Some questions on authentication with Azure AD

That doesn’t look right. Should be https://grafana.company.com.

But above I read:

Then, as @ritchyboy explains above, you can use the Reply URL of https://grafana.company.com/login/generic_oauth .

Yes, but that’s something you configure in Azure Portal.

OK, that is what my Azure portal people told me was the reply URL:

“The grafana appID is configured w/ reply URL - https://grafana.company.com/login/generic_oath

So if you visit https://grafana.company.com you should come to startpage/login page of Grafana if you have configured everything correctly.

No, that just gives me a “Site can’t be reached”. Keep in mind this instance of Grafana is running within a docker container on worker nodes at AWS.

Then your first step is to make sure that you can reach Grafana using some URL.

OK, I’m not sure if this all got lost in the beginning, but just to reiterate:

We are deploying a docker container with an image of jmeter writing to an image of influxDB that is then read by an image of Grafana. This is all for internal use by developers testing software in the company. They will launch a Jenkins job with parameters that they have defined to build and deploy this stack. The stack will have a name <stack_name> defined by them. The URL they will hit to display the Grafana dashboard will be made up of https://<stack_name>.<domain_name>.com, so for example:

https://mystack.dist-load-test-deploy-grafana-nonprod.np.us.company.com. Everything after mystack is the domain.

So, if I do all of this without Azure AD, it works fine and we get the dashboard presented and can log in with admin/admin. But this does not meet company security guidelines so we need to interject Azure AD into all of this. That is where it fails and where I am at this point.

That is the long answer to your “some URL” question:grinning:

Thank you for all your responses to this. I realize we do not have a corporate license for this but if it is possible to get a call with you guys and our AD group I might be able to put this thing to bed.

Really hard to help you when we don’t get the complete picture of Grafana configuration, Azure configuration and possibly screenshots/grafana server log. Strip any sensitive information out.

Seems like you were very close in Some questions on authentication with Azure AD, so I would try that again and make sure that the reply URL is configured properly in Azure.

Yeah, I know it’s hard, and I appreciate all your help. My problem is in this company I can’t control the AD environment and rely on others, which takes time. That being said, how do I get the Grafana server log? I need to do this from the shell.

OK, new error attached. I think I’m closer. I get this one when I click the Sign in with Azure AD button.

The change I made was to have the AD people add the url that the button points to. But this does NOT match the root_url in the .ini file.

Anyway, I do not have a grafana.log file anywhere I can find on the server. I looked according to your documentation. Is there somewhere I need to turn logging on?

Should something be on the ‘scopes’ line? Right now I have it commented out.

That was it! I put in scopes = openid and it logs in with AD.


Now all I have to do is figure out how to make it open up to the dashboard without selecting it from the pull down.

Hmmmm, guess I spoke too soon. Because we are using Docker and a stack for this solution each URL for Grafana is deployed with a unique string. That is https://.company.com. So, each group that uses our pipeline to do performance testing gets a unique string by which they can see the results. So, yes, it worked for me, but only with my stack. AD evidently does not do domain / wildcard authentication and Grafana needs to have the exact same string to validate. I’m disappointed, it looks like we need to find another reporting solution.

Another thought. Would some sort of redirection help? So when I click on my personalized URL for my dashboard it redirects me to a login screen which then passes me through to my original URL.

Also, would purchasing a licensed version of Grafana give us added functionality that could solve this problem?

@jtpryan glad you got it to work. Not sure I follow what you’re trying to achieve here, “each URL for Grafana is deployed with a unique string”?

If you find Grafana’s OAuth solution not suitable for your authentication use case, I would recommend looking into using the Grafana Auth Proxy instead: https://grafana.com/docs/auth/auth-proxy/#auth-proxy-authentication

Hello Guys,
I have the below working configuration for Grafana 7.0.1 running on a Windows Server 2016 machine.

  1. Configure the Azure AD application as per requirements and add the Redirect URIs setting:

  2. Grafana Custom.ini file settings (created from the sample.ini file):

```ini
#################################### Azure AD OAuth #######################
[auth.azuread]
name = Azure AD
enabled = true
allow_sign_up = true
client_id = xxxxxxxxxxxxxxxx
client_secret = xxxxxxxxxxxxx
scopes = openid email profile
auth_url = xxxxxxxxxx
token_url = xxxxxxxxxx
;allowed_domains =
;allowed_groups =

#################################### Server ####################################
[server]
# Protocol (http, https, h2, socket)
protocol = https

# The ip address to bind to, empty will bind to all interfaces
;http_addr =

# The http port to use
http_port = 8080

# The public facing domain name used to access grafana from a browser
;domain = localhost

# Redirect to correct domain if host header does not match domain
# Prevents DNS rebinding attacks
;enforce_domain = false

# The full public facing url you use in browser, used for redirects and emails
# If you use reverse proxy and sub path specify full url (with sub path)
root_url = https://127.0.0.1:8080

# Serve Grafana from subpath specified in `root_url` setting. By default it is set to `false` for compatibility reasons.
;serve_from_sub_path = false

# Log web requests
;router_logging = false

# the path relative working path
;static_root_path = public

# enable gzip
;enable_gzip = false

# https certs & key file
cert_file = C:\Program Files\GrafanaLabs\grafana\conf\certificate.crt
cert_key = C:\Program Files\GrafanaLabs\grafana\conf\privateKey.key

# Unix socket path
;socket =
```

With the above configuration settings I was able to successfully log in to Grafana with Azure AD credentials.
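The two things this thread keeps tripping over are a commented-out `scopes` line (Grafana needs `openid`) and a `root_url` that does not produce the exact reply URL registered in Azure AD (the AADSTS50011 error). The following added example, which is not code from the thread or from Grafana, reads an ini file the way Grafana would and reports both problems before anyone clicks the sign-in button. It assumes Grafana's documented login paths (`/login/azuread`, `/login/generic_oauth`), and `SAMPLE_INI` and `REGISTERED` are constructed stand-ins for the posted config and the app registration's reply URLs.

```python
"""Check a Grafana ini against the reply URLs registered for the Azure AD app.
Added example, not from the thread; SAMPLE_INI and REGISTERED are constructed."""
import configparser
from urllib.parse import urlsplit, urlunsplit

# Grafana builds redirect_uri from [server] root_url plus the provider's login path.
LOGIN_PATHS = {"auth.azuread": "login/azuread",
               "auth.generic_oauth": "login/generic_oauth"}

def normalize(url: str) -> str:
    """Scheme and host are case-insensitive; the path is compared exactly."""
    p = urlsplit(url.strip())
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))

def check_oauth_config(ini_text: str, registered: list[str]) -> list[str]:
    """Return the problems found; an empty list means the reply URL check should pass."""
    cfg = configparser.ConfigParser(interpolation=None)   # ';' and '#' lines are comments
    cfg.read_string(ini_text)
    root_url = cfg.get("server", "root_url", fallback="http://localhost:3000").rstrip("/")
    allowed = {normalize(u) for u in registered}
    problems = []
    for section, path in LOGIN_PATHS.items():
        if not cfg.getboolean(section, "enabled", fallback=False):
            continue
        scopes = cfg.get(section, "scopes", fallback="").split()
        if "openid" not in scopes:   # commented-out scopes line leaves this empty
            problems.append(f"[{section}] scopes must include 'openid' (got {scopes!r})")
        redirect = f"{root_url}/{path}"
        if normalize(redirect) not in allowed:   # exact match, no per-stack wildcard
            problems.append(f"[{section}] redirect_uri {redirect} is not a registered "
                            f"reply URL; root_url must be the reply URL minus /{path}")
    return problems

SAMPLE_INI = """\
[auth.azuread]
name = Azure AD
enabled = true
client_id = xxxxxxxx
;scopes = openid email profile
[server]
protocol = https
http_port = 8080
root_url = https://127.0.0.1:8080
"""
REGISTERED = ["https://grafana.company.com/login/azuread"]   # constructed reply URL list

if __name__ == "__main__":
    for problem in check_oauth_config(SAMPLE_INI, REGISTERED):
        print("PROBLEM:", problem)
```

Uncommenting `scopes` and setting `root_url = https://grafana.company.com` makes the check come back empty, which is the combination the thread ends up with.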

I’m also attempting to set up Grafana login using Azure AD. I have my Custom.ini much like yours, but after clicking the “Sign in with Microsoft” button I receive an error like this:

This site can’t provide a secure connection

server-name.azadprod.local sent an invalid response.

  • Try running Windows Network Diagnostics.

ERR_SSL_PROTOCOL_ERROR

Any ideas? Thanks.

Hi @mefraimsson and Grafana Team,

I am facing the same issue that you are discussing here. Below are the issue details and current status. Please help me with this. Attached are the screenshots for more info.

I am using Grafana 7.1, the latest version. I have followed the link below to implement OAuth2 authentication with Azure AD while accessing the Grafana dashboard. I am getting the error below while logging into it. I see there is a misconfiguration with the redirect URL and root_url. I log in using “http://xyz.eastus.cloudapp.azure.com:3000/login”. Once I log in to the Grafana dashboard the URL looks like “http://xyz.eastus.cloudapp.azure.com:3000

AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: ‘’.