satomic
diff --git a/‎.azdo/pipelines/azure-dev.yml‎
Lines changed: 3 additions & 1 deletion b/‎.azdo/pipelines/azure-dev.yml‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎.github/workflows/azure-dev.yml‎
Lines changed: 6 additions & 2 deletions b/‎.github/workflows/azure-dev.yml‎
Lines changed: 6 additions & 2 deletions
diff --git a/‎README.md‎
Lines changed: 11 additions & 5 deletions b/‎README.md‎
Lines changed: 11 additions & 5 deletions
diff --git a/‎deploy/azure-container-apps.md‎
Lines changed: 49 additions & 3 deletions b/‎deploy/azure-container-apps.md‎
Lines changed: 49 additions & 3 deletions
diff --git a/‎infra/main.bicep‎
Lines changed: 10 additions & 2 deletions b/‎infra/main.bicep‎
Lines changed: 10 additions & 2 deletions
@@ -42,6 +42,9 @@ steps:
       GITHUB_ORGANIZATION_SLUGS: $(GH_ORGANIZATION_SLUGS)
       AZURE_RESOURCE_GROUP: $(AZURE_RESOURCE_GROUP)
       GITHUB_PAT: $(GH_PAT)
+      AZURE_AUTHENTICATION_ENABLED: $(AZURE_AUTHENTICATION_ENABLED)
+      AZURE_AUTHENTICATION_CLIENT_ID: $(AZURE_AUTHENTICATION_CLIENT_ID)
+      AZURE_AUTHENTICATION_OPEN_ID_ISSUER: $(AZURE_AUTHENTICATION_OPEN_ID_ISSUER)
 
   - task: AzureCLI@2
     displayName: Deploy Application
@@ -56,4 +59,3 @@ steps:
       AZURE_SUBSCRIPTION_ID: $(AZURE_SUBSCRIPTION_ID)
       AZURE_ENV_NAME: $(AZURE_ENV_NAME)
       AZURE_LOCATION: $(AZURE_LOCATION)
-
 
@@ -3,7 +3,7 @@ on:
   workflow_dispatch:
   push:
     # Run when commits are pushed to mainline branch (main or master)
-    # Set this to the mainline branch you are using 
+    # Set this to the mainline branch you are using
     branches:
       - main
 
@@ -23,9 +23,13 @@ jobs:
       AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
       AZURE_ENV_NAME: ${{ vars.AZURE_ENV_NAME }}
       AZURE_LOCATION: ${{ vars.AZURE_LOCATION }}
+      AZURE_USER_PRINCIPAL_ID: ${{ secrets.AZURE_USER_PRINCIPAL_ID }}
       GITHUB_ORGANIZATION_SLUGS: ${{ vars.GH_ORGANIZATION_SLUGS }}
       AZURE_RESOURCE_GROUP: ${{ vars.AZURE_RESOURCE_GROUP }}
       ASSIGN_PERMISSIONS_TO_PRINCIPAL: false
+      AZURE_AUTHENTICATION_ENABLED: ${{ vars.AZURE_AUTHENTICATION_ENABLED }}
+      AZURE_AUTHENTICATION_CLIENT_ID: ${{ secrets.AZURE_AUTHENTICATION_CLIENT_ID }}
+      AZURE_AUTHENTICATION_OPEN_ID_ISSUER: ${{ vars.AZURE_AUTHENTICATION_OPEN_ID_ISSUER }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -38,7 +42,7 @@ jobs:
             --federated-credential-provider "github" `
             --tenant-id "$Env:AZURE_TENANT_ID"
         shell: pwsh
-        
+
       - name: Azure CLI Login (OIDC)
         uses: azure/login@v2
         with:
 
@@ -228,26 +228,32 @@ When setting up a deployment you will need to set the following variables for yo
 
 |**Variable**|**Description**|
 |-|-|
-|AZURE_ENV_NAME|The name of the Azure environment you want to deploy to, such as dev, test, prod, etc.|
-|AZURE_LOCATION|The Azure location you want to deploy to, such as eastus, westus, etc.|
+|AZURE_CLIENT_ID|The Client ID of the identity you want to use to deploy the application.|
+|AZURE_ENV_NAME|The name of the Azure environment you want to deploy to, such as `copilot-usage-advanced-dashboard-dev`.|
+|AZURE_LOCATION|The Azure location you want to deploy to, such as `eastus`, `westus`, etc.|
 |AZURE_RESOURCE_GROUP|The name of the resource group you want to deploy to.|
 |AZURE_SUBSCRIPTION_ID|The GUID for the subscription you want to deploy to.|
+|AZURE_USER_PRINCIPAL_ID|The Object ID of a user you want to grant access to to the Azure Key Vault.|
+|AZURE_TENANT_ID|The Azure Tenant ID of the identity you want to use to deploy the application.|
 |GH_ORGANIZATION_SLUGS|This is your GitHub Organization name. This can be a comma-separated list of orgs if you want to index multiple orgs.|
 |GH_PAT|This is your GitHub Personal Access Token.  Mark this variable as **secret** in your pipeline.|
+|AZURE_AUTHENTICATION_ENABLED|Enable Entra ID Single-Sign On (SSO) authentication.|
+|AZURE_AUTHENTICATION_CLIENT_ID|The Client ID of the Azure AD application.|
+|AZURE_AUTHENTICATION_OPEN_ID_ISSUER|The OpenID Connect issuer URL for Azure AD.|
 
 ## Azure DevOps
-If you are using Azure DevOps, make sure you change the name of the service connection to the name of your service connection.  You will need to change line 
+If you are using Azure DevOps, make sure you change the name of the service connection to the name of your service connection.  You will need to change line
 30 and 45 of the `azure-dev.yml` file located in the `.azdo/pipelines` folder.
 
 To create a service connection you can use the azd pipeline config --provider azdo command from the terminal.  You can read more here:
 https://learn.microsoft.com/en-us/azure/developer/azure-developer-cli/pipeline-azure-pipelines.
 
 You will need to install the "Install azd" extension from the [marketplace](https://marketplace.visualstudio.com/items?itemName=ms-azuretools.azd) in your Azure DevOps organization if you haven't already done so.
 
-You will need to manually create the DevOps variables yourself in the Azure DevOps GUI.  
+You will need to manually create the DevOps variables yourself in the Azure DevOps GUI.
 
 ## GitHub Actions
-You will create a pipeline using the `azure-dev.yml` file located in the `.github/workflows` folder. You will need to manually create the GitHub variables yourself in the GitHub GUI. 
+You will create a pipeline using the `azure-dev.yml` file located in the `.github/workflows` folder. You will need to manually create the GitHub variables yourself in the GitHub GUI.
 
 ## 1. Azure Container Apps
 if you are using Azure Container Apps, please refer to the [Azure Container Apps deployment document](deploy/azure-container-apps.md).
 
@@ -25,10 +25,11 @@ This document describes how to deploy the application in Azure Container Apps us
    azd env set GITHUB_ORGANIZATION_SLUGS ...
    ```
 
-1. **Optional*** Run the following commands to set the Grafana credentials. Note that not setting this values results in the deployment script generating credentials.
+1. **Optional** Run the following commands to set the Grafana credentials. Note that not setting this values results in the deployment script generating credentials.
 
    ```shell
    azd env set GRAFANA_USERNAME ...
+
    azd env set GRAFANA_PASSWORD ...
    ```
 
@@ -37,7 +38,52 @@ This document describes how to deploy the application in Azure Container Apps us
    ```shell
    azd up
    ```
-   
+
 1. After the deployment is complete, you can access the application using the URL provided in the output.
 
-1. The username & password for the Grafana dashboard can be found in the Key Vault. Note that these are not secure credentials and should be changed.
+1. The username & password for the Grafana dashboard can be found in the Key Vault. Note that the default values (if you didn't specify them or are not using Entra ID auth) are not secure credentials and should be changed.
+
+### Optional: Enable Entra ID SSO for Grafana
+
+The Grafana dashboard only uses the `Viewer` role. This means all users that can sign in can see the same data. If you need more fine-grained access, you should follow this URL to set up Entra ID SSO for Grafana: [Grafana Entra ID SSO](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/azuread/). You can also limit which users can sign in to the Grafana dashboard using [Entra ID groups](https://learn.microsoft.com/en-us/entra/identity-platform/howto-restrict-your-app-to-a-set-of-users)
+
+1. Create an app registration in Entra ID (Azure Active Directory) with the following settings:
+
+   - **Name**: `copilot-usage-advanced-dashboard` (or something similar)
+   - **Supported account types**: Accounts in this organizational directory only (Single tenant)
+   - **Redirect URI**: Leave this blank for now, you can update it after the deployment.
+   - **Overview->Application (client) ID**: Copy this value, you will need it later.
+   - **Overview->Directory (tenant) ID**: Copy this value, you will need it later.
+   - **Authentication->Implicit grant and hybrid flows**: Check the box for `ID tokens` to enable OpenID Connect authentication.
+   - **API permissions**: Add the following delegated API permissions to allow Container Apps to sign-in users.
+     - Microsoft Graph
+       - `openid`
+       - `profile`
+       - `offline_access`
+       - `User.Read`
+
+1. Run the following command to set the Entra ID tenant ID
+
+   ```shell
+   azd env set AZURE_AUTHENTICATION_ENABLED true
+
+   azd env set AZURE_AUTHENTICATION_CLIENT_ID <your-app-registration-client-id>
+
+   azd env set AZURE_AUTHENTICATION_OPEN_ID_ISSUER https://login.microsoftonline.com/<your-tenant-id>
+   ```
+
+1. Run the following command to deploy the application.
+
+   ```shell
+   azd up
+   ```
+
+1. **Optional**: If you enabled Entra ID authentication, you will need to update the Entra ID app registration with values from the deployment.
+
+   - **Authentication->Redirect URI**: Update the app registration with the URL of the Grafana dashboard, e.g., `https://<your-container-app-name>.<location>.azurecontainerapps.io/.auth/login/aad/callback`.
+   - **Certificates & secrets->Federated credentials**: Add a new federated credential with the following settings:
+     - **Federated credential scenario**: Managed Identity
+     - **Select managed identity**: Select the managed identity created for the Container App (look in the Azure portal under the Container App's Identity section to find the name of the managed identity).
+     - **Name**: `copilot-usage-advanced-dashboard` (or something similar)
+
+1. After the deployment is complete, you can access the application using the URL provided in the output.
@@ -28,6 +28,8 @@ param grafanaDefinition object
 @description('Id of the user or app to assign application roles')
 param principalId string
 
+param userPrincipalId string = ''
+
 @description('If true, assign permissions to the principalId. If false, do not assign permissions to the principalId. This is useful for testing purposes or when you want to manage permissions manually.')
 param assignPermissionsToPrincipal bool = true
 
@@ -49,8 +51,10 @@ param grafanaImageName string = ''
 
 param doRoleAssignments bool = true
 
+param authentication object
+
 // Tags that should be applied to all resources.
-// 
+//
 // Note that 'azd-service-name' tags should be applied separately to service host resources.
 // Example usage:
 //   tags: union(tags, { 'azd-service-name': <service name in azure.yaml> })
@@ -71,7 +75,7 @@ module resources 'resources.bicep' = {
   params: {
     location: location
     tags: tags
-    principalId: assignPermissionsToPrincipal ? principalId : ''
+    principalId: empty(userPrincipalId) ? principalId : userPrincipalId
     updateGrafanaExists: updateGrafanaExists
     updateGrafanaDefinition: updateGrafanaDefinition
     cpuAdUpdaterExists: cpuAdUpdaterExists
@@ -87,6 +91,7 @@ module resources 'resources.bicep' = {
     githubPat: githubPat
     githubOrganizationSlugs: githubOrganizationSlugs
     doRoleAssignments: doRoleAssignments
+    authentication: authentication
   }
 }
 
@@ -103,3 +108,6 @@ output AZURE_CONTAINER_APPS_ENVIRONMENT_NAME string = resources.outputs.AZURE_CO
 output AZD_IS_PROVISIONED bool = true
 output SERVICE_UPDATEGRAFANA_RESOURCE_EXISTS bool = resources.outputs.SERVICE_UPDATEGRAFANA_RESOURCE_EXISTS
 output SERVICE_CPUADUPDATER_RESOURCE_EXISTS bool = resources.outputs.SERVICE_CPUADUPDATER_RESOURCE_EXISTS
+output GRAFANA_DASHBOARD_URL string = resources.outputs.GRAFANA_DASHBOARD_URL
+output GRAFANA_DASHBOARD_AUTHENTICATION_CALLBACK_URI string = resources.outputs.GRAFANA_DASHBOARD_AUTHENTICATION_CALLBACK_URI
+output MANAGED_IDENTITY_NAME string = resources.outputs.MANAGED_IDENTITY_NAME