Disable App Insights Instrument key for Canvas Apps
Application Insights is a great product that lets you get some really cool details about how your apps and flows are working in your environments. We have App Insights in Canvas Apps, Model-driven Apps and Power Automate flows in the Power Platform. Canvas Apps are a little different from the other two though, as they require an Instrument Key to be inserted into the app to start the telemetry. With the Instrument Key comes a problem though.
App Insights is designed to work across tenants, meaning you could create a web application and get telemetry about the app so you can improve it, fix bugs etc. One of the capabilities in a Canvas App is the ability to create custom traces for App Insights, catching specific data when someone goes through an app. This could be capturing the stage a user got to before exiting, or the screen where an error was seen…or it could be used to log keystrokes and data a user is putting in 😲
But it’s ok, we have Customer Lockbox turned on, Customer Managed Keys, DLPs, that should stop App Insights from leaking data outside the tenant, right? Right? Wrong! It is not possible to block App Insights, or even get any visibility of which Canvas Apps are using App Insights, via any reporting or the COE 😱
Theoretically you can download and unpack the Canvas Apps and check for Instrument Keys via PowerShell, but when you are working in large or enterprise organisations, this becomes less feasible while the potential for misconfiguration or nefarious configuration increases.
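As an added example (not from the original post, and not Microsoft's own tooling), the check described above could look like this for apps that have already been exported as .msapp files, which are zip archives. It assumes the key is stored in a JSON file inside the package under a property named `InstrumentationKey`; the function names and the folder path are hypothetical.

```powershell
# Added example: report every exported Canvas App that carries a non-empty key.
# Assumption: the key sits in a JSON property named "InstrumentationKey";
# confirm this against one of your own exported apps before relying on it.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Find-InstrumentationKey {
    param($Node, [string]$Path = '$')
    # Walk the parsed JSON tree and emit each non-empty InstrumentationKey value.
    if ($Node -is [System.Management.Automation.PSCustomObject]) {
        foreach ($prop in $Node.PSObject.Properties) {
            if ($prop.Name -eq 'InstrumentationKey' -and
                $prop.Value -is [string] -and $prop.Value.Trim()) {
                [pscustomobject]@{ JsonPath = "$Path.$($prop.Name)"; Key = $prop.Value }
            } else {
                Find-InstrumentationKey -Node $prop.Value -Path "$Path.$($prop.Name)"
            }
        }
    } elseif ($Node -is [System.Collections.IEnumerable] -and $Node -isnot [string]) {
        foreach ($item in $Node) { Find-InstrumentationKey -Node $item -Path "$Path[]" }
    }
}

function Get-MsappInstrumentationKey {
    param([Parameter(Mandatory)][string]$Folder)
    foreach ($file in Get-ChildItem -Path $Folder -Filter *.msapp -Recurse -File) {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($file.FullName)
        try {
            foreach ($entry in $zip.Entries | Where-Object { $_.FullName -like '*.json' }) {
                $reader = [System.IO.StreamReader]::new($entry.Open())
                try { $text = $reader.ReadToEnd() } finally { $reader.Dispose() }
                try { $json = $text | ConvertFrom-Json } catch { continue }  # skip unparsable JSON
                foreach ($hit in Find-InstrumentationKey -Node $json) {
                    [pscustomobject]@{
                        App      = $file.Name
                        Entry    = $entry.FullName
                        JsonPath = $hit.JsonPath
                        Key      = $hit.Key
                    }
                }
            }
        } finally { $zip.Dispose() }
    }
}

# Usage: point at a folder of exported apps (placeholder path).
Get-MsappInstrumentationKey -Folder 'C:\exports\canvas-apps' | Format-Table -AutoSize
```

Comparing the reported keys against the keys of the App Insights resources you own shows which apps send telemetry somewhere you do not control.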
But a brand new setting has appeared in the Power Platform Admin Centre that addresses this specific gap.
Toggling this to off will prevent Canvas Apps sending data to App Insights, either inside the tenant or outside the tenant. 👍
However, this is a tenant-wide setting, so it will stop all Canvas Apps in your tenant sending data to App Insights, but not any other instances of App Insights, such as those on Model-driven Apps. So be sure you want to turn this off before you do it.
Also, this does not remove the Instrument Key from the app; it just disables the App Insights export. It works on all new apps, but apps older than v3.24031 will need to be republished for it to take effect.
Coincidentally, App Insights is deprecating the Instrument Key function from next year, so this will likely become less of an issue in the future.
I love a good governance feature and this one really helps organisations worrying about data loss/leakage.
Ciao for now!
MCJ