Governance Policies Azure Management Managed Grafana - Azure/az-prototype GitHub Wiki

Managed Grafana

Governance policies for Managed Grafana

Domain: azure-management

Patterns

| Name | Description |
|---|---|
| Managed Grafana with private endpoint and Azure Monitor integration | Standard Grafana with private access, managed identity, zone redundancy, and Azure Monitor data sources |

Anti-Patterns

| Description | Instead |
|---|---|
| Do not enable API key authentication | Set apiKey to Disabled and use Microsoft Entra ID authentication |
| Do not configure data sources with stored credentials | Use managed identity with Monitoring Reader role for Azure Monitor data sources |

References


Checks (4)

| Check | Severity | Description |
|---|---|---|
| AZ-GRF-001 | Required | Deploy Azure Managed Grafana with managed identity, deterministic outbound IP, and no public access |
| AZ-GRF-002 | Required | Disable API key authentication — use Microsoft Entra ID only |
| AZ-GRF-003 | Recommended | Enable zone redundancy for high availability |
| AZ-GRF-004 | Recommended | Grant Grafana managed identity Monitoring Reader role on all data sources |

AZ-GRF-001

Deploy Azure Managed Grafana with managed identity, deterministic outbound IP, and no public access

Severity: Required
Rationale: Grafana dashboards access sensitive metrics; managed identity secures data source connections without stored credentials, and a deterministic outbound IP lets data source firewalls allow-list Grafana's egress
Agents: terraform-agent, bicep-agent, cloud-architect

Targets

  • Microsoft.Dashboard/grafana

Companion Resources

| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Network/privateEndpoints | pe-grafana | Private endpoint for Managed Grafana to secure dashboard access |
| Microsoft.Network/privateDnsZones | privatelink.grafana.azure.com | Private DNS zone for Managed Grafana private endpoint resolution |
| Microsoft.Authorization/roleAssignments | Grafana Admin / Editor / Viewer | RBAC role assignments for Grafana dashboard access — use Viewer for read-only, Editor for dashboard creation |
| Microsoft.Authorization/roleAssignments | Monitoring Reader on data sources | Grant Grafana managed identity Monitoring Reader on Log Analytics and Azure Monitor workspaces |

AZ-GRF-002

Disable API key authentication — use Microsoft Entra ID only

Severity: Required
Rationale: API keys bypass Entra ID authentication and cannot be audited per-user
Agents: terraform-agent, bicep-agent, cloud-architect

Targets

  • Microsoft.Dashboard/grafana

AZ-GRF-003

Enable zone redundancy for high availability

Severity: Recommended
Rationale: Zone redundancy ensures dashboard availability during availability zone failures
Agents: terraform-agent, bicep-agent, cloud-architect

Targets

  • Microsoft.Dashboard/grafana

AZ-GRF-004

Grant Grafana managed identity Monitoring Reader role on all data sources

Severity: Recommended
Rationale: Managed identity access to Azure Monitor eliminates credential management for data source connections
Agents: terraform-agent, bicep-agent, cloud-architect, monitoring-agent

Targets

  • Microsoft.Dashboard/grafana
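The following Bicep module is an added example, not code from the az-prototype wiki, showing one deployment that satisfies AZ-GRF-001 through AZ-GRF-004 and avoids both anti-patterns in a single resource definition. It assumes a resource-group-scoped deployment in which the private endpoint subnet, the Log Analytics workspace and the Azure Monitor workspace already exist in the same resource group; the parameter names, the `grf-example` name and the Log Analytics / Azure Monitor workspace names are placeholders. The `apiKey`, `publicNetworkAccess`, `deterministicOutboundIP` and `zoneRedundancy` properties are the real settings of `Microsoft.Dashboard/grafana` that the checks govern; the role definition ID is the built-in Monitoring Reader role.

```bicep
// Added example (not the wiki's own code): compliant Managed Grafana deployment.
// Assumes resource-group scope and that the subnet and both workspaces exist here.
param location string = resourceGroup().location
param grafanaName string = 'grf-example'          // placeholder name
param privateEndpointSubnetId string              // assumed: existing subnet resource ID
param logAnalyticsWorkspaceName string            // assumed: existing Log Analytics workspace (same RG)
param azureMonitorWorkspaceName string            // assumed: existing Azure Monitor workspace (same RG)

// Built-in Monitoring Reader role (AZ-GRF-004).
var monitoringReaderRoleId = subscriptionResourceId(
  'Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')

resource logAnalytics 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
  name: logAnalyticsWorkspaceName
}

resource monitorWorkspace 'Microsoft.Monitor/accounts@2023-04-03' existing = {
  name: azureMonitorWorkspaceName
}

resource grafana 'Microsoft.Dashboard/grafana@2023-09-01' = {
  name: grafanaName
  location: location
  sku: { name: 'Standard' }
  identity: { type: 'SystemAssigned' }    // AZ-GRF-001: managed identity, no stored data source credentials
  properties: {
    apiKey: 'Disabled'                    // AZ-GRF-002: anti-pattern is apiKey: 'Enabled'; Entra ID only
    publicNetworkAccess: 'Disabled'       // AZ-GRF-001: dashboards reachable only via the private endpoint
    deterministicOutboundIP: 'Enabled'    // AZ-GRF-001: stable egress IP for data source firewall rules
    zoneRedundancy: 'Enabled'             // AZ-GRF-003: survive a single availability zone failure
    grafanaIntegrations: {
      azureMonitorWorkspaceIntegrations: [
        { azureMonitorWorkspaceResourceId: monitorWorkspace.id }
      ]
    }
  }
}

// Companion resources for AZ-GRF-001: private DNS zone and private endpoint.
resource privateDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.grafana.azure.com'
  location: 'global'
}

resource privateEndpoint 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-grafana'
  location: location
  properties: {
    subnet: { id: privateEndpointSubnetId }
    privateLinkServiceConnections: [
      {
        name: 'grafana'
        properties: {
          privateLinkServiceId: grafana.id
          groupIds: [ 'grafana' ]       // Managed Grafana private link sub-resource
        }
      }
    ]
  }
}

resource dnsZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: privateEndpoint
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      { name: 'grafana', properties: { privateDnsZoneId: privateDnsZone.id } }
    ]
  }
}

// AZ-GRF-004: Monitoring Reader for the Grafana identity on each data source.
// guid() over scope + principal + role keeps the assignment name deterministic.
resource readerOnLogAnalytics 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(logAnalytics.id, grafana.id, monitoringReaderRoleId)
  scope: logAnalytics
  properties: {
    roleDefinitionId: monitoringReaderRoleId
    principalId: grafana.identity.principalId
    principalType: 'ServicePrincipal'
  }
}

resource readerOnMonitorWorkspace 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(monitorWorkspace.id, grafana.id, monitoringReaderRoleId)
  scope: monitorWorkspace
  properties: {
    roleDefinitionId: monitoringReaderRoleId
    principalId: grafana.identity.principalId
    principalType: 'ServicePrincipal'
  }
}
```

Data sources that live in another resource group need the role assignment deployed as a module at that scope rather than the inline `scope:` shown here. The user-facing Grafana Admin / Editor / Viewer assignments from the companion resources table are deliberately left out: they are granted to people and groups on the Grafana resource itself, separately from the data-plane identity handled above, and a reviewer checking AZ-GRF-002 should confirm that no `apiKey: 'Enabled'` override is introduced by a later parameter file or policy exemption.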
