Azure Active Directory Configuration for Grafana

This blog post demonstrates how to integrate Azure Active Directory (AAD) with Grafana. By default Grafana authenticates users against its own username and password store. Delegating login to Azure AD means Grafana no longer holds user passwords, and the tenant's existing controls (MFA, Conditional Access, account lifecycle) apply to dashboard access as well.

A separate post covers installing Grafana on an Ubuntu server.

Pre-requisites

  • An Ubuntu VM installed with Grafana 6.7+
  • Public IP address with a DNS name
  • SSL certificate for the domain
  • Microsoft Azure cloud account.

Create a DNS name for the VM public IP

My Ubuntu server is up and running and at the time of provisioning, I have set a public IP address for it. Next, we have to create a DNS name for the IP.


To create a DNS name click on the public IP address and add the DNS name label in the next window. I have created the DNS name mygrafana1.eastus.cloudapp.azure.com and saved it.

SSL certificate installation

To integrate Grafana with Azure AD we will use the "App registrations" service in Azure. Azure AD only accepts HTTPS redirect URIs (plain http is tolerated for localhost only), so the Grafana hostname needs a TLS certificate. For demo purposes I will generate a self-signed certificate; because nothing vouches for it, the browser will show a security warning when we open Grafana. That is acceptable for a demo, since in the authorization code flow Azure AD never connects to Grafana itself but only redirects the browser there. For anything beyond a demo, use a certificate issued by a public CA.

To generate the key and certificate, run the commands below on the Ubuntu server. The first command generates a private key (key.pem) together with a certificate signing request (CSR); the second signs that CSR with the same key to produce a self-signed certificate. Create the "ssl-certs" directory under /etc/grafana to store the files. Keep in mind that key.pem is the server's private key: it should be readable only by root and the grafana group, not by every user on the VM.

techies@vm-grafana-1:/etc/grafana$ sudo mkdir ssl-certs
techies@vm-grafana-1:/etc/grafana$ cd ssl-certs/
$ sudo openssl req -newkey rsa:2048 -nodes -keyout key.pem -out domain.csr

Generating a RSA private key
..........................................................+++++
writing new private key to 'key.pem'

-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----

Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:SA
Locality Name (eg, city) []:redmount
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Techies
Organizational Unit Name (eg, section) []:tech
Common Name (e.g. server FQDN or YOUR name) []:mygrafana1.eastus.cloudapp.azure.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
techies@vm-grafana-1:/etc/grafana/ssl-certs$ ls
domain.csr  key.pem

$ sudo openssl x509 -req -in domain.csr -signkey key.pem -days 365 -out cert.crt

This signs the CSR with the key created in the first step, so the subject details come from the CSR and are not prompted for again. (Re-running "openssl req -newkey ... -x509" at this point, as is sometimes done, would silently generate a second key, overwrite key.pem and leave the CSR unused.) We should now have the certificate and the private key (cert.crt, key.pem):

techies@vm-grafana-1:/etc/grafana/ssl-certs$ ls
cert.crt  domain.csr  key.pem
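A version of the certificate step that produces a certificate browsers will actually match against the hostname, as an added example (this script is mine, not from the original post): it puts the FQDN in subjectAltName, since Chrome and Firefox ignore the Common Name, and restricts the private key to root and the grafana group. It assumes OpenSSL and GNU coreutils on the server, the organisation name "Techies" from the post, and that you run it with sudo on the Grafana VM (the chown is skipped where no grafana group exists, so it also runs on a workstation). The function names and the san.cnf file name are my own.

```shell
#!/bin/sh
# Added example, not from the original post: self-signed certificate with a
# subjectAltName plus sane key permissions.  Assumes OpenSSL and GNU stat.

# make_selfsigned_cert DIR FQDN
#   Writes DIR/san.cnf, DIR/key.pem and DIR/cert.crt.  The plain
#   "openssl req -x509" prompts only fill in the CN, which modern browsers
#   ignore; the hostname has to be present as a DNS subjectAltName.
make_selfsigned_cert() {
    dir=$1
    fqdn=$2
    mkdir -p "$dir"
    # Inline OpenSSL config so the same command works on old and new OpenSSL
    # releases (no dependency on the newer -addext flag).
    cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_server
prompt             = no

[dn]
CN = $fqdn
O  = Techies

[v3_server]
subjectAltName   = DNS:$fqdn
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$dir/key.pem" -out "$dir/cert.crt" -config "$dir/san.cnf" || return 1
    # Grafana runs as the "grafana" user: root:grafana with mode 640 lets it
    # read the key while keeping it away from every other account on the VM.
    chmod 640 "$dir/key.pem"
    chmod 644 "$dir/cert.crt"
    if getent group grafana >/dev/null 2>&1; then
        chown root:grafana "$dir/key.pem"
    fi
}

# cert_has_san CERT FQDN -> exit 0 if FQDN is listed as a DNS subjectAltName
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# cert_subject_cn CERT FQDN -> exit 0 if the subject names FQDN
cert_subject_cn() {
    openssl x509 -in "$1" -noout -subject | grep -q "$2"
}

# key_mode FILE -> prints the octal permission bits, e.g. 640 (GNU stat)
key_mode() {
    stat -c %a "$1"
}

# Usage on the server:
#   sudo sh make-cert.sh /etc/grafana/ssl-certs mygrafana1.eastus.cloudapp.azure.com
if [ $# -ge 2 ]; then
    make_selfsigned_cert "$1" "$2"
    cert_has_san "$1/cert.crt" "$2" && echo "SAN present for $2, key mode $(key_mode "$1/key.pem")"
fi
```

The cert_file and cert_key paths in grafana.ini stay exactly as in the post; only the certificate's contents and the key's permissions change.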

Use these files to configure the [server] section of /etc/grafana/grafana.ini as follows.

[server]
# Protocol (http, https, h2, socket)
protocol = https

# The ip address to bind to, empty will bind to all interfaces
http_addr =

# The http port to use
http_port = 3000

# The public facing domain name used to access grafana from a browser
domain = mygrafana1.eastus.cloudapp.azure.com

# The full public facing url you use in browser, used for redirects and emails
# If you use reverse proxy and sub path specify full url (with sub path)
root_url = https://mygrafana1.eastus.cloudapp.azure.com:3000/

# https certs & key file
cert_file = /etc/grafana/ssl-certs/cert.crt
cert_key = /etc/grafana/ssl-certs/key.pem

Grafana now listens on port 3000 over HTTPS using the certificate and key above, so logins and session cookies are encrypted in transit. Make sure root_url is exactly the URL users type into the browser: Grafana derives its OAuth redirect URI from it, and Azure AD will refuse the login if that URI differs from the one registered later.

Integration with Azure active directory

As per the Grafana documentation we need to complete the following properties in grafana.ini:

[auth.azuread]
name = Azure AD
enabled = true
allow_sign_up = true
client_id = APPLICATION_ID
client_secret = CLIENT_SECRET
scopes = openid email profile
auth_url = https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token
allowed_domains =
allowed_groups =

Let's see how to find the values for these properties. The first three (name, enabled and allow_sign_up) can keep the values shown above. Next are client_id and client_secret. To create them, log in to the Azure portal and go to Azure Active Directory -> App registrations -> New registration. Give the registration a user-facing name (I used "grafana-app-reg") and, under Redirect URI, choose the Web platform and enter the Grafana callback URL (https://mygrafana1.eastus.cloudapp.azure.com:3000/login/azuread). The "azuread" path segment is fixed by Grafana: it comes from the [auth.azuread] section name, not from the display text in the name property, and the whole URL has to equal root_url plus /login/azuread, otherwise Azure AD rejects the login with a redirect URI mismatch. Click "Register" to complete the registration.

From the "grafana-app-reg" overview page copy the Application (client) ID into client_id in the Grafana config file. The client ID is an identifier, not a secret; it is fine for it to show up in logs or screenshots.

Back on the "grafana-app-reg" page open "Authentication" (in older portal layouts, click the "web" link under the platform configuration) to edit the registration again.

Then, under Implicit grant, select the tokens you would like the authorization endpoint to issue. Grafana's documentation for this version asks only for ID tokens here; access tokens are obtained by Grafana from the token endpoint in the authorization code flow and do not need to be issued by the authorization endpoint.

Next click "Certificates & secrets" and create a new client secret. Azure shows the secret value only once, right after creation, so copy it into grafana.ini immediately and pick an expiry you will actually track: when it expires, every Azure AD login fails. Because grafana.ini now holds this secret, keep the file readable only by root and the grafana group (the package default of root:grafana, mode 640) and never paste it into tickets or screenshots.

To get auth_url and token_url click "Endpoints" on the "grafana-app-reg" overview page.

Copy the "OAuth 2.0 authorization endpoint (v2)" and "OAuth 2.0 token endpoint (v2)" values into grafana.ini. Only the GUID in the path differs from the template above: it is your Directory (tenant) ID, also shown on the overview page. Using this tenant-specific endpoint rather than the "common" endpoint means only accounts from your own tenant can sign in.

Now we have all the details required to complete the Azure AD  auth in the Grafana.

[auth.azuread]
name = Azure AD
enabled = true
allow_sign_up = true
client_id = b598dcb0-9cf0-4bab-9e96-b452284dcacd
client_secret = <secret value copied from Certificates & secrets>
scopes = openid email profile
auth_url = https://login.microsoftonline.com/f0b1b4a5-310f-4851-9b29-e8d5e0ed7a9a/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/f0b1b4a5-310f-4851-9b29-e8d5e0ed7a9a/oauth2/v2.0/token
allowed_domains =
allowed_groups =

Treat client_secret like a password: it is deliberately not printed here, and if it is ever exposed (in a screenshot, a commit, a pasted config), delete it under "Certificates & secrets" and create a new one.

Save the configuration file and restart the Grafana service. The Grafana side is now complete; next we need to give a user access to the application. In the Azure portal go to Azure Active Directory -> Users -> New user and create a user with a name and password.

To add this user to the application, go to the "grafana-app-reg" overview page and click the "Managed application in local directory" link, which opens the matching enterprise application.

Click "Users and groups" -> "Add user/group" and select the user we created. Note that this assignment is only enforced if, under the enterprise application's Properties, "User assignment required?" is set to Yes. With the default of No, every user in the tenant can sign in, and because allow_sign_up is true each of them gets a Grafana account on first login. Either set it to Yes or restrict logins on the Grafana side with allowed_groups (or both).

Everything is set. Open a browser and go to the Grafana URL. As mentioned earlier you will see a certificate warning because we used a self-signed certificate; that is expected for this demo.

The login screen now shows a "Sign in with Microsoft" button. Click it to log in to Grafana with the Azure AD user we created earlier; after the redirect back from Microsoft you land on the dashboard.

That's it, folks, we have configured Azure Active Directory authentication for Grafana. For additional security I recommend sending users straight to Azure AD and disabling the Grafana login form (the oauth_auto_login and disable_login_form options in the [auth] section), and filling in allowed_groups so that only members of a designated Azure AD group are accepted. If you have any questions feel free to add them in the comment section.
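The hardening recommended above, expressed as a check rather than a description: an added example (mine, not from the original post) that audits a grafana.ini for the settings that matter once Azure AD is the identity provider, run over a weak and a hardened sample configuration. The two sample files are constructed for this example; ini_get, audit_grafana_ini and write_samples are my helper names; GROUP_OBJECT_ID stands in for an Azure AD group's object ID and ThisIsASampleSecretValue for a real client secret.

```shell
#!/bin/sh
# Added example, not from the original post: audit a grafana.ini for the
# settings that matter once Azure AD handles sign-in.  ini_get and
# audit_grafana_ini are helpers written for this example; the sample files
# written by write_samples are constructed, not copied from a real server.

# ini_get FILE SECTION KEY -> prints KEY's value in [SECTION] (empty if unset)
ini_get() {
    awk -v s="[$2]" -v k="$3" '
        $0 == s     { in_s = 1; next }   # entering the wanted section
        /^[ \t]*\[/ { in_s = 0 }         # any other header ends it
        in_s && $0 ~ ("^[ \t]*" k "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# audit_grafana_ini FILE -> one finding per line, nothing if the file is clean
audit_grafana_ini() {
    f=$1
    [ "$(ini_get "$f" server protocol)" = "https" ] ||
        echo "server.protocol is not https: logins and the OAuth redirect travel in clear text"
    case "$(ini_get "$f" server root_url)" in
        https://*) ;;
        *) echo "server.root_url is not https: the redirect_uri Grafana sends will not match the app registration" ;;
    esac
    [ "$(ini_get "$f" auth.azuread enabled)" = "true" ] ||
        echo "auth.azuread.enabled is not true"
    case "$(ini_get "$f" auth.azuread client_secret)" in
        ""|CLIENT_SECRET) echo "auth.azuread.client_secret is empty or still the placeholder" ;;
    esac
    [ -n "$(ini_get "$f" auth.azuread allowed_groups)" ] ||
        echo "auth.azuread.allowed_groups is empty: anyone who can sign in to the app registration gets a Grafana account"
    [ "$(ini_get "$f" auth disable_login_form)" = "true" ] ||
        echo "auth.disable_login_form is not true: the local username/password form stays reachable"
    [ "$(ini_get "$f" auth oauth_auto_login)" = "true" ] ||
        echo "auth.oauth_auto_login is not true: users are not sent straight to Azure AD"
}

# write_samples DIR -> writes DIR/weak.ini and DIR/hardened.ini (constructed)
write_samples() {
    # Weak: plain HTTP, placeholder secret, no group restriction, login form on.
    cat > "$1/weak.ini" <<'EOF'
[server]
protocol = http
http_port = 3000
root_url = http://mygrafana1.eastus.cloudapp.azure.com:3000/

[auth.azuread]
name = Azure AD
enabled = true
allow_sign_up = true
client_id = APPLICATION_ID
client_secret = CLIENT_SECRET
scopes = openid email profile
auth_url = https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token
allowed_domains =
allowed_groups =
EOF
    # Hardened: TLS, a real secret (placeholder text here), one allowed Azure AD
    # group, local login form off, browser sent straight to Azure AD.
    cat > "$1/hardened.ini" <<'EOF'
[server]
protocol = https
http_port = 3000
root_url = https://mygrafana1.eastus.cloudapp.azure.com:3000/
cert_file = /etc/grafana/ssl-certs/cert.crt
cert_key = /etc/grafana/ssl-certs/key.pem

[auth]
disable_login_form = true
oauth_auto_login = true

[auth.azuread]
name = Azure AD
enabled = true
allow_sign_up = true
client_id = APPLICATION_ID
client_secret = ThisIsASampleSecretValue
scopes = openid email profile
auth_url = https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token
allowed_domains =
allowed_groups = GROUP_OBJECT_ID
EOF
}

# Usage on the server:  sh audit-grafana-ini.sh /etc/grafana/grafana.ini
if [ $# -ge 1 ]; then
    audit_grafana_ini "$1"
fi
```

Against the weak sample the audit reports six findings and against the hardened one none. allowed_groups takes Azure AD group object IDs, and Grafana can only evaluate it if the app registration actually emits a groups claim in the ID token (Token configuration -> Add groups claim in the portal), so configure both sides together; with "User assignment required?" also set to Yes on the enterprise application, a user has to pass both the Azure AD check and the Grafana group check to get in.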
