Introduction

Organizations enforcing Entra ID authentication on their Application Insights resources often face a sudden problem: browser-based telemetry stops flowing.

This happens when local authentication is disabled — a necessary step to enforce strict identity controls — but sending data from browser environments comes with inherent security challenges, and the Application Insights JavaScript SDK is no exception. As a result, telemetry from web clients is silently dropped, leaving gaps in monitoring and frustrated teams wondering how to re-enable secure telemetry ingestion.

This article provides a solution: using Azure API Management (APIM) as a secure proxy that authenticates telemetry using a managed identity before forwarding it to Application Insights. This pattern restores observability while honoring your organization's authentication policies.

Solution Architecture

The proposed architecture involves routing JavaScript-based telemetry data through Azure API Management, which authenticates requests using its managed identity before forwarding them to the Application Insights ingestion endpoint. This setup ensures that only authenticated telemetry is ingested, aligning with security best practices.

It's important to note that this change specifically targets telemetry originating from the browser. If your web application also uses Application Insights SDKs (e.g., for .NET, Node.js, Java, or Python) on the server side, those SDKs will continue to send telemetry directly to Application Insights. This is because server-side environments can natively support Entra ID authentication.

Step-by-Step Guide

1. Deploy Azure API Management

Begin by creating an instance of Azure API Management (APIM). Refer to the official documentation for detailed steps.

 

2. Enable Managed Identity for APIM

Create a managed identity for your API Management service. This identity will be used to authenticate against Application Insights. Instructions are available here.

 

3. Grant APIM Access to Application Insights

Navigate to your Application Insights resource

• • Select Access control (IAM).
  • Select Add then Add role assignment.
  • Choose the Monitoring Metrics Publisher role.
  • Assign this role to the managed identity of your API Management instance

 

4. Disable Local Authentication in Application Insights

Disable local authentication in your Application Insights resource to ensure that only telemetry authenticated with Entra ID is ingested.

• • In your Application Insights resource, select Properties
  • Set Local Authentication to Disabled

 

5. Add an API to API Management

Define a new API in API Management to act as the ingestion endpoint for telemetry sent from the Application Insights JavaScript SDK. This API will serve as the front door, routing incoming telemetry to the appropriate backend for processing. Configure the API to forward requests to the Application Insights ingestion endpoint with the required auth tokens.

• • In the Azure portal, navigate to your API Management instance and select APIs from the resource menu.

• • • Add a new HTTP API with the following details:

• • • • Display Name: App Insights Proxy
      • Web Service URL: The ingestion endpoint from your Application Insights connection string, appended with "/v2.1/track". For example, “https://{your-region}.in.applicationinsights.azure.com/v2.1/track”
      • API URL Suffix: "v2/track"

 

 

6. Configure API Management Policies

In the Design section of your API:

• • Select All operations.
  • Edit the Inbound processing policy. Leverage the CORS and authentication-managed-identity policies to configure the proxy API.

<inbound> <cors allow-credentials="true"> <allowed-origins> <origin>https://your-allowed-origin.com</origin> </allowed-origins> <allowed-methods> <method>POST</method> </allowed-methods> <allowed-headers> <header>Origin</header> <header>X-Requested-With</header> <header>Content-Name</header> <header>Content-Type</header> <header>Accept</header> <header>Cache-Control</header> <header>Sdk-Context</header> <header>X-Set-Cross-Origin-Resource-Policy</header> <header>Content-Encoding</header> </allowed-headers> </cors> <authentication-managed-identity resource="https://monitor.azure.com"/> <base> </inbound>

 

Replace ‘https://your-allowed-origin.com’ with the domain of your web application that hosts the Application Insights JavaScript SDK. This configuration handles CORS preflight requests made by the Application Insights JavaScript SDK and appends the necessary authentication token. You can configure this policy in other APIM policy scopes as desired.

 

 

7. Add POST Operation to API

Add a POST operation to handle telemetry data sent by the Application Insights SDK. With the newly created API:

• • Select Add Operation
  • Set the URL Method to POST and the path to “/” to ensure that API Management doesn’t alter the request path. This keeps the client-facing URL aligned with the earlier API URL suffix setting and avoids appending extra segments to the backend URL, which is already fully defined in the Web Service URL setting.

 

 

 

8. Disable or Supply API Management Subscription Key

To allow unauthenticated clients (like browsers) to send telemetry to the new API:     

• • Go to the Settings tab of the new API
  • Uncheck Subscription required

Note: If your API Management API requires a subscription key, then you can use the customHeaders configuration from the JavaScript SDK to include the key as the required HTTP header.

// ... rest of the SDK setup cfg: { // Application Insights Configuration connectionString: "your-connection-string-value", customHeaders: [{ header: "Ocp-Apim-Subscription-Key", value: "your_APIM-subscription_key_value" }] } });

 

9. Update Application Insights SDK Configuration

Modify your application’s connection string configuration in the JavaScript SDK to send telemetry to the new API Management proxy API instead of the default ingestion endpoint.

Whether you're using the script-based integration or NPM-based integration, make sure the IngestionEndpoint value in your connection string points to your APIM proxy URL. This ensures telemetry is routed through API Management, where it can be authenticated and forwarded to Application Insights.

 

Using Script-based integration:

<script type="text/javascript"> !(function (cfg){function e() // ... rest of the SDK setup cfg: { // Application Insights Configuration connectionString: “InstrumentationKey={your-ikey};IngestionEndpoint=https://{your-apim-name}.azure-api.net/;LiveEndpoint=https://…" }}); </script>

 

Using NPM-based integration:

If you're using the SDK via NPM, update the `connectionString` in your initialization code the same way:

import { ApplicationInsights } from '@microsoft/applicationinsights-web' const appInsights = new ApplicationInsights({ config: { connectionString: 'InstrumentationKey={your-ikey};IngestionEndpoint=https://{your-apim-name}.azure-api.net/;LiveEndpoint=https://...' /* ...Other Configuration Options... */ } }); appInsights.loadAppInsights(); appInsights.trackPageView();

Conclusion

By leveraging Azure API Management as a telemetry proxy, you can enforce Entra ID authentication for Application Insights JavaScript telemetry. This approach enhances security without compromising observability, aligning with best practices for modern application monitoring.

Limitations: While this approach enables Entra ID authentication and blocks unauthenticated access to your Application Insights resource, it does not fully prevent spoofing from the browser. Because browser environments are inherently exposed, a determined actor could inspect network traffic and simulate telemetry requests to your APIM endpoint. This could result in polluted telemetry or excessive data ingestion that exhausts your daily cap.

Additional Considerations

Enhancing Telemetry Security with Policies

To further enhance security, consider implementing additional API Management policies such as ip-filter and rate-limit-by-key. For more control over the telemetry contents, policies like find-and-replace can help sanitize or redact sensitive telemetry data.

It's important to note that this proxy setup does not replace the telemetry controls provided by the JavaScript SDK—features like client-side sampling and custom telemetry initializers still function as expected and remain your first line of defense for managing telemetry volume and quality.

Performance and Scalability Implications

When routing telemetry through Azure API Management, it’s essential to evaluate the performance trade-offs introduced by the proxy layer. While APIM is designed for high availability and scalability, introducing a proxy can add latency and impact throughput—especially under high telemetry volumes.

Key considerations include: 

• Latency: Each telemetry call routed through APIM introduces additional network hops and processing time. This may affect real-time telemetry scenarios or user experience if not properly tuned.
• Throughput: Ensure your APIM instance can handle the sustained volume of telemetry traffic. Monitor for throttling or dropped requests under load.
• Rate Limiting: Use policies like rate-limit-by-key to protect your backend and avoid exceeding ingestion quotas in Application Insights.
• Autoscaling: For production workloads, consider using the Premium tier with autoscaling to dynamically adjust capacity based on demand.

For detailed guidance on throughput capacity and scaling strategies, refer to:
Azure API Management scalability and performance documentation

This built-in flexibility ensures your telemetry proxy remains responsive and reliable as your monitoring needs evolve.

Recently the Pin Microsoft 365 Copilot Chat to the navigation bar | Microsoft Learn page received an update that coincided with a new entry in the for Copilot in the Microsoft 365 Message Center for admins. It reads:

“Starting in July 2025 and rolling out over time, Microsoft 365 Copilot Chat will be available in other Microsoft 365 apps like Word, Excel, PowerPoint, and more. The Pin Microsoft 365 Copilot Chat setting will also expand to govern Copilot Chat across all Microsoft 365 apps where available.”

In this Microsoft 365 Copilot Learning segment hosts Darryl Rowe and Michael Gannotti cover the note and Message Center update to discuss what it entails and to make some recommendations for organizational change management.

Resources: 

• Pin Microsoft 365 Copilot Chat to the navigation bar | Microsoft Learn
• Microsoft 365 Copilot – Microsoft Adoption 
• Microsoft 365 Copilot documentation | Microsoft Learn 

---

What goes into crafting an effective Python script? How do you organize your code, manage dependencies with PEP 723, and handle command-line arguments for the best results? Christopher Trudeau is back on the show this week, bringing another batch of PyCoder’s Weekly articles and projects.

We dig into a recent Real Python article about how to structure your Python scripts. It includes advice for adding inline script metadata as defined in PEP 723, which helps tools automatically create an environment and install dependencies when the script is run. The piece also covers choosing appropriate data structures, improving runtime feedback, and making your code more maintainable with constants and entry points.

We discuss a collection of software trends happening behind the scenes of the constant LLM news. The piece starts with local-first software, prioritizing processing and storing private data on personal devices rather than relying on the cloud. The other trends include common themes and tools we’ve shared over the past few years, including WebAssembly, SQLite’s renaissance, and improvements to cross-platform mobile development.

We also share several other articles and projects from the Python community, including a news roundup, the state of free-threaded Python, tips for improving Django management commands, advice for time management as a manager, a data science-focused IDE, and a project to check for multiple patterns in a single string.

Topics:

• 00:00:00 – Introduction
• 00:02:26 – Followup - marimo and LaTeX
• 00:03:26 – PEP 734: Multiple Interpreters in the Stdlib (Accepted)
• 00:03:52 – Python 3.13.4, 3.12.11, 3.11.13, 3.10.18 and 3.9.23 Security Releases
• 00:04:21 – Python Insider: Python 3.14.0 beta 3 is here!
• 00:04:30 – Django Bugfix Releases: 5.2.3, 5.1.11, and 4.2.23
• 00:04:52 – NumPy v2.3.0 Released
• 00:05:02 – scikit-learn 1.7 Released
• 00:05:12 – PyData Virginia 2025 Talks
• 00:05:52 – How Can You Structure Your Python Script?
• 00:12:08 – State of Free-Threaded Python
• 00:18:23 – 5 Non-LLM Software Trends to Be Excited About
• 00:29:50 – Video Course Spotlight
• 00:31:23 – Better Django Management Commands
• 00:33:56 – Advice for time management as a manager
• 00:46:49 – positron: Data Science IDE
• 00:50:05 – ahocorasick_rs: Check for Multiple Patterns in a Single String
• 00:52:41 – 10 Polars Tools and Techniques To Level Up Your Data Science - Podcast Episode
• 00:53:22 – Thanks and goodbye

News:

• PEP 734: Multiple Interpreters in the Stdlib (Accepted)
• Python 3.13.4, 3.12.11, 3.11.13, 3.10.18 and 3.9.23 Security Releases
• Python 3.13.5 Released
• Python Insider: Python 3.14.0 beta 3 is here!
• Django Bugfix Releases: 5.2.3, 5.1.11, and 4.2.23
• NumPy v2.3.0 Released
• scikit-learn 1.7 Released
• PyData Virginia 2025 Talks – A list of the recorded talks from PyData Virginia 2025.

Show Links:

• How Can You Structure Your Python Script? – Structure your Python script like a pro. This guide shows you how to organize your code, manage dependencies with PEP 723, and handle command-line arguments.
• State of Free-Threaded Python – This is a blog post from the Python Language Summit 2025 giving an update on the progress of free-threaded Python. You may also be interested in the complete list of Language Summit Blogs.
• PEP 779 – Criteria for supported status for free-threaded Python
• 5 Non-LLM Software Trends to Be Excited About – Tired of reading about AI and LLMs? This post talks about other tech that is rapidly changing in the software world, including local-first applications, web assembly, the improvement of cross-platform tools, and more.
• Better Django Management Commands – Writing Django management commands can involve a ton of boilerplate code. This article shows you how to use two libraries that could cut your management command code in half: django-click and django-typer.

Discussion:

• Advice for time management as a manager - benkuhn.net

Projects:

• positron: Data Science IDE
• ahocorasick_rs: Check for Multiple Patterns in a Single String

Additional Links:

• Visualize outputs - Mardown editor and LaTeX - marimo
• PyCon US 2025 - YouTube
• DjangoCon Europe 2025 Dublin - YouTube
• Executing Python Scripts With a Shebang
• Local-first software: You own your data, in spite of the cloud
• Code OSS
• Episode #510 - 10 Polars Tools and Techniques To Level Up Your Data Science - Talk Python To Me Podcast
• PyCoder’s Weekly - Submit a Link

Level up your Python skills with our expert-led courses:

• Execute Your Python Scripts With a Shebang
• Django Admin Customization
• SQLite and SQLAlchemy in Python: Move Your Data Beyond Flat Files

Support the podcast & join our community of Pythonistas

Download audio: https://dts.podtrac.com/redirect.mp3/files.realpython.com/podcasts/RPP_E255_02_PyCoders.0127f478a113.mp3

Lilia Pulova: Business Case Ownership—The Product Owner's Core Duty

Read the full Show Notes and search through the world's largest audio library on Agile and Scrum directly on the Scrum Master Toolbox Podcast website: http://bit.ly/SMTP_ShowNotes.

The Great Product Owner: Always Present and Inspirational

Lilia describes an exceptional Product Owner whose defining characteristic was consistent presence with the team. This presence went beyond just showing up - it was inspirational and made team members genuinely care about their delivery and the product they were building. The Product Owner served as the vital connection between the team and the organization's wider mission, helping everyone understand how their work contributed to the bigger picture. This constant engagement and visibility created a motivated team that took pride in their product development efforts.

The Bad Product Owner: Unprepared and Responsibility-Shifting

Lilia encountered a Product Owner who exemplified poor practices by consistently arriving at backlog refinement meetings without any preparation, expecting developers to provide business context instead. This approach was fundamentally wrong because developers aren't equipped to discuss business expectations or product direction - that's the Product Owner's responsibility. This individual habitually said "yes" to all tickets without consideration, shifted decision-making responsibility to the team, and relied on architects to manage the product and determine sprint priorities. Product Owners must own the business case rather than delegate it, and keep the business rationale constantly visible to the team.

Self-reflection Question: How do you ensure your Product Owner maintains proper preparation and ownership of business decisions rather than shifting these responsibilities to the development team?

[The Scrum Master Toolbox Podcast Recommends]

🔥In the ruthless world of fintech, success isn’t just about innovation—it’s about coaching!🔥

Angela thought she was just there to coach a team. But now, she’s caught in the middle of a corporate espionage drama that could make or break the future of digital banking. Can she help the team regain their mojo and outwit their rivals, or will the competition crush their ambitions? As alliances shift and the pressure builds, one thing becomes clear: this isn’t just about the product—it’s about the people.

🚨 Will Angela’s coaching be enough? Find out in Shift: From Product to People—the gripping story of high-stakes innovation and corporate intrigue.

Buy Now on Amazon

[The Scrum Master Toolbox Podcast Recommends]

About Lilia Pulova 

Lilia Pulova, a former Business Intelligence Analyst, discovered her passion as a Scrum Master by chance. A natural communicator with a love for languages, she now bridges the gap between business and tech, translating complex needs into streamlined processes that boost productivity and keep teams aligned and focused.

You can link with Lilia Pulova on LinkedIn. 

Download audio: https://traffic.libsyn.com/secure/scrummastertoolbox/20250627_Lilia_Pulova_F.mp3?dest-id=246429

I’ m currently working on a new feature in one of our microservices. As this new feature could have large performance impact, we did some performance benchmarks up front through BenchMarkDotNet. The results looked promising but we were not 100% confident that these results are representative for real life usage. Therefore we decided to implement A/B testing.

Yesterday I showed how to implement A/B testing in .NET using .NET Feature Management. Today I want to continue on the same topic and show you how we added telemetry.

Measuring and analyzing results

The most critical aspect of A/B testing is measuring results. You need to track relevant metrics for each variation to determine which performs better. The most simple way to do this is to fall back to the built-in logging in .NET Core :

Although this is a good starting point, we can simplify and improve this by taking advantage of the built-in telemetry through OpenTelemetry and/or Application Insights.

Using OpenTelemetry

As I want to compare the request performance, it is sufficient to add an extra tag to the existing activity. This can easily be done through Activity.Current.SetTag():

Inside our Aspire Dashboard this extra tag is visible at the span level:

Using Application Insights

In theory, when using Application Insights, you should not change anything as Application Insights should be able to pick up the information from the Activity context. However I noticed that nothing was added to the traced requests.

I solved it by directly calling the active telemetry instance and adding the tag there:

Now the extra tag appeared as a custom dimension:

More information

.NET feature flag management - Azure App Configuration | Microsoft Learn

.NET Observability with OpenTelemetry - .NET | Microsoft Learn

Application Insights for ASP.NET Core applications - Azure Monitor | Microsoft Learn