[Bug] Defender for Containers publisher Pods do not support managed identity authentication

**Describe the bug**
Microsoft Defender for Containers publisher Pods do not support managed identity authentication when integrating with AKS via custom Log Analytics workspace which has `disableLocalAuth: true` is set (this is the default also in the [LAW AVM module](https://github.com/Azure/bicep-registry-modules/blob/994a21aba84b545917ec360fa21a65a9971b050a/avm/res/operational-insights/workspace/main.bicep#L201)).
The Pods crash when trying to access to Log Analytics workspace with static keys.

According to MS support, this occurs because Defender for Containers still uses the legacy Log Analytics agent internally, which only supports workspace key authentication. The publisher pods have not yet migrated to the Azure Monitor Agent (AMA), which supports managed identity authentication.

Relevant Microsoft documentation:
- "The Defender sensor is registered with a Log Analytics workspace and used as a data pipeline." - [Defender for Containers Architecture  ](https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-containers-architecture)
- "Legacy authentication uses Log Analytics workspace keys. Migrate to managed identity authentication." -[Container Insights Authentication](https://learn.microsoft.com/en-us/azure/azure-monitor/containers/container-insights-authentication)

**To Reproduce**
Steps to reproduce:
1. Provision a Log Analytics Workspace with default settings (e.g. via AVM module, `disableLocalAuth: true` will be set )
2. Deploy Defender Profile via Bicep or CLI on an AKS cluster, see [link](https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-containers-enable?tabs=k8s-deploy-cli%2Ck8s-deploy-asc%2Ck8s-verify-asc%2Ck8s-remove-arc%2Caks-removeprofile-api&pivots=defender-for-container-aks#deploy-the-defender-sensor-all-options)
3. Allow the Defender publisher Pods to start
4. Observe Pod failures and authentication errors due to the use of static key authentication

**Expected behavior**
Defender for Containers publisher pods should authenticate using managed identity (Azure AD tokens) without requiring Log Analytics workspace to support local authentication.

Setting `disableLocalAuth: true` should *not* break authentication or cause pods to crash.

**Additional context**
According to Microsoft support, there are plans to retire workspace key authentication by **September, 2026** and transition Defender for Containers telemetry ingestion to AMA with full managed identity support.  
This migration will eliminate dependency on workspace keys and align the service with modern security best practices.

This circumstance is not publicly documented. Issue already detected and reported in https://github.com/Azure/AKS/issues/4240

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Bug] Defender for Containers publisher Pods do not support managed identity authentication #1010

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[Bug] Defender for Containers publisher Pods do not support managed identity authentication #1010

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions