Can Azure Managed Grafana in one Azure tenant query Log Analytics data that resides in a different Azure tenant, and if so, what is the supported configuration?

Question

Can Azure Managed Grafana in one Azure tenant query Log Analytics data that resides in a different Azure tenant, and if so, what is the supported configuration?

Daniel-4204 230

I have not been able to find explicit Microsoft documentation stating whether Azure Managed Grafana supports querying data across multiple Azure tenants.

Based on existing Azure documentation, it appears this should be possible by granting RBAC access in Tenant B to the system-assigned managed identity (object/principal ID) of an Azure Managed Grafana instance running in Tenant A. However, in practice, this does not appear to work when attempting to manually assign the managed identity in the Azure Portal, even after enabling cross-tenant access for service principals and managed identities.

When pasting the managed identity’s object ID from Tenant A into the IAM role assignment picker in Tenant B, the identity cannot be resolved (“No results”), and there is no clear guidance on whether a prerequisite step (such as explicitly materializing the service principal via CLI or Microsoft Graph) is required, or if cross-tenant usage is unsupported by design.

Could you please clarify:

Whether Azure Managed Grafana is supported for cross-tenant data access (e.g., querying Log Analytics workspaces in another tenant), and

If so, what the officially supported configuration and required steps are?

Thank you,

Bharath Y P 8,495 Reputation points Microsoft External Staff Moderator

2026-01-07T18:45:44.06+00:00

Hello Daniel-4204, I just wanted to kindly follow up to check if you had a chance to review my earlier response. I hope the information shared was helpful. Please feel free to reach out if you have any additional questions or need further clarification. Thanks
Bharath Y P 8,495 Reputation points Microsoft External Staff Moderator

2026-01-08T17:04:39.1666667+00:00

Hello Daniel-4204, I just wanted to kindly follow up to check if you had a chance to review my earlier response. I hope the information shared was helpful. Please feel free to reach out if you have any additional questions or need further clarification. Thanks

1 answer

Your answer

Bharath Y P 8,495 Reputation points Microsoft External Staff Moderator

2026-01-07T18:45:44.06+00:00

Hello Daniel-4204, I just wanted to kindly follow up to check if you had a chance to review my earlier response. I hope the information shared was helpful. Please feel free to reach out if you have any additional questions or need further clarification. Thanks
Bharath Y P 8,495 Reputation points Microsoft External Staff Moderator

2026-01-08T17:04:39.1666667+00:00

Hello Daniel-4204, I just wanted to kindly follow up to check if you had a chance to review my earlier response. I hope the information shared was helpful. Please feel free to reach out if you have any additional questions or need further clarification. Thanks

Answer 1

Hello Daniel-4204, We understand that you’re trying to enable Azure Managed Grafana in Tenant A to query data (e.g., Log Analytics) in Tenant B. You attempted to grant RBAC in Tenant B to the system‑assigned managed identity of the Grafana workspace from Tenant A, but the identity can’t be resolved in the IAM role picker even with cross‑tenant access enabled. You want to know whether cross‑tenant access is supported and, if so, the officially supported configuration and steps.

When you enable a System-Assigned Managed Identity in Tenant A, Entra ID creates a Service Principal only in Tenant A. It is not globally discoverable, which is why the Tenant B IAM picker returns “No Results.”

While you can materialize user-assigned managed identities or app registrations in Tenant B via CLI (az ad sp create --id), this is unsupported for system-assigned identities in Azure Managed Grafana. Grafana’s “Managed Identity” authentication path is hardcoded to request tokens only from its home tenant (Tenant A); it cannot request cross-tenant tokens.

You can try below supported configuration for cross-tenant Log Analytics queries in Azure Managed Grafana:

Multi-tenant Service Principal: Create an App Registration in Tenant B, grant it Monitoring Reader, and configure Grafana in Tenant A to authenticate with that app using client ID/secret. https://learn.microsoft.com/en-us/entra/identity-platform/single-and-multi-tenant-apps https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal
Azure Lighthouse: Delegate Tenant B’s subscription/resource group to Tenant A. Grafana’s managed identity in Tenant A can then access Tenant B resources as if they were local. https://learn.microsoft.com/en-us/azure/lighthouse/concepts/cross-tenant-management-experience

Hope this helps. Thanks

We have reached out to you in Private messages for additional details, could you please look into it and share us the details? Thanks

Share via

Can Azure Managed Grafana in one Azure tenant query Log Analytics data that resides in a different Azure tenant, and if so, what is the supported configuration?

1 answer

Your answer