How to give external tenant users reader-access to azure managed Grafana instance in another tenant?

Question

How to give external tenant users reader-access to azure managed Grafana instance in another tenant?

Mahmoodi, Somayeh (Admin) 80

Hi,

I need help on giving reader-access to external tenant users to azure managed Grafana instance in internal tenant. Do I need to register an app in external tenant? In this case, should I give the Grafana endpoint in another subscription as a link for redirection after authentication? what do I need to do in Grafana instance?

Thank you

RevelinoB 3,685 Reputation points

2025-11-05T19:05:58.36+00:00
Hello Mahmoodi, Somayeh (Admin)

Here's a step-by-step approach to help you achieve this:

1.Adding External Users: You can invite external users as guests in your Microsoft Entra ID. To do so:

In the Azure portal, navigate to Microsoft Entra ID.

Go to Users > New user > Invite external user.

Enter the external user's email address and assign any necessary roles.

2.Assigning Roles: After the external users accept the invite:

Go to your Azure Managed Grafana instance.

Open Access Control (IAM) and assign them the Grafana Viewer or Grafana Reader role.

3.Access URL: Share the Grafana URL (e.g., https://your-instance.grafana.azure.com) with the external users. They will log in using their own credentials.

Regarding the use of a B2C tenant, Azure Managed Grafana requires users to authenticate using Microsoft Entra IDs. Unfortunately, external users cannot log in via B2C without some specific configurations in your environment. Azure Managed Grafana does not support non-Entra ID accounts, meaning that if you're strictly limited to B2C, users won’t be able to access Grafana without an Entra ID account.

Key Considerations:

App Registration: Registering an app in the external tenant is typically unnecessary unless you are creating a custom OAuth flow, which isn't common for this setup.

Cross-tenant Authentication: If you must allow access via B2C, you’ll likely face significant authorization hurdles, and it’s generally not the recommended path for Grafana.

Hope this helps! If you have further questions or need clarification on specific points, feel free to ask!

References:

Add a guest user

Manage access and permissions for users and identities

Configure Azure Managed Grafana authentication and permissions

Known Limitations of Azure Managed Grafana

Monitor your Azure resources

Thank you.
Mahmoodi, Somayeh (Admin) 80 Reputation points

2025-11-06T02:22:43.0933333+00:00

thank you for your reply. For a reason, I need to use B2C tenant instead of B2B.
Siva shunmugam Nadessin 3,025 Reputation points Microsoft External Staff Moderator

2025-11-07T01:06:54.1866667+00:00

Hello Mahmoodi, Somayeh (Admin)

As I recall the cleanest way is to just invite the external users as guest (B2B) users into your tenant through Entra ID → Users → New guest user. Once they accept the invite, you can go to your Azure Managed Grafana instance, open Access control (IAM), and assign them the Grafana Viewer or Grafana Reader role.

They’ll then be able to sign in using their own credentials from their home tenant, and Azure handles the cross-tenant authentication automatically. The Grafana endpoint (for example, https://your-instance.grafana.azure.com) stays the same — no special redirect URI or separate app registration needed.

You only need to register an app in the external tenant if you want a fully separate OAuth flow (which isn’t typical for Azure Managed Grafana).

So in short: → Invite external users as guests → Assign them the Grafana role in IAM → Share the Grafana URL — they’ll log in normally

That should work fine.

If you have any questions please let me know.

Thank you.
Mahmoodi, Somayeh (Admin) 80 Reputation points

2025-12-04T17:13:18.5366667+00:00

thank you for your response. I made some research that I like to share the results. First, Azure Managed Grafana (AMG) can't be multi-tenant. So, if the authentication needs to be done in External tenant, Grafana instance should be created there and our internal users should use their non-company ID's to access the instance, like external users. AMG also can't support custom domain directly. question: Can I use custom domain with AMG as discussed in https://learn.microsoft.com/en-us/entra/external-id/customers/concept-custom-url-domain and having authentication/authorization using Entra External? Second, do I need to register an app for this scenario? Third, do I have to have Azure Front door for reverse proxy? Is there a cheaper option for it? I appreciate any help on this.
Mahmoodi, Somayeh (Admin) 80 Reputation points

2025-12-04T17:19:04.01+00:00

thank you for your response.

Answer accepted by question author

0 additional answers

Your answer

RevelinoB 3,685 Reputation points

2025-11-05T19:05:58.36+00:00

Hello Mahmoodi, Somayeh (Admin)

Here's a step-by-step approach to help you achieve this:

1.Adding External Users: You can invite external users as guests in your Microsoft Entra ID. To do so:

In the Azure portal, navigate to Microsoft Entra ID.

Go to Users > New user > Invite external user.

Enter the external user's email address and assign any necessary roles.

2.Assigning Roles: After the external users accept the invite:

Go to your Azure Managed Grafana instance.

Open Access Control (IAM) and assign them the Grafana Viewer or Grafana Reader role.

3.Access URL: Share the Grafana URL (e.g., https://your-instance.grafana.azure.com) with the external users. They will log in using their own credentials.

Regarding the use of a B2C tenant, Azure Managed Grafana requires users to authenticate using Microsoft Entra IDs. Unfortunately, external users cannot log in via B2C without some specific configurations in your environment. Azure Managed Grafana does not support non-Entra ID accounts, meaning that if you're strictly limited to B2C, users won’t be able to access Grafana without an Entra ID account.

Key Considerations:

App Registration: Registering an app in the external tenant is typically unnecessary unless you are creating a custom OAuth flow, which isn't common for this setup.

Cross-tenant Authentication: If you must allow access via B2C, you’ll likely face significant authorization hurdles, and it’s generally not the recommended path for Grafana.

Hope this helps! If you have further questions or need clarification on specific points, feel free to ask!

References:

Add a guest user

Manage access and permissions for users and identities

Configure Azure Managed Grafana authentication and permissions

Known Limitations of Azure Managed Grafana

Monitor your Azure resources

Thank you.
Mahmoodi, Somayeh (Admin) 80 Reputation points

2025-11-06T02:22:43.0933333+00:00

thank you for your reply. For a reason, I need to use B2C tenant instead of B2B.
Siva shunmugam Nadessin 3,025 Reputation points Microsoft External Staff Moderator

2025-11-07T01:06:54.1866667+00:00

Hello Mahmoodi, Somayeh (Admin)

As I recall the cleanest way is to just invite the external users as guest (B2B) users into your tenant through Entra ID → Users → New guest user. Once they accept the invite, you can go to your Azure Managed Grafana instance, open Access control (IAM), and assign them the Grafana Viewer or Grafana Reader role.

They’ll then be able to sign in using their own credentials from their home tenant, and Azure handles the cross-tenant authentication automatically. The Grafana endpoint (for example, https://your-instance.grafana.azure.com) stays the same — no special redirect URI or separate app registration needed.

You only need to register an app in the external tenant if you want a fully separate OAuth flow (which isn’t typical for Azure Managed Grafana).

So in short: → Invite external users as guests → Assign them the Grafana role in IAM → Share the Grafana URL — they’ll log in normally

That should work fine.

If you have any questions please let me know.

Thank you.
Mahmoodi, Somayeh (Admin) 80 Reputation points

2025-12-04T17:13:18.5366667+00:00

thank you for your response. I made some research that I like to share the results. First, Azure Managed Grafana (AMG) can't be multi-tenant. So, if the authentication needs to be done in External tenant, Grafana instance should be created there and our internal users should use their non-company ID's to access the instance, like external users. AMG also can't support custom domain directly. question: Can I use custom domain with AMG as discussed in https://learn.microsoft.com/en-us/entra/external-id/customers/concept-custom-url-domain and having authentication/authorization using Entra External? Second, do I need to register an app for this scenario? Third, do I have to have Azure Front door for reverse proxy? Is there a cheaper option for it? I appreciate any help on this.
Mahmoodi, Somayeh (Admin) 80 Reputation points

2025-12-04T17:19:04.01+00:00

thank you for your response.

Answer 1

Hello Mahmoodi, Somayeh (Admin),

Kindly check below answers below

Can I use a custom domain with Azure Managed Grafana (AMG) and Entra External ID authentication?

AMG does not natively support custom domains. The official stance is that you cannot directly configure AMG to respond to your own DNS name; it only works with the default *.grafana.azure.com endpoint. Attempts to CNAME map your domain will result in 404 because AMG does not allow host header overrides. [stackoverflow.com]
Custom URL domains for Entra External ID are supported, but they require a reverse proxy like Azure Front Door to route traffic from your custom domain to the Entra sign-in endpoints. This is documented in Microsoft Entra External ID custom URL domain guidance. [learn.microsoft.com]
So, if you want a branded sign-in experience for external users, you can configure a custom URL domain for authentication flows, but AMG itself will still serve dashboards from its default URL unless you implement a reverse proxy layer.

2. Do I need to register an app for this scenario?

Yes.

To enable Entra ID (Azure AD) OAuth for Grafana, you must register an application in the tenant where authentication occurs. This app registration provides the client ID, client secret, and redirect URIs (e.g., https://<grafana-domain>/login/azuread).
If AMG is in an external tenant, the app registration must be created in that external tenant. You’ll also configure roles and permissions in Entra ID for Grafana users.

3. Do I have to use Azure Front Door for reverse proxy? Is there a cheaper option?

Azure Front Door is the recommended solution for custom URL domains and global routing, but it adds cost.
Cheaper alternatives:
- Azure Application Gateway: Works as a reverse proxy and supports SSL termination and path-based routing.
- Self-managed Nginx or IIS reverse proxy on an Azure VM: This is the lowest-cost option if you’re comfortable managing infrastructure. Nginx is commonly used for Grafana reverse proxy setups. [c-sharpcorner.com], [stackoverflow.com]
- Azure AD Application Proxy: If your goal is secure external access without exposing AMG publicly, this can be an option, but it’s more for internal apps.

Trade-off: Front Door gives global performance and integrated WAF/CDN, while Nginx/IIS is cheaper but requires manual SSL and scaling.

Let us know if you have further questions?

Mahmoodi, Somayeh (Admin) 80 Reputation points

2025-12-05T17:29:49.23+00:00

Thank you so much for the support and time.

Share via

How to give external tenant users reader-access to azure managed Grafana instance in another tenant?

0 additional answers

Your answer