> ## Documentation Index
> Fetch the complete documentation index at: https://otel.fyi/llms.txt
> Use this file to discover all available pages before exploring further.

# Azureauth

> OpenTelemetry extension for Azureauth

# Azureauth Extension

![Status](https://img.shields.io/badge/status-beta-yellow)

**Available in:** `contrib`

**Maintainers:** [@constanca-m](https://github.com/constanca-m), [@dyl10s](https://github.com/dyl10s)

**Source:** [opentelemetry-collector-contrib](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/extension/azureauthextension)

## Overview

This extension can be used in two directions:

* **In exporters (outbound):** attaches the collector's Azure identity as a bearer token to outgoing requests.
* **In receivers (inbound):** when wired as an `extensionauth.Server` (for example, `protocols.http.auth.authenticator: azure_auth`), validates incoming bearer tokens as OIDC JWTs against a configured issuer and audience. Requires the `server` block (see [Inbound JWT validation](#inbound-jwt-validation)).

> **Security advisory:** Versions `v0.124.0` through `v0.150.0` contain a server-side authentication bypass (`GHSA-pjv4-3c63-699f`). Do not use `azure_auth` under a receiver `auth:` block on those versions. The outbound exporter usage is unaffected.

Additionally, the extension also implements `azcore.TokenCredential` so that Azure components can get the token by running the function `GetToken`. If the component supports HTTP client, then this should not be necessary, as the token will be placed in the authorization header.

It supports 4 different types of authentication:

* Managed identity for Azure resources
* Workload identity for Kubernetes
* Service principal with either a client secret or client certificate path for non Azure.
* And the default credentials. This is not recommended for production.

## Examples

### Managed identity

User based:

```yaml theme={null}
extensions:
  azure_auth:
    managed_identity:
      client_id: ${CLIENT_ID}
```

System based (leave `client_id` field empty):

```yaml theme={null}
extensions:
  azure_auth:
    managed_identity:
```

### Workload identity

```yaml theme={null}
extensions:
  azure_auth:
    workload_identity:
      client_id: ${CLIENT_ID}
      federated_token_file: ${FILE}
      tenant_id: ${TENANT_ID}
```

### Service principal

With client secret:

```yaml theme={null}
extensions:
  azure_auth:
    service_principal:
      client_id: ${CLIENT_ID}
      tenant_id: ${TENANT_ID}
      client_secret: ${CLIENT_SECRET}
```

With client certificate path:

```yaml theme={null}
extensions:
  azure_auth:
    service_principal:
      client_id: ${CLIENT_ID}
      tenant_id: ${TENANT_ID}
      client_certificate_path: ${CLIENT_CERTIFICATE_PATH}
```

### Default authentication

Not recommended for production.

```yaml theme={null}
extensions:
  azure_auth:
    use_default: true
```

### With custom scopes

You can set custom scopes if the audience required in the token does not match the host you are trying to reach.
This is useful for Azure Monitor Workspaces since the workspace hostname is specific to your instance whereas the audience required is `https://monitor.azure.com/.default`

```yaml: theme={null}
extensions:
  azure_auth:
    scopes:
      - https://monitor.azure.com/.default
```

### Inbound JWT validation

The `server` block is required only in this specific case:

* A server protocol's `auth.authenticator` points at `azure_auth` (for example, `receivers.otlp.protocols.http.auth.authenticator: azure_auth`). This is the only path that validates inbound bearer tokens.

Do not set `server` in any other case, including:

* Exporter-only usage.
* A receiver that loads `azure_auth` as an `azcore.TokenCredential` to call Azure APIs (for example, a receiver reading from Azure Blob Storage). That path does not validate incoming tokens, so `server` has no effect.

When set, incoming bearer tokens are validated as OIDC JWTs: signature against the issuer's JWKS, plus `iss`, `aud`, `exp`, and `nbf`. The audience is pinned from config and never derived from request headers. Requests are rejected on any missing config or failed check.

Fields:

* `server.issuer_url`: Entra ID tenant discovery URL (`https://login.microsoftonline.com/<tenant-id>/v2.0`).
* `server.audience`: `aud` value required in valid tokens (for example, `api://collector-ingest`).

```yaml theme={null}
extensions:
  azure_auth:
    use_default: true
    server:
      issuer_url: https://login.microsoftonline.com/${TENANT_ID}/v2.0
      audience: api://collector-ingest

receivers:
  otlp:
    protocols:
      http:
        endpoint: 0.0.0.0:4318
        auth:
          authenticator: azure_auth
```

## Configuration

### Example Configuration

```yaml theme={null}
azure_auth:

azure_auth/use_default:
  use_default: true

azure_auth/valid_server_auth:
  use_default: true
  server:
    issuer_url: https://login.microsoftonline.com/test/v2.0
    audience: api://collector-ingest

azure_auth/server_auth_empty_issuer:
  use_default: true
  server:
    audience: api://collector-ingest

azure_auth/server_auth_empty_audience:
  use_default: true
  server:
    issuer_url: https://login.microsoftonline.com/test/v2.0

azure_auth/valid_service_principal_secret:
  service_principal:
    client_id: test
    client_secret: test
    tenant_id: test

azure_auth/valid_service_principal_certificate:
  service_principal:
    client_id: test
    client_certificate_path: test
    tenant_id: test

azure_auth/service_principal_mutually_exclusive:
  service_principal:
    client_id: test
    client_certificate_path: test
    tenant_id: test
    client_secret: test

azure_auth/service_principal_empty_client_id:
  service_principal:
    client_secret: test
    tenant_id: test

azure_auth/service_principal_empty_tenant_id:
  service_principal:
    client_id: test
    client_secret: test

azure_auth/service_principal_empty_client_credential:
  service_principal:
    client_id: test
    tenant_id: test

azure_auth/valid_workload_identity:
  workload_identity:
    client_id: test
    federated_token_file: test
    tenant_id: test

azure_auth/workload_identity_empty_client_id:
  workload_identity:
    federated_token_file: test
    tenant_id: test

azure_auth/workload_identity_empty_tenant_id:
  workload_identity:
    client_id: test
    federated_token_file: test

azure_auth/workload_identity_empty_federated_token_file:
  workload_identity:
    client_id: test
    tenant_id: test
```

***

*Last generated: 2026-07-06*
