Setting up Azure AD SSO (Single Sign-On) for Grafana in a Docker Compose environment involves configuring Grafana to use OAuth2 for authentication and registering an application in Azure Active Directory.
Here’s a step-by-step guide:
1. Register an Application in Azure Active Directory
This step creates the necessary application registration in Azure AD that Grafana will use to authenticate users.
Log in to Azure Portal: Go to portal.azure.com.
Navigate to Azure Active Directory: In the search bar, type “Azure Active Directory” and select it.
App registrations: In the left-hand menu, under Manage, click on App registrations.
New registration: Click + New registration.
Register an application:
- Name: Give your application a descriptive name (e.g.,
Grafana-SSO
). - Supported account types: Choose the option that best suits your organization (e.g., “Accounts in this organizational directory only (Default Directory only - Single tenant)”).
- Redirect URI (optional):
- Select Web from the dropdown.
- Enter the Redirect URI. This is the URL where Azure AD will send the authentication response after a user logs in. It typically follows the format:
http://YOUR_GRAFANA_URL/login/azuread
.- Example for local development:
http://localhost:3000/login/azuread
- Example for production:
https://your.grafana.domain.com/login/azuread
- Example for local development:
- Important: If you access Grafana via multiple URLs, add all of them as Redirect URIs.
- Name: Give your application a descriptive name (e.g.,
Register: Click the Register button.
Record Application (client) ID and Directory (tenant) ID: Once registered, you’ll be redirected to the application’s overview page. Make a note of the Application (client) ID and Directory (tenant) ID. You’ll need these for Grafana’s configuration.
Certificates & secrets: In the left-hand menu, under Manage, click on Certificates & secrets.
- New client secret: Click + New client secret.
- Description: Provide a description (e.g.,
Grafana Client Secret
). - Expires: Choose an expiration period. Never is an option for simplicity in testing, but for production, select a specific period and plan for rotation.
- Add: Click Add.
- Record Client Secret: Immediately copy the
Value
of the client secret. This value is shown only once and is crucial for Grafana to authenticate with Azure AD. If you lose it, you’ll have to create a new one.
API permissions (Optional but recommended for user attributes):
- In the left-hand menu, under Manage, click on API permissions.
- Add a permission: Click + Add a permission.
- Microsoft Graph: Select Microsoft Graph.
- Delegated permissions:
- Under OpenId permissions, select
openid
,profile
,email
. - Under User, select
User.Read
.
- Under OpenId permissions, select
- Add permissions: Click Add permissions.
- Grant admin consent (if applicable): If you are an administrator, click “Grant admin consent for [Your Tenant Name]” to grant these permissions to all users in your directory, otherwise, users will be prompted for consent on their first login.
2. Configure Grafana in Docker Compose
Now, you’ll update your docker-compose.yml
file to include the Azure AD OAuth2 configuration for Grafana.
Below is an example docker-compose.yml
snippet for Grafana with Azure AD SSO configuration.
1 | version: '3.8' |
Explanation of Grafana Environment Variables:
GF_AUTH_AZUREAD_ENABLED=true
: Enables the Azure AD OAuth2 authentication.GF_AUTH_AZUREAD_NAME="Azure AD"
: The text displayed on the login button in Grafana.GF_AUTH_AZUREAD_CLIENT_ID
: Replace<YOUR_APPLICATION_CLIENT_ID>
with the Application (client) ID from your Azure AD app registration.GF_AUTH_AZUREAD_CLIENT_SECRET
: Replace<YOUR_CLIENT_SECRET_VALUE>
with the secret Value you copied from Azure AD.GF_AUTH_AZUREAD_SCOPES
: Defines the user information Grafana requests.openid
,email
,profile
are standard. If you want group membership for role mapping, you might needGroup.Read.All
(requires admin consent).GF_AUTH_AZUREAD_AUTH_URL
: The authorization endpoint. Usehttps://login.microsoftonline.com/<YOUR_DIRECTORY_TENANT_ID>/oauth2/v2.0/authorize
. Replace<YOUR_DIRECTORY_TENANT_ID>
with your Azure AD Directory (tenant) ID.GF_AUTH_AZUREAD_TOKEN_URL
: The token endpoint. Usehttps://login.microsoftonline.com/<YOUR_DIRECTORY_TENANT_ID>/oauth2/v2.0/token
. Replace<YOUR_DIRECTORY_TENANT_ID>
with your Azure AD Directory (tenant) ID.GF_AUTH_AZUREAD_ALLOWED_GROUPS
(Optional): If you want to restrict Grafana login to specific Azure AD groups, provide a comma-separated list of their Object IDs. You can find group Object IDs in Azure AD under “Groups”.GF_AUTH_AZUREAD_ROLES_ATTRIBUTE_PATH
(Optional but powerful): This allows you to map Azure AD roles or group memberships to Grafana roles (Admin, Editor, Viewer). The example shown checks if the user has specific roles assigned in Azure AD (which you can configure in your Azure AD application manifest under “appRoles”). You’d define these roles in your Azure AD app manifest first.- Note: For group-based role mapping, you might need to configure the Azure AD application manifest to emit group claims in the token. Look for
groupMembershipClaims
in the manifest.
- Note: For group-based role mapping, you might need to configure the Azure AD application manifest to emit group claims in the token. Look for
GF_AUTH_AZUREAD_AUTO_MAP_USERS=true
: Automatically creates Grafana users for users logging in via Azure AD.GF_AUTH_AZUREAD_API_URL
: The Microsoft Graph API endpoint to fetch additional user details (like groups or specific attributes).GF_AUTH_AZUREAD_EMAIL_ATTRIBUTE_NAME
: The attribute from Azure AD’s user profile that Grafana should use as the user’s email.email
is common.GF_AUTH_AZUREAD_LOGIN_ATTRIBUTE_NAME
: The attribute from Azure AD’s user profile that Grafana should use as the user’s login name.upn
(User Principal Name) is common.
3. Run Grafana with Docker Compose
After saving your docker-compose.yml
file:
Open your terminal in the directory where your
docker-compose.yml
file is located.Start Grafana:
1
docker compose up -d
(Or
docker-compose up -d
for older Docker Compose versions).Access Grafana: Open your web browser and navigate to your Grafana URL (e.g.,
http://localhost:3000
or your domain).
You should now see an “Azure AD” login button (or whatever you named it) on the Grafana login page. Clicking it will redirect you to the Microsoft login page. After successful authentication with Azure AD, you’ll be redirected back to Grafana and logged in.
Important Considerations:
- HTTPS: For production environments, always use HTTPS for your Grafana instance. This requires a reverse proxy (like Nginx or Caddy) in front of Grafana to handle SSL termination. Your Grafana
GF_SERVER_ROOT_URL
and Azure AD Redirect URI should reflecthttps://
. - Firewall/Networking: Ensure that your Grafana instance can reach
login.microsoftonline.com
andgraph.microsoft.com
. - Client Secret Management: Never commit your client secrets directly to version control. Use Docker Secrets or environment variables from a secure source for production deployments.
- Grafana Admin Privileges: The first user who logs in via SSO when
auto_map_users
is enabled often becomes an Org Admin by default, or you can control this with role mapping. - Troubleshooting: If you encounter issues, check Grafana’s logs (
docker compose logs grafana
) for OAuth2 errors. Also, review your Azure AD app registration settings carefully, especially the Redirect URIs and API permissions.