Hello Mahmoodi, Somayeh (Admin),
Kindly check the answers below.
1. Can I use a custom domain with Azure Managed Grafana (AMG) and Entra External ID authentication?
- AMG does not natively support custom domains. The official stance is that you cannot directly configure AMG to respond to your own DNS name; it only works with the default *.grafana.azure.com endpoint. Attempts to CNAME map your domain will result in 404 because AMG does not allow host header overrides. [stackoverflow.com]
- Custom URL domains for Entra External ID are supported, but they require a reverse proxy like Azure Front Door to route traffic from your custom domain to the Entra sign-in endpoints. This is documented in Microsoft Entra External ID custom URL domain guidance. [learn.microsoft.com]
- So, if you want a branded sign-in experience for external users, you can configure a custom URL domain for authentication flows, but AMG itself will still serve dashboards from its default URL unless you implement a reverse proxy layer.
2. Do I need to register an app for this scenario?
Yes.
- To enable Entra ID (Azure AD) OAuth for Grafana, you must register an application in the tenant where authentication occurs. This app registration provides the client ID, client secret, and redirect URIs (e.g., https://<grafana-domain>/login/azuread).
- If AMG is in an external tenant, the app registration must be created in that external tenant. You’ll also configure roles and permissions in Entra ID for Grafana users.
3. Do I have to use Azure Front Door for reverse proxy? Is there a cheaper option?
- Azure Front Door is the recommended solution for custom URL domains and global routing, but it adds cost.
- Cheaper alternatives:
  - Azure Application Gateway: Works as a reverse proxy and supports SSL termination and path-based routing.
  - Self-managed Nginx or IIS reverse proxy on an Azure VM: This is the lowest-cost option if you’re comfortable managing infrastructure. Nginx is commonly used for Grafana reverse proxy setups. [c-sharpcorner.com], [stackoverflow.com]
  - Azure AD Application Proxy: If your goal is secure external access without exposing AMG publicly, this can be an option, but it’s more for internal apps.
Trade-off: Front Door gives global performance and integrated WAF/CDN, while Nginx/IIS is cheaper but requires manual SSL and scaling.
Let us know if you have further questions.
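As an added illustration of the self-managed Nginx option described in the answer (this is not configuration from the original post or from Microsoft), the server block below fronts an AMG workspace with a custom domain and rewrites the Host header to the workspace's default `*.grafana.azure.com` name, since AMG only answers to that hostname. The custom domain, the AMG hostname and the certificate paths are placeholders.

```nginx
# Added example, not from the original answer. Hostnames and paths are placeholders.
server {
    listen 443 ssl;
    server_name grafana.example.com;                 # custom domain (placeholder)

    ssl_certificate     /etc/nginx/tls/grafana.example.com.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/grafana.example.com.key;   # placeholder path

    location / {
        # Upstream is the AMG default endpoint (placeholder workspace name).
        proxy_pass https://myworkspace-abcd.eus.grafana.azure.com;

        # AMG rejects requests for unknown hostnames (404), so the proxy must send
        # the workspace's own hostname upstream rather than the custom domain.
        proxy_set_header Host myworkspace-abcd.eus.grafana.azure.com;

        # Send SNI for the upstream name and verify its certificate so the
        # proxy-to-AMG hop is not silently downgraded to an unverified TLS session.
        proxy_ssl_server_name on;
        proxy_ssl_name myworkspace-abcd.eus.grafana.azure.com;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

        # Grafana uses WebSockets for live updates.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Redirect plain HTTP to HTTPS so credentials never travel in the clear.
server {
    listen 80;
    server_name grafana.example.com;
    return 301 https://$host$request_uri;
}
```

Grafana builds its OAuth redirect URI from its own configured root URL, which for AMG is the default endpoint, so test the sign-in round trip through the proxy before relying on it; users may still be returned to the `*.grafana.azure.com` address after authentication.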