Configure Azure AD OAuth2 authentication for Grafana using Helmfile

Introduction

Azure AD OAuth2 authentication allows Grafana to use Azure Active Directory (Azure AD) as an identity provider. This means users can log in to Grafana using their Azure AD credentials. The authentication process involves several steps to ensure secure access.

How it works:

  1. User Requests Access: The user opens Grafana and chooses the Azure AD sign-in option.
  2. Redirect to Azure AD: Grafana redirects the browser to the Azure AD authorization endpoint (the login page).
  3. User Authentication: The user logs in with their Azure AD credentials.
  4. Authorization Code: After a successful login, Azure AD redirects the browser back to Grafana's registered redirect URI with an authorization code.
  5. Token Exchange: Grafana sends this code, together with its client secret, to the Azure AD token endpoint and receives an access token (and, with the openid scope, an ID token).
  6. Access Granted: If the token is valid, Grafana grants the user access and assigns them a Grafana role based on the Azure AD app role they hold.

This guide will walk you through the steps to install Grafana using Helm and configure Azure AD OAuth2 authentication.

1. Create the Microsoft Entra ID Application


1) Log in to the Azure Portal.

2) Click on Microsoft Entra ID in the side menu.

3) If you have access to multiple tenants, select the desired tenant from the upper right.

4) Under Manage, click App Registrations > New Registration.

5) Enter a descriptive name.

6) Under Redirect URI, select Web.

7) Add the following redirect URLs:

    • https://grafana-ai.takemetoprod.com/login/azuread
    • https://grafana-ai.takemetoprod.com

Azure AD only accepts an exact match, so the redirect URI Grafana actually sends (the redirect_uri under auth.generic_oauth in the configuration below, whose callback path for the generic OAuth provider is /login/generic_oauth) must be registered here.

8) Click Register.

2. Configure the Application


1) Note the Application ID (OAuth client ID).

2) Click Endpoints and note the OAuth 2.0 authorization endpoint (v2) URL and OAuth 2.0 token endpoint (v2) URL.

3) Click Certificates & secrets in the side menu and add a new client secret with:

  • Description: Grafana OAuth
  • Expires: Select an expiration period

4) Click Add and copy the client secret value.

3. Configure Application Roles in the Manifest File


1) Click Manifest.

2) Find the "appRoles" array.

3) Add the following JSON objects to it:

"appRoles": [
    {
        "allowedMemberTypes": [
            "User"
        ],
        "description": "Grafana org admin Users",
        "displayName": "Grafana Org Admin",
        "id": "38d11d0d-a722-43e1-9ea3-f21c004f7127",
        "isEnabled": true,
        "lang": null,
        "origin": "Application",
        "value": "Admin"
    },
    {
        "allowedMemberTypes": [
            "User"
        ],
        "description": "Grafana read only Users",
        "displayName": "Grafana Viewer",
        "id": "15f8ecc5-334a-4b14-924f-8ba2a11fce88",
        "isEnabled": true,
        "lang": null,
        "origin": "Application",
        "value": "Viewer"
    },
    {
        "allowedMemberTypes": [
            "User"
        ],
        "description": "Grafana Editor Users",
        "displayName": "Grafana Editor",
        "id": "c20727cc-d5a1-4457-9060-fb6e98ed6026",
        "isEnabled": true,
        "lang": null,
        "origin": "Application",
        "value": "Editor"
    }
]

4) Click App roles. You should now see the three roles "Grafana Org Admin", "Grafana Viewer" and "Grafana Editor".

4. Assign Users to the Application Roles


1) Go to Microsoft Entra ID > Enterprise Applications > Manage.

2) Search for your application and click it.

3) Click Users and Groups and add users or groups to the Grafana roles.

4) I have added dipchand as a user.

5. Install Grafana Using Helmfile and Update the grafana.ini Configuration

The following helmfile.yaml installs the Grafana chart and passes the OAuth settings through to grafana.ini. The grafana.ini key belongs to the same values entry as service, so it is indented at the same level:

repositories:
  - name: grafana
    url: https://grafana.github.io/helm-charts
releases:
  - name: grafana
    namespace: default
    chart: grafana/grafana
    values:
      - service:
          type: NodePort
          nodePort: 32000
          targetPort: 3000
          port: 80
        grafana.ini:
          server:
            domain: grafana-ai.takemetoprod.com
            root_url: https://grafana-ai.takemetoprod.com
          auth.generic_oauth:
            enabled: true
            name: AzureAD
            # Application (client) ID noted in step 2
            client_id: 46b9ea9f-1f74-4eb2-9e3e-759f3ac0d6a0
            # Client secret value from step 2; in a real deployment keep it out of
            # version control (for example in a Kubernetes Secret) instead of inlining it
            client_secret: mGl8Q~cvbcbc-U1Vw1izo-8uaamyX-1gNCMx0bdrT
            scopes: openid email profile User.Read
            # v2 authorization and token endpoints from step 2 (the tenant ID is in the path)
            auth_url: https://login.microsoftonline.com/15fd-dfdgd-dsf89-fsdfsv-fsf8-fsdfsfdvd8/oauth2/v2.0/authorize
            token_url: https://login.microsoftonline.com/15fd-dfdgd-dsf89-fsdfsv-fsf8-fsdfsfdvd8/oauth2/v2.0/token
            api_url: https://graph.microsoft.com/oidc/userinfo
            # Must exactly match a redirect URI registered on the application in step 1
            redirect_uri: https://grafana-ai.takemetoprod.com/login/generic_oauth
            skip_org_role_sync: false
          database:
            type: sqlite3
            path: grafana.db

If the configuration is successful, you'll see an option to "Sign in with AzureAD" on the Grafana login page.
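To make the last step of the flow concrete, the following Python script is an added example (not part of this guide or of Grafana itself) of what the role assignment has to do with the ID token Azure AD returns: confirm the token was issued by the configured tenant for this client ID, then map the roles claim, which Azure AD fills from the app roles defined in the manifest, to a Grafana org role with the most privileged role winning. Grafana performs this mapping itself through its role_attribute_path setting (a JMESPath expression over the token claims) when skip_org_role_sync is false; the client ID and tenant ID below are taken from the configuration above, and the token is constructed locally and unsigned.

```python
import base64
import json
from typing import Optional

# Taken from the grafana.ini configuration above (the tenant ID is the
# placeholder string the page uses in auth_url and token_url).
CLIENT_ID = "46b9ea9f-1f74-4eb2-9e3e-759f3ac0d6a0"
TENANT_ID = "15fd-dfdgd-dsf89-fsdfsv-fsf8-fsdfsfdvd8"
ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
# The "value" of each appRole from the manifest, highest privilege first.
ROLE_PRECEDENCE = ("Admin", "Editor", "Viewer")

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def claims_from_id_token(id_token: str) -> dict:
    """Decode a JWT payload. The signature is NOT checked here: Grafana
    validates it against the tenant's signing keys before trusting claims."""
    _header, payload, _signature = id_token.split(".")
    return json.loads(_b64url_decode(payload))

def grafana_role_for(claims: dict) -> Optional[str]:
    """Map the 'roles' claim Azure AD fills from the assigned app roles to a
    Grafana org role. Tokens from another tenant or for another application
    are rejected (None); with several roles the most privileged wins; a user
    holding none of the Grafana app roles gets no role (None)."""
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        return None
    assigned = set(claims.get("roles", []))
    for role in ROLE_PRECEDENCE:
        if role in assigned:
            return role
    return None

def make_test_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT for local testing; not a real token."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."

if __name__ == "__main__":
    token = make_test_token({"iss": ISSUER, "aud": CLIENT_ID,
                             "roles": ["Viewer", "Editor"]})
    print(grafana_role_for(claims_from_id_token(token)))  # Editor
```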

Summary

By following these steps, you will set up Grafana with Azure AD OAuth2 authentication, allowing users to log in using their Azure AD credentials.