This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(124.80000000000001, 47%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
We have created an Azure Managed Grafana, and are trying to get Teams Sync to function with Azure AD groups, as we want to use Grafana Teams to control which Dashboards different users can see/edit. We are currently able to log into Grafana using users that have been added to a Azure AD Group that have been given the Grafana Viewer role in Azure AD, but these users are not automatically added to the Grafana Teams where we have tried to enable External Group Sync.
I have tried to follow this guide https://grafana.com/docs/grafana/v9.0/setup-grafana/configure-security/configure-team-sync/, and it seems like one should only need to add the Object ID of the Azure AD group to get the team members syncing, but this does not seem to result in any sync of the group. We have also tried typing in the group name, but this does not seem to help either.
We see that users get their own Grafana user after first logging in to Grafana with their Azure AD user. This Grafana user can be added to the Grafana Team, and is then able to see the dashboards the Team have access to. However, we are not able to add users that have not yet logon to Grafana (even though they are part of an Azure AD group with Grafana viewer rights), and users are not automatically added to the Grafana Team their Azure AD group has been added to upon first access to Grafana.
We have tried using both the managed identity that was created when the Azure Managed Grafana was created, and an application registration.
We feel like we are missing some specific configuration that we have not understood that we need to add.
The question is thus: Have anyone been able to sync an Azure AD group with a Grafana Team in Azure Managed Grafana, so that one can use Grafana Teams to control which users have access to which dashboards?
Thank you for any help.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(121.6, 8%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EYG%3C/text%3E%3C/svg%3E)
You can manually configure dashboard access inside Grafana, though you can only do that for users who've logged in instead of a priori when you're setting up RBAC on your instance. We'll investigate Team Sync. We don't have a timeline yet.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(288, 85%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAL%3C/text%3E%3C/svg%3E)
Hi @Ye Gu cx created a support ticket to our team regarding the same issue. Could you confirm that the external team sync feature is currently not supported?
Hi @Ye Gu .
Would it be possible to create this sync ourselves with the use of the Grafana APIs like
https://grafana.com/docs/grafana/v9.0/developers/http_api/team/#add-team-member?
Regards
Hans O. Martinsen
That's correct. Team Sync isn't supported currently.
Yes, that should be possible. Even with Team Sync, there needs to be a separate process to synchronize membership with an AAD group. Team Sync supports automatic sync with LDAP only.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(6.4, 3%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKT%3C/text%3E%3C/svg%3E)
Is there any update on this issue?
Update on which topic? Teams in Azure Managed Grafana is working! But no AAD Sync ATM. AAD Sync should come.
Yes, we're working on enabling AAD groups to be used with Grafana Team Sync.
Thanks Ye Gu :) Looking forward for this feature
Dashboard (or folder) level access control isn't supported currently. That's on our roadmap.
Hi @Ye Gu , I am not sure if I fully understand you.
If I manually add a user that has logged into Grafana (logged in using an Azure AD user) to a team that I have created in Grafana, I am able to control the dashboard access this user gets. However, I am not able to get External Group Sync to function, meaning I want a user to be automatically added to a Team upon first login to Grafana. Does this mean that External Group Sync with Azure AD groups has not yet been enabled?
Hello Miriam-5530,
hello Microsoft Team,
Actually i have the same question. It would be great if MS can implement that feature.
Greetings Philip
With Azure Managed Grafana, you can use an AAD group directly in the RBAC role assignments. This allows you to centralize and secure your identity management in AAD. We don't sync AAD data since there are many issues with that approach.
Hope this helps!
Thank you @Ye Gu for your answer.
We have done this and are able to login to our Grafana with Azure AD. However, we need to use Grafana Teams to controll who can access the different dashboards in Grafana. We assume that we can use the "External Group Sync" explained here: https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-team-sync/, but we are not able to get it working. Any tips on how to do that would be greatly appreciated.
Miriam