Merge pull request #229958 from maud-lv/ml-g-shareinstance

Edit instance access sharing and permissions docs

Author: PMEds28

articles/managed-grafana/how-to-permissions.md

@@ -4,17 +4,18 @@ description: Learn how to manually set up permissions that allow your Azure Mana
 author: maud-lv 
 ms.author: malev 
 ms.service: managed-grafana 
+ms.custom: engagement-fy23
 ms.topic: how-to 
-ms.date: 6/10/2022 
+ms.date: 3/08/2022 
 ---
 
 # How to modify access permissions to Azure Monitor
 
 By default, when a Grafana instance is created, Azure Managed Grafana grants it the Monitoring Reader role for all Azure Monitor data and Log Analytics resources within a subscription.
 
-This means that the new Grafana instance can access and search all monitoring data in the subscription, including viewing the Azure Monitor metrics and logs from all resources, and any logs stored in Log Analytics workspaces in the subscription.
+This means that the new Grafana instance can access and search all monitoring data in the subscription. It can view the Azure Monitor metrics and logs from all resources, and any logs stored in Log Analytics workspaces in the subscription.
 
-In this article, you'll learn how to manually grant permission for Azure Managed Grafana to access an Azure resource using a managed identity.
+In this article, learn how to manually grant permission for Azure Managed Grafana to access an Azure resource using a managed identity.
 
 ## Prerequisites
 
@@ -28,34 +29,63 @@ Sign in to the Azure portal at [https://portal.azure.com/](https://portal.azure.
 
 ## Edit Azure Monitor permissions
 
-To change permissions for a specific resource, follow these steps:
+To edit permissions for a specific resource, follow these steps.
+
+### [Portal](#tab/azure-portal)
 
 1. Open a resource that contains the monitoring data you want to retrieve. In this example, we're configuring an Application Insights resource.
 1. Select **Access Control (IAM)**.
 1. Under **Grant access to this resource**, select **Add role assignment**.
 
    :::image type="content" source="./media/permissions/permissions-iam.png" alt-text="Screenshot of the Azure platform to add role assignment in App Insights.":::
 
-1. The portal lists various roles you can give to your Managed Grafana resource. Select a role. For instance, **Monitoring Reader**. Select this role.
-1. Click **Next**.
+1. The portal lists all the roles you can give to your Azure Managed Grafana resource. Select a role. For instance, **Monitoring Reader**, and select **Next**.
       :::image type="content" source="./media/permissions/permissions-role.png" alt-text="Screenshot of the Azure platform and choose Monitor Reader.":::
 
-1. For **Assign access to**, select **Managed Identity**.
-1. Click **Select members**.
+1. For **Assign access to**, select **Managed identity**.
+1. Click on **Select members**.
 
       :::image type="content" source="media/permissions/permissions-members.png" alt-text="Screenshot of the Azure platform selecting members.":::
 
-1. Select the **Subscription** containing your Managed Grafana instance
-1. Select a **Managed identity** from the options in the dropdown list
-1. Select the Managed Grafana instance from the list.
+1. Select the **Subscription** containing your Managed Grafana instance.
+1. For **Managed identity**, select **Azure Managed Grafana**.
+1. Select one or several Managed Grafana instances.
 1. Click **Select** to confirm
 
       :::image type="content" source="media/permissions/permissions-managed-identities.png" alt-text="Screenshot of the Azure platform selecting the instance.":::
 
-1. Click **Next**, then **Review + assign** to confirm the application of the new permission
+1. Select **Next**, then **Review + assign** to confirm the assignment of the new permission.
 
 For more information about how to use Managed Grafana with Azure Monitor, go to [Monitor your Azure services in Grafana](../azure-monitor/visualize/grafana-plugin.md).
 
+### [Azure CLI](#tab/azure-cli)
+
+Assign a role assignment using the [az role assignment create](/cli/azure/role/assignment#az-role-assignment-create) command.
+
+In the code below, replace the following placeholders:
+
+- `<assignee>`: enter the assignee's object ID. For a managed identity, enter the managed identity's ID.
+- `<roleNameOrId>`: enter the role's name or ID. For Monitoring Reader, enter `Monitoring Reader` or `43d0d8ad-25c7-4714-9337-8ba259a9fe05`.
+- `<scope>`: enter the full ID of the resource Azure Managed Grafana needs access to.
+
+```azurecli
+az role assignment create --assignee "<assignee>" \
+--role "<roleNameOrId>" \
+--scope "<scope>"
+```
+
+Example: assigning permission for an Azure Managed Grafana instance to access an Application Insights resource using a managed identity.
+
+```azurecli
+az role assignment create --assignee "/subscriptions/abcdef01-2345-6789-0abc-def012345678/resourcegroups/my-rg/providers/Microsoft.Dashboard/grafana/mygrafanaworkspace" \
+--role "Monitoring Reader" \
+--scope "/subscriptions/abcdef01-2345-6789-0abc-def012345678/resourcegroups/my-rg/providers/microsoft.insights/components/myappinsights/
+```
+
+For more information about assigning Azure roles using the Azure CLI, refer to the [Role based access control documentation](../role-based-access-control/role-assignments-cli.md).
+
+---
+
 ## Next steps
 
 > [!div class="nextstepaction"]

articles/managed-grafana/how-to-share-grafana-workspace.md

@@ -1,59 +1,95 @@
 ---
 title: How to share an Azure Managed Grafana instance
-description: 'Azure Managed Grafana: learn how you can share access permissions and dashboards with your team and customers.' 
+description: 'Learn how you can share access permissions to Azure Grafana Managed.' 
 author: maud-lv 
 ms.author: malev 
 ms.service: managed-grafana 
+ms.custom: engagement-fy23
 ms.topic: how-to 
-ms.date: 3/31/2022 
+ms.date: 3/08/2023 
 ---
 
-# How to share an Azure Managed Grafana instance
+# How to share access to Azure Managed Grafana
 
-A DevOps team may build dashboards to monitor and diagnose an application or infrastructure that it manages. Likewise, a support team may use a Grafana monitoring solution for troubleshooting customer issues. In these scenarios, multiple users will be accessing one Grafana instance. Azure Managed Grafana enables such sharing by allowing you to set the custom permissions on an instance that you own. This article explains what permissions are supported and how to grant permissions to share dashboards with your internal teams or external customers.
+A DevOps team may build dashboards to monitor and diagnose an application or infrastructure that it manages. Likewise, a support team may use a Grafana monitoring solution for troubleshooting customer issues. In these scenarios, multiple users are accessing one Grafana instance. 
+
+Azure Managed Grafana enables such collaboration by allowing you to set custom permissions on an instance that you own. This article explains what permissions are supported and how to grant permissions to share an Azure Managed Grafana instance with your stakeholders.
 
 ## Prerequisites
 
 - An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free).
 - An Azure Managed Grafana instance. If you don't have one yet, [create a Managed Grafana instance](./how-to-permissions.md).
+- You must have Grafana Admin permissions on the instance.
 
 ## Supported Grafana roles
 
-Azure Managed Grafana supports the Admin, Viewer and Editor roles:
+Azure Managed Grafana supports the Grafana Admin, Grafana Editor, and Grafana Viewer roles:
 
-- The Admin role provides full control of the instance including viewing, editing, and configuring data sources.
-- The Editor role provides read-write access to the dashboards in the instance.
-- The Viewer role provides read-only access to dashboards in the instance.
+- The Grafana Admin role provides full control of the instance including managing role assignments, viewing, editing, and configuring data sources.
+- The Grafana Editor role provides read-write access to the dashboards in the instance.
+- The Grafana Viewer role provides read-only access to dashboards in the instance.
 
-The Admin role is automatically assigned to the creator of a Grafana instance. More details on Admin, Editor, and Viewer roles can be found at [Grafana organization roles](https://grafana.com/docs/grafana/latest/permissions/organization_roles/#compare-roles).
+More details on Grafana roles can be found in the [Grafana documentation](https://grafana.com/docs/grafana/latest/permissions/organization_roles/#compare-roles).
 
-Grafana user roles and assignments are fully integrated with the Azure Active Directory (Azure AD). You can add any Azure AD user or security group to a Grafana role and grant them access permissions associated with that role. You can manage these permissions from the Azure portal or the command line. This section explains how to assign users to the Viewer or Editor role in the Azure portal.
+Grafana user roles and assignments are fully [integrated within Azure Active Directory (Azure AD)](../role-based-access-control/built-in-roles.md#grafana-admin). You can assign a Grafana role to any Azure AD user, group, service principal or managed identity, and grant them access permissions associated with that role. You can manage these permissions from the Azure portal or the command line. This section explains how to assign Grafana roles to users in the Azure portal.
 
 > [!NOTE]
-> Azure Managed Grafana doesn't support personal [Microsoft accounts](https://account.microsoft.com) (a.k.a., MSA) currently.
-
-## Sign in to Azure
+> Azure Managed Grafana doesn't support personal Microsoft accounts (MSA) currently.
 
-Sign in to the Azure portal at [https://portal.azure.com/](https://portal.azure.com/) with your Azure account.
+## Add a Grafana role assignment
 
-## Assign an Admin, Viewer or Editor role to a user
+### [Portal](#tab/azure-portal)
 
-1. Open your Managed Grafana instance.
-1. Select **Access control (IAM)** in the navigation menu.
-1. Click **Add**, then **Add role assignment**
+1. Open your Azure Managed Grafana instance.
+1. Select **Access control (IAM)** in the left menu.
+1. Select **Add role assignment**.
 
       :::image type="content" source="media/share/iam-page.png" alt-text="Screenshot of Add role assignment in the Azure platform.":::
 
-1. Select one of the Grafana roles to assign to a user or security group. The available roles are:
-
-   - Grafana Admin
-   - Grafana Editor
-   - Grafana Viewer
+1. Select a Grafana role to assign among **Grafana Admin**, **Grafana Editor** or **Grafana Viewer**, then select **Next**.
 
     :::image type="content" source="media/share/role-assignment.png" alt-text="Screenshot of the Grafana roles in the Azure platform.":::
 
+1. Choose if you want to assign access to a **User, group, or service principal**, or to a **Managed identity**.
+1. Click on **Select members**, pick the members you want to assign to the Grafana role and then confirm with **Select**.
+1. Select **Next**, then **Review + assign** to complete the role assignment.
+
 > [!NOTE]
-> Dashboard and data source level sharing will be done from within the Grafana application. For more details, refer to [Grafana permissions](https://grafana.com/docs/grafana/latest/permissions/).
+> Dashboard and data source level sharing are done from within the Grafana application. For more information, refer to [Share a Grafana dashboard or panel](./how-to-share-dashboard.md). [Share a Grafana dashboard] and [Data source permissions](https://grafana.com/docs/grafana/latest/administration/data-source-management/#data-source-permissions).
+
+### [Azure CLI](#tab/azure-cli)
+
+Assign a role using the [az role assignment create](/cli/azure/role/assignment#az-role-assignment-create) command.
+
+In the code below, replace the following placeholders:
+
+- `<assignee>`:
+  - For an Azure AD user, enter their email address or the user object ID.
+  - For a group, enter the group object ID.
+  - For a service principal, enter the service principal object ID.
+  - For a managed identity, enter the object ID.
+- `<roleNameOrId>`:
+  - For Grafana Admin, enter `Grafana Admin` or `22926164-76b3-42b3-bc55-97df8dab3e41`.
+   - For Grafana Editor, enter `Grafana Editor` or `a79a5197-3a5c-4973-a920-486035ffd60f`.
+   - For Grafana Viewer, enter `Grafana Viewer` or `60921a7e-fef1-4a43-9b16-a26c52ad4769`.
+- `<scope>`: enter the full ID of the Azure Managed Grafana instance.
+
+```azurecli
+az role assignment create --assignee "<assignee>" \
+--role "<roleNameOrId>" \
+--scope "<scope>"
+```
+
+Example:
+
+```azurecli
+az role assignment create --assignee "[email protected]" \
+--role "Grafana Admin" \
+--scope "/subscriptions/abcdef01-2345-6789-0abc-def012345678/resourcegroups/my-rg/providers/Microsoft.Dashboard/grafana/my-grafana"
+```
+For more information about assigning Azure roles using the Azure CLI, refer to the [Role based access control documentation](../role-based-access-control/role-assignments-cli.md).
+
+---
 
 ## Next steps
 
@@ -64,4 +100,4 @@ Sign in to the Azure portal at [https://portal.azure.com/](https://portal.azure.
 > [Modify access permissions to Azure Monitor](./how-to-permissions.md)
 
 > [!div class="nextstepaction"]
-> [Call Grafana APIs in your automation](./how-to-api-calls.md)
+> [Share a Grafana dashboard or panel](./how-to-share-dashboard.md). 

articles/managed-grafana/index.yml

@@ -51,7 +51,7 @@ landingContent:
     linkLists:
       - linkListType: how-to-guide
         links:
-          - text: Modify permissions
+          - text: Modify access to Azure Monitor
             url: how-to-permissions.md
           - text: Share an instance
             url: how-to-share-grafana-workspace.md

articles/managed-grafana/media/share/iam-page.png

@@ -39,7 +39,7 @@ items:
     href: how-to-create-dashboard.md
   - name: Share a dashboard
     href: how-to-share-dashboard.md
-  - name: Share an Azure Managed Grafana instance
+  - name: Share a workspace
     href: how-to-share-grafana-workspace.md
   - name: Configure SMTP settings
     href: how-to-smtp-settings.md