You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/managed-grafana/how-to-sync-teams-with-azure-ad-groups.md
+15-15Lines changed: 15 additions & 15 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,40 +1,41 @@
1
1
---
2
-
title: Create Grafana teams with Microsoft Entra groups
3
-
description: Learn how to set up Grafana teams and allow access to Grafana folders and dashboards using Microsoft Entra groups in Azure Managed Grafana.
4
-
#customer intent: As a Grafana administrator, I want to set up a Grafana team using Microsoft Entra groups to allow access to specific folders and dashboards.
2
+
title: Configure Grafana team sync with Microsoft Entra groups
3
+
description: Learn how to configure Grafana Teams and allow access to Grafana folders and dashboards using Microsoft Entra groups in Azure Managed Grafana.
4
+
#customer intent: As a Grafana administrator, I want to use Microsoft Entra groups to set up Grafana teams and control access to specific folders and dashboards.
5
5
ms.service: managed-grafana
6
6
ms.topic: how-to
7
7
author: maud-lv
8
8
ms.author: malev
9
9
ms.date: 06/7/2024
10
10
---
11
11
12
-
#Create and manage Grafana teams with Microsoft Entra groups
12
+
#Configure Grafana teams with Microsoft Entra groups and Grafana team sync
13
13
14
-
In this guide, you learn how to use Microsoft Entra groups with [Grafana Team Sync](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-team-sync/) to set dashboard permissions in Azure Managed Grafana.
14
+
In this guide, you learn how to use This guide will help you use Microsoft Entra groups with [Grafana Team Sync](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-team-sync/) to manage dashboard permissions in Azure Managed Grafana.
15
15
16
-
Grafana allows you to control access to its resources at multiple levels. In Azure Managed Grafana, you use the built-in Azure role-based access control(RBAC) roles for Grafana to define access rights users have. These permissions are applied to all resources in your Grafana workspace by default. You can't, for example, grant someone edit permission to only one particular dashboard with RBAC. If you assign a user to the Grafana Editor role, that user can make changes to any dashboard in your Grafana workspace. Using Grafana's [granular permission model](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-team-sync/), you can elevate or demote a user's default permission level for specific dashboards, or dashboard folders.
16
+
In Azure Managed Grafana, you can use Azure's role-based access control(RBAC) roles for Grafana to define access rights. These permissions apply to all resources in your Grafana workspace by default, not per folder or dashboard. If you assign a user to the Grafana Editor role, that user can edit any dashboard in your Grafana workspace. However, with Grafana's [granular permission model](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-team-sync/), you can adjust a user's default permission level for specific dashboards or dashboard folders.
17
17
18
-
Managed Grafana stores the user assignments for its built-in RBAC roles in Microsoft Entra ID. For performance reasons, it doesn't automatically synchronize the user assignments to Grafana workspaces. Users in these roles don't show up in Grafana's **Configuration** UI until they've signed in once. You can only grant users extra permissions after they appear in the Grafana user list in **Configuration**. Microsoft Entra group sync gets around this issue. With this feature, you create a *Grafana team* in your Grafana workspace linked with a Microsoft Entra group. You then configure your dashboard permissions for that team. For example, you can grant a Grafana viewer the ability to modify a dashboard, or block a Grafana editor from being able to make changes.
19
18
20
-
Setting up Microsoft Entra group sync is done by following these steps in a given Azure Managed Grafana workspace:
19
+
Microsoft Entra group sync helps you manage this. With it, you can create a *Grafana team* in a Grafana workspace, link it to a Microsoft Entra group, and then configure your dashboard permissions for that team. For example, you can allow a Grafana viewer to modify a dashboard, or prevent a Grafana editor from making changes.
20
+
21
+
To set up Microsoft Entra group sync, follow these steps in your Azure Managed Grafana workspace:
21
22
22
23
1. Assign a Grafana role to a Microsoft Entra Group
23
24
1. Create a Grafana team in an Azure Managed Grafana workspace
24
-
1. Assign the Microsoft Entra group in the Grafana team
25
+
1. Assign the Microsoft Entra group to the Grafana team
25
26
1. In the Grafana UI, assign permissions at the folder or dashboard level
26
27
27
28
<a name='set-up-azure-ad-group-sync'></a>
28
29
29
30
## Prerequisites
30
31
31
-
To follow the steps in this guide, you must have:
32
+
Before you start, make sure you have:
32
33
33
34
- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free).
34
35
- An Azure Managed Grafana instance. If needed, [create a new instance](quickstart-managed-grafana-portal.md).
35
36
- A Microsoft Entra group. If needed, [create a basic group and add members](/entra/fundamentals/how-to-manage-groups.md#create-a-basic-group-and-add-members).
36
37
37
-
## Give the Microsoft Entra group the required permission on the Grafana instance
38
+
## Assign a permission to the Microsoft Entra group
38
39
39
40
The Microsoft Entra group must have a Grafana role to access the Grafana instance.
40
41
@@ -69,7 +70,7 @@ Set up a Microsoft Entra ID-backed Grafana team.
69
70
70
71
:::image type="content" source="media/azure-ad-group-sync/select-azure-ad-group.png" alt-text="Screenshot of the Azure portal. Finding and selecting a Microsoft Entra group.":::
71
72
72
-
1. Optionally repeat the previous three steps to add more Microsoft Entra groups to the Grafana team as appropriate.
73
+
1. Optionally repeat the previous three steps to add more Microsoft Entra groups to the Grafana team.
73
74
74
75
### Assign access to a Grafana folder or dashboard
75
76
@@ -85,16 +86,15 @@ Set up a Microsoft Entra ID-backed Grafana team.
85
86
> [!TIP]
86
87
> To check existing access permissions for a dashboard, open a dashboard and go to the **Permissions** tab. This page shows all permissions assigned for this dashboard and all inherited permissions.
87
88
88
-
:::image type="content" source="media/azure-ad-group-sync/view-permissions.png" alt-text="Screenshot of the Grafana UI, adding a permission for a team in a Grafana folder.":::
89
-
89
+
:::image type="content" source="media/azure-ad-group-sync/view-permissions.png" alt-text="Screenshot of the Grafana UI, showing permission for a Grafana dashboard.":::
90
90
91
91
### Scope down access
92
92
93
93
You can scale down access by removing permissions to access one or more folders.
94
94
95
95
For example, if a user, group of users has the Grafana Viewer role on a Grafana instance, disable their access to a folder by following these steps:
96
96
97
-
1. In the Grafana UI, go to a folder you want to hide from the user
97
+
1. In the Grafana UI, go to a folder you want to hide from the user.
98
98
1. In the **Permissions** tab, select the **X** button to the right of the **Viewer** permission to remove this permission from this folder.
99
99
1. Repeat this step for all folders you want to hide from the user.
0 commit comments