Edit

Share Azure dashboards by using Azure role-based access control

  • Article
  • 3 minutes to read

After configuring a dashboard, you can publish it and share it with other users in your organization. You allow others to view your dashboard by using Azure role-based access control (Azure RBAC) to assign roles to either a single user or a group of users. You can select a role that allows them only to view the published dashboard, or a role that also allows them to modify it.

Tip

Within a dashboard, individual tiles enforce their own access control requirements based on the resources they display. You can share any dashboard broadly, even if some data on specific tiles might not be visible to all users.

Understand access control for dashboards

From an access control perspective, dashboards are no different from other resources, such as virtual machines or storage accounts. Published dashboards are implemented as Azure resources. Each dashboard exists as a manageable item contained in a resource group within your subscription.

Azure RBAC lets you assign users to roles at four different levels of scope: management group, subscription, resource group, or resource. Azure RBAC permissions are inherited from higher levels down to the individual resource. In many cases, you may already have users assigned to roles for the subscription that will give them access to the published dashboard.

For example, any users who have the Owner or Contributor role for a subscription can list, view, create, modify, or delete dashboards within the subscription. Users with a custom role that includes the Microsoft.Portal/Dashboards/Write permission can also perform these tasks.

Users with the Reader role for the subscription (or a custom role with Microsoft.Portal/Dashboards/Read permission) can list and view dashboards within that subscription, but they can't modify or delete them. These users are able to make private copies of dashboards for themselves. They can also make local edits to a published dashboard for their own use, such as when troubleshooting an issue, but they can't publish those changes back to the server.

To expand access to a dashboard beyond the access granted at the subscription level, assign permissions to an individual dashboard, or to a resource group that contains several dashboards. For example, if a user should have limited permissions across the subscription, but needs to be able to edit one particular dashboard, you can assign a different role with more permissions (such as Contributor) for that dashboard only.

Publish a dashboard

To share access to a dashboard, you must first publish it. When you do so, other users in your organization will be access and modify the dashboard based on their Azure RBAC roles.

  1. In the dashboard, select Share.

    Screenshot showing the Share option for an Azure portal dashboard.

  2. In Sharing + access control, select Publish.

    Screenshot showing how to publish an Azure portal dashboard.

    By default, sharing publishes your dashboard to a resource group named dashboards. To select a different resource group, clear the checkbox.

  3. To add optional tags to the dashboard, enter one or more name/value pairs.

  4. Select Publish.

Your dashboard is now published. If the permissions that users inherit from the subscription are sufficient, you don't need to do anything more. Otherwise, read on to learn how to expand access to specific users or groups.

Assign access to a dashboard

For each dashboard that you have published, you can assign Azure RBAC built-in roles to groups of users (or to individual users). This lets them use that role on the dashboard, even if their subscription-level permissions wouldn't normally allow it.

  1. After publishing the dashboard, select Manage sharing, then select Access control.

  2. In Access Control, select Role assignments to see existing users that are already assigned a role for this dashboard.

  3. To add a new user or group, select Add then Add role assignment.

    Screenshot showing how to add a role assignment for an Azure portal dashboard.

  4. Select the role you want to grant, such as Contributor or Reader, and then select Next.

  5. Select Select members, then select one or more Azure Active Directory (Azure AD) groups and/or users. If you don't see the user or group you're looking for in the list, use the search box. When you have finished, choose Select.

  6. Select Review + assign to complete the assignment.

Next steps