This blog post demonstrates how to integrate Azure Active Directory (AAD) with Grafana. By default, Grafana provides a user name and password mechanism to log in to the dashboard, but integrating Grafana with Azure Active Directory provides better security.
To know how to install Grafana on an Ubuntu server click here
- An Ubuntu VM installed with Grafana 6.7+
- Public IP address with a DNS name
- SSL certificate for the domain
- Microsoft Azure cloud account.
Create a DNS name for the VM public IP
My Ubuntu server is up and running, and at the time of provisioning I set a public IP address for it. Next, we have to create a DNS name for that IP.
To create a DNS name click on the public IP address and add the DNS name label in the next window. I have created the DNS name mygrafana1.eastus.cloudapp.azure.com and saved it.
SSL certificate installation
To integrate Grafana with Azure Active Directory we will use the “App Registration” service in Azure. To register a domain with “App Registration” the domain or hostname must have an SSL certificate. For demo purposes I will generate a self-signed certificate; because we are using a self-signed certificate, the browser will show a risk warning when we access Grafana.
To generate a self-signed certificate, execute the commands below on the Ubuntu server. The first command generates a certificate signing request (CSR), and then we generate the certificate. Create the “ssl-certs” directory under the /etc/grafana folder to store the certificates.
techies@vm-grafana-1:/etc/grafana$ sudo mkdir ssl-certs
techies@vm-grafana-1:/etc/grafana$ cd ssl-certs/
$ sudo openssl req -newkey rsa:2048 -nodes -keyout key.pem -out domain.csr
Generating a RSA private key
..........................................................+++++
writing new private key to 'key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:SA
Locality Name (eg, city) []:redmount
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Techies
Organizational Unit Name (eg, section) []:tech
Common Name (e.g. server FQDN or YOUR name) []:mygrafana1.eastus.cloudapp.azure.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
techies@vm-grafana-1:/etc/grafana/ssl-certs$ ls
domain.csr  key.pem
$ sudo openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out cert.crt
Give the same details you gave when generating the CSR to the second OpenSSL command as well. Now we should have the two files below (cert.crt and key.pem):
techies@vm-grafana-1:/etc/grafana/ssl-certs$ ls
cert.crt  domain.csr  key.pem
Use the certificate and key above and configure the [server] section of the grafana.ini file as follows.
# Protocol (http, https, h2, socket)
protocol = https
# The ip address to bind to, empty will bind to all interfaces
# The http port to use
http_port = 3000
# The public facing domain name used to access grafana from a browser
domain = mygrafana1.eastus.cloudapp.azure.com
# The full public facing url you use in browser, used for redirects and emails
# If you use reverse proxy and sub path specify full url (with sub path)
root_url = https://mygrafana1.eastus.cloudapp.azure.com:3000/
# https certs & key file
cert_file = /etc/grafana/ssl-certs/cert.crt
cert_key = /etc/grafana/ssl-certs/key.pem
We have configured Grafana to listen on port 3000 over HTTPS, and added the certificate and key paths to the configuration to encrypt the communication.
Integration with Azure active directory
As per the Grafana documentation, we need to complete the properties below in the grafana.ini file:
[auth.azuread]
name = Azure AD
enabled = true
allow_sign_up = true
client_id = APPLICATION_ID
client_secret = CLIENT_SECRET
scopes = openid email profile
auth_url = https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token
allowed_domains =
allowed_groups =
Let’s see how to find all the above properties. For the first three (name, enabled, and allow_sign_up) you can keep the default values. Next are client_id and client_secret. To create a new client ID and secret, log in to the Azure portal -> App Registration -> New registration. Give a user-facing name for the app registration and, under the redirect URI, give our Grafana domain name (https://mygrafana1.eastus.cloudapp.azure.com:3000/login/azuread). Please note that “azuread” is the auth section name we have given in the Grafana config file. Click the “Register” button to complete the registration.
From the “grafana-app-reg” overview window you can get the Client ID, copy and paste it into the Grafana config file.
Click on “Grafana-app-reg” and in the next window click on the “web” link to make changes again.
And then select tokens you would like to be issued by the authorization endpoint:
Next, click “Certificates & secrets” and create a new client secret. Copy the secret value and paste it into the grafana.ini config file.
To get the auth_url and token_url click on “Endpoints” from the “grafana-app-reg” overview page.
Copy the auth_url and token_url from the next window and paste them into the grafana.ini file (we only need to copy the unique tenant ID).
Now we have all the details required to complete the Azure AD auth in the Grafana.
[auth.azuread]
name = Azure AD
enabled = true
allow_sign_up = true
client_id = b598dcb0-9cf0-4bab-9e96-b452284dcacd
client_secret = WFcp1XG_9~.1-jSgbwo-SH64~3IY6Mlyim
scopes = openid email profile
auth_url = https://login.microsoftonline.com/f0b1b4a5-310f-4851-9b29-e8d5e0ed7a9a/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/f0b1b4a5-310f-4851-9b29-e8d5e0ed7a9a/oauth2/v2.0/token
allowed_domains =
allowed_groups =
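Before restarting Grafana it is worth checking that the [server] and [auth.azuread] settings agree with each other and with the App Registration. The script below is an added example (not from the original post or from Grafana) that parses a grafana.ini, derives the redirect URI that must be registered in Azure (root_url + login/azuread), checks that auth_url and token_url point at the same real tenant, that the site is served over HTTPS, and that client_id/client_secret are not leftover placeholders. The sample config and its IDs are constructed for the demo.

```python
import configparser
import re

# v2.0 Microsoft identity endpoints: capture the tenant id segment.
TENANT_RE = re.compile(r"https://login\.microsoftonline\.com/([^/]+)/oauth2/v2\.0/(authorize|token)$")
PLACEHOLDERS = {"APPLICATION_ID", "CLIENT_SECRET", ""}

# Constructed sample mirroring the post's layout; ids are dummies, secret left as placeholder.
SAMPLE_INI = """
[server]
protocol = https
domain = mygrafana1.eastus.cloudapp.azure.com
root_url = https://mygrafana1.eastus.cloudapp.azure.com:3000/
[auth.azuread]
enabled = true
allow_sign_up = true
client_id = 00000000-0000-0000-0000-000000000000
client_secret = CLIENT_SECRET
auth_url = https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/oauth2/v2.0/token
"""

def tenant_of(url):
    m = TENANT_RE.match(url.strip())
    return m.group(1) if m else None

def check_grafana_ini(text):
    """Return (redirect_uri, problems) for the grafana.ini text given."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    srv, aad = cfg["server"], cfg["auth.azuread"]
    problems = []
    root = srv.get("root_url", "").strip()
    if srv.get("protocol") != "https" or not root.startswith("https://"):
        problems.append("Grafana must be served over HTTPS for the Azure redirect")
    if srv.get("domain", "") not in root:
        problems.append("domain does not match root_url")
    # Azure redirects back to <root_url>/login/<auth section name>, here 'azuread'.
    redirect_uri = root.rstrip("/") + "/login/azuread"
    for key in ("client_id", "client_secret"):
        if aad.get(key, "").strip() in PLACEHOLDERS:
            problems.append(f"{key} is still a placeholder")
    t_auth, t_tok = tenant_of(aad.get("auth_url", "")), tenant_of(aad.get("token_url", ""))
    if not t_auth or not t_tok:
        problems.append("auth_url/token_url are not v2.0 Microsoft identity endpoints")
    elif t_auth != t_tok or t_auth == "TENANT_ID":
        problems.append("auth_url and token_url must use the same real tenant id")
    if aad.get("enabled", "false").lower() != "true":
        problems.append("[auth.azuread] is not enabled")
    return redirect_uri, problems
```

Run it against /etc/grafana/grafana.ini by passing the file contents to check_grafana_ini; the returned redirect URI is the value to compare with the one entered in the App Registration.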
Save the configuration file and restart the Grafana service. Now the configuration part is complete; next we need to add a user to this application. For this, log in to the Azure portal -> Azure Active Directory -> Users -> New user. Add a name and password for the user.
To add this user to the App Registration go to the “grafana-app-reg” overview page and click on “Managed Application”
Click “Assign users and groups” to assign users to the application. Click Add user/group and select the user which we created.
Everything is set. Next, open a browser and access the Grafana URL. As I mentioned earlier, you may see a certificate risk warning because we have used a self-signed certificate.
The login screen now shows the “Sign in with Microsoft” button. Click this button to log in to the Grafana. Enter the user name and password which we created earlier to log in to the dashboard.
That’s it folks, we have configured Azure Active Directory authentication for Grafana. For additional security I recommend enabling Single Sign-On and disabling the Grafana login form. If you have any questions feel free to add them in the comment section.