Is it required to have "Monitoring Reader" RBAC role on Subscription level?

Alen Rokic 36 Reputation points
2023-09-25T09:54:10.0433333+00:00

In the docs this bullet is mentioned: "The box Add role assignment to this identity with 'Monitoring Reader' role on target subscription is checked by default."

In my organization I don't have Owner permissions on the Subscription level. Only Contributor. How big of a requirement is this for Azure Managed Grafana to have "Monitoring Reader" on the Subscription level?

Because if I add the Monitoring Reader role to an RG where I have the Owner role, then I can get the data with Kusto from the underlying App Insights and Log Analytics and display the data just fine in my Azure Managed Grafana. I do get a warning when I try "Pin to Grafana" from the Azure Portal that I am missing Monitoring Reader on the Subscription level, but yet it works for me and I am able to see the Dashboard in Grafana.

I am aware that for every Azure Monitor resource I want to have in my Grafana I manually need to add the Monitoring Reader role, but that is manageable for me.

I am not sure if I will run into some other weird issues if I don't have Monitoring Reader on the Subscription level? Any thoughts?

Azure Managed Grafana
An Azure service used to deploy Grafana dashboards for analytics and monitoring solutions.

Accepted answer
  1. Wuyi Weng 151 Reputation points Microsoft Employee
    2023-10-05T17:44:41.43+00:00

    Hello @Alen Rokic, thanks for your interest in the Azure Managed Grafana product!

    For the above described scenario, it is not "required" to have the "Monitoring Reader" role over the whole subscription.

    The "Monitoring Reader" role is being used for the Azure Managed Grafana's system assigned managed identity to read Azure Platform metrics, Azure Platform Logs and Azure Resource Graph. By having the "Monitoring Reader" role on the whole subscription, the Azure Managed Grafana would be able to access all the resources' data without any extra manual effort. If you only want to access the data on a subset of resources in the subscription, doing manual role assignment on demand will definitely work.
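
An added example, not part of the original question or answer: when "Monitoring Reader" is assigned per resource group instead of on the subscription, a small audit can show which dashboard data sources the Grafana managed identity can actually read. It assumes the JSON shape of `az role assignment list --all --assignee <principal-id> -o json`; the subscription ID, resource group names and resource IDs are constructed, and management-group scopes are not modeled.

```python
import json

ROLE = "Monitoring Reader"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder ID

# Constructed sample in the shape of:
#   az role assignment list --all --assignee <principal-id> -o json
ASSIGNMENTS = json.loads("""[
  {"roleDefinitionName": "Monitoring Reader", "scope": "%(s)s/resourceGroups/rg-observability"},
  {"roleDefinitionName": "Reader", "scope": "%(s)s/resourceGroups/rg-shop"}
]""" % {"s": SUB})

# Constructed resource IDs that the dashboards query.
RESOURCES = [
    SUB + "/resourceGroups/RG-Observability/providers/Microsoft.Insights/components/appi-web",
    SUB + "/resourceGroups/rg-observability/providers/Microsoft.OperationalInsights/workspaces/law-core",
    SUB + "/resourceGroups/rg-observability-dev/providers/Microsoft.Insights/components/appi-dev",
    SUB + "/resourceGroups/rg-shop/providers/Microsoft.OperationalInsights/workspaces/law-shop",
]

def _segments(arm_id):
    # ARM IDs are case-insensitive; compare whole path segments, not raw prefixes,
    # so "rg-observability" does not match "rg-observability-dev".
    return [p.lower() for p in arm_id.strip("/").split("/")]

def scope_covers(scope, resource_id):
    """True if a role assigned at `scope` is inherited by `resource_id`."""
    s, r = _segments(scope), _segments(resource_id)
    return r[:len(s)] == s

def role_scopes(assignments, role=ROLE):
    return [a["scope"] for a in assignments if a.get("roleDefinitionName") == role]

def uncovered(assignments, resources, role=ROLE):
    """Resources the identity cannot read because no `role` scope contains them."""
    scopes = role_scopes(assignments, role)
    return [r for r in resources if not any(scope_covers(s, r) for s in scopes)]

def subscription_wide(assignments, role=ROLE):
    """Scopes granting `role` on a whole subscription (broader than per-RG grants)."""
    return [s for s in role_scopes(assignments, role) if len(_segments(s)) == 2]

if __name__ == "__main__":
    for r in uncovered(ASSIGNMENTS, RESOURCES):
        print("no Monitoring Reader scope covers:", r)
    print("subscription-wide grants:", subscription_wide(ASSIGNMENTS))
```
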

