SSO for Grafana with AzureAD Authentication Using Client Certificates Instead ClientID/ClientSecret

Question

I'm trying to set up Grafana with SSO authentications- I have all the relevant endpoints to configure SSO and test it successfully but recently i was asked to not to use Client_ID/Client_Secret as shown below due to some security revisions..

[auth.azuread]
enabled = true
name = Azure AD
allow_sign_up = true
client_id = YOUR_AZURE_CLIENT_ID (This will be fetched via KeyVault)
client_secret = YOUR_AZURE_CLIENT_SECRET (This will be fetched via KeyVault)
scopes = openid email profile
auth_url = https://login.microsoftonline.com/org_id/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/org_id/oauth2/v2.0/token
api_url = https://graph.microsoft.com/v1.0/me
allowed_domains = example.com
role_attribute_strict = false
allow_assign_grafana_admin = false
skip_org_role_sync = false
use_pkce = true
allowed_organizations = org_id

Instead, I am instructed to Managed Identity or certificates for authorization or want to know if its really possible because I have not found any related information so far.

I'm looking for guidance on the following points:

1. How do I configure Grafana to use client certificate authentication for Azure AD instead client_id and client_secret? e.g;

      client_id = YOUR_AZURE_CLIENT_ID (This will be fetched via KeyVault) 
      client_secret = YOUR_AZURE_CLIENT_SECRET (This will be fetched via KeyVault)
   

2. What settings should I specify in the [auth] section of the grafana.ini configuration file?
3. Are there any specific Azure AD settings I need to adjust to accept client certificate authentication requests from Grafana?
4. Are there any additional considerations or best practices I should be aware of when setting up client certificate authentication with Grafana and Azure AD?

Answer 1

Hi @muntazir abbas

Thank you for posting this in Microsoft Q&A.

I understand your query is related to configuring Grafana with SSO authentication using client certificates instead of client ID and client secret for Azure AD.

Please follow the below steps

1.Create the Azure AD application in Microsoft Entra Id

2.Go to App Registrations, search for your application, and click certificates & secrets, then upload certificate under certificates section.

Please follow this document to create certificate to authenticate your application.

3.To access resources in your subscription, you must assign a role to the application.

4.Copy the client id and tenant id of your application.

For your reference to create application and service principal: https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal

5.Once the client certificate has been uploaded to Azure AD, log in to your Grafana instance then Navigate to the Configuration tab.

6.Select Azure Active Directory from the Authentication section.

7.Enter the client ID and tenant ID that you copied from the previous step, upload the certificate.

8.Click Save to save the configuration. If the save was successful, Grafana will apply the new configurations.

This way you can configure SSO for Grafana with Azure AD Authentication Using Client Certificates Instead ClientID/Client Secret

Hope this helps. Do let us know if you any further queries.

Thanks,

Navya.

If the answer is helpful, please click "Accept Answer" and kindly "upvote" it.