,"max":268,"mean":78.75,"median":18,"min":11,"p75":205.5,"p95":268,"p99":268,"p999":268,"stddev":109.30090347293567}},"latency_delta":{"histogram":{"count":1,"max":1
8,"median":18,"min":18,"p99":18}}}},"pipeline":{"clients":1,"events":{"active":0,"published":1,"total":1},"queue":{"acked":1,"added":{"bytes":1595,"events":1},"consumed":{"bytes":15
95,"events":1},"filled":{"bytes":0,"events":0,"pct":0},"max_bytes":0,"max_events":3200,"removed":{"bytes":1595,"events":1}}}},"metricbeat":{"azure":{"app_insights":{"events":1,"succ
ess":1}}},"system":{"load":{"1":3.3511,"15":4.5615,"5":4.0386,"norm":{"1":0.2793,"15":0.3801,"5":0.3365}}}},"ecs.version":"1.6.0"}}

@botelastic botelastic Bot added the needs_team Indicates that the issue/PR needs a Team:* label label Feb 16, 2026
@botelastic

botelastic Bot commented Feb 16, 2026

Copy link
Copy Markdown

This pull request doesn't have a Team:<team> label.

@github-actions

Copy link
Copy Markdown
Contributor

🤖 GitHub comments

Just comment with:

  • run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)
@mergify

mergify Bot commented Feb 16, 2026

Copy link
Copy Markdown
Contributor

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @jakubgalecki0? 🙏.
For such, you'll need to label your PR with:

  • The upcoming major version of the Elastic Stack
  • The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-8./d is the label to automatically backport to the 8./d branch. /d is the digit
  • backport-active-all is the label that automatically backports to all active branches.
  • backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
  • backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.
@github-actions

github-actions Bot commented Feb 17, 2026

Copy link
Copy Markdown
Contributor

✅ Vale Linting Results

No issues found on modified lines!


The Vale linter checks documentation changes against the Elastic Docs style guide.

To use Vale locally or report issues, refer to Elastic style guide for Vale.

@muthu-mps muthu-mps requested a review from zmoog February 25, 2026 11:24
@muthu-mps

Copy link
Copy Markdown
Contributor

@coderabbitai full review

@coderabbitai

coderabbitai Bot commented Feb 27, 2026

Copy link
Copy Markdown
Contributor
✅ Actions performed

Full review triggered.

@coderabbitai

coderabbitai Bot commented Feb 27, 2026

Copy link
Copy Markdown
Contributor

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

Adds OAuth2 (client secret) authentication to the Azure App Insights Metricbeat module and a changelog fragment. Configuration and docs were updated to include tenant_id, client_id, client_secret, active_directory_endpoint and an auth_type selector while retaining api_key (and documenting api_key auth as the default). The module Config struct gained ApiKey, TenantId, ClientId, ClientSecret, ActiveDirectoryEndpoint fields and a Validate method enforcing complete auth configuration. Service code selects between OAuth2 (token-based) and API-key authorizers, introduces tokenCredentialAuthorizer, and removes the eventClient field. Unit tests were added for config validation and authorizer behavior. The application_id and api_key documented types were changed from []string to string.

Suggested labels

enhancement

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • 🛠️ Update Documentation: Commit on current branch
  • 🛠️ Update Documentation: Create PR

Warning

Review ran into problems

🔥 Problems

Git: Failed to clone repository. Please run the @coderabbitai full review command to re-trigger a full review. If the issue persists, set path_filters to include or exclude specific files.


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@zmoog zmoog left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The primary concern with this PR is the overlap between the new azidentity package and the deprecated autorest/appinsights ones.

I’m not sure it's worth the effort to integrate both simultaneously. Is it strictly necessary to support client secret in App Insights right now? It might be better to modernize the stack by removing the deprecated packages first, then add the new authentication options afterward.

Comment thread x-pack/metricbeat/module/azure/_meta/config.reference.yml Outdated
Comment thread x-pack/metricbeat/module/azure/app_insights/app_insights.go
Comment thread x-pack/metricbeat/module/azure/app_insights/app_insights.go Outdated
Comment thread x-pack/metricbeat/module/azure/app_insights/service.go
@muthu-mps

Copy link
Copy Markdown
Contributor

The primary concern with this PR is the overlap between the new azidentity package and the deprecated autorest/appinsights ones.

I’m not sure it's worth the effort to integrate both simultaneously. Is it strictly necessary to support client secret in App Insights right now? It might be better to modernize the stack by removing the deprecated packages first, then add the new authentication options afterward.

Given the upcoming retirement timeline for API key authentication, as discussed, we will proceed with implementing the OAuth2 migration and removing the gating so that existing customers can migrate and then tackle the SDK migrations for it separately.

@zmoog

zmoog commented Mar 9, 2026

Copy link
Copy Markdown
Contributor

The primary concern with this PR is the overlap between the new azidentity package and the deprecated autorest/appinsights ones.
I’m not sure it's worth the effort to integrate both simultaneously. Is it strictly necessary to support client secret in App Insights right now? It might be better to modernize the stack by removing the deprecated packages first, then add the new authentication options afterward.

Given the upcoming retirement timeline for API key authentication, as discussed, we will proceed with implementing the OAuth2 migration and removing the gating so that existing customers can migrate and then tackle the SDK migrations for it separately.

Agreed.

I would only suggest using the name Client Secret instead of OAuth2. Since this isn't a generic OAuth2 client, using that label could cause confusion and set the wrong expectations for users (as we’ve already seen happen in other contexts).

@github-actions

github-actions Bot commented Mar 9, 2026

Copy link
Copy Markdown
Contributor
@github-actions

github-actions Bot commented Mar 9, 2026

Copy link
Copy Markdown
Contributor

Workflow run 22858442535 completed successfully, so there is no failed job to diagnose.

Root cause: no failure occurred in this run.
Recommended fix/remediation: no action needed for this specific run; if you expected a failure, share the failing workflow run ID and I can analyze that run's logs.

Tests run/results: GitHub Actions pre-commit job ran and passed.


What is this? | From workflow: PR Actions Detective

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.

@jakubgalecki0 jakubgalecki0 marked this pull request as ready for review March 9, 2026 14:43
@jakubgalecki0 jakubgalecki0 requested review from a team as code owners March 9, 2026 14:43
Comment thread x-pack/metricbeat/module/azure/app_insights/_meta/docs.md
@lucabelluccini

Copy link
Copy Markdown
Contributor

I've created a KB with the steps I suppose will be necessary to follow (https://support.elastic.dev/knowledge/view/d076963d). There are some TODOs. If someone can help filling them, we can confirm and make it public too. I wouldn't be against donating it to the docs team for a "how to migrate" section.

@andrzej-stencel andrzej-stencel left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks folks!

@jakubgalecki0

Copy link
Copy Markdown
Contributor Author

Testing after changes from review

Api Key

- module: azure
  metricsets:
    - app_insights
  enabled: true
  period: 30s
  application_id: 'xxx'
  # auth_type: "api_key" (default) or "client_secret"
  # auth_type: "client_secret"
  # client_id: '${AZURE_CLIENT_ID:""}'
  # client_secret: '${AZURE_CLIENT_SECRET:""}'
  # tenant_id: '${AZURE_TENANT_ID:""}'
  api_key: 'xxxx'
  metrics:
    - id: ["requests/count", "requests/duration"]
      segment: ["request/name"]
image

Client Secret

- module: azure
  metricsets:
    - app_insights
  enabled: true
  period: 30s
  application_id: 'xxx'
  # auth_type: "api_key" (default) or "client_secret"
  auth_type: "client_secret"
  client_id: '${AZURE_CLIENT_ID:""}'
  client_secret: '${AZURE_CLIENT_SECRET:""}'
  tenant_id: '${AZURE_TENANT_ID:""}'
  #api_key: ''
  metrics:
    - id: ["requests/count", "requests/duration"]
      segment: ["request/name"]
image
@jakubgalecki0 jakubgalecki0 enabled auto-merge (squash) March 11, 2026 10:47
@jakubgalecki0 jakubgalecki0 merged commit 73c3663 into elastic:main Mar 11, 2026
33 checks passed
strawgate pushed a commit that referenced this pull request Mar 11, 2026
* [Azure App Insights] add support for ouath2

* check that at least one auth is configured

* add changelog fragemnt and update docs

* small fixes

* fix yml files

* add auth_type to config

* remove sensitive data from debug log

* remove redundant log msg

* add required roles

* remove logger and ctx nil check

* add deprecation message and remove active_directory_endpoint

* fix doc

* add applies_to to docs
belimawr pushed a commit to belimawr/beats that referenced this pull request Mar 12, 2026
* [Azure App Insights] add support for ouath2

* check that at least one auth is configured

* add changelog fragemnt and update docs

* small fixes

* fix yml files

* add auth_type to config

* remove sensitive data from debug log

* remove redundant log msg

* add required roles

* remove logger and ctx nil check

* add deprecation message and remove active_directory_endpoint

* fix doc

* add applies_to to docs
belimawr pushed a commit to belimawr/beats that referenced this pull request Mar 12, 2026
* [Azure App Insights] add support for ouath2

* check that at least one auth is configured

* add changelog fragemnt and update docs

* small fixes

* fix yml files

* add auth_type to config

* remove sensitive data from debug log

* remove redundant log msg

* add required roles

* remove logger and ctx nil check

* add deprecation message and remove active_directory_endpoint

* fix doc

* add applies_to to docs
@muthu-mps muthu-mps added backport-8.19 Automated backport to the 8.19 branch backport-9.2 Automated backport to the 9.2 branch backport-9.3 Automated backport to the 9.3 branch labels Mar 17, 2026
mergify Bot pushed a commit that referenced this pull request Mar 17, 2026
* [Azure App Insights] add support for ouath2

* check that at least one auth is configured

* add changelog fragemnt and update docs

* small fixes

* fix yml files

* add auth_type to config

* remove sensitive data from debug log

* remove redundant log msg

* add required roles

* remove logger and ctx nil check

* add deprecation message and remove active_directory_endpoint

* fix doc

* add applies_to to docs

(cherry picked from commit 73c3663)

# Conflicts:
#	docs/reference/metricbeat/metricbeat-metricset-azure-app_insights.md
#	docs/reference/metricbeat/metricbeat-module-azure.md
#	x-pack/metricbeat/module/azure/app_insights/_meta/docs.md
mergify Bot pushed a commit that referenced this pull request Mar 17, 2026
* [Azure App Insights] add support for ouath2

* check that at least one auth is configured

* add changelog fragemnt and update docs

* small fixes

* fix yml files

* add auth_type to config

* remove sensitive data from debug log

* remove redundant log msg

* add required roles

* remove logger and ctx nil check

* add deprecation message and remove active_directory_endpoint

* fix doc

* add applies_to to docs

(cherry picked from commit 73c3663)
mergify Bot pushed a commit that referenced this pull request Mar 17, 2026
* [Azure App Insights] add support for ouath2

* check that at least one auth is configured

* add changelog fragemnt and update docs

* small fixes

* fix yml files

* add auth_type to config

* remove sensitive data from debug log

* remove redundant log msg

* add required roles

* remove logger and ctx nil check

* add deprecation message and remove active_directory_endpoint

* fix doc

* add applies_to to docs

(cherry picked from commit 73c3663)
muthu-mps added a commit that referenced this pull request Mar 21, 2026
* [Azure App Insights] add support for ouath2

(cherry picked from commit 73c3663)

Co-authored-by: jakubgalecki0 <jakub.galecki@elastic.co>
Co-authored-by: muthu-mps <101238137+muthu-mps@users.noreply.github.com>
muthu-mps added a commit that referenced this pull request Mar 21, 2026
* [Azure App Insights] add support for ouath2

(cherry picked from commit 73c3663)

Co-authored-by: jakubgalecki0 <jakub.galecki@elastic.co>
Co-authored-by: muthu-mps <101238137+muthu-mps@users.noreply.github.com>
muthu-mps added a commit that referenced this pull request Mar 24, 2026
…ecret (#49513)

* [Azure App Insights] add support for Client Secret (#48880)

(cherry picked from commit 73c3663)
---------

Co-authored-by: jakubgalecki0 <jakub.galecki@elastic.co>
Co-authored-by: muthu-mps <101238137+muthu-mps@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

backport-8.19 Automated backport to the 8.19 branch backport-9.2 Automated backport to the 9.2 branch backport-9.3 Automated backport to the 9.3 branch needs_team Indicates that the issue/PR needs a Team:* label

6 participants