| title | How to modify access permissions to Azure Monitor | ||
|---|---|---|---|
| description | Learn how to grant and manage permissions for your Azure Managed Grafana workspace to access monitoring data in Azure. | ||
| author | maud-lv | ||
| ms.author | malev | ||
| ms.service | azure-managed-grafana | ||
| ms.topic | how-to | ||
| ms.date | 09/30/2025 | ||
| ms.custom |
|
By default, when a Grafana workspace is created, it comes with a Monitoring Reader role granted on all Azure Monitor data and Log Analytics resources within the subscription.
This means that the new Grafana workspace can access and search all monitoring data in the subscription. It can view the Azure Monitor metrics and logs from all resources, and any logs stored in Log Analytics workspaces in the subscription.
In this article, learn how to manually grant permission for Azure Managed Grafana to access Azure resources using a managed identity.
- An Azure account with an active subscription. Create an account for free.
- An Azure Managed Grafana workspace. If you don't have one yet, create an Azure Managed Grafana workspace.
- An Azure resource with monitoring data and write permissions, such as User Access Administrator or Owner.
Sign in to the Azure portal at https://portal.azure.com/ with your Azure account.
To edit permissions for a specific resource, follow these steps.
- Open a resource that contains the monitoring data you want to retrieve. In this example, we're configuring an Application Insights resource.
- Select Access Control (IAM).
- Under Grant access to this resource, select Add role assignment.

  :::image type="content" source="./media/permissions/permissions-iam.png" alt-text="Screenshot of the Azure platform to add role assignment in App Insights.":::
- The portal lists all the roles you can give to your Azure Managed Grafana resource. Select a role, for instance Monitoring Reader, and select Next.

  :::image type="content" source="./media/permissions/permissions-role.png" alt-text="Screenshot of the Azure platform and choose Monitor Reader.":::
- For Assign access to, select Managed identity.
- Click on Select members.

  :::image type="content" source="media/permissions/permissions-members.png" alt-text="Screenshot of the Azure platform selecting members.":::
- Select the Subscription containing your Azure Managed Grafana workspace.
- For Managed identity, select Azure Managed Grafana.
- Select one or several Azure Managed Grafana workspaces.
- Click Select to confirm.

  :::image type="content" source="media/permissions/permissions-managed-identities.png" alt-text="Screenshot of the Azure platform selecting the workspace.":::
- Select Next, then Review + assign to confirm the assignment of the new permission.
For more information about how to use Azure Managed Grafana with Azure Monitor, go to Monitor your Azure services in Grafana.
Create a role assignment using the `az role assignment create` command.
In the code below, replace the following placeholders:
- `<assignee>`: If you use the `--assignee` parameter, enter the assignee's object ID, user sign-in name, or service principal name. If you use the `--assignee-object-id` parameter, enter the object ID of a user, group, service principal, or managed identity. For managed identities, use the principal ID. For service principals, use the object ID and not the app ID. For more information, refer to the az role assignment create command.
- `<roleNameOrId>`: Enter the role's name or ID. For Monitoring Reader, enter `Monitoring Reader` or `43d0d8ad-25c7-4714-9337-8ba259a9fe05`.
- `<scope>`: Enter the full ID of the resource Azure Managed Grafana needs access to.
```azurecli
az role assignment create --assignee "<assignee>" \
--role "<roleNameOrId>" \
--scope "<scope>"
```
or
```azurecli
az role assignment create --assignee-object-id "<assignee>" \
--assignee-principal-type "<ForeignGroup / Group / ServicePrincipal / User>" \
--role "<roleNameOrId>" \
--scope "<scope>"
```
Example: assigning permission for an Azure Managed Grafana workspace to access an Application Insights resource using a managed identity.
```azurecli
az role assignment create --assignee-object-id "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb" \
--assignee-principal-type "ServicePrincipal" \
--role "Monitoring Reader" \
--scope "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/my-rg/providers/microsoft.insights/components/myappinsights/"
```
For more information about assigning Azure roles using the Azure CLI, refer to the Role-based access control documentation.
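Because a new workspace starts with Monitoring Reader on the whole subscription, it is worth checking at which scopes its managed identity actually holds roles after you add resource-level assignments. The script below is an added example, not part of the original article: it classifies each assignment scope and flags those granted at subscription or management-group level. The function names and sample rows are constructed for illustration, and `audit_identity` assumes a signed-in Azure CLI and takes the identity's principal ID.

```shell
#!/bin/sh
# Added example: audit the scopes at which a managed identity holds roles.
# Function names and the sample data are illustrative, not from the article.

# classify_scope SCOPE: print the level of an Azure scope string.
classify_scope() {
  # Drop a trailing slash and lowercase; resource IDs are case-insensitive.
  _s=$(printf '%s' "${1%/}" | tr '[:upper:]' '[:lower:]')
  case "$_s" in
    /subscriptions/*/resourcegroups/*/providers/*/*/*) echo resource ;;
    /subscriptions/*/resourcegroups/*/*) echo unknown ;;
    /subscriptions/*/resourcegroups/*) echo resource-group ;;
    /subscriptions/*/*) echo unknown ;;
    /subscriptions/*) echo subscription ;;
    /providers/microsoft.management/managementgroups/*) echo management-group ;;
    *) echo unknown ;;
  esac
}

# flag_broad_assignments: read "role<TAB>scope" lines on stdin and print the
# ones granted at subscription or management-group level.
flag_broad_assignments() {
  _tab=$(printf '\t')
  while IFS="$_tab" read -r _role _scope || [ -n "$_role" ]; do
    [ -n "$_scope" ] || continue
    _level=$(classify_scope "$_scope")
    case "$_level" in
      subscription|management-group)
        printf 'BROAD\t%s\t%s\t%s\n' "$_level" "$_role" "$_scope" ;;
    esac
  done
}

# audit_identity PRINCIPAL_ID: live check; requires a signed-in Azure CLI.
audit_identity() {
  az role assignment list --assignee "$1" --all \
    --query '[].[roleDefinitionName, scope]' --output tsv |
    flag_broad_assignments
}

# Constructed sample of the TSV rows the query above produces (not real output).
SAMPLE=$(printf '%s\t%s\n' \
  'Monitoring Reader' '/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e' \
  'Monitoring Reader' '/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/my-rg/providers/microsoft.insights/components/myappinsights/')
printf '%s\n' "$SAMPLE" | flag_broad_assignments
```

Any `BROAD` row means the identity can still read monitoring data beyond the individual resources you assigned.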