Grafana On Azure – AzureAD Authentication

This is part of a multi-part series on how to deploy and host Grafana safely, and cheaply on Azure, and how to get some decent visbility from Azure Monitor/App Insights through it. Hopefully parts of this will be useful.

• Part 1 – Hosting/Configuration
• Part 2 – Azure MySQL storage
• Part 3 – SSL with LetsEncrypt
• Part 4 – Azure AD Login (this post)
• Part 5 – Azure Monitor Datasource (Coming Soon)

Pre-requisites

If you’ve followed the previous 3 steps, you’ll have everything setup correctly. Otherwise, you’ll need the following:

1. Grafana instance (obviously)
2. Access to the grafana.ini file on that instance
3. Grafana using SSL (this is a requirement for AzureAD’s response/callback URLs)
4. AzureAD instance

Under both scenarios, you’ll need:

1. Access to create App Registrations in the Azure Portal.

Overview

In this post, we’ll be looking at adding Azure Active Directory (AzureAD) support to a Grafana instance. This is what I would advise if you’re hosting on Azure as you’re already likely to have all of your potential Grafana users setup in Active Directory, and either this is AzureAD native, or you have passwords sync’d with a standard Active Directory instance.

You will still be able to have local users, as well as AzureAD, and I’d recommend keeping the admin user with a very strong password for maintainence.

Using AzureAD as your authentcation system for Grafana also allows you to have Two-Factor Authentication (2FA) for Grafana by enabling this within AzureAD.

What is AzureAD?

This is the cloud based authentication system used to access the Azure portal. If you’re using Azure, you likely already have one. It’s the next generation Active Directory which is Microsoft’s centralised IAM system.

It provides interfaces for common authentication protocols like OIDC (OpenIdConnect) and SAML2. This is what Grafana will use to verify the identity of your users.

Step 1 – Create the Azure App

The first step is to create an Azure AD “Application” that will be what is used for Grafana to communicate get access to Azure. For this step, the application will be used to identify user information. We’ll be breaking the Application creation into 2 steps, the first will allow the use the application, then the second will allow you to map Azure AD groups to Grafana roles.

The Name is a friendly name that you users will see the first time they try to login. Use something recognisable to your user base, and also descriptive to ensure that you users trust the login.

The Redirect URI is required for this Grafana integration. You’ll need you domain here and the value should look like this:

https://<domain>/login/azuread

It’s important that this is a domain and not an IP as you’ll need to use HTTPS and have a valid certificate.

Once the app is created, you’ll need to record 2 details. The TenantId and the ClientId:

These will be needed for the grafana config in the next steps.

Next you’ll need to create a “Client Secret” which is how Azure can know that it’s your Grafana instance, rather than a someone else’s.

Client the “New client secret” link, then give this secret a descriptive name. The maximum expiration is 2 years, however, I’d recommend using 6 months and schedule a reminder to update it.

Once you’ve added the secret, you’ll need to copy this out as it will be required in the next steps. You’ll only be able to copy this secret at this stage, so it’s important that you copy it out. before leaving the page.

Step 2 – Grafana Config

Next you’ll need to tell grafana about the config from the Azure AD Application. There is a section specifically for this in the grafana.ini file called [auth.azuread] The important things here are:

Name = Friendly name, it’s not really used anywhere

Enabled = set this to true

client_id = that you copied from the main Azure AD app screen

client_secret = that you copied from the main Azure AD app screen

scopes = openid email profile

auth_url = https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize replacing {tenant} with the tenant ID from the main Azure AD App screen

auth_url = https://login.microsoftonline.com/{tenant}/oauth2/v2.0/tokenreplacing {tenant} with the tenant ID from the main Azure AD App screen

[auth.azuread]
name = Azure AD
enabled = true
;allow_sign_up = true
client_id = 
client_secret = 
scopes = openid email profile
auth_url = https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
;allowed_domains =
;allowed_groups =

Restart the service and you should now be able to login with your Azure AD credentials.

sudo systemctl restart grafana.server.service

Conclusion

In this post you’ve seen just how easy it is to enable AzureAD authentication. There is more that you can like enable groups for the users, and removing the ability to have a local login form. Those are all for another post.

In the next post, we’ll look at using this Azure AD application to enable access to Azure Monitor, and Azure Log Analytics.