Prior to 9.0 RC 2, the TenantId configuration option is optional. However, when configuring dotnet-monitor, TenantId should always be explicitly set to your tenant's ID and not a pseudo tenant (e.g. common or organizations).
When using Azure Active Directory for authentication, the following noteworthy properties on a token will be validated:
- aud will be validated using the AppIdUri configuration option.
- iss will be validated using the TenantId configuration option.
- roles will be validated to make sure that the RequiredRole configuration option is present.
- Properties relating to the lifetime of the token will be validated.
It is not recommended to store secrets such as blob storage keys in JSON configuration. The following are recommendations for how to more securely store your configuration secrets for different platforms:
When running locally, a preferred alternative is to specify secrets via environment variables when launching dotnet-monitor. The following is an example using PowerShell, setting the value of AzureBlobStorage__monitorBlob__AccountKey prior to beginning collection:
    $env:Egress__AzureBlobStorage__monitorBlob__AccountKey = "accountKey"; dotnet-monitor collect
For Kubernetes, a preferred alternative is to mount your secrets in the file system with restricted access. For more information and an example of how to do this, view the Kubernetes documentation. For additional information on how secrets work in Kubernetes, view the following documentation.
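An added example, not part of the dotnet-monitor project or its documentation: a small Python audit that flags the two configuration risks described above, a pseudo tenant in TenantId and a storage secret kept in a JSON settings file. The Authentication:AzureAd section path, the consumers pseudo tenant, the SharedAccessSignature key name and the sample settings are assumptions made for the example.

```python
import json

# "common"/"organizations" and AccountKey come from the page; "consumers",
# SharedAccessSignature and the Authentication:AzureAd path are assumptions.
PSEUDO_TENANTS = {"common", "organizations", "consumers"}
SECRET_KEYS = {"accountkey", "sharedaccesssignature"}


def _get(node, key):
    """Case-insensitive lookup, since .NET configuration keys ignore case."""
    if isinstance(node, dict):
        for name, value in node.items():
            if name.lower() == key.lower():
                return value
    return None


def _find_secrets(node, path, findings):
    """Record every non-empty secret-named string value under node."""
    if not isinstance(node, dict):
        return
    for name, value in node.items():
        here = path + [name]
        if name.lower() in SECRET_KEYS and isinstance(value, str) and value:
            # Report the environment-variable form ("__" replaces ":").
            findings.append(("secret-in-json", "__".join(here)))
        _find_secrets(value, here, findings)


def audit(config_text):
    """Return (finding, detail) pairs for a dotnet-monitor JSON settings file."""
    cfg, findings = json.loads(config_text), []
    azure_ad = _get(_get(cfg, "Authentication"), "AzureAd")
    if azure_ad is not None:
        tenant = str(_get(azure_ad, "TenantId") or "").strip()
        if not tenant:
            findings.append(("tenant-missing", "TenantId"))
        elif tenant.lower() in PSEUDO_TENANTS:
            findings.append(("tenant-pseudo", tenant))
    _find_secrets(cfg, [], findings)
    return findings


# Constructed sample settings; every value is a placeholder.
SAMPLE = """{"Authentication": {"AzureAd": {"TenantId": "organizations"}},
 "Egress": {"AzureBlobStorage": {"monitorBlob": {"AccountKey": "placeholder-key"}}}}"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Each secret finding is reported as the environment variable name to move the value into, in the same form as the PowerShell example.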
By default, dotnet-monitor exposes Prometheus metrics over HTTP on an unauthenticated endpoint; no other artifacts are available on this unauthenticated endpoint. This is to support the default scraping configuration. If your application contains custom metrics or tags, ensure that no sensitive data is being emitted in your metrics.