Microsoft Entra ID SSO for Grafana

This guide shows how to configure Grafana (here a Docker deployment) to use Microsoft Entra ID for single sign-on (SSO).

Why use Entra ID with Grafana

Benefits:

• centralized authentication
• optional automatic user provisioning
• support for role mapping
• better auditability
• easier offboarding and access governance

Prerequisites

• Grafana is already deployed and reachable via HTTPS, and the persistent Grafana Docker volume is accessible
• administrator access to the Grafana web interface
• permission to create an app registration in Microsoft Entra ID with standard delegated rights

These instructions describe how a Grafana Docker instance can be equipped with SSO via Microsoft Entra ID. Since there are different types of SSO, it is worth knowing that Grafana's OAuth integration is granular and can be tailored to your requirements: automatic sign-up, role and user mapping, the requested authentication scopes and much more can all be configured.

Create App Registration

Step 1: Create the app registration

First, create an app registration including a client secret in Microsoft Entra ID. All other settings can be left at their default values; in particular, keep the supported account type at the single-tenant default so that only accounts from your own directory can sign in. The important settings are the Redirect URIs under the Authentication tab. Set these URIs to the public DNS name (external or internal) under which Grafana is reachable. Microsoft Entra ID uses them to know where to redirect the user after authentication; the callback Grafana itself handles is /login/azuread.

• Platform: Web
• Redirect URIs:
  • https://<grafana-domain>/login/azuread (for example https://grafana.yourdomain.com/login/azuread)
  • https://<grafana-domain>/ (for example https://grafana.yourdomain.com/)

Step 2: Add the required delegated permissions

Add the corresponding OpenID Connect permissions as delegated permissions and grant admin consent for your tenant. For basic sign-in the standard OpenID Connect scopes are sufficient:

• Permissions: delegated OpenId permissions (email, offline_access, openid, profile)

Create a client secret for the application and record the tenant ID, the application (client) ID and the client secret in your password manager; the secret value is displayed only once. Instructions for obtaining these values: Get app details and grant permissions to app registration

Step 3: Configure Grafana

Enable the authentication login provider

To manage SSO providers from the Grafana web interface, the SSO settings API must be activated in the configuration file /etc/grafana/grafana.ini. This file is normally kept in a persistent location (the mounted Docker volume). Create it if it does not already exist and add the following lines:

[feature_toggles]
ssoSettingsApi = true

Newer Grafana releases ship with this toggle enabled by default; if the Authentication page already lists providers, no change is needed. Otherwise restart the Docker container or the Grafana application after editing the file.

Check whether the configuration was successful

If everything is set up correctly, log in with the administrator account in the web interface of your Grafana installation. The "Authentication" tab under Administration should now list the OAuth providers supported by Grafana.

Set up the Microsoft Entra ID provider

This step requires the tenant ID, client ID and client secret recorded in the first step.

In the Grafana web interface go to Administration > Authentication and select "Azure AD" (Microsoft Entra ID). There you enter the details from the app registration, as follows:

• Display name: the name shown to end users on the login button.
• Client ID: the application (client) ID from the app registration in Microsoft Entra ID.
• Client secret: the client secret, entered as a passphrase.
• Scopes: the scopes requested with the access token at login; they determine which attributes of the Entra ID user object Grafana receives. The defaults (openid email profile) are usually sufficient.
• Auth URL: https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize
• Token URL: https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token
  Fill in your own tenant ID in both URLs; do not use the multi-tenant "common" endpoint, or tokens from any tenant would be accepted.
• Allow sign up: if enabled, every user who is permitted to sign in to the app registration is automatically created as a user object in Grafana. Choose this according to your onboarding model; it is usually recommended because access can still be managed in the app registration. Note that this only holds if "Assignment required" is switched on for the corresponding enterprise application; otherwise every account in the tenant can sign in.
• Auto login: optional; skips the Grafana login page and sends users straight to Microsoft Entra ID, so users with an existing Entra ID session are logged in automatically.

After these settings are properly configured, your users should be able to sign in to Grafana.
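The same options can also be set directly in grafana.ini as the [auth.azuread] section instead of through the UI, and several of the points above (HTTPS, tenant-specific Auth/Token URLs, Allow sign up combined with a tenant or group restriction, strict role handling) can then be checked mechanically. The following Python script is an added example, not Grafana's own code and not part of the original page: it audits two constructed grafana.ini excerpts, a weak one and a hardened one, and reports what a reviewer would flag. The option names are Grafana's documented [auth.azuread] keys; the tenant ID, client ID, group ID and secret path are placeholders, and the check logic and finding texts are this example's own.

```python
import configparser
from urllib.parse import urlparse

# Constructed grafana.ini excerpts for the demo (placeholder IDs, not a real deployment).
WEAK_INI = """\
[server]
root_url = http://grafana.yourdomain.com/

[auth.azuread]
enabled = true
client_id = 00000000-0000-0000-0000-000000000000
client_secret = <client-secret>
auth_url = https://login.microsoftonline.com/common/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/common/oauth2/v2.0/token
allow_sign_up = true
"""

HARDENED_INI = """\
[server]
root_url = https://grafana.yourdomain.com/

[auth.azuread]
enabled = true
name = Microsoft Entra ID
client_id = 00000000-0000-0000-0000-000000000000
client_secret = $__file{/run/secrets/azuread_client_secret}
scopes = openid email profile
auth_url = https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/oauth2/v2.0/token
allow_sign_up = true
allowed_organizations = 11111111-1111-1111-1111-111111111111
allowed_groups = 22222222-2222-2222-2222-222222222222
role_attribute_strict = true
"""

# Path aliases that make the endpoint accept tokens from any tenant.
MULTI_TENANT_SEGMENTS = {"common", "organizations", "consumers"}


def _is_true(value: str) -> bool:
    return (value or "").strip().lower() == "true"


def _tenant_segment(url: str) -> str:
    """First path element of a login.microsoftonline.com URL: a tenant ID or a multi-tenant alias."""
    parts = urlparse(url).path.strip("/").split("/")
    return parts[0] if parts else ""


def audit_grafana_ini(text: str) -> list:
    """Return the list of findings (empty = nothing to flag) for the Entra ID settings in an ini text."""
    # interpolation=None so Grafana's $__file{...} syntax is read literally.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []

    root_url = cfg.get("server", "root_url", fallback="")
    if not root_url.startswith("https://"):
        findings.append("server.root_url is not https; the /login/azuread redirect URI must be served over TLS")

    if not cfg.has_section("auth.azuread") or not _is_true(cfg.get("auth.azuread", "enabled", fallback="")):
        return findings  # provider not enabled, nothing else to check

    az = cfg["auth.azuread"]
    for key in ("auth_url", "token_url"):
        seg = _tenant_segment(az.get(key, ""))
        if seg == "" or seg in MULTI_TENANT_SEGMENTS:
            findings.append(f"auth.azuread.{key} uses the multi-tenant endpoint '{seg or '<missing>'}'; use your tenant ID")

    restricted = any(az.get(k, "").strip() for k in ("allowed_organizations", "allowed_groups", "allowed_domains"))
    if _is_true(az.get("allow_sign_up", "true")) and not restricted:  # Grafana's default for allow_sign_up is true
        findings.append("auth.azuread.allow_sign_up is on without allowed_organizations, allowed_groups or allowed_domains")

    if not _is_true(az.get("role_attribute_strict", "")):
        findings.append("auth.azuread.role_attribute_strict is not true; users without a mapped app role get the default role")

    return findings


if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(f"{label}: {audit_grafana_ini(ini) or ['no findings']}")
```

To run it against a live instance, pass the contents of the mounted /etc/grafana/grafana.ini to audit_grafana_ini. The hardened excerpt also shows the $__file{} syntax, which lets the client secret live in a Docker secret instead of the ini file.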

For more granular settings such as role mapping or default Grafana groups, change the settings under "User mapping" and "Extra security measures".

Step 4: Optional role mapping

For enterprise use, map Microsoft Entra ID app roles or groups to the Grafana roles Viewer, Editor and Admin. App roles are usually easier to govern than broad open sign-up: membership is managed on the enterprise application and arrives in the token's roles claim, so Grafana needs no further lookups.

Best practices

• use HTTPS only
• prefer app-role-based authorization for cleaner governance
• document who owns the app registration
• monitor client secret expiration
• restrict tenant access where supported (allowed organizations and groups under "Extra security measures")
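The role-mapping decision from the step above can be shown on the token itself. The following Python script is an added example and not Grafana's code: it decodes the claims of constructed, unsigned ID tokens (Grafana verifies the real token's signature against the tenant's signing keys before it reads any claim; this example skips that step and says so) and applies the checks that the settings under "Extra security measures" and "User mapping" express: the tid claim against the allowed tenant, the groups claim against the allowed groups, and the roles claim against the Grafana roles, in strict and in lenient mode. The tenant ID, group ID and user names are placeholders, and the app-role values Viewer, Editor and Admin are assumed to match the Grafana role names.

```python
import base64
import json

# Grafana org roles, ordered weakest to strongest. The app-role values defined in
# Entra ID are assumed to carry the same names so the roles claim maps 1:1.
GRAFANA_ROLES = {"Viewer": 1, "Editor": 2, "Admin": 3}

TENANT = "11111111-1111-1111-1111-111111111111"               # placeholder tenant ID
GRAFANA_USERS_GROUP = "22222222-2222-2222-2222-222222222222"  # placeholder group object ID


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def constructed_id_token(claims: dict) -> str:
    """Build an unsigned compact JWT for the demo. A real Entra ID token is RS256-signed."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def claims_from_id_token(token: str) -> dict:
    """Extract the payload claims. No signature check here; never do this in production code."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def grafana_role_for(claims: dict, allowed_tenants, allowed_groups=(), strict=True, default_role="Viewer"):
    """Return the Grafana org role for this token, or None if the login must be refused."""
    if claims.get("tid") not in allowed_tenants:
        return None  # token issued by another tenant (allowed_organizations)
    if allowed_groups and not set(claims.get("groups", ())) & set(allowed_groups):
        return None  # user is in none of the allowed groups (allowed_groups)
    mapped = [r for r in claims.get("roles", ()) if r in GRAFANA_ROLES]
    if not mapped:
        return None if strict else default_role  # strict: no app role means no access
    return max(mapped, key=GRAFANA_ROLES.__getitem__)  # several roles: take the strongest


# Constructed sample tokens for three users.
ADMIN_TOKEN = constructed_id_token({
    "tid": TENANT, "preferred_username": "alice@yourdomain.com",
    "groups": [GRAFANA_USERS_GROUP], "roles": ["Editor", "Admin"],
})
NO_ROLE_TOKEN = constructed_id_token({
    "tid": TENANT, "preferred_username": "bob@yourdomain.com",
    "groups": [GRAFANA_USERS_GROUP],
})
FOREIGN_TENANT_TOKEN = constructed_id_token({
    "tid": "99999999-9999-9999-9999-999999999999", "preferred_username": "mallory@example.org",
    "groups": [GRAFANA_USERS_GROUP], "roles": ["Admin"],
})


if __name__ == "__main__":
    for name, token in (("alice", ADMIN_TOKEN), ("bob", NO_ROLE_TOKEN), ("mallory", FOREIGN_TENANT_TOKEN)):
        claims = claims_from_id_token(token)
        print(name, "strict:", grafana_role_for(claims, {TENANT}, [GRAFANA_USERS_GROUP]),
              "lenient:", grafana_role_for(claims, {TENANT}, [GRAFANA_USERS_GROUP], strict=False))
```

The difference between the two modes is the point of role_attribute_strict: with strict handling a user like bob, who is in the tenant and the group but holds no app role, is refused instead of silently becoming a Viewer. One practical caveat when relying on the groups claim: Entra ID omits it from the token when a user is a member of more than 200 groups and emits an overage indicator instead, so group-restricted users with large memberships should be tested explicitly.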

Summary

Grafana with Microsoft Entra ID is a strong enterprise SSO pattern when you combine a clean web app registration, correct redirect URIs, controlled provisioning and role mapping.