ronaldbosma · ronaldbosma · Feb 21, 2026 · Feb 21, 2026 · Feb 21, 2026
diff --git a/infra/main.bicep b/infra/main.bicep
@@ -143,6 +143,7 @@ module apiManagement 'modules/services/api-management.bicep' = {
     tags: tags
     apiManagementSettings: apiManagementSettings
     appInsightsName: appInsightsSettings.appInsightsName
+    keyVaultName: keyVaultName
   }
   dependsOn: [
     appInsights
@@ -163,9 +164,11 @@ module assignRolesToDeployer 'modules/shared/assign-roles-to-principal.bicep' =
   params: {
     principalId: deployer().objectId
     isAdmin: true
+    appInsightsName: appInsightsSettings.appInsightsName
     keyVaultName: keyVaultName
   }
   dependsOn: [
+    appInsights
     keyVault
   ]
 }

diff --git a/infra/modules/services/api-management.bicep b/infra/modules/services/api-management.bicep
@@ -24,6 +24,9 @@ param apiManagementSettings apiManagementSettingsType
 @description('The name of the App Insights instance that will be used by API Management')
 param appInsightsName string
 
+@description('The name of the Key Vault that will contain the secrets')
+param keyVaultName string
+
 //=============================================================================
 // Variables
 //=============================================================================
@@ -84,6 +87,16 @@ resource apiManagementService 'Microsoft.ApiManagement/service@2024-10-01-previe
   }
 }
 
+// Assign roles to system-assigned identity of API Management
+
+module assignRolesToApimSystemAssignedIdentity '../shared/assign-roles-to-principal.bicep' = {
+  params: {
+    principalId: apiManagementService.identity.principalId
+    principalType: 'ServicePrincipal'
+    appInsightsName: appInsightsName
+    keyVaultName: keyVaultName
+  }
+}
 
 // Store the app insights connection string in a named value
 
@@ -110,6 +123,7 @@ resource apimAppInsightsLogger 'Microsoft.ApiManagement/service/loggers@2024-10-
       // If we would reference the connection string directly using appInsights.properties.ConnectionString,
       // a new named value is created every time we execute a deployment
       connectionString: '{{${appInsightsConnectionStringNamedValue.properties.displayName}}}'
+      identityClientId: 'SystemAssigned'
     }
     resourceId: appInsights.id
   }

diff --git a/infra/modules/services/app-insights.bicep b/infra/modules/services/app-insights.bicep
@@ -36,6 +36,9 @@ resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2025-07
     sku: {
       name: 'PerGB2018'
     }
+    features: {
+      disableLocalAuth: true // Disable Non-EntraID based Auth
+    }
   }
 }
 
@@ -53,5 +56,6 @@ resource appInsights 'Microsoft.Insights/components@2020-02-02' = {
     publicNetworkAccessForQuery: 'Enabled'
     WorkspaceResourceId: logAnalyticsWorkspace.id
     RetentionInDays: appInsightsSettings.retentionInDays
+    DisableLocalAuth: true // Disable Non-EntraID based Auth
   }
 }
diff --git a/infra/modules/shared/assign-roles-to-principal.bicep b/infra/modules/shared/assign-roles-to-principal.bicep
@@ -1,5 +1,5 @@
 //=============================================================================
-// Assign roles to principal on resources like Key Vault
+// Assign roles to principal on resources like App Insights and Key Vault
 //=============================================================================
 
 //=============================================================================
@@ -15,6 +15,9 @@ param principalType string?
 @description('The flag to determine if the principal is an admin or not')
 param isAdmin bool = false
 
+@description('The name of the App Insights instance on which to assign roles')
+param appInsightsName string
+
 @description('The name of the Key Vault on which to assign roles')
 param keyVaultName string
 
@@ -26,11 +29,16 @@ var keyVaultRole string = isAdmin
   ? '00482a5a-887f-4fb3-b363-3b7fe8e74483'    // Key Vault Administrator
   : '4633458b-17de-408a-b874-0445c86b69e6'    // Key Vault Secrets User
 
+var monitoringMetricsPublisher string = '3913510d-42f4-4e42-8a64-420c390055eb' // Monitoring Metrics Publisher
 
 //=============================================================================
 // Existing Resources
 //=============================================================================
 
+resource appInsights 'Microsoft.Insights/components@2020-02-02' existing = {
+  name: appInsightsName
+}
+
 resource keyVault 'Microsoft.KeyVault/vaults@2025-05-01' existing = {
   name: keyVaultName
 }
@@ -39,6 +47,18 @@ resource keyVault 'Microsoft.KeyVault/vaults@2025-05-01' existing = {
 // Resources
 //=============================================================================
 
+// Assign role Application Insights to the principal
+
+resource assignAppInsightRolesToPrincipal 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(principalId, appInsights.id, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', monitoringMetricsPublisher))
+  scope: appInsights
+  properties: {
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', monitoringMetricsPublisher)
+    principalId: principalId
+    principalType: principalType
+  }
+}
+
 // Assign role on Key Vault to the principal
 
 resource assignRolesOnKeyVaultToPrincipal 'Microsoft.Authorization/roleAssignments@2022-04-01' = {