Sync Grafana teams with Microsoft Entra groups (preview)

In this guide, you learn how to use Microsoft Entra groups with Grafana Team Sync (Microsoft Entra group sync) to set dashboard permissions in Azure Managed Grafana. Grafana allows you to control access to its resources at multiple levels. In Managed Grafana, you use the built-in Azure RBAC roles for Grafana to define access rights users have. These permissions are applied to all resources in your Grafana workspace by default. You can't, for example, grant someone edit permission to only one particular dashboard with RBAC. If you assign a user to the Grafana Editor role, that user can make changes to any dashboard in your Grafana workspace. Using Grafana's granular permission model, you can elevate or demote a user's default permission level for specific dashboards (or dashboard folders).

Setting up dashboard permissions for individual users in Managed Grafana is a little tricky. Managed Grafana stores the user assignments for its built-in RBAC roles in Microsoft Entra ID. For performance reasons, it doesn't automatically synchronize the user assignments to Grafana workspaces. Users in these roles don't show up in Grafana's Configuration UI until they've signed in once. You can only grant users extra permissions after they appear in the Grafana user list in Configuration. Microsoft Entra group sync gets around this issue. With this feature, you create a Grafana team in your Grafana workspace linked with a Microsoft Entra group. You then use that team in configuring your dashboard permissions. For example, you can grant a viewer the ability to modify a dashboard or block an editor from being able to make changes. You don't need to manage the team's member list separately since its membership is already defined in the associated Microsoft Entra group.

Important

Microsoft Entra group sync is currently in preview. See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Set up Microsoft Entra group sync

To use Microsoft Entra group sync, you add a new team to your Grafana workspace and link it to an existing Microsoft Entra group through its group ID. Follow these steps to set up a Microsoft Entra ID-backed Grafana team.

1. In the Azure portal, open your Grafana instance and select Configuration under Settings.

2. Select the Microsoft Entra team Sync Settings tab.

3. Select + Create new Grafana team.

   

4. Enter a name for the Grafana team and select Add.

   

5. In Assign access to, select the newly created Grafana team.

6. Select + Add a Microsoft Entra group.

7. In the search box, enter a Microsoft Entra group name and select the group name in the results. Click Select to go confirm.

   

8. Repeat the previous three steps to add more Microsoft Entra groups to the Grafana team as appropriate.

Remove Microsoft Entra group sync

If you no longer need a Grafana team, follow these steps to delete it. Deleting a Grafana team also removes the link to the Microsoft Entra group.

1. In the Azure portal, open your Azure Managed Grafana workspace.

2. Select Administration > Teams.

3. Select the X button to the right of a team you're deleting.

   

4. Select Delete to confirm.

Next steps

In this how-to guide, you learned how to set up Grafana teams backed by Microsoft Entra groups. To learn how to use teams to control access to dashboards in your workspace, see Manage dashboard permissions.