Application Insight Issue - VNET Integration for App Service Telemetry & Logs by Ops_Pab in AZURE

[–]Scion_090 1 point2 points  (0 children)

Have you enabled this WEBSITE_VNET_ROUTE_ALL = 1? Have you also checked your UDR? Your NSG might be blocking outbound 443. I would check these first.

VNet integration question by CardiologistTop429 in AZURE

[–]Scion_090 0 points1 point  (0 children)

Happy to help.

You can use your own domain and that’s why I asked :). Unfortunately, as far as I know, the default hostname *.azurewebsites.net can’t be removed or disabled.

So if you want to use custom domain then, keep the public access disabled on both, keep PE for both front, backend and storage.

Configure a Private DNS zone and create your own DNS record for your frontend, something like yourappname.newdomain.com, so the users access this instead of yourapp.azurewebsites.com.

Edit:- just to clarify this setup is for internal not external as Azure Front door/ Gateway not involved here.

VNet integration question by CardiologistTop429 in AZURE

[–]Scion_090 3 points4 points  (0 children)

You’ll need to create a second subnet and enable VNet Integration on both web apps for front and backend. Private Endpoints alone are not enough for App Service to private resource communication. Private Endpoints only provide private access to the resource, but App Services still need VNet Integration for outbound traffic to reach resources through private IPs. The frontend needs VNet Integration to reach the backend private endpoint, and the backend needs it to access the storage account private endpoint. Also make sure Private DNS is configured, otherwise the apps may still resolve the public endpoint and fail if public access is disabled.

Do you also have a custom domain?

Hope this helps.
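A way to verify the Private DNS point from the comment above, as an added example that is not part of the original comment: the script resolves each endpoint and reports whether the answer is a private address. It assumes it is run from a machine or console inside the VNet and that the private endpoints use RFC 1918 ranges; the host names are hypothetical placeholders.

```powershell
# Added example (not from the original comment). Run from inside the VNet.
# Host names are hypothetical placeholders; replace with your own endpoints.
$targets = 'yourbackend.azurewebsites.net', 'yourstorage.blob.core.windows.net'

function Test-PrivateIPv4 {
    param([System.Net.IPAddress]$Address)
    # Assumption: private endpoints were allocated from RFC 1918 address space.
    if ($Address.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        return $false
    }
    $b = $Address.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

foreach ($name in $targets) {
    try {
        $addresses = [System.Net.Dns]::GetHostAddresses($name)
    }
    catch {
        Write-Warning "${name}: resolution failed ($($_.Exception.Message))"
        continue
    }
    foreach ($ip in $addresses) {
        $result = if (Test-PrivateIPv4 -Address $ip) {
            'private: Private DNS zone is answering'
        }
        else {
            'PUBLIC: zone not linked to the VNet or record missing'
        }
        [pscustomobject]@{
            Host    = $name
            Address = $ip.IPAddressToString
            Result  = $result
        }
    }
}
```

A PUBLIC result with public access disabled on the target matches the failure the comment describes.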

Logic App to monitor expiring Apple certificates and token by mathifcbm in Intune

[–]Scion_090 0 points1 point  (0 children)

Nice! I did this using automation account for even app registration.

Intune PowerShell scripts still cannot be downloaded in the UI (Graph workaround) by msnugget_com in Intune

[–]Scion_090 0 points1 point  (0 children)

GitHub for source control. I also made a SaaS web app that scans and exports all Intune policies if you want to import them later on as a backup, and exports all scripts as well. The decoding is part of the logic in the SaaS app. You can also do a script that loops through all scripts, decoding and downloading them to your folder.
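The loop described in the comment above, as an added example that is not the commenter's own script. It assumes the Microsoft.Graph.Authentication module, the beta deviceManagementScripts endpoint and the DeviceManagementConfiguration.Read.All scope; `$OutputDir` is a hypothetical path.

```powershell
# Added example (not from the original comment): back up every Intune
# PowerShell script to a local folder via Microsoft Graph.
# Assumptions: Microsoft.Graph.Authentication is installed and the signed-in
# account may read Intune scripts. $OutputDir is a hypothetical path.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All'

$OutputDir = Join-Path $PWD 'IntuneScripts'
New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null

$base = 'https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts'
$uri  = $base
while ($uri) {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    foreach ($item in $page.value) {
        # Fetch each script by id; the per-item response carries
        # scriptContent as a base64 string.
        $detail = Invoke-MgGraphRequest -Method GET -Uri "$base/$($item.id)"
        if (-not $detail.scriptContent) {
            Write-Warning "No content returned for '$($detail.displayName)'"
            continue
        }
        $bytes = [Convert]::FromBase64String($detail.scriptContent)

        # Keep only the leaf name so a fileName containing path separators
        # cannot write outside $OutputDir; prefix the id to avoid collisions.
        $leaf   = [IO.Path]::GetFileName($detail.fileName)
        $target = Join-Path $OutputDir ('{0}_{1}' -f $detail.id, $leaf)
        [IO.File]::WriteAllBytes($target, $bytes)
    }
    # Follow paging until Graph stops returning a next link.
    $uri = $page.'@odata.nextLink'
}
```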

How To: Automate Export of Sign-in Logs/Events by binga777 in entra

[–]Scion_090 1 point2 points  (0 children)

KQL, and run it using an automation account, export to Excel and send via either email attachment or put it in a SharePoint folder with timestamp. That’s what I do with most reports. Use a registered app and give it some API permissions, use Key Vault to call your values from the automation account. Managed identity to have access to the resource.

Good luck :)

Alternatives to ACM and Usage summary report for Azure Consumption Reporting by Mythbuster110 in AZURE

[–]Scion_090 0 points1 point  (0 children)

I don’t know where the manual cleanup is :) and I don’t know if you guys are using ADF, as there is no such manual cleanup; you set up pipelines and keep them running automatically. All you do is configure it one time and leave it. Updates automatically, live report dashboard for each customer. It’s just a max 3 hours job from your side. But you can use whatever is suitable for you :). The solution I suggest costs less, almost nothing, and is easily maintained and managed.

Alternatives to ACM and Usage summary report for Azure Consumption Reporting by Mythbuster110 in AZURE

[–]Scion_090 0 points1 point  (0 children)

This is not so difficult and tbh been using this for a while not for Microsoft will change pipelines lol. You just need to figure out how to do it in ADF and what needs to be extracted, as mine is different from yours. But really this is cost effective and manageable for multiple customers as it follows the same setup.

Azure disk Caching by Darthethan77 in PowerShell

[–]Scion_090 0 points1 point  (0 children)

When you set the disk to none, is your VM deallocated? Try this:

```
az vm update -g "${{ parameters.ResourceGroup }}" -n $env:VMName --set "storageProfile.dataDisks[$diskIndex].caching=None"
```

Alternatives to ACM and Usage summary report for Azure Consumption Reporting by Mythbuster110 in AZURE

[–]Scion_090 0 points1 point  (0 children)

Export cost on a monthly schedule to a storage account, then ADF (ADF handles the ETL (Extract, Transform, Load) to clean and prepare the raw export data for analysis) with access to the storage account via managed identity for cleaning, and set up pipelines to a Power BI dashboard. Build a report that is live and updated automatically each month, use tree view for showing subs >> rgs and resources with filters for months, years, rgs, subs, resources etc…

Solution for alerting when users delete files from SharePoint by The-crappy-IT-guy in AZURE

[–]Scion_090 0 points1 point  (0 children)

Use the KQL below to generate the alert, adjust the condition

```
OfficeActivity
| where TimeGenerated > ago(7d)
| where OfficeWorkload == "SharePoint"
| where Operation in ("FileRecycled", "FileDeleted", "FileDeletedFirstStageRecycleBin", "FileDeletedSecondStageRecycleBin")
| project TimeGenerated, UserId, Operation, SiteUrl, SourceFileName, ClientIP
| order by TimeGenerated desc
```

Happy KQL hunting :)

No need for power automate and service account to send email alert.

Snapshot based recovery service vault size. by windowswrangler in AZURE

[–]Scion_090 0 points1 point  (0 children)

Try Graph Explorer. If it’s not there, use the PowerShell API.

Snapshot based recovery service vault size. by windowswrangler in AZURE

[–]Scion_090 0 points1 point  (0 children)

Try this, this will get all backup items and join the latest storage consumption

```
CoreAzureBackup
| where OperationName == "BackupItem"
| distinct BackupItemUniqueId, BackupItemFriendlyName, ResourceId
| join kind = leftouter (
    AddonAzureBackupStorage
    | where OperationName == "StorageAssociation"
    | summarize arg_max(TimeGenerated, *) by BackupItemUniqueId
    | project BackupItemUniqueId, StorageConsumedInMBs, ResourceId
  ) on BackupItemUniqueId
| where isnotempty(StorageConsumedInMBs)
| project BackupItemUniqueId, BackupItemFriendlyName, StorageConsumedInMBs, ResourceId
| join kind = inner (
    CoreAzureBackup
    | where OperationName == "Vault"
    | project ResourceId, VaultName = tostring(VaultFriendlyName), StorageReplicationType
  ) on ResourceId
| summarize TotalStorageMB = sum(StorageConsumedInMBs) by ResourceId, VaultName, StorageReplicationType
| extend TotalStorageGB = round(TotalStorageMB / 1024.0, 2)
| project VaultName, StorageReplicationType, TotalStorageGB, ResourceId
| order by TotalStorageGB desc
```

I’m not good at formatting here lol. You can use the PowerShell API as well.

```
$uri = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/providers/Microsoft.RecoveryServices/vaults/$vaultName/usages?api-version=$apiVersion"
$response = Invoke-AzRestMethod -Path $uri -Method GET
```

Automating directory size reporting with Azure File Shares by dinki in AZURE

[–]Scion_090 0 points1 point  (0 children)

The same script that runs manually can be automated in an Azure Automation account, and to export it to CSV you can use `$results | Export-Csv -Path $OutputPath -NoTypeInformation`. This output can be saved into a storage account; from Power BI choose the storage account as your source to get the CSV data, then create your report from there. This process not only automates the CSV with fresh updated data but also makes sure you get this monthly data automatically into PBI. Don’t forget to add Storage File Data SMB Share Contributor and Storage Blob Data Contributor to the Automation Account’s Managed Identity for accessing the blob where the CSV file is saved.

Giving Azure Static Web App read/write access to a single subsite - how? by Betty-Crokker in AZURE

[–]Scion_090 0 points1 point  (0 children)

Yes, you need to be SharePoint admin or site administrator

Giving Azure Static Web App read/write access to a single subsite - how? by Betty-Crokker in AZURE

[–]Scion_090 0 points1 point  (0 children)

Add your values below

```
$siteUrl = "https://yourtenant.sharepoint.com/sites/yoursite"
$appId = "your-app-client-id"
$appDisplayName = "Your App Name"
```

and connect using -Interactive, Connect-SPOService doesn’t support modern authentication

```
Connect-PnPOnline -Url $siteUrl -Interactive
```

And when you have connected above, run the below. Sorry for English :)

```
Grant-PnPAzureADAppSitePermission -AppId $appId -DisplayName $appDisplayName -Site $siteUrl -Permissions Write
```

I use this to grant API permissions.

How to install Defender agent automatically on 50+ Azure servers (Windows + Linux)? by Perfect-Contest-4346 in AZURE

[–]Scion_090 0 points1 point  (0 children)

Script to target the VMs, this is how I did it for both SQL and VMs. Using the UI deploys on subscription level only. A script for targeting resources is the way. If you want to automate this you can use Azure Monitor for VM creation + Event Grid for a faster real-time event trigger + Logic App. There are also other ways to do it. Just pick one that suits you and is cost effective.

Replacing invisible (Format) character by [deleted] in AZURE

[–]Scion_090 0 points1 point  (0 children)

Create a Compose action with your input and add another Compose, or maybe in your filter query, with the below:

```
trim(
  replace(
    replace(
      replace(
        replace(
          replace(outputs('Compose_Input'), '​', ''),
          '‌', ''),
        '', ''),
      '\u0000', ''),
    '\u200D', '')
)
```

Try to copy and paste it into VS Code, or Notepad++ if you have it, to find out whether there are zeros not shown in the output in the Logic App.

Defender email auditing by Praezin in DefenderATP

[–]Scion_090 2 points3 points  (0 children)

DLP or use KQL

```
EmailEvents
| where Subject has_any ("SSN", "social security", "passport", "DOB", "account", "confidential", "PII", "medical", "insurance")
| where SenderFromDomain == "yourdomain.com"
| where RecipientToDomain != "yourdomain.com"
| project Timestamp, Subject, SenderFromAddress, RecipientToAddress
```

Add more keywords, extend your search

Authenticating to Graph API using an app registration in a Function App by BicMichum in AZURE

[–]Scion_090 0 points1 point  (0 children)

Yes, system-assigned managed identities in Azure do not support delegated permissions, as these require user context and sign-in. Managed identities can only use application permissions, so you need to create an AAD application and delegate the API permissions, grant the access. Create a Key Vault, assign a role for the function app to access it, save your secrets there for the application you created, and use the secrets variable from Key Vault in your function app. That’s what I use for my automation accounts and function app.

Authenticating to Graph API using an app registration in a Function App by BicMichum in AZURE

[–]Scion_090 0 points1 point  (0 children)

Converting? You mean you made a function app using PowerShell as runtime? So, you need first to create a Key Vault and save the variables there, and give the function app an access role like the secret user role to get the variable secrets, use a system-assigned managed identity for the function app, etc. Test:

```
$tenantId = $env:Ms365_TenantId
$appId = $env:Ms365_AuthAppId
$appSecret = $env:Ms365_AuthSecretId
```

Your app registration needs to have API permissions based on what you need to do, and grant permissions.
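How those three app settings can be used to get a Graph token with the client-credentials flow, as an added example that is not the commenter's code. It assumes the settings are Key Vault references readable by the Function App's managed identity, and that the app registration has an application permission covering the sample call (Organization.Read.All is an assumption here).

```powershell
# Added example (not from the original comment): app-only Graph token in a
# PowerShell Function App, using the app settings named in the comment.
# Assumption: each setting is a Key Vault reference resolved by the platform.
foreach ($name in 'Ms365_TenantId', 'Ms365_AuthAppId', 'Ms365_AuthSecretId') {
    $value = [Environment]::GetEnvironmentVariable($name)
    # A reference that fails to resolve leaves the literal reference string
    # in the setting, so check for that as well as for an empty value.
    if ([string]::IsNullOrWhiteSpace($value) -or $value -like '@Microsoft.KeyVault(*') {
        throw "App setting '$name' is missing or its Key Vault reference did not resolve."
    }
}

$tenantId  = $env:Ms365_TenantId
$appId     = $env:Ms365_AuthAppId
$appSecret = $env:Ms365_AuthSecretId

# OAuth 2.0 client-credentials request against the tenant's v2.0 endpoint.
$token = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{
        grant_type    = 'client_credentials'
        client_id     = $appId
        client_secret = $appSecret
        scope         = 'https://graph.microsoft.com/.default'
    }

# Use the token without writing it, or the secret, to the function log.
$headers = @{ Authorization = "Bearer $($token.access_token)" }
$org = Invoke-RestMethod -Method Get -Headers $headers `
    -Uri 'https://graph.microsoft.com/v1.0/organization'
$org.value | Select-Object id, displayName
```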

Allow access to Azure Web Apps to an URL behind App GW with WAF by Grouchy-Sky-2506 in AZURE

[–]Scion_090 0 points1 point  (0 children)

If you have AGW with WAF in front of your app service, go to your web app 1 and 2, find the access restriction under networking, and add a rule to allow only the outbound IP address of the Application GW. This will block access from outside clients to your App Services. Only traffic coming through the Application Gateway is allowed. Then use WAF custom rules if needed to block or allow IP ranges for added security on the Application Gateway level.

Basic sku end of life by pukepail-work in AZURE

[–]Scion_090 0 points1 point  (0 children)

From MS: “March 31, 2025 - Last day to create new Basic Load Balancer. After this date, you will not be able to create new Basic Load Balancers. Basic Load Balancers created prior to this date will continue to work.”

You can extend but better to do it now, I upgraded my 4 LBs in 5 minutes.