@Bart van Dooren, please find below details of the token/access management as used in Azure Managed Grafana:
- We keep a login session cookie for 24 hours so that the user doesn't need to log in frequently. If the session cookie times out, the client (normally a browser) will automatically be redirected to AAD for login. Once the user logs in, the browser will be automatically redirected back to the previous location of the Grafana instance (together with the user's access token/refresh token). Since it's based on single sign-on, as long as the client has been logged into AAD, the user typically doesn't need to do anything explicitly or even notice it.
- Once the user logs into Grafana, we will do an Azure RBAC check of the user's permissions. This permission check result is normally cached for 5 min only, i.e., if the user is granted a different permission, there may be a delay of up to 5 min for the new role to be effective.
- We use some of the information in the user's access token for the Azure RBAC check, as mentioned in point 2. From the Managed Grafana standpoint, there are no changes to the token lifetime, so it accepts whatever lifetime is received for the token from Azure Active Directory, and this is stored in a cookie. The Managed Grafana instance refreshes the token when it's less than 30 sec from expiration, and the new token gets put back into the cookie. This is done only if a refresh token is available in the cookie, which was available in the very first original authentication process.
Therefore, from a usage point of view, two times matter here:
- The session cookie for the Azure Grafana instance times out after 24 hours; there will be an automatic re-login.
- A role assignment change may take up to 5 min to be effective (once it's propagated by Azure RBAC, which is normally fast but could take longer).
Hope this helps.
If the answer did not help, please add more context/follow-up question for it, and we will help you out. Else, if the answer helped, please click Accept answer so that it can help others in the community looking for help on similar topics.
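The following is an added illustration, not code from the answer above or from Azure Managed Grafana itself, that models the two timings the answer describes: the token-refresh rule (refresh only when fewer than 30 seconds remain and a refresh token is present in the cookie) and the 5-minute cache of the RBAC permission check, which is why a role change can lag. It reads the `exp` claim of a JWT-shaped access token without verifying it (lifetime inspection only; not an authorization decision). The token, the clock value and the role lookup table are constructed sample data; `RbacCache` and `should_refresh` are hypothetical names chosen for this example.

```python
import base64
import json

# Constants taken from the answer above (assumed to be the configured values).
REFRESH_THRESHOLD_SECONDS = 30        # refresh when fewer than 30 s remain
RBAC_CACHE_TTL_SECONDS = 5 * 60       # permission check result cached for 5 min
SESSION_COOKIE_LIFETIME_SECONDS = 24 * 3600


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.

    Only suitable for inspecting lifetime; unverified claims must never drive
    an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS/JWT (expected 3 dot-separated parts)")
    return json.loads(_b64url_decode(parts[1]))


def seconds_until_expiry(token: str, now: float) -> float:
    """Seconds remaining before the token's exp claim, relative to `now`."""
    exp = jwt_claims(token).get("exp")
    if exp is None:
        raise ValueError("token carries no exp claim")
    return float(exp) - now


def should_refresh(token: str, has_refresh_token: bool, now: float) -> bool:
    """Refresh rule from the answer: under 30 s left AND a refresh token exists."""
    return has_refresh_token and seconds_until_expiry(token, now) < REFRESH_THRESHOLD_SECONDS


class RbacCache:
    """Models the 5-minute cache of an RBAC permission check.

    `lookup` stands in for the live Azure RBAC query (callable user -> role).
    A role assignment change is only seen once the cached entry has aged out.
    """

    def __init__(self, lookup, ttl: float = RBAC_CACHE_TTL_SECONDS):
        self._lookup = lookup
        self._ttl = ttl
        self._entries = {}  # user -> (role, cached_at)

    def role_for(self, user: str, now: float) -> str:
        entry = self._entries.get(user)
        if entry is not None and now - entry[1] < self._ttl:
            return entry[0]              # still within the 5 min window
        role = self._lookup(user)        # cache miss or expired: ask RBAC again
        self._entries[user] = (role, now)
        return role


def make_sample_token(claims: dict) -> str:
    """Build a constructed JWT-shaped string for the demo (placeholder signature)."""
    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholdersignature"


def demo() -> dict:
    """Walk through both timings with a constructed clock and role table."""
    now = 1_700_000_000.0                                    # constructed reference time
    token = make_sample_token({"sub": "user@example.com", "exp": int(now + 3600)})
    roles = {"user@example.com": "Grafana Viewer"}           # constructed RBAC state
    cache = RbacCache(roles.__getitem__)

    role_before = cache.role_for("user@example.com", now)
    roles["user@example.com"] = "Grafana Editor"             # assignment changes in Azure RBAC
    return {
        "remaining_at_login": seconds_until_expiry(token, now),
        "refresh_at_login": should_refresh(token, True, now),
        "refresh_at_29s_left": should_refresh(token, True, now + 3600 - 29),
        "refresh_without_refresh_token": should_refresh(token, False, now + 3600 - 29),
        "role_before_change": role_before,
        "role_4m59s_after": cache.role_for("user@example.com", now + 299),
        "role_5m_after": cache.role_for("user@example.com", now + 300),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The cache shows the delay the answer warns about: a role changed right after login is still reported as the old role at 4 min 59 s and only flips at the 5-minute mark, independent of how quickly Azure RBAC itself propagated the assignment.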