|
1 | 1 | --- |
2 | | -title: Sync Grafana teams with Microsoft Entra groups |
| 2 | +title: Create Grafana teams with Microsoft Entra groups |
3 | 3 | description: Learn how to set up Grafana teams using Microsoft Entra groups in Azure Managed Grafana |
4 | 4 | ms.service: managed-grafana |
5 | 5 | ms.topic: how-to |
6 | 6 | author: maud-lv |
7 | 7 | ms.author: malev |
8 | | -ms.date: 2/21/2024 |
| 8 | +ms.date: 06/7/2024 |
9 | 9 | --- |
10 | 10 |
|
11 | | -# Sync Grafana teams with Microsoft Entra groups (preview) |
| 11 | +# Create Grafana teams with Microsoft Entra groups |
12 | 12 |
|
13 | 13 | In this guide, you learn how to use Microsoft Entra groups with [Grafana Team Sync](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-team-sync/) (Microsoft Entra group sync) to set dashboard permissions in Azure Managed Grafana. Grafana allows you to control access to its resources at multiple levels. In Managed Grafana, you use the built-in Azure RBAC roles for Grafana to define access rights users have. These permissions are applied to all resources in your Grafana workspace by default. You can't, for example, grant someone edit permission to only one particular dashboard with RBAC. If you assign a user to the Grafana Editor role, that user can make changes to any dashboard in your Grafana workspace. Using Grafana's [granular permission model](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-team-sync/), you can elevate or demote a user's default permission level for specific dashboards (or dashboard folders). |
14 | 14 |
|
15 | 15 | Setting up dashboard permissions for individual users in Managed Grafana is a little tricky. Managed Grafana stores the user assignments for its built-in RBAC roles in Microsoft Entra ID. For performance reasons, it doesn't automatically synchronize the user assignments to Grafana workspaces. Users in these roles don't show up in Grafana's **Configuration** UI until they've signed in once. You can only grant users extra permissions after they appear in the Grafana user list in **Configuration**. Microsoft Entra group sync gets around this issue. With this feature, you create a *Grafana team* in your Grafana workspace linked with a Microsoft Entra group. You then use that team in configuring your dashboard permissions. For example, you can grant a viewer the ability to modify a dashboard or block an editor from being able to make changes. You don't need to manage the team's member list separately since its membership is already defined in the associated Microsoft Entra group. |
16 | 16 |
|
17 | | -> [!IMPORTANT] |
18 | | -> Microsoft Entra group sync is currently in preview. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. |
19 | | - |
20 | 17 | <a name='set-up-azure-ad-group-sync'></a> |
21 | 18 |
|
| 19 | +## Prerequisites |
| 20 | + |
| 21 | +To follow the steps in this guide, you must have: |
| 22 | + |
| 23 | +- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free). |
| 24 | +- An Azure Managed Grafana instance. If needed, [create a new instance](quickstart-managed-grafana-portal.md). |
| 25 | +- A Microsoft Entra group. I needed, [create a basic group and add members](/entra/fundamentals/how-to-manage-groups#create-a-basic-group-and-add-members). |
| 26 | + |
22 | 27 | ## Set up Microsoft Entra group sync |
23 | 28 |
|
24 | | -To use Microsoft Entra group sync, you add a new team to your Grafana workspace and link it to an existing Microsoft Entra group through its group ID. Follow these steps to set up a Microsoft Entra ID-backed Grafana team. |
| 29 | +To use Microsoft Entra group sync, you assign a Grafana role to a Microsoft Entra Group, create a Grafana team, and link this Microsoft Entra group to this |
| 30 | + |
| 31 | +group to add a team to your Grafana workspace, and link this team to an existing Microsoft Entra group through its group ID. |
| 32 | + |
| 33 | +## Give this group the desired permission on the Grafana instance. |
| 34 | + |
| 35 | +The Microsoft Entra group must have a Grafana role to access the Grafana instance. |
| 36 | + |
| 37 | + 1. In your Grafana workspace, open the **Access control (IAM)** menu select **Add** > **Add new role assignment**. |
| 38 | + 1. Assign a role, such as **Grafana viewer**, to the Microsoft Entra group |
| 39 | + |
| 40 | +### Create a Grafana team |
| 41 | + |
| 42 | +Follow these steps to set up a Microsoft Entra ID-backed Grafana team. |
25 | 43 |
|
26 | 44 | 1. In the Azure portal, open your Grafana instance and select **Configuration** under *Settings*. |
27 | | -1. Select the **Microsoft Entra team Sync Settings** tab. |
28 | | -1. Select **+ Create new Grafana team**. |
| 45 | +1. Select the **Microsoft Entra Team Sync Settings** tab. |
| 46 | +1. Select **Create new Grafana team**. |
29 | 47 |
|
30 | 48 | :::image type="content" source="media/azure-ad-group-sync/team-sync-settings.png" alt-text="Screenshot of the Azure portal. Configuring Microsoft Entra team sync."::: |
31 | 49 |
|
32 | 50 | 1. Enter a name for the Grafana team and select **Add**. |
33 | 51 |
|
34 | 52 | :::image type="content" source="media/azure-ad-group-sync/create-new-grafana-team.png" alt-text="Screenshot of the Azure portal. Creating a new Grafana team."::: |
35 | 53 |
|
| 54 | +### Assign a Microsoft Entra group to a Grafana team |
| 55 | + |
36 | 56 | 1. In **Assign access to**, select the newly created Grafana team. |
37 | 57 | 1. Select **+ Add a Microsoft Entra group**. |
38 | 58 |
|
39 | | -1. In the search box, enter a Microsoft Entra group name and select the group name in the results. Click **Select** to go confirm. |
| 59 | +1. In the search box, enter a Microsoft Entra group name and select the group name in the results. Click **Select** to confirm. |
40 | 60 |
|
41 | 61 | :::image type="content" source="media/azure-ad-group-sync/select-azure-ad-group.png" alt-text="Screenshot of the Azure portal. Finding and selecting a Microsoft Entra group."::: |
42 | 62 |
|
43 | 63 | 1. Repeat the previous three steps to add more Microsoft Entra groups to the Grafana team as appropriate. |
44 | 64 |
|
| 65 | +### Scope down access to a specific folder |
| 66 | + |
| 67 | +To scope down access to a specific folder, remove permissions to all other folders. |
| 68 | + |
| 69 | +1. Decide which Microsoft Entra group will have access to the folder and give this group the desired permission on the Grafana instance. |
| 70 | + 1. In your Grafana workspace, open the **Access control (IAM)** menu select **Add** > **Add new role assignment**. |
| 71 | + 1. Select a role such as **Grafana Viewer**. |
| 72 | + 1. Assign access to the group of your choice. |
| 73 | +1. Add group In Azure portal, use the Microsoft Entra Team Sync Settings page add an AAD group into Grafana Team. This will map users in an AAD group to a Grafana Team. |
| 74 | +- In Grafana, grant this AAD group view permission to a folder |
| 75 | +- Remove the view permission for view role on all other folders, that way having ‘Grafana Viewer’ role still doesn’t mean they get read access to all other folders. |
| 76 | + |
| 77 | +You can actually map multiple AAD groups to a single Grafana team, effectively granting multiple AAD groups view permission with just one Grafana team. |
| 78 | + |
45 | 79 | <a name='remove-azure-ad-group-sync'></a> |
46 | 80 |
|
47 | 81 | ## Remove Microsoft Entra group sync |
|
0 commit comments