Legacy authentication for Container Insights

2025-08-24

Container Insights defaults to managed identity authentication, which has a monitoring agent that uses the cluster's managed identity to send data to Azure Monitor. It replaced the legacy certificate-based local authentication and removed the requirement of adding a Monitoring Metrics Publisher role to the cluster.

This article describes how to migrate to managed identity authentication if you enabled Container insights using legacy authentication method and also how to enable legacy authentication if you have that requirement.

Important

If you have a cluster with legacy authentication and Log Analytics workspace keys are rotated, then monitoring data will stop flowing to the Log Analytics workspace. You must disable and then reenable the Container insights addon to get monitoring data to start flowing again with the new rotated workspace keys. You should migrate to Container insights managed identity authentication which doesn't use Log Analytics workspace keys.

Find clusters using Legacy authentication

The following queries lists the clusters using legacy authentication in Container Insights. To run the queries, use the Resource Graph Explorer. The query runs in the existing Azure portal scope. For more information on how to set scope and run Azure Resource Graph queries in the portal, see Quickstart: Run Resource Graph query using Azure portal.

Query for AKS clusters

resources        
| where type =~ 'Microsoft.ContainerService/managedClusters'       
| project id, name, aksproperties = parse_json(tolower(properties)), location, identity        
| extend isEnabled = aksproperties.addonprofiles.omsagent.enabled         
| extend workspaceResourceId = iif(isEnabled == true, aksproperties.addonprofiles.omsagent.config.loganalyticsworkspaceresourceid, '')        
| extend useAADAuth  = aksproperties.addonprofiles.omsagent.config.useaadauth  
| where isEnabled =~ "true" and useAADAuth != true 
| extend parts = split(tostring(id), "/")
| extend subscriptionId = parts[2], AKSClusterName = parts[-1], resourceGroupName = parts[4] 
| project AKSClusterName, resourceGroupName, subscriptionId, location, AKSClusterId = tolower(id), workspaceResourceId

Query for on-prem clusters i.e. clusters using Arc.

KubernetesConfigurationResources          
| where type =~ "Microsoft.KubernetesConfiguration/extensions"           
| extend properties = parse_json(tolower(properties))           
| extend extensionType = properties.extensiontype            
| where extensionType in~ ('microsoft.azuremonitor.containers')           
| extend omsagentUseAADAuth = tostring(properties.configurationsettings.["omsagent.useaadauth"])           
| extend amalogsUseAADAuth = tostring(properties.configurationsettings.["amalogs.useaadauth"])            
| extend useAADAuth = iff(omsagentUseAADAuth == 'true' or amalogsUseAADAuth == 'true', 'true', 'false')            
| extend workspaceResourceId = tostring(properties.configurationsettings.loganalyticsworkspaceresourceid)            
| extend resourceId = tolower(split(id, "/providers/Microsoft.KubernetesConfiguration")[0]) 
| where useAADAuth != "true"
| extend parts = split(tostring(resourceId), "/")
| extend subscriptionId = parts[2], ClusterName = parts[-1], ResourceGroupName = parts[4] 
| project ClusterName, ResourceGroupName,resourceId, subscriptionId, workspaceResourceId

Migrate to managed identity authentication

If you enabled Container insights before managed identity authentication was available, you can use the following methods to migrate your clusters.

Azure portal
Azure CLI

You can migrate to Managed Identity authentication from the Monitor settings panel for your AKS cluster. From the Monitoring section, click on the Insights tab. In the Insights tab, click on the Monitor Settings option and check the box for Use managed identity

If you don't see the Use managed identity option, you are using an SPN cluster. In that case, you must use command line tools to migrate. See other tabs for migration instructions and templates.

AKS

AKS clusters must first disable monitoring and then upgrade to managed identity. Only Azure public cloud, Microsoft Azure operated by 21Vianet cloud, and Azure Government cloud are currently supported for this migration. For clusters with user-assigned identity, only Azure public cloud is supported.

Note

Minimum Azure CLI version 2.49.0 or higher.

Get the configured Log Analytics workspace resource ID:

az aks show -g <resource-group-name> -n <cluster-name> | grep -i "logAnalyticsWorkspaceResourceID"

Disable monitoring with the following command:

az aks disable-addons -a monitoring -g <resource-group-name> -n <cluster-name>

If the cluster is using a service principal, upgrade it to system managed identity with the following command:
```
az aks update -g <resource-group-name> -n <cluster-name> --enable-managed-identity
```
Enable the monitoring add-on with the managed identity authentication option by using the Log Analytics workspace resource ID obtained in step 1:
```
az aks enable-addons -a monitoring -g <resource-group-name> -n <cluster-name> --workspace-resource-id <workspace-resource-id>
```

Arc-enabled Kubernetes

Note

Managed identity authentication is not supported for Arc-enabled Kubernetes clusters with ARO.

Retrieve the Log Analytics workspace configured for Container insights extension.

az k8s-extension show --name azuremonitor-containers --cluster-name \<cluster-name\> --resource-group \<resource-group\> --cluster-type connectedClusters -n azuremonitor-containers

Enable Container insights extension with managed identity authentication option using the workspace returned in the first step.

az k8s-extension create --name azuremonitor-containers --cluster-name \<cluster-name\> --resource-group \<resource-group\> --cluster-type connectedClusters --extension-type Microsoft.AzureMonitor.Containers --configuration-settings amalogs.useAADAuth=true logAnalyticsWorkspaceResourceID=\<workspace-resource-id\>

Enable legacy authentication

If you require legacy authentication, see Enable Container insights which has examples of different options for enabling Container insights.

Next steps

If you experience issues when you upgrade the agent, review the troubleshooting guide for support.

Share via

Legacy authentication for Container Insights

Find clusters using Legacy authentication

Migrate to managed identity authentication

Enable legacy authentication

Next steps

Feedback

Additional resources