Some questions on authentication with Azure AD

I set up Grafana with our security people to authenticate against Azure AD. They gave me the following pieces of information:

directory id:
appid: (oauthid)
objid:
oauthkey:
a URL: "http://grafana.company.com/login/generic.oath"

In the grafana.ini file I am supposed to (according to Grafana help) modify the following section:
[auth.generic_oauth]
;enabled = false
;name = OAuth
;allow_sign_up = true
;client_id = some_id
;client_secret = some_secret
;scopes = user:email,read:org
;auth_url =
;token_url =
;api_url =
;team_ids =
;allowed_organizations =
;tls_skip_verify_insecure = false
;tls_client_cert =
;tls_client_key =
;tls_client_ca =

Other than the appid being correlated to the client ID, I don’t know where to put in the rest of the info that was provided to me and that I assume I will need. Can anybody assist as to where to go from here?

Nobody familiar with this? Is there any way to reach somebody at Grafana for assistance?

https://grafana.com/docs/support/

Antony.

@pooh that’s a really old and outdated documentation.

@jtpryan please read this documentation: https://grafana.com/docs/auth/generic-oauth/#set-up-oauth2-with-azure-active-directory

Thank you. Unfortunately we do not have an Enterprise license. But I need to find somebody that has successfully gotten Azure AD working with Grafana to hopefully get on a call with myself and one of our AD people to correlate what they have with what Grafana wants. Or at least look at what I have and tell me where it lines up with Grafana.ini.

@mefraimsson Thanks, that is exactly the doc I’m working from, it is where I got the .ini settings I posted in the original post. Having that information is what I went to my Azure AD group with. They gave me back the pieces of information also in that post. My problem is I’m not sure what to do with their information as regards the grafana.ini file. They can’t help because they don’t know Grafana. The fantasy would be to have Grafana talk to my Azure people, but unless you have an enterprise license that isn’t going to happen. So all pointers bring me to this group. So I was hoping somebody else implemented Azure AD as an authentication solution that could help.

> @pooh that’s a really old and outdated documentation.

A pity it’s still on the website, then, and comes up as the first Google result for “Grafana support”.

> @jtpryan please read this documentation:
> https://grafana.com/docs/auth/generic-oauth/#set-up-oauth2-with-azure-active-directory

Regards,

Antony.

@pooh thanks a lot for letting us know. We’ll make sure to fix that.

After some discussions in Grafana Slack with @jtpryan I decided to share my working config publicly. The UI in Azure Portal has changed a lot, so the doc is outdated. I tried to describe the steps as much as I could.

grafana.ini:
  paths:
    data: /var/lib/grafana/data
    logs: /var/log/grafana
    plugins: /var/lib/grafana/plugins
    provisioning: /etc/grafana/provisioning
  analytics:
    check_for_updates: true
  log:
    mode: console
  grafana_net:
    url: https://grafana.net
  server:
    # It is really important to set your Grafana root_url here.
    # This URL must be set in your app in Azure AD. To do so, go to
    # Azure Active Directory
    #   -> App registrations and find your app
    #     -> Authentication
    #       -> Redirect URIs
    # You can then set the redirect URI.
    # Also you can set the logout URL if you want (it's optional but nice): https://grafana.yourdomain.com/logout
    root_url: "https://grafana.yourdomain.com"
  auth:
    # I disable this because I want to still be able to log in using my admin credentials (which use Basic Auth)
    oauth_auto_login: false
  auth.anonymous:
    org_name: "Your Company Name Inc."
  auth.generic_oauth:
    # Will customize the button title that initiates OAuth2 API calls. Currently it will display a button under the
    # traditional email/password fields. It will display: "Sign in with Your Company Name Azure AD"
    name: "Your Company Name Azure AD"
    enabled: true
    # Create the user automatically in Grafana if it doesn't exist but is present in your Azure AD entitlement user list.
    # This list can be edited if you go to:
    # Azure Active Directory
    #   -> App registrations
    #     -> Enterprise applications and find your app
    #       -> Users and groups
    # In this section of the Azure portal, you may add any users you need.
    # If your Azure AD allows it you can set up a group instead of adding users manually.
    allow_sign_up: true
    # This is the AppID of the service principal (the Azure AD app) created by your security team
    client_id: 'appid'
    # Client secret generated in Azure AD. In Azure Portal, you can generate one when you go to
    # Azure Active Directory
    #   -> App registrations and find your app
    #     -> Certificates & secrets
    #       -> New client secret
    client_secret: 'some_secret'
    # Scopes
    #   openid: (required; to indicate that the application intends to use OIDC to verify the user's identity)
    #   email: (so you know where to send the welcome email)
    #   name: (I don't know if it's necessary but it was in Grafana documentation here: https://grafana.com/docs/auth/generic-oauth/#set-up-oauth2-with-azure-active-directory)
    scopes: "openid email name"
    # You can easily get your tenant ID in Azure. Also available in Azure CLI with command `az account show` if you are on the right subscription
    auth_url: https://login.microsoftonline.com/<your_tenant_id>/oauth2/authorize
    token_url: https://login.microsoftonline.com/<your_tenant_id>/oauth2/token
    # You can reuse the same url here
    api_url: https://graph.microsoft.com/oidc/userinfo
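
As an added example (not from this thread or from Grafana), a small checker that reads the [server] and [auth.generic_oauth] sections of a grafana.ini in the plain ini form the original question quotes and reports the points the working config above relies on: both Microsoft login URLs carry the same tenant id, openid is in the scopes, tls_skip_verify_insecure stays false, and root_url yields the redirect URI the Azure AD app must list. The sample ini, its hostnames and ids are constructed placeholders; /login/generic_oauth is Grafana's generic OAuth callback path.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample: the pieces a security team hands over, filled into the
# ini section quoted in the original question. Ids and secret are fake.
SAMPLE_INI = """
[server]
root_url = https://grafana.example.com

[auth.generic_oauth]
enabled = true
name = Example Corp Azure AD
allow_sign_up = true
client_id = 11111111-2222-3333-4444-555555555555
client_secret = replace-with-real-secret
scopes = openid email name
auth_url = https://login.microsoftonline.com/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/oauth2/authorize
token_url = https://login.microsoftonline.com/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/oauth2/token
api_url = https://graph.microsoft.com/oidc/userinfo
tls_skip_verify_insecure = false
"""


def tenant_of(url):
    """Tenant id segment of an https://login.microsoftonline.com/<tenant>/... URL, else None."""
    p = urlparse(url)
    parts = p.path.strip("/").split("/")
    if p.scheme != "https" or p.hostname != "login.microsoftonline.com" or len(parts) < 3:
        return None
    return parts[0]


def check_oauth_config(ini_text):
    """Return (redirect_uri, problems); redirect_uri is what the Azure AD app must register."""
    cfg = configparser.ConfigParser(interpolation=None)  # ';' and '#' comments are skipped
    cfg.read_string(ini_text)
    sec = "auth.generic_oauth"
    o = cfg[sec]
    problems = []
    if not cfg.getboolean(sec, "enabled", fallback=False):
        problems.append("enabled is not true")
    for key in ("client_id", "client_secret"):
        if not o.get(key, "").strip():
            problems.append(f"{key} is empty")
    scopes = o.get("scopes", "").replace(",", " ").split()
    if "openid" not in scopes:
        problems.append("scopes must include openid for OIDC")
    tenants = {tenant_of(o.get(k, "")) for k in ("auth_url", "token_url")}
    if None in tenants or len(tenants) != 1:
        problems.append("auth_url and token_url must both be https login.microsoftonline.com URLs for the same tenant")
    if cfg.getboolean(sec, "tls_skip_verify_insecure", fallback=False):
        problems.append("tls_skip_verify_insecure disables certificate checks; keep it false")
    root = cfg.get("server", "root_url", fallback="").rstrip("/")
    if not root.startswith("https://"):
        problems.append("server.root_url must be an absolute https URL")
    return root + "/login/generic_oauth", problems
```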

Thanks @ritchyboy, would you be interested in contributing an update of the Grafana documentation to correlate the changes that have happened in the Azure portal lately? https://grafana.com/docs/auth/generic-oauth/#set-up-oauth2-with-azure-active-directory

Thanks

@mefraimsson, I would be glad to do this. This documentation is critical for those who need to set up OpenID with Grafana while being restricted over their Azure AD permissions (I know some users here in that situation).
