How do I connect Amazon Managed Grafana Azure App from Gallery with Amazon Managed Grafana

marafado88 21 Reputation points
2025-03-06T19:08:21.9933333+00:00

Hello everyone,

So I am having some issues while connecting the Amazon Managed Grafana Azure App from the Gallery with Amazon Managed Grafana, mostly when trying to parse groups for permissions. Currently users are able to log in if added to the target groups added on the Amazon Managed Grafana Azure App, but with Grafana viewer mode, which is expected when no permissions are applied.

This is what I have currently on Azure App side and what I have on Amazon Managed Grafana (under role values, I have Azure Security Group IDs):

User's image

User's image

Have any of you set up this integration or anything similar with custom claims?


Accepted answer
  1. Kancharla Saiteja 5,485 Reputation points Microsoft External Staff Moderator
    2025-03-10T06:32:50.0466667+00:00

    Hi marafado88,

    Thank you for posting your query on Microsoft Q&A.

    Based on your query, I understand that you would like to know the permissions required for viewer mode on Grafana.

    The configuration that you made in Azure and Grafana is about authentication using SSO. This configuration involves the user authentication, which has been properly configured on both ends. But when it comes to viewer mode or what permissions we need to have from Grafana, you may need to check with the Grafana team itself.

    If you would like to set some roles for the users in Azure, you can do that while adding the users and groups to the application. Here is the Microsoft document: Assign the Microsoft Entra test user. But these roles work within Azure itself.

    If you would like to work with roles for the users in Grafana, please take a look at the Grafana document: Assertion mapping.

    • For Assertion attribute role, specify the name of the attribute within the SAML assertion to use as the user roles.
    • For Assertion attribute name, specify the name of the attribute within the SAML assertion to use for the user full "friendly" names for SAML users.
    • For Assertion attribute login, specify the name of the attribute within the SAML assertion to use for the user sign-in names for SAML users.
    • For Assertion attribute email, specify the name of the attribute within the SAML assertion to use for the user email names for SAML users.
    • For Assertion attribute organization, specify the name of the attribute within the SAML assertion to use for the "friendly" name for user organizations.
    • For Assertion attribute groups, specify the name of the attribute within the SAML assertion to use for the "friendly" name for user groups.
    • For Allowed organizations, you can limit user access to only the users who are members of certain organizations in the IdP.
    • For Editor role values, specify the user roles from your IdP who all should be granted the Editor role in the Amazon Managed Grafana workspace.

    This might help you in providing proper roles to the users to access Grafana and work with the dashboards.

    Additional information:

    Microsoft Entra single sign-on (SSO) integration with Amazon Managed Grafana

    Configure Amazon Managed Grafana to use Azure AD

    NOTE: We don't hold any responsibility for the Amazon Grafana documents from Amazon. We have shared the information for your knowledge.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly "upvote it". If you have extra questions about this answer, please click "Comment".

    1 person found this answer helpful.
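
An added diagnostic example, not part of the original thread and not code from Microsoft or AWS: it reads a captured SAML assertion, lists the attribute names it actually carries, and evaluates which Grafana role the "Assertion attribute role" and role-values settings discussed above would produce. Assumptions: the sample assertion and group GUIDs are constructed placeholders, attribute names are compared by exact match, Admin takes precedence over Editor, and a user with no matching value falls back to Viewer.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: group object IDs under the Entra ID groups claim URI (placeholder GUIDs).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>00000000-0000-0000-0000-0000000000aa</saml:AttributeValue>
      <saml:AttributeValue>00000000-0000-0000-0000-0000000000bb</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>user@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def list_attribute_names(assertion_xml):
    """List every attribute Name in the assertion, to compare with the workspace setting."""
    root = ET.fromstring(assertion_xml)
    return [a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)]

def attribute_values(assertion_xml, attr_name):
    """Return the values of the SAML attribute whose Name equals attr_name exactly."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == attr_name:
            values += [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
    return values

def resolve_role(assertion_xml, role_attr, admin_values, editor_values):
    """Assumed model: Admin wins over Editor; no matching value falls back to Viewer."""
    present = set(attribute_values(assertion_xml, role_attr))
    if present & set(admin_values):
        return "Admin"
    if present & set(editor_values):
        return "Editor"
    return "Viewer"

if __name__ == "__main__":
    editors = ["00000000-0000-0000-0000-0000000000bb"]
    full = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
    print(list_attribute_names(SAMPLE_ASSERTION))
    print(resolve_role(SAMPLE_ASSERTION, "groups", [], editors))  # short name does not match
    print(resolve_role(SAMPLE_ASSERTION, full, [], editors))      # full claim URI matches
```

Run it against an assertion captured from your own sign-in (for example with a browser SAML tracer) and compare the listed attribute names with the value entered for the role attribute in the workspace.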
