Configure self-managed Grafana to use Azure Monitor managed service for Prometheus with Azure Active Directory.

Azure Monitor managed service for Prometheus allows you to collect and analyze metrics at scale using a Prometheus-compatible monitoring solution. The most common way to analyze and present Prometheus data is with a Grafana dashboard. This article explains how to configure Prometheus as a data source for self-hosted Grafana using Azure Active Directory.

For information on using Grafana with managed system identity, see Configure Grafana using managed system identity.

Azure Active Directory authentication

To set up Azure Active Directory authentication, follow the steps below:

  1. Register an app with Azure Active Directory.
  2. Grant access for the app to your Azure Monitor workspace.
  3. Configure your self-hosted Grafana with the app's credentials.

Register an app with Azure Active Directory

  1. To register an app, open the Active Directory Overview page in the Azure portal.

  2. Select New registration.

  3. On the Register an application page, enter a Name for the application.

  4. Select Register.

  5. Note the Application (client) ID and Directory (tenant) ID. They're used in the Grafana authentication settings.

  6. On the app's overview page, select Certificates and Secrets.

  7. In the client secrets tab, select New client secret.

  8. Enter a Description.

  9. Select an expiry period from the dropdown and select Add.

    Note

    Create a process to renew the secret and update your Grafana data source settings before the secret expires. Once the secret expires, Grafana will lose the ability to query data from your Azure Monitor workspace.


  10. Copy and save the client secret Value.

    Note

    Client secret values can only be viewed immediately after creation. Be sure to save the secret before leaving the page.
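
One way to support the renewal process called for in the note under step 9, as an added example that is not part of the original article: the function below flags client secrets that have expired or will expire within a warning window. It assumes the credential list was exported with `az ad app credential list --id <client-id>`; the sample JSON, the 30-day window, and the function names are constructed for illustration.

```python
import json
import re
import sys
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Constructed sample shaped like `az ad app credential list --id <client-id>` output
# (Microsoft Graph passwordCredential objects). Every value here is made up.
SAMPLE = """[
 {"displayName": "grafana-prometheus", "keyId": "00000000-0000-0000-0000-000000000001",
  "endDateTime": "2024-07-08T09:00:00Z"},
 {"displayName": "grafana-prometheus-next", "keyId": "00000000-0000-0000-0000-000000000002",
  "endDateTime": "2025-06-20T09:00:00+00:00"},
 {"displayName": "old", "keyId": "00000000-0000-0000-0000-000000000003",
  "endDateTime": "2024-01-01T00:00:00.1234567Z"}
]"""

_TS = re.compile(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?(Z|[+-]\d\d:\d\d)?")

def parse_graph_time(value):
    """Parse a Graph timestamp, tolerating a trailing Z and 7-digit fractions."""
    m = _TS.fullmatch(value)
    if not m:
        raise ValueError(f"unrecognised timestamp: {value!r}")
    base, frac, tz = m.groups()
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    dt = dt.replace(microsecond=int((frac or "0")[:6].ljust(6, "0")))
    if tz in (None, "Z"):
        return dt.replace(tzinfo=timezone.utc)
    sign = -1 if tz[0] == "-" else 1
    offset = sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[4:6]))
    return dt.replace(tzinfo=timezone(offset))

def classify_secrets(credentials, now, warn_days=30):
    """Return (status, displayName, keyId, days_left) tuples, soonest expiry first."""
    rows = []
    for cred in credentials:
        left = parse_graph_time(cred["endDateTime"]) - now
        status = ("EXPIRED" if left <= timedelta(0)
                  else "ROTATE" if left <= timedelta(days=warn_days) else "OK")
        rows.append((status, cred.get("displayName") or "", cred["keyId"], left.days))
    return sorted(rows, key=lambda row: row[3])

if __name__ == "__main__":
    # Pass a file holding real CLI output as argv[1]; otherwise the sample is used.
    raw = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE
    rows = classify_secrets(json.loads(raw), datetime.now(timezone.utc))
    for row in rows:
        print("%-8s %-26s %s (%d days)" % row)
    sys.exit(1 if any(row[0] != "OK" for row in rows) else 0)
```

The non-zero exit status lets a scheduled job raise an alert while there is still time to create a new secret and update the Grafana data source.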


Allow your app access to your workspace

Allow your app to query data from your Azure Monitor workspace.

  1. Open your Azure Monitor workspace in the Azure portal.

  2. On the Overview page, take note of your Query endpoint. The query endpoint is used when setting up your Grafana data source.

  3. Select Access control (IAM).

  4. Select Add, then Add role assignment from the Access Control (IAM) page.

  5. On the Add role Assignment page, search for Monitoring.

  6. Select Monitoring data reader, then select the Members tab.


  7. Select Select members.

  8. Search for the app that you registered in the Register an app with Azure Active Directory section and select it.

  9. Click Select.

  10. Select Review + assign.

You've created your App registration and have assigned it access to query data from your Azure Monitor workspace. The next step is setting up your Prometheus data source in Grafana.

Set up self-managed Grafana to turn on Azure Authentication

Grafana now supports connecting to Azure Monitor managed Prometheus using the Prometheus data source. Self-hosted Grafana, and any other Grafana instance that is not managed by Azure, needs a configuration change to use the Azure Authentication option. Make the following changes:

  1. Locate the Grafana configuration file. See the Configure Grafana documentation for details.

  2. Identify your Grafana version.

  3. Update the Grafana configuration file.

    For Grafana 9.0:

        [feature_toggles] 
        # Azure authentication for Prometheus (<=9.0) 
        prometheus_azure_auth = true 
    

    For Grafana 9.1 and later versions:

        [auth] 
        # Azure authentication for Prometheus (>=9.1) 
        azure_auth_enabled = true 
    

For Azure Managed Grafana, you don't need to make any configuration changes. Managed Identity is also enabled by default.

Configure your Prometheus data source in Grafana

  1. Sign in to your Grafana instance.

  2. On the configuration page, select the Data sources tab.

  3. Select Add data source.

  4. Select Prometheus.

  5. Enter a Name for your Prometheus data source.

  6. In the URL field, paste the Query endpoint value from the Azure Monitor workspace overview page.

  7. Under Auth, turn on Azure Authentication.

  8. In the Azure Authentication section, select App Registration from the Authentication dropdown.

  9. Enter the Directory (tenant) ID, Application (client) ID, and the Client secret from the Register an app with Azure Active Directory section.

  10. Select Save & test.
