Grafana role assignment using Azure AD OAuth

GhostInThePotato 2020-01-31 21:31

With the introduction of Grafana 6.6.0, role assignment using OAuth with Azure AD is now possible.

I put the following into the config ini file to assign the Admin role to anyone in a certain Azure AD group and everyone else would become a Viewer:

    [auth.generic_oauth]
    name = Azure AD
    enabled = true
    allow_sign_up = true
    client_id = {{ .azure.client.id }}
    client_secret = {{ .azure.client.secret }}
    scopes = openid email profile
    auth_url = https://login.microsoftonline.com/{{ .azure.tenantid }}/oauth2/authorize
    token_url = https://login.microsoftonline.com/{{ .azure.tenantid }}/oauth2/token
    api_url =
    team_ids =
    allowed_organizations =
    role_attribute_path = contains(groups[*], '{{ .azure.admin_group }}') && 'Admin' || 'Viewer'

where

{{ .azure.client.id}} is the Azure AD, App registration, Application client ID

{{ .azure.client.secret}} is the client secret associated with the above registered app

{{ .azure.tenantid }} is the Azure AD tenant ID

{{ .azure.admin_group }} is the ObjectID of the Azure AD group you want as Admin roles

Related issues

How to export Extension Attributes from Azure AD to csv using Powershell

How to call AAD graph from Ibiza extension

Azure AD App Service Authorization for a Blazor App in Azure App Svc

Can I configure the SSO SAML with an App Registration (not Enterprise Application)?

How to enable tenant restriction in a correct way

How to start using Service principal already created to update WorkItem in devops

how to do authentication and authorization for the users for the specific regions in azure AD?

How to validate the user id token after user password changes in AD B2C

How to Validate appid of the Azure AD Access

Azure DevOps Test plans for basic User?