
Azure Monitor Dashboards by Grafana – Required Permissions for Access via CSP / Azure Lighthouse

Jeroen Monnens 20 Reputation points
2026-04-27T08:07:59.1133333+00:00

We are using Azure Monitor dashboards by Grafana (the built‑in Azure experience, not Azure Managed Grafana) and are running into access issues when trying to open these dashboards using a CSP account via Azure Lighthouse.

Scenario

  • Dashboards are created in customer subscriptions
  • Access is delegated to our CSP tenant through Azure Lighthouse and we have Read permission on the entire subscription.
  • We can see the Azure Monitor dashboards by Grafana resource in the Azure portal
  • However, when opening the dashboard, access is denied or the dashboard does not load properly

Questions

  1. Which Azure RBAC roles are required to view Azure Monitor dashboards by Grafana?
  2. Is Azure Monitor dashboards by Grafana fully supported through Azure Lighthouse, or are there known limitations for CSP / delegated access scenarios?
  3. Does viewing these dashboards require direct tenant access, as opposed to delegated access?

Any clarification, documentation references, or confirmation of current limitations would be greatly appreciated.

Azure Monitor

An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.


2 answers

  1. Suchitra Suregaunkar 13,785 Reputation points Microsoft External Staff Moderator
    2026-04-27T17:18:18.0633333+00:00

    Hello @Jeroen Monnens

    Thanks for the detailed scenario.

    Azure Monitor dashboards by Grafana are Azure resources, but opening the dashboard also requires permissions to the data sources used inside the dashboard (metrics, logs, Prometheus). Having Reader access to the subscription only allows you to see the dashboard resource, not to query the monitoring data.

    This applies equally to direct tenant users and Azure Lighthouse (delegated) users.

    Required permissions to view Azure Monitor dashboards by Grafana:

    In addition to Reader on the subscription or resource group where the dashboard is saved, the delegated (CSP/Lighthouse) user must have read access to the monitoring data sources used by the dashboard:

    1. If the dashboard uses Azure Monitor Workspace / Managed Prometheus:

    You must have:

    • Monitoring Reader role on the Azure Monitor Workspace

    Reference: https://learn.microsoft.com/azure/azure-monitor/visualize/visualize-grafana#prerequisites

    2. If the dashboard uses Log Analytics (Logs panels):

    You must have:

    3. If the dashboard uses Application Insights:

    You must have: Read permissions (for example, Monitoring Reader) on the Application Insights resource

    Dashboards are secured using Azure RBAC and rely on user permissions to the underlying data: https://learn.microsoft.com/azure/azure-monitor/visualize/visualize-grafana-overview

    • Azure Monitor dashboards by Grafana ARE supported via Azure Lighthouse
    • There is no Microsoft documentation stating that Lighthouse or CSP access is unsupported
    • Access issues occur only when the delegated identity lacks RBAC on the monitoring data sources

    Microsoft confirms that dashboards:

    • Are stored as Azure resources
    • Use the signed‑in user’s Azure RBAC permissions to query data

    Reference: https://learn.microsoft.com/azure/azure-monitor/visualize/visualize-grafana-overview

    Direct tenant access is not required, as long as the delegated (Lighthouse) identity has the correct RBAC roles on the monitoring resources listed above.

    Please ensure the CSP / Lighthouse delegation includes both:

    1. Reader on the scope where the dashboard resource exists
    2. Appropriate Monitoring Reader / Log Analytics Reader roles on all data sources used by the dashboard

    Once these are in place, the dashboard will load correctly via Azure Lighthouse.

    Thanks,

    Suchitra.

    1 person found this answer helpful.
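The check described in the answer above, as an added example that is not part of the original thread or of any Microsoft tooling: given the authorizations a Lighthouse delegation grants, it reports which dashboard data sources the delegated principal still cannot read. The input shape (`scope` plus `authorizations`), the sample IDs, and the choice to accept either Monitoring Reader or Log Analytics Reader on a Log Analytics workspace are assumptions; the role GUIDs are the built-in role definition IDs.

```python
# Built-in role definition GUIDs (identical in every tenant).
READER = "acdd72a7-3385-48ef-bd42-f606fba81ae7"
MONITORING_READER = "43d0d8ad-25c7-4714-9337-8ba259a9fe05"
LOG_ANALYTICS_READER = "73c42c96-874c-492b-b04d-ab87d138a893"
NAMES = {READER: "Reader", MONITORING_READER: "Monitoring Reader",
         LOG_ANALYTICS_READER: "Log Analytics Reader"}
# Roles accepted per data source type, following the answer above.
# Assumption: either reader role is accepted on a Log Analytics workspace.
ACCEPTED = {
    "microsoft.monitor/accounts": {MONITORING_READER},           # Azure Monitor Workspace
    "microsoft.operationalinsights/workspaces": {MONITORING_READER, LOG_ANALYTICS_READER},
    "microsoft.insights/components": {MONITORING_READER},        # Application Insights
}

def resource_type(resource_id):
    """Return 'provider/type' from an ARM resource ID, lower-cased."""
    parts = resource_id.lower().strip("/").split("/")
    i = parts.index("providers")
    return f"{parts[i + 1]}/{parts[i + 2]}"

def delegated_roles(delegations, principal_id, resource_id):
    """Roles the principal holds on resource_id via delegations whose scope contains it."""
    rid = resource_id.lower().rstrip("/") + "/"
    roles = set()
    for d in delegations:
        if rid.startswith(d["scope"].lower().rstrip("/") + "/"):
            roles |= {a["roleDefinitionId"].lower() for a in d["authorizations"]
                      if a["principalId"].lower() == principal_id.lower()}
    return roles

def missing_access(delegations, principal_id, dashboard_id, data_sources):
    """Map each blocked resource to the role names that would unblock it ({} = OK)."""
    gaps = {}
    if READER not in delegated_roles(delegations, principal_id, dashboard_id):
        gaps[dashboard_id] = ["Reader"]
    for ds in data_sources:
        accepted = ACCEPTED[resource_type(ds)]
        if not accepted & delegated_roles(delegations, principal_id, ds):
            gaps[ds] = sorted(NAMES[r] for r in accepted)
    return gaps

# Constructed sample: Reader delegated on subscription A only; the Log Analytics
# workspace lives in subscription B, which is not delegated at all.
SUB_A, SUB_B = ("/subscriptions/00000000-0000-0000-0000-00000000000" + s for s in "ab")
GROUP = "11111111-1111-1111-1111-111111111111"
DELEGATIONS = [{"scope": SUB_A,
                "authorizations": [{"principalId": GROUP, "roleDefinitionId": READER}]}]
DASH = SUB_A + "/resourceGroups/rg-mon/providers/Microsoft.Dashboard/dashboards/ops"
SOURCES = [SUB_A + "/resourceGroups/rg-mon/providers/Microsoft.Monitor/accounts/amw1",
           SUB_B + "/resourceGroups/rg-logs/providers/Microsoft.OperationalInsights/workspaces/law1"]
```

With the sample data, `missing_access(DELEGATIONS, GROUP, DASH, SOURCES)` leaves the dashboard resource out of the result (it is visible) and lists both data sources, which matches the symptom in the question.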

  2. Q&A Assist
    2026-04-27T08:08:26.49+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.
    1. Required Azure RBAC roles to view Azure Monitor dashboards by Grafana

    From the available permissions for the Microsoft.Dashboard resource provider, viewing and operating Grafana dashboards relies on the following actions:

    • Microsoft.Dashboard/dashboards/read – read dashboard resources
    • Microsoft.Dashboard/dashboards/dashboardDefinitions/read – read dashboard definitions
    • Microsoft.Dashboard/grafana/read – read Grafana resources
    • The Grafana data‑plane roles are exposed as DataActions:
      • Microsoft.Dashboard/grafana/ActAsGrafanaViewer/action
      • Microsoft.Dashboard/grafana/ActAsGrafanaLimitedViewer/action
      • (Editors/Admins use ActAsGrafanaEditor / ActAsGrafanaAdmin)

    A role used to view dashboards must include at least:

    • The read actions for Microsoft.Dashboard/dashboards/* and Microsoft.Dashboard/grafana/read, and
    • One of the Grafana viewer DataActions (ActAsGrafanaViewer or ActAsGrafanaLimitedViewer).

    These actions can be granted via a custom role or any built‑in role that includes them. The Azure Managed Grafana Workspace Contributor role is focused on managing Grafana resources (write/delete, private endpoints, etc.) and does not by itself provide the Grafana Viewer data‑plane permissions.

    2. Support and limitations with Azure Lighthouse / CSP

    The documentation for Azure Monitor dashboards with Grafana highlights product‑level limitations (no alerts, reports, library panels, snapshots, playlists, app plugins) but does not list Azure Lighthouse or CSP‑specific support or limitations. The supported capabilities focus on:

    • Using Azure Monitor, Azure Resource Graph, and Azure Data Explorer as data sources
    • The feature set differences vs. Azure Managed Grafana

    No explicit statement is provided in the referenced documentation about Azure Lighthouse or CSP delegated access being fully supported or unsupported for Azure Monitor dashboards by Grafana.

    3. Direct tenant access vs. delegated access

    The documentation describes:

    • Control of access through Azure RBAC actions on Microsoft.Dashboard/* (management plane) and Grafana DataActions (ActAsGrafana*) for workspace roles (Admin/Editor/Viewer/Limited Viewer)
    • How Azure Managed Grafana uses identities and RBAC to access Azure Monitor data

    However, there is no explicit statement in the provided material that viewing Azure Monitor dashboards by Grafana requires direct tenant access instead of delegated access, nor is there a documented requirement that would exclude delegated (Lighthouse) access.

    Based on the available information, the key requirement is that the assigned role (whether via direct or delegated access) must include the correct Microsoft.Dashboard actions and Grafana DataActions; any additional Lighthouse‑specific behavior or CSP limitations are not documented in the provided context.

