Configure Bring Your Own Storage for Profiler and Snapshot Debugger

Important

If you're using Azure Private Link or customer-managed keys with Application Insights, you must configure Bring Your Own Storage (BYOS) to use Application Insights Profiler for .NET or Snapshot Debugger. This article shows you how to set up BYOS.

By default, when you use Application Insights Profiler for .NET or Snapshot Debugger, artifacts generated by your application are uploaded into Azure Storage accounts managed by Microsoft over the public internet. Microsoft controls and covers the cost for:

Processing
Analysis
Encryption-at-rest and lifetime management policies

Bring Your Own Storage (BYOS) is a configuration option that gives you more control over where these artifacts are stored and how they're accessed. When you configure BYOS, you control and cover the cost for encryption-at-rest policies, lifetime management policies, and network access.

BYOS is required in these scenarios:

You're using Azure Private Link with Application Insights
You're using customer-managed keys for encryption

BYOS is optional but recommended when you want to:

Control network access to diagnostic data
Use custom encryption-at-rest policies
Manage data retention policies for diagnostic artifacts
Meet specific compliance or security requirements

Note

Currently, BYOS isn't supported for storing Code Optimizations trace data in Application Insights.

What you'll configure

In this guide, you learn how to:

Create and verify prerequisites to ensure your storage account is ready.
Grant Diagnostic Services access to your storage account.
Link your storage account with your Application Insights resource.

Prerequisites

Before you begin, ensure you have:

An Azure subscription with appropriate permissions
An existing Application Insights resource
A storage account created in the same location as your Application Insights resource
One of the following tools installed:
- Azure PowerShell 4.2.0 or greater, or
- Azure CLI, or
- Access to Azure portal for Azure Resource Manager template deployment

Verify your storage account location

To verify your storage account is in the correct location:

Open the Azure portal.
Navigate to your storage account.
Check the Location field matches your Application Insights resource location.

Important

If you're using Private Link, you must also configure your storage account to allow connection from Trusted Microsoft Services. See Storage network security documentation for details.

Step 1: Grant Diagnostic Services access to your storage account

The Diagnostic Services Trusted Storage Access application needs permission to write data to your storage account.

Assign the Storage Blob Data Contributor role

In the Azure portal, navigate to your storage account.
Select Access control (IAM) from the left menu.
Select Add > Add role assignment.
On the Add role assignment page, configure the following:

Setting Value

Role tab Select Storage Blob Data Contributor

Members tab > Assign access to Select User, group, or service principal

Members tab > Members Select + Select members
In the Select members pane:
1. Search for Diagnostic Services Trusted Storage Access.
2. Select the application from the results.
3. Select Select.
Select Review + assign.

Setting	Value
Role tab	Select Storage Blob Data Contributor
Members tab > Assign access to	Select User, group, or service principal
Members tab > Members	Select + Select members

Verify the role assignment

Stay on the Access control (IAM) page.
Select the Role assignments tab.
Verify Diagnostic Services Trusted Storage Access appears with the Storage Blob Data Contributor role.

Tip

If you don't see the application in the list, wait a few minutes and refresh the page. Role assignments can take up to 5 minutes to propagate.

Step 2: Link your storage account to Application Insights

Choose one of the following methods to link your storage account. We recommend using PowerShell or Azure CLI for easier troubleshooting.

Install the Application Insights PowerShell module

Open PowerShell as an administrator.
Install the Application Insights PowerShell extension:
```
Install-Module -Name Az.ApplicationInsights -Force
```
If prompted to install from PSGallery, type Y and press Enter.

Connect-AzAccount -Subscription "{subscription_id}"

Replace {subscription_id} with your actual subscription ID.

Tip

To find your subscription ID, run Get-AzSubscription or check the Azure portal under Subscriptions.

For more information, see Connect-AzAccount documentation.

Remove previous storage account links (if any)

If your Application Insights resource was previously linked to a different storage account, remove that link:

Remove-AzApplicationInsightsLinkedStorageAccount -ResourceGroupName "{resource_group_name}" -Name "{application_insights_name}"

Replace:

{resource_group_name} with your resource group name
{application_insights_name} with your Application Insights resource name

Example:

Remove-AzApplicationInsightsLinkedStorageAccount -ResourceGroupName "byos-test" -Name "byos-test-westus2-ai"

Note

If no previous storage account is linked, you might see a "not found" message. This is expected and you can proceed.

Link your storage account

Get a reference to your storage account:
```
$storageAccount = Get-AzStorageAccount -ResourceGroupName "{resource_group_name}" -Name "{storage_account_name}"
```
Replace:
- {resource_group_name} with your resource group name
- {storage_account_name} with your storage account name
Link the storage account to Application Insights:
```
New-AzApplicationInsightsLinkedStorageAccount -ResourceGroupName "{resource_group_name}" -Name "{application_insights_name}" -LinkedStorageAccountResourceId $storageAccount.Id
```
Replace:
- {resource_group_name} with your resource group name
- {application_insights_name} with your Application Insights resource name

Complete example:

# Set your values
$resourceGroup = "byos-test"
$storageAccountName = "byosteststoragewestus2"
$appInsightsName = "byos-test-westus2-ai"

# Remove any previous linked storage account (optional)
Remove-AzApplicationInsightsLinkedStorageAccount -ResourceGroupName $resourceGroup -Name $appInsightsName

# Get storage account
$storageAccount = Get-AzStorageAccount -ResourceGroupName $resourceGroup -Name $storageAccountName

# Link to Application Insights
New-AzApplicationInsightsLinkedStorageAccount -ResourceGroupName $resourceGroup -Name $appInsightsName -LinkedStorageAccountResourceId $storageAccount.Id

Verify the link was created

After running the link command, you should see output similar to:

Id        : /subscriptions/{subscription}/resourcegroups/byos-test/providers/microsoft.insights/components/byos-test-westus2-ai/linkedstorageaccounts/serviceprofiler
Name      : serviceprofiler
Type      : microsoft.insights/components/linkedstorageaccounts
LinkedStorageAccount : /subscriptions/{subscription}/resourceGroups/byos-test/providers/Microsoft.Storage/storageAccounts/byosteststoragewestus2

If you see an error, check that:

Your storage account and Application Insights resource are in the same location
You granted the Storage Blob Data Contributor role correctly in Step 1
You're signed in to the correct subscription

Install the Application Insights extension

Install the Application Insights CLI extension:
```
az extension add -n application-insights
```
If the extension is already installed, update it:
```
az extension update -n application-insights
```

az login

If you have multiple subscriptions, set the active subscription:

az account set --subscription "{subscription_id}"

Replace {subscription_id} with your actual subscription ID.

Link your storage account

Run the following command to link your storage account:

az monitor app-insights component linked-storage link --resource-group "{resource_group_name}" --app "{application_insights_name}" --storage-account "{storage_account_name}"

Replace:

{resource_group_name} with your resource group name
{application_insights_name} with your Application Insights resource name
{storage_account_name} with your storage account name

Example:

az monitor app-insights component linked-storage link --resource-group "byos-test" --app "byos-test-westus2-ai" --storage-account "byosteststoragewestus2"

Verify the link was created

You should see output similar to:

{
  "id": "/subscriptions/{subscription}/resourcegroups/byos-test/providers/microsoft.insights/components/byos-test-westus2-ai/linkedstorageaccounts/serviceprofiler",
  "linkedStorageAccount": "/subscriptions/{subscription}/resourceGroups/byos-test/providers/Microsoft.Storage/storageAccounts/byosteststoragewestus2",
  "name": "serviceprofiler",
  "resourceGroup": "byos-test",
  "type": "microsoft.insights/components/linkedstorageaccounts"
}

If you see an error, check that:

Your storage account and Application Insights resource are in the same location
You granted the Storage Blob Data Contributor role correctly in Step 1
The extension is properly installed

Note

To update or remove a linked storage account, see the Application Insights CLI documentation.

Create the Resource Manager template

Create a new file named byos.template.json on your local machine.

Copy and paste the following content into the file:

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "applicationinsights_name": {
      "type": "String"
    },
    "storageaccount_name": {
      "type": "String"
    }
  },
  "variables": {},
  "resources": [
    {
      "name": "[concat(parameters('applicationinsights_name'), '/serviceprofiler')]",
      "type": "Microsoft.Insights/components/linkedStorageAccounts",
      "apiVersion": "2020-03-01-preview",
      "properties": {
        "linkedStorageAccount": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageaccount_name'))]"
      }
    }
  ],
  "outputs": {}
}

Save the file.

Deploy the template using PowerShell

Open PowerShell.
Sign in to Azure:
```
Connect-AzAccount -Subscription "{subscription_id}"
```
Replace {subscription_id} with your subscription ID.

Deploy the template:

New-AzResourceGroupDeployment -ResourceGroupName "{resource_group_name}" -TemplateFile "{path_to_template_file}"

Replace:

{resource_group_name} with your resource group name
{path_to_template_file} with the full path to your byos.template.json file

Example:

New-AzResourceGroupDeployment -ResourceGroupName "byos-test" -TemplateFile "D:\Docs\byos.template.json"

When prompted, provide the following parameters:

Parameter	Description	Example
`application_insights_name`	The name of your Application Insights resource	`byos-test-westus2-ai`
`storage_account_name`	The name of your storage account	`byosteststoragewestus2`

Verify the deployment

You should see output similar to:

Supply values for the following parameters:
(Type !? for Help.)
application_insights_name: byos-test-westus2-ai
storage_account_name: byosteststoragewestus2

DeploymentName          : byos.template
ResourceGroupName      : byos-test
ProvisioningState       : Succeeded
Timestamp               : 4/16/2020 1:24:57 AM
Mode                    : Incremental
TemplateLink            :
Parameters              :
                          Name                            Type                       Value
                          ==============================  =========================  =========
                          application_insights_name        String                     byos-test-westus2-ai
                          storage_account_name             String                     byosteststoragewestus2

Outputs                 :
DeploymentDebugLogLevel :

Look for ProvisioningState : Succeeded to confirm the deployment worked.

If the deployment fails, check that:

The template file path is correct
Your storage account and Application Insights resource are in the same location
You granted the Storage Blob Data Contributor role correctly in Step 1

Step 3: Enable the .NET Profiler or Snapshot Debugger

Now that your storage account is linked, enable the diagnostic tools:

In the Azure portal, navigate to your application resource (for example, App Service).
In the left menu, select Application Insights.
On the Application Insights page, locate the Code-level diagnostics section.
Toggle on Application Insights Profiler or Snapshot Debugger as needed.
Select Save at the top of the page.

Verify BYOS is working

After enabling the .NET Profiler or Snapshot Debugger:

Wait 5-10 minutes for data collection to begin.
Navigate to your storage account in the Azure portal.
Select Containers from the left menu.
Verify that new containers have been created for storing artifacts.

If you don't see new containers after 15 minutes, see the Troubleshooting section.

How your storage account is accessed

Understanding how artifacts flow through your storage account can help with troubleshooting:

Agents upload artifacts - Agents running in your virtual machines or Azure App Service upload artifacts (profiles, snapshots, and symbols) to blob containers in your account. This process contacts the .NET Profiler or Snapshot Debugger to obtain a shared access signature token to a new blob in your storage account.
Diagnostic Services process data - The .NET Profiler or Snapshot Debugger analyzes the incoming blob and writes back the analysis results and log files into blob storage. Depending on available compute capacity, this process might occur anytime after upload.
You view the results - When you view Profiler traces or Snapshot Debugger analysis, the service fetches the analysis results from blob storage.

Troubleshooting

For assistance with troubleshooting BYOS, see the dedicated troubleshooting documentation:

Common issues:

Storage account not in the same location - Verify your storage account and Application Insights resource are in the same Azure region.
Role assignment not propagated - Wait 5-10 minutes after assigning the Storage Blob Data Contributor role before linking your storage account.
Private Link not configured - If using Private Link, ensure you configured your storage account to allow Trusted Microsoft Services.

Frequently asked questions

This section provides answers to common questions about configuring BYOS for .NET Profiler and Snapshot Debugger.

If I enabled the .NET Profiler/Snapshot Debugger and BYOS, is my data migrated into my storage account?

No, it won't. Only new data collected after enabling BYOS is stored in your storage account.

Does BYOS work with encryption-at-rest and customer-managed keys?

Yes. To be precise, BYOS is a requirement to have the .NET Profiler/Snapshot Debugger enabled with customer-manager keys.

Does BYOS work in an environment isolated from the internet?

Yes. BYOS is a requirement for isolated network scenarios.

Does BYOS work with both customer-managed keys and Private Link enabled?

Yes, it's possible.

If I enabled BYOS, can I go back to using Diagnostic Services storage accounts to store my collected data?

Yes, you can. However, we don't currently support data migration from your BYOS to the Diagnostic Services storage accounts.

Yes. You're responsible for all costs related to storage and networking for your BYOS storage account.

Next steps

Troubleshoot BYOS for .NET Profiler and Snapshot Debugger
Learn more about Application Insights Profiler for .NET
Learn more about Snapshot Debugger

Feedback

Was this page helpful?

Last updated on 2026-01-14

Share via

Configure Bring Your Own Storage for Profiler and Snapshot Debugger

What you'll configure

Prerequisites

Verify your storage account location

Step 1: Grant Diagnostic Services access to your storage account

Assign the Storage Blob Data Contributor role

Verify the role assignment

Step 2: Link your storage account to Application Insights

Install the Application Insights PowerShell module

Sign in to Azure

Remove previous storage account links (if any)

Link your storage account

Verify the link was created

Step 3: Enable the .NET Profiler or Snapshot Debugger

Verify BYOS is working

How your storage account is accessed

Troubleshooting

Frequently asked questions

If I enabled the .NET Profiler/Snapshot Debugger and BYOS, is my data migrated into my storage account?

Does BYOS work with encryption-at-rest and customer-managed keys?

Does BYOS work in an environment isolated from the internet?

Does BYOS work with both customer-managed keys and Private Link enabled?

If I enabled BYOS, can I go back to using Diagnostic Services storage accounts to store my collected data?

After I enable BYOS, do I take over all the related costs of storage and networking?

Next steps

Feedback

Additional resources