Some questions on authentication with Azure AD

I set up Grafana with our security people to authenticate against Azure AD. They gave me the following pieces of information:

directory id:
appid: (oauthid)
objid:
oauthkey:
a URL. " http://grafana.company.com/login/generic.oath"

In the grafana.ini file I am supposed to (according to Grafana help) modify the following section:
[auth.generic_oauth]
;enabled = false
;name = OAuth
;allow_sign_up = true
;client_id = some_id
;client_secret = some_secret
;scopes = user:email,read:org
;auth_url =
;token_url =
;api_url =
;team_ids =
;allowed_organizations =
;tls_skip_verify_insecure = false
;tls_client_cert =
;tls_client_key =
;tls_client_ca

Other than the appid being correlated to the client ID I don't know where to put in the rest of the info that was provided to me and that I assume I will need. Can anybody assist as to where to go from here?

Nobody familiar with this? Is there any way to reach somebody at Grafana for assistance?

https://grafana.com/docs/support/

Antony.

@pooh that's a really old and outdated documentation.

@jtpryan please read this documentation: https://grafana.com/docs/auth/generic-oauth/#set-up-oauth2-with-azure-active-directory

Thank you. Unfortunately we do not have an Enterprise license. But I need to find somebody that has successfully gotten Azure AD working with Grafana to hopefully get on a call with myself and one of our AD people to correlate what they have with what Grafana wants. Or at least look at what I have and tell me where it lines up with Grafana.ini.

@mefraimsson Thanks, that is exactly the doc I'm working from, it is where I got the .ini settings I posted in the original post. Having that information is what I went to my Azure AD group with. They gave me back the pieces of information also in that post. My problem is I'm not sure what to do with their information as regards the grafana.ini file. They can't help because they don't know Grafana. The fantasy would be to have Grafana talk to my Azure people, but unless you have an enterprise license that isn't going to happen. So all pointers bring me to this group. So I was hoping somebody else implemented Azure AD as an authentication solution that could help.

@pooh that's a really old and outdated documentation.

A pity it's still on the website, then, and comes up as the first Google result for "Grafana support".

@jtpryan please read this documentation: https://grafana.com/docs/auth/generic-oauth/#set-up-oauth2-with-azure-active-directory

Regards,

Antony.

@pooh thanks a lot for letting us know. We'll make sure to fix that.

After some discussions in Grafana Slack with @jtpryan I decided to share my working config publicly. The UI in Azure Portal has changed a lot so the doc is outdated. I tried to describe the steps in as much detail as I could.

grafana.ini:
  paths:
    data: /var/lib/grafana/data
    logs: /var/log/grafana
    plugins: /var/lib/grafana/plugins
    provisioning: /etc/grafana/provisioning
  analytics:
    check_for_updates: true
  log:
    mode: console
  grafana_net:
    url: https://grafana.net
  server:
    # It is really important to set your Grafana root_url here
    # This URL must be set in your app in Azure AD. To do so, go to 
    # Azure Active Directory
    #   -> App registrations and find your app
    #     -> Authentication
    #       -> Redirect URIs
    # You can then set the redirect uri
    # Also you can set the logout URL if you want (it's optional but nice) https://grafana.yourdomain.com/logout
    root_url: "https://grafana.yourdomain.com"
  auth:
    # I disable this because I want to still be able to log in using my admin credentials (which uses Basic Auth)
    oauth_auto_login: false
  auth.anonymous:
    org_name: "Your Company Name Inc."
  auth.generic_oauth:
    # Will customize the button title that initiates OAuth2 API calls. Currently it will display a button under the
    # traditional email/password fields. It will display: "Sign in with Your Company Name Azure AD"
    name: "Your Company Name Azure AD"
    enabled: true
    # Create the user automatically in Grafana if it doesn't exist but is present in your Azure AD entitlement user list.
    # This list can be edited if you go to:
    # Azure Active Directory
    #   -> App registrations
    #     -> Enterprise applications and find your app
    #       -> Users and groups
    # In this section of the Azure portal, you may add any users you need.
    # If your Azure AD allows it you can set up a group instead of adding users manually.
    allow_sign_up: true
    # This is the AppID of the Service principal (the Azure AD app) created by your security team
    client_id: 'appid'
    # Client secret generated in Azure AD. In Azure Portal, you can generate one when you go to
    # Azure Active Directory
    #   -> App registrations and find your app
    #     -> Certificates & secrets
    #       -> New client secret
    client_secret: 'some_secret'
    # Scopes
    #   openid: (required; to indicate that the application intends to use OIDC to verify the user's identity)
    #   email: (so you know where to send the welcome email)
    #   name: (I don't know if it's necessary but it was in Grafana documentation here: https://grafana.com/docs/auth/generic-oauth/#set-up-oauth2-with-azure-active-directory)
    scopes: "openid email name"
    # You can easily get your tenant ID in Azure. Also available in Azure-CLI with command `az account show` if you are on the right subscription
    auth_url: https://login.microsoftonline.com/<your_tenant_id>/oauth2/authorize
    token_url: https://login.microsoftonline.com/<your_tenant_id>/oauth2/token
    # You can reuse the same url here
    api_url: https://graph.microsoft.com/oidc/userinfo

Thanks @ritchyboy would you be interested in contributing an update of the Grafana documentation to correlate the changes happened in Azure portal lately? https://grafana.com/docs/auth/generic-oauth/#set-up-oauth2-with-azure-active-directory

Thanks

@mefraimsson, I would be glad to do this. This documentation is critical for those who need to setup OpenID with Grafana while being restricted over their Azure AD permissions (I know some users here in that situation).


OK, good news! I got it working as far as getting the Azure AD button on the login screen. When I select it I get the following message:

Sorry, but we're having trouble signing you in.

AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application: '<client_id>'.

I reached out to our Azure AD people and they told me...

I don't see the reply URL in your .ini
The grafana appID is configured w/ reply URL - insert URL here

Where can I put that in the .ini file?

In the doc:

Note: It's important to ensure that the root_url in Grafana is set in your Azure Application Reply URLs (App -> Settings -> Reply URLs)

In Azure AD, the Reply URL is the same as the Sign-on URL. According to the doc, the URL you want to put in Azure AD should look like this: https://<grafana domain>/login/generic_oauth

Let me know if it helps.

Thanks.

This is the URL they told me the grafana appID is configured with:

grafana dot company dot com /login/generic_oath

Where "company" is our company name.

So is that what I put in the root_url setting in the grafana.ini file?

The full public facing url you use in browser, used for redirects and emails

If you use reverse proxy and sub path specify full url (with sub path)

;root_url = http://grafana.staged-by-discourse.com

Should be root_url = grafana dot company dot com /login/generic_oath?

Or should that line have the url of the page that actually shows the login screen?

Sorry about the "dot" stuff, they won't let me post links.

@jtpryan only configure root_url if you use a reverse proxy. If you have a reverse proxy that allows you to access grafana using for example the url https://grafana.company.com then you should configure root_url = https://grafana.company.com.

Then, as @ritchyboy explains above, you can use the Reply URL of https://grafana.company.com/login/generic_oauth.

So it appears I have everything set up the way I should but now I'm getting this:

If you're seeing this Grafana has failed to load its application files

  1. This could be caused by your reverse proxy settings.

  2. If you host grafana under subpath make sure your grafana.ini root_url setting includes subpath

  3. If you have a local dev build make sure you build frontend using: yarn start, yarn start:hot, or yarn build

  4. Sometimes restarting grafana-server can help

So how have you configured your reverse proxy and Grafana root_url?

OK, found the right guy here and no, we are not using reverse proxy.

I tried 3 different settings for root_url:

;root_url = http://grafana.staged-by-discourse.com (did not work)
;root_url = https://jimmy-5039-docker-dist-load-test-deploy-grafana-nonprod.np.uscm.company.com (did not work)
root_url = https://grafana.company.com/login/generic_oath

The first one is (as you know) the default. This gives me the AD button which, when selected, gives me:

"AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application: '168c1435-6436-4130-bc10-042e1069f35c'."

The second one is the page for the actual dashboard which gives me the same result as number 1

The last one is what I was told by the AD people is the reply URL. This one gives me no landing page, just:

If you're seeing this Grafana has failed to load its application files

  1. This could be caused by your reverse proxy settings.
  2. If you host grafana under subpath make sure your grafana.ini root_url setting includes subpath
  3. If you have a local dev build make sure you build frontend using: yarn start, yarn start:hot, or yarn build
  4. Sometimes restarting grafana-server can help

Please note that beginning a line with ; in a configuration file is treated as a comment, see documentation.

Yes, I realize that, I kept all three in the ini file for reference and only uncommented one at a time. So right now I am using #3
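The root_url versus reply URL relationship the thread keeps circling around, as an added example that is not part of this thread and not Grafana's own code: a small Python checker that reads a grafana.ini fragment, derives the redirect URI Grafana will send (root_url plus /login/generic_oauth) and compares it with the reply URLs registered on the Azure app, flagging both the AADSTS50011 mismatch and a root_url that wrongly carries the callback path. The ini text, the reply URL list and the check_config helper are constructed for illustration.

```python
import configparser
from urllib.parse import urlparse, urlunparse

CALLBACK_PATH = "/login/generic_oauth"  # Grafana's generic OAuth callback route

# Constructed grafana.ini fragment reproducing the thread's last attempt:
# root_url wrongly carries the callback path. Lines starting with ';' are comments.
SAMPLE_INI = """[server]
;root_url = http://localhost:3000
root_url = https://grafana.company.com/login/generic_oauth

[auth.generic_oauth]
enabled = true
client_id = appid
auth_url = https://login.microsoftonline.com/<tenant_id>/oauth2/authorize
token_url = https://login.microsoftonline.com/<tenant_id>/oauth2/token
"""

# Constructed: the reply URL the Azure AD team registered on the app.
AZURE_REPLY_URLS = ["https://grafana.company.com/login/generic_oauth"]

def expected_redirect_uri(root_url):
    """The redirect_uri Grafana sends to Azure AD: root_url + the callback path."""
    return root_url.rstrip("/") + CALLBACK_PATH

def check_config(ini_text, azure_reply_urls):
    """Return (redirect_uri Azure will see, list of problems) for a grafana.ini text."""
    cp = configparser.ConfigParser(interpolation=None)  # ';' and '#' comments are skipped
    cp.read_string(ini_text)
    problems = []
    root_url = cp.get("server", "root_url", fallback="")
    parsed = urlparse(root_url)
    if parsed.scheme != "https":
        problems.append("root_url is not the public https URL of Grafana")
    if parsed.path.rstrip("/").endswith(CALLBACK_PATH):
        problems.append("root_url must not include /login/generic_oauth; Grafana appends it "
                        "itself (this is what breaks loading of the application files)")
        # Strip the path so the redirect_uri check still reports what Azure would see.
        root_url = urlunparse(parsed._replace(path=parsed.path[: -len(CALLBACK_PATH)]))
    redirect_uri = expected_redirect_uri(root_url)
    if redirect_uri not in azure_reply_urls:
        problems.append(f"AADSTS50011 expected: {redirect_uri} is not a registered reply URL")
    if not cp.has_section("auth.generic_oauth"):
        problems.append("missing [auth.generic_oauth] section (check the header spelling)")
    elif cp.get("auth.generic_oauth", "enabled", fallback="false").lower() != "true":
        problems.append("[auth.generic_oauth] enabled is not true")
    return redirect_uri, problems
```

Run it against the fragment as written and it reports the path problem but no reply URL mismatch; change root_url to the bare https://grafana.company.com and the list comes back empty.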