Azure Managed Grafana: single data source (Azure Monitor) for many subscriptions

Matías Gutierrez Reto 20 Reputation points
2025-01-06T20:08:05.7566667+00:00

I'd like to deploy an Azure Managed Grafana service to gather Azure Monitor data from several Azure subscriptions by using the Azure Monitor data source. The Azure subscriptions are grouped under a management group structure.

I'd like to use a managed identity and assign the required role at management group level so a single Azure data source instance can be configured to gather all (ideally) subscriptions' data, if that is feasible.

But I have another requirement/need: my Grafana users must have some kind of "authorization" (some basic RBAC?) so that, for instance, user A can only display and "see" dashboards containing information from a specific subscription he or she owns. User B must only see "data" belonging to the Azure subscriptions he/she owns, and so on.

Do you know if these requirements are feasible? In that case, would you please point me to some documentation, if it's available?

Thanks in advance!


Accepted answer
  1. Ashok Gandhi Kotnana 1,855 Reputation points Microsoft Vendor
    2025-01-07T04:18:50.59+00:00

    Hi @Matías Gutierrez Reto,

    Welcome to Microsoft Q&A Forum, thank you for posting your query here!

    Yes, you can deploy Azure Managed Grafana with a managed identity for accessing Azure Monitor data across multiple subscriptions under a management group. Additionally, you can configure Role-Based Access Control (RBAC) to restrict users' dashboard visibility to their respective subscription data.

    Here's a high-level overview of the steps involved:

    1. Deploy Azure Managed Grafana: Create an Azure Managed Grafana instance in the Azure portal. Enable a system-assigned or user-assigned managed identity for the Grafana instance.
    2. Configure Data Sources: Add Azure Monitor as a data source in your Grafana instance. Use the managed identity to authenticate and access Azure Monitor data.
    3. Set Up RBAC: Assign the appropriate Azure roles (e.g., Monitoring Reader) to the managed identity on each subscription to grant read-only access to monitoring data. Use Azure RBAC to manage access to the Grafana instance itself, assigning roles like Grafana Viewer or Grafana Editor to users based on their needs.
    4. Restrict Dashboard Visibility: Configure Grafana teams and permissions to ensure users can only view dashboards related to their respective subscriptions.

    For detailed guidance, you can refer to the following documentation:

    https://learn.microsoft.com/en-us/azure/managed-grafana/how-to-authentication-permissions

    https://learn.microsoft.com/en-us/azure/managed-grafana/concept-role-based-access-control

    https://learn.microsoft.com/en-us/azure/managed-grafana/how-to-data-source-plugins-managed-identity?tabs=azure-portal

    Let us know if you have any further queries. I’m happy to assist you further.

    Please do not forget to "Accept the answer" wherever the information provided helps you; this can be beneficial to other community members.
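
Step 4 of the answer above (teams and folder permissions), as an added example that is not part of the original answer or of Microsoft's documentation: it builds the request body for Grafana's folder permissions API (`POST /api/folders/<uid>/permissions`) so that only the owning team can view a subscription's folder, and audits an existing folder ACL for entries that expose it more widely. The team IDs, folder UIDs and the one-folder-per-subscription layout are assumptions.

```python
# Added example. Team IDs, folder UIDs and subscription names are constructed.
VIEW, EDIT, ADMIN = 1, 2, 4  # Grafana folder permission levels


def folder_acl(team_id: int) -> dict:
    """Body for POST /api/folders/<uid>/permissions.

    The call replaces the folder's whole ACL, so listing only the owning team
    drops the organisation-wide Viewer/Editor role entries.
    """
    return {"items": [{"teamId": team_id, "permission": VIEW}]}


def audit_folder(acl_items: list, owner_team_id: int) -> list:
    """Return findings for ACL entries that let anyone beyond the owning team in."""
    findings = []
    for item in acl_items:
        if item.get("role"):
            findings.append(f"org role {item['role']} has access")
        elif item.get("teamId") and item["teamId"] != owner_team_id:
            findings.append(f"foreign team {item['teamId']} has access")
        elif item.get("userId"):
            findings.append(f"direct grant to user {item['userId']}")
        elif item.get("teamId") == owner_team_id and item["permission"] > VIEW:
            findings.append("owning team can edit, not just view")
    return findings


def plan(owners: dict) -> dict:
    """Map each subscription's folder UID to the ACL body to send."""
    return {uid: folder_acl(team) for uid, team in owners.items()}


# Constructed input: folder UID -> Grafana team ID of the subscription owners.
OWNERS = {"sub-a-dashboards": 7, "sub-b-dashboards": 9}

# Constructed ACL shaped like GET /api/folders/<uid>/permissions output,
# with role entries of the kind a new folder typically starts with.
SAMPLE_ACL = [
    {"role": "Viewer", "permission": VIEW},
    {"role": "Editor", "permission": EDIT},
    {"teamId": 7, "permission": VIEW},
    {"teamId": 9, "permission": VIEW},
]

if __name__ == "__main__":
    print(audit_folder(SAMPLE_ACL, owner_team_id=7))
    print(audit_folder(plan(OWNERS)["sub-a-dashboards"]["items"], 7))
```

Folder permissions decide which dashboards a user can open; they do not narrow what the shared data source's managed identity can read, so who holds Grafana Editor or Admin on the instance still matters.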

