How to modify access permissions to Azure Monitor
By default, when a Grafana instance is created, it comes with a Monitoring Reader role granted on all Azure Monitor data and Log Analytics resources within the subscription.
This means that the new Grafana instance can access and search all monitoring data in the subscription. It can view the Azure Monitor metrics and logs from all resources, and any logs stored in Log Analytics workspaces in the subscription.
In this article, learn how to manually grant permission for Azure Managed Grafana to access an Azure resource using a managed identity.
Prerequisites
- An Azure account with an active subscription. Create an account.
- An Azure Managed Grafana instance. If you don't have one yet, create an Azure Managed Grafana instance.
- An Azure resource with monitoring data on which you have write permissions, such as User Access Administrator or Owner.
Sign in to Azure
Sign in to the Azure portal at https://portal.azure.cn/ with your Azure account.
Edit Azure Monitor permissions
To edit permissions for a specific resource, follow these steps.
1. Open a resource that contains the monitoring data you want to retrieve. In this example, we're configuring an Application Insights resource.
2. Select Access Control (IAM).
3. Under Grant access to this resource, select Add role assignment.
4. The portal lists all the roles you can give to your Azure Managed Grafana resource. Select a role, for instance Monitoring Reader, and then select Next.
5. For Assign access to, select Managed identity.
6. Click Select members.
7. Select the Subscription containing your Managed Grafana instance.
8. For Managed identity, select Azure Managed Grafana.
9. Select one or several Managed Grafana instances.
10. Click Select to confirm.
11. Select Next, then Review + assign to confirm the assignment of the new permission.
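After assigning a role on a single resource, it is worth checking whether the Grafana managed identity still holds broader assignments, such as the default subscription-wide Monitoring Reader described at the top of this article. The following is an added example, not part of the original article: it assumes the identity's role assignments were exported with `az role assignment list --all --assignee <principal-id> -o json`, and every ID and resource name in the sample is a constructed placeholder.

```python
import json

# Constructed sample in the shape of
# `az role assignment list --all --assignee <principal-id> -o json`.
# Every ID and resource name below is a placeholder.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
APPI = SUB + "/resourceGroups/rg-app/providers/microsoft.insights/components/appi-web"
GRAFANA_MI = "11111111-1111-1111-1111-111111111111"
SAMPLE = json.dumps([
    {"principalId": GRAFANA_MI, "roleDefinitionName": "Monitoring Reader", "scope": SUB},
    {"principalId": GRAFANA_MI, "roleDefinitionName": "Monitoring Reader", "scope": APPI},
    {"principalId": GRAFANA_MI, "roleDefinitionName": "Reader",
     "scope": SUB + "/resourceGroups/rg-app"},
    {"principalId": "22222222-2222-2222-2222-222222222222",
     "roleDefinitionName": "Owner", "scope": SUB},
])

# Broadest first, used to order findings.
LEVELS = ["management-group", "subscription", "resource-group", "resource", "unknown"]


def scope_level(scope):
    """Classify an ARM scope string by how much of the hierarchy it covers."""
    parts = [p.lower() for p in scope.strip("/").split("/")]
    if parts[:2] == ["providers", "microsoft.management"]:
        return "management-group"
    if parts[0] != "subscriptions" or len(parts) < 2:
        return "unknown"
    if len(parts) == 2:
        return "subscription"
    if parts[2] == "resourcegroups" and len(parts) == 4:
        return "resource-group"
    if "providers" in parts[2:]:
        return "resource"
    return "unknown"


def audit(assignments_json, principal_id, intended_scopes):
    """Return the principal's assignments whose scope is not an intended one."""
    intended = {s.lower().rstrip("/") for s in intended_scopes}
    findings = []
    for a in json.loads(assignments_json):
        scope = a["scope"].rstrip("/")
        if a["principalId"].lower() != principal_id.lower() or scope.lower() in intended:
            continue
        findings.append((scope_level(scope), a["roleDefinitionName"], scope))
    return sorted(findings, key=lambda f: LEVELS.index(f[0]))


if __name__ == "__main__":
    for level, role, scope in audit(SAMPLE, GRAFANA_MI, [APPI]):
        print(f"{level:15} {role:18} {scope}")
```

With the sample data, the script reports the subscription-level Monitoring Reader and the resource-group Reader assignments as broader than the single Application Insights resource that was intended.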