Introduction

Before beginning, make sure you have all the values required to make OAuth2 calls successfully. All requests will require your AAD tenant, your Application ID (with Application linked to your AAD app), your client ID for the AAD app, and a client secret for the AAD App (referred to as "keys" in the AAD App menu bar).

OAuth2 Authorization Code Flow

The main OAuth2 flow supported is through authorization codes. This method requires two HTTP requests to acquire a token with which to call the Application Insights API. There are two URLs, one endpoint per request. Their formats are as follows:

  1. Authorize URL (GET request):
GET https://login.microsoftonline.com/YOUR_AAD_TENANT/oauth2/authorize?
client_id=YOUR_CLIENT_ID
&response_type=code
&redirect_uri=YOUR_REDIRECT_URI
&resource=https://api.applicationinsights.io

When making a request to the Authorize URL, the client_id is the Application ID from your AAD App, copied from the App's properties menu. The redirect_uri is the home page/login URL from the same AAD App. Upon successful request, this endpoint will redirect to your login page with the authorization code appended to the URL. See following for example:

http://YOUR_REDIRECT_URI/?code=AUTHORIZATION_CODE&session_state=STATE_GUID

At this point you will have obtained an authorization code, which you need now to request an access token.

  1. Token URL (POST request)
POST /YOUR_AAD_TENANT/oauth2/token HTTP/1.1
Host: https://login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code
&client_id=YOUR_CLIENT_ID
&code=AUTHORIZATION_CODE
&redirect_uri=YOUR_REDIRECT_URI
&resource=https://api.applicationinsights.io
&client_secret=YOUR_CLIENT_SECRET

All values are as before, with some additions. The authorization code is the same code you received in the previous request after a successful redirect. We now combine it with the key we previously obtained from our AAD App, or if you did not save the key you can delete it and create a new one from the keys tab of the AAD App menu. The response will be JSON containing the token with the following schema. Exact values are indicated where they should not vary, with types indicated for the token values.

Response example:

{
    "access_token": "YOUR_ACCESS_TOKEN",
    "expires_in": "3600",
    "ext_expires_in": "1503641912",
    "id_token": "not_needed_for_log_analytics",
    "not_before": "1503638012",
    "refresh_token": "YOUR_REFRESH_TOKEN",
    "resource": "https://api.applicationinsights.io",
    "scope" = "Data.Read",
    "token_type": "bearer"
}

The access token portion of this response is what you present to the Application Insights API in the Authorization: Bearer header. You may also use the refresh token in the future to acquire a new access_token and refresh_token when yours have gone stale. For this request, the format and endpoint are as follows.

POST /YOUR_AAD_TENANT/oauth2/token HTTP/1.1
Host: https://login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded

client_id=YOUR_CLIENT_ID
&refresh_token=YOUR_REFRESH_TOKEN
&grant_type=refresh_token
&resource=https://api.applicationinsights.io
&client_secret=YOUR_CLIENT_SECRET

Response example:

{
  "token_type": "Bearer",
  "expires_in": "3600",
  "expires_on": "1460404526",
  "resource": "https://api.applicationinsights.io/",
  "access_token": "YOUR_TOKEN_HERE",
  "refresh_token": "YOUR_REFRESH_TOKEN_HERE"
}

OAuth2 Implicit Code Flow

The Application Insights API also supports the OAuth2 implicit flow. For this flow, only a single request is required but no refresh token may be acquired.

  1. Authorize URL
GET https://login.microsoftonline.com/YOUR_AAD_TENANT/oauth2/authorize?
client_id=YOUR_CLIENT_ID
&response_type=token
&redirect_uri=YOUR_REDIRECT_URI
&resource=https://api.applicationinsights.io

A successful request will produce a redirect to your redirect URI with the token in the URL as follows.

http://YOUR_REDIRECT_URI/#access_token=YOUR_ACCESS_TOKEN&token_type=Bearer&expires_in=3600&session_state=STATE_GUID

This access_token can be used as the Authorization: Bearer header value when passed to the Application Insights API to authorize requests.

More Information

Additional documentation on OAuth2 with Azure AD is availble from the following sources.

Azure AD Authorization Code flow

Azure AD Implicit Grant flow