Version: 25.4

Set up Entra ID integration with Monitor

Monitor is the Flexxible monitoring module, based on Grafana Cloud. It allows user access by invitation or through integration with Entra ID accounts. This guide describes the steps necessary to establish this integration.

Configuration in Microsoft Azure

Create an application registration

  1. Log in to Azure Portal.
  2. Select the tenant if you have access to multiple; to do this, click on Switch directory in the user menu.
  3. Once the subscription is selected, search for Microsoft Entra ID.
  4. In the menu on the left of the interface, click Application registrations -> New registration.
  5. Enter a name to register the application and select the compatible account type.
  6. In Redirect URI select Web and add the following redirect URL:

    https://<grafana domain>/login/azuread

  7. Click Register to complete the application registration.

Create a client secret

  1. Access App registrations.
  2. In the registration menu, click on Manage -> Certificates & Secrets -> New client secret.
  3. In the Description field, write GrafanaCloud, and in Expires select 24 months.
  4. Click Add.
  5. Copy the key value. This is the client secret value for OAuth.

API permissions configuration

The necessary API permissions must be defined.

  1. Find the created application and in the menu click on API Permissions -> Add a permission.
  2. Click on Microsoft Graph -> Delegated permissions. Select email, openid, and profile.
  3. Once added, select the default created permission and click on Remove permission.
  4. Grant organizational permissions to email, openid, and profile.
  5. Find the User.Read permission and add it so that the application can only read the user profile.
  6. After the configuration is done, the permission list should look like the following image:

[Image: api_permissions7]

Create application roles

The following application roles for Grafana should be created:

[Image: grafana_roles1]

  1. In the menu, click on Application roles -> Create application role.

  2. In the Create application role panel, configure each role.

    For Grafana Admin enter the following values:

    • Display name: Grafana Admin
    • Allowed member type: Users/Groups
    • Value: Admin
    • Description: Grafana admin Users

    And for Grafana Viewer and Grafana Editor enter the values shown in the following image:

    [Image: grafana_roles2]

Review the manifest.xml file

The manifest.xml file must be reviewed to change the value of the key "groupMembershipClaims" from null (default value) to "SecurityGroup, ApplicationGroup".
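
The registration can be checked against this guide before the parameters are handed over. The following is an added example, not Flexxible's or Grafana's code: it assumes the application manifest has been saved as JSON, and the function names and the domain grafana.example.com are placeholders chosen for illustration.

```python
import json

# Constructed sample manifest with placeholder values (not a real tenant).
SAMPLE_MANIFEST = json.loads("""
{
  "groupMembershipClaims": "SecurityGroup, ApplicationGroup",
  "appRoles": [
    {"displayName": "Grafana Admin", "value": "Admin",
     "allowedMemberTypes": ["User"], "isEnabled": true}
  ],
  "web": {"redirectUris": ["https://grafana.example.com/login/azuread"]}
}
""")


def redirect_uris(manifest):
    """Collect redirect URIs from either manifest layout."""
    uris = list((manifest.get("web") or {}).get("redirectUris") or [])
    uris += [r.get("url", "") for r in manifest.get("replyUrlsWithType") or []]
    return uris


def audit_manifest(manifest, grafana_domain, role_values=("Admin",)):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # groupMembershipClaims must list both group types named in this guide.
    raw = manifest.get("groupMembershipClaims") or ""
    claims = {c.strip() for c in raw.split(",") if c.strip()}
    missing = {"SecurityGroup", "ApplicationGroup"} - claims
    if missing:
        findings.append("groupMembershipClaims lacks " + ", ".join(sorted(missing)))

    # Each expected role value needs an enabled app role assignable to users/groups.
    enabled = {r.get("value"): r for r in manifest.get("appRoles") or [] if r.get("isEnabled")}
    for value in role_values:
        role = enabled.get(value)
        if role is None:
            findings.append(f"no enabled app role with value {value!r}")
        elif "User" not in role.get("allowedMemberTypes", []):
            findings.append(f"app role {value!r} cannot be assigned to users/groups")

    # Only the Grafana callback from this guide should be registered.
    expected = f"https://{grafana_domain}/login/azuread"
    uris = redirect_uris(manifest)
    if expected not in uris:
        findings.append(f"missing redirect URI {expected}")
    findings += [f"unexpected redirect URI {u}" for u in uris if u != expected]
    return findings
```

Only the Admin role value appears in the text of this guide, so it is the default; pass the Editor and Viewer values from your own registration through role_values to check them as well.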


Requirements

Once the application registration is done, the organization must provide the following parameters to Flexxible so that they can create the configuration in Grafana.

  • Endpoints
    • OAuth 2.0 authorization endpoint (v2)
    • OAuth 2.0 token endpoint (v2)
  • App registration
    • Application (client) ID
  • Certificates & Secrets
    • Secret Value
  • Group ID to be configured
  • Domain to authorize