Commit fcfebce

Merge pull request #278128 from maud-lv/ml-gsingleshare
Add information about permissions and scope
2 parents fafced3 + 55debb7 commit fcfebce

7 files changed

+63
-15
lines changed

articles/managed-grafana/how-to-sync-teams-with-azure-ad-groups.md

Lines changed: 63 additions & 15 deletions
@@ -1,46 +1,94 @@
11
---
2-
title: Sync Grafana teams with Microsoft Entra groups
3-
description: Learn how to set up Grafana teams using Microsoft Entra groups in Azure Managed Grafana
2+
title: Configure Grafana team sync with Microsoft Entra groups
3+
description: Learn how to configure Grafana Teams and allow access to Grafana folders and dashboards using Microsoft Entra groups in Azure Managed Grafana.
4+
#customer intent: As a Grafana administrator, I want to use Microsoft Entra groups to set up Grafana teams and control access to specific folders and dashboards.
45
ms.service: managed-grafana
56
ms.topic: how-to
67
author: maud-lv
78
ms.author: malev
8-
ms.date: 2/21/2024
9+
ms.date: 06/7/2024
910
---
1011

11-
# Sync Grafana teams with Microsoft Entra groups (preview)
12+
# Configure Grafana teams with Microsoft Entra groups and Grafana team sync
1213

13-
In this guide, you learn how to use Microsoft Entra groups with [Grafana Team Sync](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-team-sync/) (Microsoft Entra group sync) to set dashboard permissions in Azure Managed Grafana. Grafana allows you to control access to its resources at multiple levels. In Managed Grafana, you use the built-in Azure RBAC roles for Grafana to define access rights users have. These permissions are applied to all resources in your Grafana workspace by default. You can't, for example, grant someone edit permission to only one particular dashboard with RBAC. If you assign a user to the Grafana Editor role, that user can make changes to any dashboard in your Grafana workspace. Using Grafana's [granular permission model](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-team-sync/), you can elevate or demote a user's default permission level for specific dashboards (or dashboard folders).
14+
In this guide, you learn how to useMicrosoft Entra groups with [Grafana Team Sync](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-team-sync/) to manage dashboard permissions in Azure Managed Grafana.
1415

15-
Setting up dashboard permissions for individual users in Managed Grafana is a little tricky. Managed Grafana stores the user assignments for its built-in RBAC roles in Microsoft Entra ID. For performance reasons, it doesn't automatically synchronize the user assignments to Grafana workspaces. Users in these roles don't show up in Grafana's **Configuration** UI until they've signed in once. You can only grant users extra permissions after they appear in the Grafana user list in **Configuration**. Microsoft Entra group sync gets around this issue. With this feature, you create a *Grafana team* in your Grafana workspace linked with a Microsoft Entra group. You then use that team in configuring your dashboard permissions. For example, you can grant a viewer the ability to modify a dashboard or block an editor from being able to make changes. You don't need to manage the team's member list separately since its membership is already defined in the associated Microsoft Entra group.
16+
In Azure Managed Grafana, you can use Azure's role-based access control (RBAC) roles for Grafana to define access rights. These permissions apply to all resources in your Grafana workspace by default, not per folder or dashboard. If you assign a user to the Grafana Editor role, that user can edit any dashboard in your Grafana workspace. However, with Grafana's [granular permission model](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-team-sync/), you can adjust a user's default permission level for specific dashboards or dashboard folders.
1617

17-
> [!IMPORTANT]
18-
> Microsoft Entra group sync is currently in preview. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
18+
19+
Microsoft Entra group sync helps you manage this. With it, you can create a *Grafana team* in a Grafana workspace, link it to a Microsoft Entra group, and then configure your dashboard permissions for that team. For example, you can allow a Grafana viewer to modify a dashboard, or prevent a Grafana editor from making changes.
1920

2021
<a name='set-up-azure-ad-group-sync'></a>
2122

22-
## Set up Microsoft Entra group sync
23+
## Prerequisites
24+
25+
Before you start, make sure you have:
26+
27+
- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free).
28+
- An Azure Managed Grafana instance. If needed, [create a new instance](quickstart-managed-grafana-portal.md).
29+
- A Microsoft Entra group. If needed, [create a basic group and add members](/entra/fundamentals/how-to-manage-groups#create-a-basic-group-and-add-members).
30+
31+
## Assign a permission to a Microsoft Entra group
32+
33+
The Microsoft Entra group must have a Grafana role to access the Grafana instance.
34+
35+
1. In your Grafana workspace, open the **Access control (IAM)** menu select **Add** > **Add new role assignment**.
2336

24-
To use Microsoft Entra group sync, you add a new team to your Grafana workspace and link it to an existing Microsoft Entra group through its group ID. Follow these steps to set up a Microsoft Entra ID-backed Grafana team.
37+
:::image type="content" source="media/azure-ad-group-sync/add-role-assignment.png" alt-text="Screenshot of the Azure portal. Adding a new role assignment.":::
2538

26-
1. In the Azure portal, open your Grafana instance and select **Configuration** under *Settings*.
27-
1. Select the **Microsoft Entra team Sync Settings** tab.
28-
1. Select **+ Create new Grafana team**.
39+
1. Assign a role, such as **Grafana viewer**, to the Microsoft Entra group. For more information about assigning a role, go to [Grant access](../role-based-access-control/quickstart-assign-role-user-portal.md#grant-access).
40+
41+
### Create a Grafana team
42+
43+
Set up a Microsoft Entra ID-backed Grafana team.
44+
45+
1. In the Azure portal, open your Grafana instance and select **Configuration** under **Settings**.
46+
1. Select the **Microsoft Entra Team Sync Settings** tab.
47+
1. Select **Create new Grafana team**.
2948

3049
:::image type="content" source="media/azure-ad-group-sync/team-sync-settings.png" alt-text="Screenshot of the Azure portal. Configuring Microsoft Entra team sync.":::
3150

3251
1. Enter a name for the Grafana team and select **Add**.
3352

3453
:::image type="content" source="media/azure-ad-group-sync/create-new-grafana-team.png" alt-text="Screenshot of the Azure portal. Creating a new Grafana team.":::
3554

55+
### Assign a Microsoft Entra group to a Grafana team
56+
3657
1. In **Assign access to**, select the newly created Grafana team.
3758
1. Select **+ Add a Microsoft Entra group**.
3859

39-
1. In the search box, enter a Microsoft Entra group name and select the group name in the results. Click **Select** to go confirm.
60+
1. In the search box, enter a Microsoft Entra group name and select the group name in the results. Click **Select** to confirm.
4061

4162
:::image type="content" source="media/azure-ad-group-sync/select-azure-ad-group.png" alt-text="Screenshot of the Azure portal. Finding and selecting a Microsoft Entra group.":::
4263

43-
1. Repeat the previous three steps to add more Microsoft Entra groups to the Grafana team as appropriate.
64+
1. Optionally repeat the previous three steps to add more Microsoft Entra groups to the Grafana team.
65+
66+
### Assign access to a Grafana folder or dashboard
67+
68+
1. In the Grafana UI, open a folder or a dashboard.
69+
1. In the **Permissions** tab, select **Add a permission**.
70+
71+
:::image type="content" source="media/azure-ad-group-sync/add-permission.png" alt-text="Screenshot of the Azure portal, selecting Add a permission." lightbox="media/azure-ad-group-sync/add-permission.png":::
72+
73+
1. Under **Add permission for**, select **Team**, then select the team name, the **View**, **Edit** or **Admin** permission, and save. You can add permissions for a user, a team or a role.
74+
75+
:::image type="content" source="media/azure-ad-group-sync/add-permission-for-team.png" alt-text="Screenshot of the Grafana UI, adding a permission for a team in a Grafana folder.":::
76+
77+
> [!TIP]
78+
> To check existing access permissions for a dashboard, open a dashboard and go to the **Permissions** tab. This page shows all permissions assigned for this dashboard and all inherited permissions.
79+
> :::image type="content" source="media/azure-ad-group-sync/view-permissions.png" alt-text="Screenshot of the Grafana UI, showing permission for a Grafana dashboard.":::
80+
81+
### Scope down access
82+
83+
You can limit access by removing permissions to access one or more folders.
84+
85+
For example, to disable access to a user who has the Grafana Viewer role on a Grafana instance, remove their access to a Grafana folder by following these steps:
86+
87+
1. In the Grafana UI, go to a folder you want to hide from the user.
88+
1. In the **Permissions** tab, select the **X** button to the right of the **Viewer** permission to remove this permission from this folder.
89+
1. Repeat this step for all folders you want to hide from the user.
90+
91+
:::image type="content" source="media/azure-ad-group-sync/remove-permission.png" alt-text="Screenshot of the Grafana UI, removing the Viewer permission in a Grafana folder.":::
4492

4593
<a name='remove-azure-ad-group-sync'></a>
4694
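Review bot: In the "Scope down access" section, the example is framed as disabling access for "a user who has the Grafana Viewer role", but the step itself removes the folder's **Viewer** permission entry ("select the **X** button to the right of the **Viewer** permission"), which reads as a role-wide change rather than a per-user one. State explicitly who loses access to the folder after this step, and whether a team permission added under "Assign access to a Grafana folder or dashboard" still grants access once the Viewer entry is gone. In the same list, "Repeat this step" follows two steps, so "Repeat these steps" would be clearer. Smaller points in the added lines: "useMicrosoft" in the intro is missing a space; step 1 under "Assign a permission to a Microsoft Entra group" needs "and" between "menu" and "select"; `ms.date: 06/7/2024` mixes padded and unpadded fields and should read 06/07/2024; the "granular permission model" link still targets the same configure-team-sync URL as the Team Sync link; and the `set-up-azure-ad-group-sync` anchor now sits above "## Prerequisites" instead of the setup steps, so existing deep links land on the wrong section.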
