Configure self-managed Grafana to use Azure Monitor managed service for Prometheus with Microsoft Entra ID.

Azure Monitor managed service for Prometheus allows you to collect and analyze metrics at scale using a Prometheus-compatible monitoring solution. The most common way to analyze and present Prometheus data is with a Grafana dashboard. This article explains how to configure Prometheus as a data source for self-hosted Grafana using Microsoft Entra ID.

For information on using Grafana with managed system identity, see Configure Grafana using managed system identity.

Microsoft Entra authentication

To set up Microsoft Entra authentication, follow the steps below:

1. Register an app with Microsoft Entra ID.
2. Grant access for the app to your Azure Monitor workspace.
3. Configure your self-hosted Grafana with the app's credentials.

Register an app with Microsoft Entra ID

1. To register an app, open the Active Directory Overview page in the Azure portal.

2. Select New registration.

3. On the Register an application page, enter a Name for the application.

4. Select Register.

5. Note the Application (client) ID and Directory(Tenant) ID. They're used in the Grafana authentication settings.

6. On the app's overview page, select Certificates and Secrets.

7. In the client secrets tab, select New client secret.

8. Enter a Description.

9. Select an expiry period from the dropdown and select Add.

   Note

   Create a process to renew the secret and update your Grafana data source settings before the secret expires. Once the secret expires Grafana will lose the ability to query data from your Azure Monitor workspace.

   

10. Copy and save the client secret Value.

    Note

    Client secret values can only be viewed immediately after creation. Be sure to save the secret before leaving the page.

    

Allow your app access to your workspace

Allow your app to query data from your Azure Monitor workspace.

1. Open your Azure Monitor workspace in the Azure portal.

2. On the Overview page, take note of your Query endpoint. The query endpoint is used when setting up your Grafana data source.

3. Select Access control (IAM).

4. Select Add, then Add role assignment from the Access Control (IAM) page.

5. On the Add role Assignment page, search for Monitoring.

6. Select Monitoring data reader, then select the Members tab.

   

7. Select Select members.

8. Search for the app that you registered in the Register an app with Microsoft Entra ID section and select it.

9. Click Select.

10. Select Review + assign.

You've created your App registration and have assigned it access to query data from your Azure Monitor workspace. The next step is setting up your Prometheus data source in Grafana.

Setup self-managed Grafana to turn on Azure Authentication.

Grafana now supports connecting to Azure Monitor managed Prometheus using the Prometheus data source. For self-hosted Grafana instances, a configuration change is needed to use the Azure Authentication option in Grafana. For self-hosted Grafana or any other Grafana instances that are not managed by Azure, make the following changes:

1. Locate the Grafana configuration file. See the Configure Grafana documentation for details.

2. Identity your Grafana version.

3. Update the Grafana configuration file.

   For Grafana 9.0:

       [feature_toggles] 
       # Azure authentication for Prometheus (<=9.0) 
       prometheus_azure_auth = true 
   

   For Grafana 9.1 and later versions:

       [auth] 
       # Azure authentication for Prometheus (>=9.1) 
       azure_auth_enabled = true 
   

For Azure Managed Grafana, you don't need to make any configuration changes. Managed Identity is also enabled by default.

Configure your Prometheus data source in Grafana

1. Sign-in to your Grafana instance.

2. On the configuration page, select the Data sources tab.

3. Select Add data source.

4. Select Prometheus.

5. Enter a Name for your Prometheus data source.

6. In the URL field, paste the Query endpoint value from the Azure Monitor workspace overview page.

7. Under Auth, turn on Azure Authentication.

8. In the Azure Authentication section, select App Registration from the Authentication dropdown.

9. Enter the Direct(tenant) ID, Application (client) ID, and the Client secret from the Register an app with Microsoft Entra ID section.

10. Select Save & test

Frequently asked questions

This section provides answers to common questions.

I am missing all or some of my metrics. How can I troubleshoot?

You can use the troubleshooting guide for ingesting Prometheus metrics from the managed agent here.

Why am I missing metrics that have two labels with the same name but different casing?

Azure managed Prometheus is a case insensitive system. It treats strings, such as metric names, label names, or label values, as the same time series if they differ from another time series only by the case of the string. For more information, see Prometheus metrics overview.

I see some gaps in metric data, why is this occurring?

During node updates, you might see a 1-minute to 2-minute gap in metric data for metrics collected from our cluster level collectors. This gap occurs because the node that the data runs on is being updated as part of a normal update process. This update process affects cluster-wide targets such as kube-state-metrics and custom application targets that are specified. This occurs when your cluster is updated manually or via autoupdate. This behavior is expected and occurs due to the node it runs on being updated. This behavior doesn't affect any of our recommended alert rules.

Next steps

• Configure Grafana using managed system identity.
• Collect Prometheus metrics for your AKS cluster.
• Configure Prometheus alerting and recording rules groups.
• Customize scraping of Prometheus metrics.