Connect Grafana to Azure Monitor Prometheus metrics

Azure Managed Grafana

An Azure Managed Grafana instance is automatically configured with a managed identity. The identity has the Monitoring Data Reader role assigned to it at the subscription level. This role allows the identity to read any monitoring data for the subscription. This identity is used to authenticate Grafana to Azure Monitor. You don't need to do anything to configure the identity.

Create the Prometheus data source in Grafana

To configure Prometheus as a data source, follow these steps:

1. Open your Azure Managed Grafana workspace in the Azure portal.

2. Select the endpoint to view the Grafana workspace.

3. Select Connections > Data sources.

4. Select Add data source.

5. Search for and select Prometheus.

6. Paste the query endpoint from your Azure Monitor workspace into the Prometheus server URL field.

7. Under Authentication, select Azure Auth.

8. Under Azure Authentication, select Managed Identity from the Authentication dropdown list.

9. Scroll to the bottom of the page and select Save & test.

   

Self-managed Grafana

The following section describes how to configure self-managed Grafana on an Azure VM to use Azure-hosted Prometheus data.

Configure system identity

To allow access all Azure Monitor workspaces in a resource group or subscription, follow these steps:

1. Open the Identity page for your VM in the Azure portal.

2. Set the Status to On.

3. Select Save.

4. Select Azure role assignments to review the existing access in your subscription.

   

5. If the Monitoring Data Reader role isn't listed for your subscription or resource group, select + Add role assignment.

6. In the Scope dropdown list, select either Subscription or Resource group. Selecting Subscription allows access to all Azure Monitor workspaces in the subscription. Selecting Resource group allows access only to Azure Monitor workspaces in the selected resource group.

7. Select the specific subscription or resource group where your Azure Monitor workspace is located.

8. From the Role dropdown list, select Monitoring Data Reader.

9. Select Save.

   

Configure Grafana for Azure Authentication

Versions 9.x and greater of Grafana support Azure Authentication, but it isn't enabled by default. To enable Azure Authentication, update your Grafana configuration and restart the Grafana instance. To find your grafana.ini file, review the Configure Grafana document from Grafana Labs.

To enable Azure Authentication, follow these steps:

1. Locate and open the grafana.ini file on your VM.
2. Under the [auth] section of the configuration file, change the azure_auth_enabled setting to true.
3. Under the [azure] section of the configuration file, change the managed_identity_enabled setting to true
4. Restart the Grafana instance.

Create the Prometheus data source in Grafana

To configure Prometheus as a data source, follow these steps:

1. Open Grafana in your browser.

2. Select Connections > Data sources.

3. Select Add data source.

4. Search for and select Prometheus.

5. Paste the query endpoint from your Azure Monitor workspace into the Prometheus server URL field.

6. Under Authentication, select Azure Auth.

7. Under Azure Authentication, select Managed Identity from the Authentication dropdown list.

8. Scroll to the bottom of the page and select Save & test.

   

Grafana hosted outside Azure

If your Grafana instance isn't hosted in Azure, you can use Microsoft Entra ID to connect to your Prometheus data in your Azure Monitor workspace.

To set up Microsoft Entra ID authentication, follow these steps:

1. Register an app with Microsoft Entra ID.
2. Grant access for the app to your Azure Monitor workspace.
3. Configure your self-hosted Grafana with the app's credentials.

Register an app with Microsoft Entra ID

1. To register an app, open the Active Directory Overview page in the Azure portal.

2. Select App registration.

3. On the Register an application page, enter a name for the application.

4. Select Register.

5. Note the Application (client) ID value and Directory (tenant) ID value. They're used in the Grafana authentication settings.

   

6. On the app's overview page, select Certificates and Secrets.

7. On the Client secrets tab, select New client secret.

8. Enter a description.

9. Select an expiration period from the dropdown list, and then select Add.

   Note

   Create a process to renew the secret and update your Grafana data source settings before the secret expires. After the secret expires, Grafana loses the ability to query data from your Azure Monitor workspace.

   

10. Copy and save the client secret value.

    Note

    You can view client secret values only immediately after creation. Save the secret before you leave the page.

    

Allow your app access to your workspace

Allow your app to query data from your Azure Monitor workspace.

1. Open your Azure Monitor workspace in the Azure portal.

2. On the overview page, note your Query endpoint value. The query endpoint is used when you set up your Grafana data source.

3. Select Access control (IAM).

   

4. On the Access Control (IAM) page, select Add > Add role assignment.

5. On the Add role assignment page, search for Monitoring.

6. Select Monitoring data reader, and then select the Members tab.

   

7. Choose Select members.

8. Search for the app that you registered in the Register an app with Microsoft Entra ID section and select it.

9. Choose Select.

10. Select Review + assign.

    

You created your app registration and assigned it access to query data from your Azure Monitor workspace. The next step is to set up your Prometheus data source in Grafana.

Configure Grafana for Azure Authentication

Grafana now supports connecting to Azure Monitor managed Prometheus by using the Prometheus data source. For self-hosted Grafana instances, a configuration change is needed to use the Azure Authentication option in Grafana. For Grafana instances that Azure doesn't manage, make the following changes.

Versions 9.x and greater of Grafana support Azure Authentication, but it isn't enabled by default. To enable Azure Authentication, update your Grafana configuration and restart the Grafana instance. To find your grafana.ini file, review the Configure Grafana document from Grafana Labs.

1. Locate and open the grafana.ini file on your VM.
2. Identify your Grafana version.
3. For Grafana 9.0, in the [feature_toggles] section, set prometheus_azure_auth to true.
4. For Grafana 9.1 and later versions, in the [auth] section, set the azure_auth_enabled setting to true.
5. Restart the Grafana instance.

Create the Prometheus data source in Grafana

To configure Prometheus as a data source, follow these steps:

1. Open Grafana in your browser.

2. Select Connections > Data sources.

3. Select Add data source.

4. Search for and select Prometheus.

5. Paste the query endpoint from your Azure Monitor workspace into the URL field.

6. Under Authentication, select Azure Auth. For earlier Grafana versions, under Auth, turn on Azure Authentication.

7. Under Azure Authentication, select App Registration from the Authentication dropdown list.

8. Enter the Direct (tenant) ID value, the Application (client) ID value, and the Client Secret value that were generated when you created your app registration.

9. Scroll to the bottom of the page and select Save & test.