Share via

Images hosted in azure blob storage not displaying in AZ Managed Grafana workspace

Javier Huamani 100 Reputation points
2026-04-16T15:13:11.97+00:00

Currently, we host images to use for our Azure Managed Grafana workspaces in azure blob storage. However, since last week we've noticed that all our images appear blank or show a default logo:

User's image

We reviewed the console for insight into this issue and found the root cause is due to the Content Security Policy (CSP), specifically this directive being violated:

img-src 'self' data: *.storyblok.com azure.microsoft.com *.basemaps.cartocdn.com tile.openstreetmap.org services.arcgisonline.com

Since we can't modify the CSP ourselves to add our storage account URI, our images are being blocked. Is it possible to update the CSP to allow blobs from azure storage accounts? Otherwise, what alternative hosting options do we have for images?

Azure Managed Grafana
Azure Managed Grafana

An Azure service used to deploy Grafana dashboards for analytics and monitoring solutions.

Answer accepted by question author

  1. Suchitra Suregaunkar 13,785 Reputation points Microsoft External Staff Moderator
    2026-04-16T15:48:23.0266667+00:00

    Hello Javier Huamani

    Thank you for posting your query on Microsoft Q&A platform.

    The root cause is a Content Security Policy (CSP) violation related to the img-src directive in Azure Managed Grafana. The CSP restricts image sources and does not include the Azure Blob Storage domain (*.blob.core.windows.net), causing the images to be blocked from rendering. This platform-level CSP enforcement limits the domains allowed for image hosting, which the customer cannot modify themselves.

    Backend team provided an explanation of the CSP enforcement and its limitations, confirming that Azure Managed Grafana enforces a strict CSP that excludes the customer's blob storage domain. Alternative approaches such as base64 embedding were discussed but found not scalable.

    As we have created support case to backend team, support initiated engagement with subject matter experts (SMEs) and created an internal incident (ICM) to address the issue further.

    Later the Product Group has rolled out a patch to update the Content Security Policy (CSP), and this change has already been deployed to the South Central US region.

    Thanks,
    Suchitra.

    1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Q&A Assist
    2026-04-16T15:13:34.5433333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    The Content Security Policy applied to Azure Managed Grafana is controlled by the service and can’t be customized per workspace, so adding an arbitrary Azure Storage account domain to img-src isn’t supported.

    Because the CSP only allows images from the explicitly listed domains ('self' data: *.storyblok.com azure.microsoft.com *.basemaps.cartocdn.com tile.openstreetmap.org services.arcgisonline.com), images served directly from generic Azure Blob Storage endpoints will be blocked, as observed in the browser console.

    Given this limitation, the practical options are:

    1. Host images on a domain that is already permitted by the CSP. For example, if there is an existing, CSP-allowed image host used in the environment (such as a corporate site that proxies or serves the required images) and it falls under one of the allowed domains, use that instead of direct Blob Storage URLs.
    2. Use data URLs (data:) for small, static images (for example, logos) where feasible, since data: is explicitly allowed in the img-src directive.
    3. If organizational policy requires Azure-based hosting, front the images through an approved domain (for example, a web app or CDN endpoint that is on an allowed host) rather than using the raw *.blob.core.windows.net URLs.

    Directly relaxing or extending the Managed Grafana CSP to include arbitrary *.blob.core.windows.net or specific storage account hostnames is not available as a configuration option; any change would require a platform-level update by the service team.

    References:

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.