How to modify access permissions to Azure Monitor

By default, when a Grafana instance is created, Azure Managed Grafana grants it the Monitoring Reader role for all Azure Monitor data and Log Analytics resources within a subscription.

This means that the new Grafana instance can access and search all monitoring data in the subscription, including viewing the Azure Monitor metrics and logs from all resources, and any logs stored in Log Analytics workspaces in the subscription.

In this article, you'll learn how to manually grant permission for Azure Managed Grafana to access an Azure resource using a managed identity.


Sign in to Azure

Sign in to the Azure portal with your Azure account.

Edit Azure Monitor permissions

To change permissions for a specific resource, follow these steps:

  1. Open a resource that contains the monitoring data you want to retrieve. In this example, we're configuring an Application Insights resource.

  2. Select Access Control (IAM).

  3. Under Grant access to this resource, select Add role assignment.

    Screenshot of the Azure platform to add role assignment in App Insights.

  4. The portal lists various roles you can give to your Managed Grafana resource. Select a role, for instance Monitoring Reader.

  5. Click Next.

    Screenshot of the Azure platform and choose Monitor Reader.

  6. For Assign access to, select Managed Identity.

  7. Click Select members.

    Screenshot of the Azure platform selecting members.

  8. Select the Subscription containing your Managed Grafana instance.

  9. Select a Managed identity from the options in the dropdown list.

  10. Select the Managed Grafana instance from the list.

  11. Click Select to confirm.

    Screenshot of the Azure platform selecting the instance.

  12. Click Next, then Review + assign to confirm the application of the new permission.
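To check the result of these steps, the following added example (not part of the original article) sorts a managed identity's role assignments into subscription-wide grants, such as the default Monitoring Reader assignment, and per-resource grants like the one created above. It assumes input shaped like the output of `az role assignment list --all --output json`; the principal IDs, subscription ID and resource names are constructed placeholders.

```python
# Constructed sample shaped like `az role assignment list --all --output json`,
# trimmed to the fields used below. All IDs and resource names are placeholders.
GRAFANA_ID = "11111111-1111-1111-1111-111111111111"  # managed identity principal ID
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE = [
    {"principalId": GRAFANA_ID, "roleDefinitionName": "Monitoring Reader",
     "scope": SUB},  # the default subscription-wide grant
    {"principalId": GRAFANA_ID, "roleDefinitionName": "Monitoring Reader",
     "scope": SUB + "/resourceGroups/rg-app/providers/Microsoft.Insights/components/appi-web"},
    {"principalId": "22222222-2222-2222-2222-222222222222",
     "roleDefinitionName": "Reader", "scope": SUB + "/resourceGroups/rg-app"},
]


def scope_level(scope):
    """Classify an Azure scope string by how much it covers."""
    parts = [p.lower() for p in scope.split("/") if p]
    if parts[:1] != ["subscriptions"]:
        return "other"  # management group, tenant root, or unrecognised
    if len(parts) == 2:
        return "subscription"
    if len(parts) == 4 and parts[2] == "resourcegroups":
        return "resource_group"
    if "providers" in parts:
        return "resource"
    return "other"


def review(assignments, principal_id):
    """Split one identity's role assignments into broad and per-resource grants."""
    broad, scoped = [], []
    for a in assignments:
        if a["principalId"].lower() != principal_id.lower():
            continue
        level = scope_level(a["scope"])
        entry = (a["roleDefinitionName"], level, a["scope"])
        (scoped if level == "resource" else broad).append(entry)
    return broad, scoped


if __name__ == "__main__":
    broad, scoped = review(SAMPLE, GRAFANA_ID)
    for role, level, scope in broad:
        print(f"BROAD    {role} ({level}): {scope}")
    for role, level, scope in scoped:
        print(f"RESOURCE {role}: {scope}")
```
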

For more information about how to use Managed Grafana with Azure Monitor, go to Monitor your Azure services in Grafana.
