
Azure Managed Grafana for Monitoring

This chapter covers Azure Managed Grafana, a fully managed service for creating, scaling, and securing Grafana dashboards for monitoring and observability. For the AZ-305 exam, understanding Managed Grafana is essential because it is a key component of an enterprise monitoring and logging strategy under the Identity Governance domain (objective 1.3). Approximately 5-10% of exam questions touch on monitoring and observability services, including Managed Grafana, Azure Monitor, and Log Analytics. This chapter will equip you with the knowledge needed to architect monitoring solutions that provide centralized dashboards, secure access, and integration with Azure data sources.

Updated May 31, 2026

Managed Grafana as a Central Operations Room

Imagine a large corporate campus with multiple security cameras, environmental sensors, and access logs spread across different buildings. Each building has its own monitoring system with a separate screen showing only its data. To get a complete view, security personnel must walk from one building to another, checking each screen individually. Now, the company builds a central operations room with a single large display. Each building's monitoring system is configured to stream its data to this central room via a standardized protocol. The central room has a unified dashboard that can show any combination of data from any building, with alerting rules that trigger when, say, the total energy consumption across all buildings exceeds a threshold. The central room also stores the historical data from all buildings in a single archive, allowing security staff to query past events across the entire campus. This central operations room is exactly what Azure Managed Grafana does: it pulls metrics and logs from various Azure services (like Azure Monitor, Application Insights, and Log Analytics workspaces) into a single, customizable dashboard. It handles authentication, scaling, and data storage, so you don't have to manage the underlying infrastructure. Just as the operations room gives a unified view and alerting across all buildings, Managed Grafana provides a unified observability platform for your entire Azure environment.

How It Actually Works

What is Azure Managed Grafana?

Azure Managed Grafana is a fully managed, high-performance, and scalable implementation of Grafana, provided as a Platform-as-a-Service (PaaS) offering in Azure. It allows you to visualize and analyze operational data from multiple sources, including Azure Monitor, Azure Data Explorer, Prometheus, and more, in a unified dashboard. As a managed service, Azure handles the infrastructure, updates, scaling, and high availability, so you don't need to deploy, configure, or maintain Grafana servers yourself.

Why it exists

Traditional self-managed Grafana deployments require provisioning VMs, configuring storage, setting up authentication, managing SSL certificates, and ensuring high availability. This overhead detracts from the core value of Grafana: creating dashboards and alerts. Azure Managed Grafana eliminates this operational burden by providing a native Azure integration, built-in authentication with Azure Active Directory (Azure AD), automatic scaling, and a consumption-based pricing model. It also integrates seamlessly with other Azure monitoring services, making it a natural choice for Azure-centric environments.

How it works internally

Azure Managed Grafana is built on top of the open-source Grafana project but with Azure-specific enhancements. When you create a Managed Grafana instance, Azure provisions a dedicated Grafana server in a Microsoft-managed tenant. The service exposes a public HTTPS endpoint (e.g., https://mygrafana.grafana.azure.com) that you can access via a web browser or API. Authentication is handled by Azure AD by default, using OAuth 2.0. You configure data sources by providing connection details – for example, for Azure Monitor, you specify a Log Analytics workspace ID and key, or use Managed Identity for secure access. Grafana then queries these data sources using their respective APIs (e.g., Azure Monitor REST API, Prometheus HTTP API) and renders dashboards using its built-in visualization engine.

Data flow: User requests a dashboard → Grafana server authenticates the user via Azure AD → Grafana queries configured data sources using stored credentials → Data sources return time-series data or logs → Grafana processes and visualizes the data in charts, tables, etc. → Dashboard is served to the user.

Key components, values, defaults, and timers

Instance SKUs: Two tiers – Essential (free, limited to 3 users, 10 dashboards, 14-day data retention) and Standard (paid, unlimited users, 30-day data retention, up to 50 dashboards by default but can be increased).

Data sources: Supports Azure Monitor, Azure Data Explorer, Prometheus, InfluxDB, Elasticsearch, and many others. For Azure Monitor, you can use either a Log Analytics workspace (for logs) or an Application Insights resource (for application metrics).

Authentication: Azure AD is the default identity provider. You can also enable API keys for programmatic access. Supported authentication methods include OAuth token exchange and managed identity for data sources.

Alerting: Grafana alerting is built-in. You can define alert rules that evaluate queries and trigger notifications via channels like email, webhooks, Slack, PagerDuty, etc. The default evaluation interval is 10 seconds, but you can configure it per rule.

Data retention: For the Standard tier, query results are cached for up to 30 days. The actual data retention depends on the underlying data source (e.g., Log Analytics has its own retention policy).

Scaling: The service automatically scales based on load. For high query concurrency, you can increase the number of query nodes (up to 10 for Standard tier).

Limits: Maximum dashboard size is 10 MB (JSON). Maximum number of panels per dashboard is 50 (default).

Configuration and verification commands

To create a Managed Grafana instance using Azure CLI:

```bash
az grafana create --name mygrafana --resource-group myResourceGroup --location eastus --sku-tier Standard
```

To list instances:

```bash
az grafana list --resource-group myResourceGroup
```

To configure a data source (e.g., Azure Monitor) via CLI:

```bash
az grafana data-source create --name mygrafana --definition '{"name":"Azure Monitor","type":"grafana-azure-monitor-datasource","access":"proxy","url":"https://management.azure.com","jsonData":{"azureAuthType":"msi","subscriptionId":"<sub-id>"},"secureJsonData":{"tenantId":"<tenant-id>"}}'
```

To verify connectivity, navigate to the Grafana UI, go to Configuration > Data Sources, and click "Test" on the data source. A green checkmark indicates success.
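A pre-deployment check for the JSON passed to `--definition`, as an added example (not part of the original chapter or of any Microsoft tooling): it flags credentials placed in `jsonData`, which Grafana stores unencrypted, and Azure Monitor definitions that do not use managed identity. The function name `lint_datasource`, the key-name heuristic and the weak sample definition are constructed for illustration.

```python
import json

# Substrings that mark a key as credential-like (heuristic chosen for this example).
SECRET_HINTS = ("secret", "password", "token", "apikey", "api_key")


def lint_datasource(definition: str) -> list:
    """Return a list of findings for one data source definition (JSON text)."""
    ds = json.loads(definition)
    json_data = ds.get("jsonData") or {}
    secure = ds.get("secureJsonData") or {}
    findings = []

    # jsonData is stored and returned by the API in clear text; only
    # secureJsonData is encrypted by Grafana.
    for key in sorted(json_data):
        if any(hint in key.lower() for hint in SECRET_HINTS):
            findings.append(f"jsonData.{key}: credential must move to secureJsonData")

    # Legacy top-level password fields are plain text as well.
    for key in ("password", "basicAuthPassword"):
        if ds.get(key):
            findings.append(f"{key}: plain-text legacy field, use secureJsonData")

    # In proxy mode the Grafana backend calls the data source, so credentials
    # stay server-side. A missing value is treated as proxy here.
    access = ds.get("access", "proxy")
    if access != "proxy":
        findings.append(f"access={access}: use proxy so the browser never holds credentials")

    if ds.get("type") == "grafana-azure-monitor-datasource":
        auth = json_data.get("azureAuthType")
        if auth == "msi":
            # Managed identity needs no stored secret at all.
            if "clientSecret" in secure:
                findings.append("secureJsonData.clientSecret: unused with msi, remove it")
        else:
            findings.append(f"azureAuthType={auth}: chapter recommends msi (managed identity)")
    return findings


# The chapter's own definition, placeholders left unfilled.
CHAPTER_DEFINITION = (
    '{"name":"Azure Monitor","type":"grafana-azure-monitor-datasource",'
    '"access":"proxy","url":"https://management.azure.com",'
    '"jsonData":{"azureAuthType":"msi","subscriptionId":"<sub-id>"},'
    '"secureJsonData":{"tenantId":"<tenant-id>"}}'
)

# Constructed weak variant: service principal secret stored in jsonData.
WEAK_DEFINITION = json.dumps({
    "name": "Azure Monitor",
    "type": "grafana-azure-monitor-datasource",
    "access": "proxy",
    "jsonData": {
        "azureAuthType": "clientsecret",
        "tenantId": "<tenant-id>",
        "clientId": "<client-id>",
        "clientSecret": "constructed-sample-value",
    },
})

if __name__ == "__main__":
    for label, text in (("chapter", CHAPTER_DEFINITION), ("weak", WEAK_DEFINITION)):
        print(label, lint_datasource(text) or "no findings")
```
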

How it interacts with related technologies

Azure Managed Grafana is often used alongside Azure Monitor and Log Analytics. Azure Monitor collects metrics and logs from Azure resources and stores them in Log Analytics workspaces. Managed Grafana queries these workspaces to build dashboards. It also integrates with Azure AD for identity and access management, Azure Key Vault for storing secrets (e.g., API keys), and Azure Alerts for triggering notifications. For containerized environments, it can consume Prometheus metrics from Azure Monitor for Containers or from a self-hosted Prometheus server. Additionally, Managed Grafana can be used with Azure Data Explorer for high-performance log analytics, and with Azure Application Insights for application performance monitoring.

Walk-Through

1. Create a Managed Grafana instance

In the Azure portal, navigate to Azure Managed Grafana and click Create. Provide a name, select a subscription, resource group, location, and SKU (Essential or Standard). For Standard, you can configure additional settings like zone redundancy and network access. Once created, the instance gets a public endpoint URL. This step provisions the Grafana server in a Microsoft-managed tenant. The provisioning takes about 2-3 minutes. You can also use Azure CLI or ARM templates for automation.

2. Configure authentication and authorization

By default, Azure AD is used for authentication. You can assign Grafana roles (Admin, Editor, Viewer) to Azure AD users or groups. Navigate to the Grafana instance in the portal, select Access management, and add role assignments. Grafana Admin has full access, Editor can create/modify dashboards, Viewer can only view. You can also enable API keys for service-to-service access. The authentication flow uses OAuth 2.0 authorization code grant. Users are redirected to Azure AD login, and upon successful authentication, they receive an access token that Grafana validates.

3. Add data sources

In the Grafana UI, go to Configuration > Data Sources and click Add data source. Select the type (e.g., Azure Monitor). For Azure Monitor, you can use Managed Identity (recommended) or a service principal. If using Managed Identity, enable it on the Grafana instance (via portal) and grant the managed identity permissions (e.g., Monitoring Reader) on the target resources. For Log Analytics, you need to specify the workspace ID and either a key or use managed identity. Test the connection to ensure it works. Each data source has specific configuration fields; for Azure Monitor, you need to set the Azure Cloud environment and subscription ID.

4. Create and configure dashboards

In the Grafana UI, click Create > Dashboard. Add panels by clicking Add Query. Select the data source, then write a query using the query editor (e.g., KQL for Azure Monitor). For example, to show CPU usage over time, use: `Perf | where CounterName == "% Processor Time" | render timechart`. Configure visualization type (graph, table, etc.), axes, legends, and thresholds. You can also import pre-built dashboards from the Grafana community. Save the dashboard. Dashboards are stored in the Grafana database (managed by Azure).

5. Set up alerting

Alerting is configured per panel. Click the Alert icon on a panel, then create an alert rule. Define a condition: e.g., `avg() of query > 90 for 5m`. Set the evaluation interval (default 10s). Choose notification channels: email, webhook, Slack, etc. For email, you need to configure SMTP settings in Grafana (under Alerting > Notification channels). Alerts are evaluated by the Grafana backend. When triggered, notifications are sent. You can also use Azure Monitor alerts instead, but Grafana alerts are more flexible.

6. Manage access and scaling

Monitor the Grafana instance's health via Azure Monitor metrics (e.g., request count, error rate). For scaling, in the Standard tier, you can adjust the number of query nodes under Settings > Scaling. Increase nodes if query latency increases. For network security, you can restrict access to the Grafana endpoint via IP firewall rules or private link. To delete the instance, use the portal or CLI. Data sources and dashboards are not automatically backed up; export dashboards as JSON files for backup.

What This Looks Like on the Job

Enterprise Scenario 1: Multi-Service Monitoring Dashboard

A large e-commerce company uses Azure for its web application, including App Services, SQL Database, and Azure Redis Cache. The operations team needs a single pane of glass to monitor performance metrics across all services. They deploy Azure Managed Grafana (Standard tier) and configure data sources: Azure Monitor for App Service metrics, Log Analytics for SQL Database logs, and a Prometheus endpoint for Redis cache metrics (via a sidecar exporter). They create a dashboard with panels showing request latency, database throughput, and cache hit ratio. Alert rules notify the on-call engineer via PagerDuty when latency exceeds 500ms for 5 minutes. The managed service eliminates the need to maintain a Grafana server, and Azure AD integration allows the team to use existing corporate credentials. A misconfiguration could occur if the managed identity lacks permissions on the target resources, causing data source queries to fail. The solution scales well up to thousands of requests per second, but if query concurrency spikes, they may need to increase the number of query nodes.

Enterprise Scenario 2: Centralized Logs for Compliance

A financial institution must retain and analyze logs from multiple Azure subscriptions for auditing purposes. They use Log Analytics workspaces in each subscription to collect logs. With Azure Managed Grafana, they create a single dashboard that queries across all workspaces using cross-workspace queries (e.g., `union workspace("workspace1").Logs, workspace("workspace2").Logs`). They set up alerting for suspicious patterns (e.g., multiple failed logins). The Grafana instance is configured with a private endpoint to keep traffic within the Azure backbone. They also enable API keys for automated report generation. A common issue is that cross-workspace queries can be slow if the workspaces are in different regions; they mitigate this by using Log Analytics clusters or by caching query results. The service's 30-day retention for cached data is sufficient for their reporting needs; raw log retention is handled by Log Analytics (up to 730 days).

Enterprise Scenario 3: IoT Monitoring

A manufacturing company uses Azure IoT Hub to collect telemetry from thousands of sensors. They want to visualize sensor data in near real-time. They deploy Azure Managed Grafana and connect it to Azure Data Explorer (ADX) which ingests IoT Hub data. Grafana queries ADX using its native connector. They create dashboards showing temperature, pressure, and vibration metrics across factory zones. Alert rules trigger when a sensor exceeds thresholds. The managed service handles the high query load (millions of data points per second) by scaling automatically. A misconfiguration to watch: if the ADX database schema changes, Grafana queries may fail; they use parameterized queries to adapt. The Essential tier would be insufficient due to user and dashboard limits; they choose Standard.

How AZ-305 Actually Tests This

What AZ-305 Tests on Azure Managed Grafana

AZ-305 objective 1.3 (Identity Governance) includes designing a monitoring and logging strategy. Questions may ask you to recommend a solution for centralized visualization of metrics and logs from multiple Azure services. Managed Grafana is often the correct answer when the requirement is for customizable dashboards, multi-source data aggregation, and role-based access control using Azure AD. The exam may also test the difference between Managed Grafana and Azure Workbooks (Workbooks are more static and code-based).

Common Wrong Answers and Why

1. Choosing Azure Monitor alone: Candidates think Azure Monitor provides dashboards, but its built-in dashboards are limited. Managed Grafana is needed for advanced visualization.

2. Selecting Power BI: Power BI is for business analytics, not real-time operational monitoring. Grafana is optimized for time-series data.

3. Recommending self-managed Grafana on VMs: The exam favors managed services to reduce operational overhead. Managed Grafana is PaaS, so it's the preferred choice.

4. Ignoring authentication integration: Some answers suggest using Grafana's built-in authentication (local users), but the exam expects Azure AD integration for enterprise scenarios.

Specific Numbers and Terms on the Exam

SKU tiers: Essential (free, 3 users, 10 dashboards, 14-day retention) vs Standard (paid, unlimited users, 30-day retention).

Data sources: Azure Monitor, Azure Data Explorer, Prometheus, InfluxDB.

Authentication: Azure AD (OAuth 2.0) is the default; API keys for programmatic access.

Alerting: Evaluation interval default 10 seconds.

Limits: Maximum dashboard size 10 MB, default 50 panels per dashboard.

Scaling: Up to 10 query nodes in Standard tier.

Edge Cases and Exceptions

Private Link: If the exam question mentions private connectivity, Managed Grafana supports Azure Private Link, but it must be enabled during creation (not after).

Zone redundancy: Only available in Standard tier and in selected regions.

Data source permissions: Using managed identity requires granting the managed identity appropriate roles on the data source (e.g., Monitoring Reader).

Cross-tenant scenarios: Managed Grafana can query data sources in other tenants if you configure service principal authentication.

How to Eliminate Wrong Answers

If the requirement is "custom dashboards" and "multiple data sources," eliminate Azure Monitor (insufficient customization) and Power BI (not for monitoring).

If the requirement is "managed service" and "no infrastructure management," eliminate self-managed Grafana.

If the requirement is "Azure AD integration," eliminate any answer that suggests local authentication.

If the requirement is "high availability" and "zone redundancy," check if the SKU is Standard (Essential does not support zone redundancy).

Key Takeaways

Azure Managed Grafana is a PaaS implementation of Grafana, eliminating the need to manage servers.

Two SKUs: Essential (free, limited) and Standard (paid, unlimited users and dashboards, 30-day retention).

Default authentication is Azure AD OAuth 2.0; API keys available for programmatic access.

Supports multiple data sources: Azure Monitor, Azure Data Explorer, Prometheus, InfluxDB, etc.

Built-in alerting with default evaluation interval of 10 seconds.

Maximum dashboard size: 10 MB; default 50 panels per dashboard.

Scaling: up to 10 query nodes in Standard tier.

Private Link and zone redundancy supported only in Standard tier.

Dashboards are not automatically backed up; export as JSON.

Managed identity is the recommended authentication method for Azure data sources.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Azure Managed Grafana

Fully managed PaaS, no infrastructure management.

Supports multiple data sources including third-party.

Rich visualization options with many panel types.

Built-in alerting engine with flexible notification channels.

Role-based access control via Azure AD.

Azure Workbooks

Part of Azure Monitor, integrated into Azure portal.

Primarily uses Log Analytics queries and ARM templates.

Limited visualization types (mostly tables and charts).

No built-in alerting; relies on Azure Monitor alerts.

Access controlled via Azure RBAC on the workbook resource.

Watch Out for These

Mistake: Azure Managed Grafana is just Grafana hosted on a VM.

Correct: It is a fully managed PaaS service where Microsoft handles infrastructure, scaling, updates, and high availability. You do not have access to the underlying OS or VM.

Mistake: Managed Grafana can only connect to Azure Monitor.

Correct: It supports many data sources including Azure Data Explorer, Prometheus, InfluxDB, Elasticsearch, and any data source with a Grafana plugin.

Mistake: The Free (Essential) tier is suitable for production use.

Correct: Essential tier is limited to 3 users, 10 dashboards, and 14-day data retention, making it unsuitable for most production scenarios. Standard tier is recommended.

Mistake: Managed Grafana dashboards are automatically backed up.

Correct: Azure does not automatically back up dashboards. You must export dashboards as JSON files or use infrastructure-as-code to manage them.

Mistake: Alerting in Managed Grafana requires Azure Monitor alerts.

Correct: Managed Grafana has its own built-in alerting engine that can trigger notifications via email, webhooks, Slack, etc., independent of Azure Monitor alerts.


Frequently Asked Questions

How does Azure Managed Grafana authenticate with Azure Monitor?

The recommended method is using a managed identity. You enable system-assigned managed identity on the Managed Grafana instance, then grant that identity the 'Monitoring Reader' role on the Azure Monitor resources (e.g., Log Analytics workspace). Grafana will use the managed identity to obtain an access token for the Azure Monitor REST API. Alternatively, you can use a service principal with client secret or certificate, but managed identity is more secure and easier to manage.
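A review of the role assignments this answer describes, as an added example (not part of the original chapter): given assignments in the shape printed by `az role assignment list`, it reports roles the instance's managed identity holds beyond Monitoring Reader, whether that role is missing altogether, and who holds Grafana Admin on the instance directly or by inheritance. The function names, the all-zero subscription ID, the principal IDs and the sample rows are constructed placeholders.

```python
import json

# Role the chapter names for the instance's managed identity on monitored resources.
IDENTITY_ROLE = "Monitoring Reader"
GRAFANA_ADMIN = "Grafana Admin"


def applies_to(assignment_scope: str, resource_id: str) -> bool:
    """True if an assignment made at assignment_scope is inherited by resource_id."""
    scope = assignment_scope.rstrip("/").lower()   # Azure scopes are case-insensitive
    target = resource_id.lower()
    # Match on a path-segment boundary so ".../myResource" does not
    # match ".../myResourceGroup".
    return target == scope or target.startswith(scope + "/")


def audit_assignments(assignments_json: str, identity_id: str, grafana_id: str) -> dict:
    """Review role assignments for a Managed Grafana instance and its identity."""
    report = {"identity_excess": [], "identity_reader_scopes": [], "grafana_admins": []}
    for row in json.loads(assignments_json):
        role, scope = row["roleDefinitionName"], row["scope"]
        if row["principalId"] == identity_id:
            if role == IDENTITY_ROLE:
                report["identity_reader_scopes"].append(scope)
            else:
                # Anything beyond read access to monitoring data is excess privilege.
                report["identity_excess"].append((role, scope))
        elif role == GRAFANA_ADMIN and applies_to(scope, grafana_id):
            report["grafana_admins"].append((row["principalType"], row["principalId"]))
    # Without the reader role, data source queries fail.
    report["identity_missing_reader"] = not report["identity_reader_scopes"]
    return report


# Constructed sample data; none of these IDs refer to real resources.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/myResourceGroup"
GRAFANA_ID = RG + "/providers/Microsoft.Dashboard/grafana/mygrafana"
IDENTITY_ID = "11111111-1111-1111-1111-111111111111"


def _row(principal, ptype, role, scope):
    return {"principalId": principal, "principalType": ptype,
            "roleDefinitionName": role, "scope": scope}


SAMPLE_ASSIGNMENTS = json.dumps([
    _row(IDENTITY_ID, "ServicePrincipal", "Monitoring Reader", SUB),
    _row(IDENTITY_ID, "ServicePrincipal", "Contributor", RG),
    _row("22222222-2222-2222-2222-222222222222", "Group", "Grafana Admin", GRAFANA_ID),
    _row("33333333-3333-3333-3333-333333333333", "User", "Grafana Admin", SUB),
    _row("44444444-4444-4444-4444-444444444444", "User", "Grafana Viewer", GRAFANA_ID),
    _row("55555555-5555-5555-5555-555555555555", "User", "Grafana Admin",
         SUB + "/resourceGroups/myResource"),
])

if __name__ == "__main__":
    print(json.dumps(audit_assignments(SAMPLE_ASSIGNMENTS, IDENTITY_ID, GRAFANA_ID), indent=2))
```
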

Can I use Azure Managed Grafana to monitor on-premises resources?

Yes, you can monitor on-premises resources by using Azure Arc, which enables Azure Monitor to collect data from on-premises servers. Alternatively, you can install a self-hosted Prometheus server on-premises and configure it as a data source in Managed Grafana. The Grafana instance itself is in Azure, but it can query any data source that is reachable over the internet or via a VPN/ExpressRoute.

What is the difference between Grafana Alerting and Azure Monitor Alerts?

Grafana Alerting is built into Grafana and evaluates queries against data sources directly. It can send notifications via email, webhook, Slack, etc. Azure Monitor Alerts are a separate Azure service that evaluates metric or log queries and can trigger actions like runbooks or webhooks. Grafana alerts are more flexible because they can use any data source, while Azure Monitor alerts are limited to Azure data sources. However, Azure Monitor alerts can integrate with Azure action groups for more complex workflows.

How do I migrate from self-managed Grafana to Azure Managed Grafana?

First, export your dashboards as JSON files from the old Grafana instance. Second, create a new Azure Managed Grafana instance. Third, import the dashboards via the Grafana UI or API. Fourth, reconfigure data sources using Azure AD authentication (managed identity or service principal). Note that alert rules are not exported with dashboards; you need to recreate them manually. Also, any custom plugins may not be available in the managed service; only approved plugins are supported.

What are the network security options for Azure Managed Grafana?

You can restrict access to the Grafana endpoint using IP firewall rules (allow only specific IP ranges). For private connectivity, you can enable Azure Private Link, which assigns a private IP address to the Grafana instance within your virtual network. This is only available in the Standard tier. You can also use service endpoints, but Private Link is recommended for production.

Can I use Azure Managed Grafana with Azure Data Explorer?

Yes, Azure Data Explorer (ADX) is a supported data source. You need to configure the ADX cluster endpoint and authentication. You can use managed identity or a service principal. Grafana's ADX plugin allows you to write KQL queries and visualize results. This is common for scenarios requiring high-performance log analytics.

What happens if I exceed the dashboard limit in the Essential tier?

The Essential tier has a hard limit of 10 dashboards. If you try to create an 11th dashboard, you will receive an error. You must upgrade to the Standard tier to increase the limit. Similarly, the user limit of 3 means only 3 Azure AD users can be assigned the Grafana Viewer role; additional users will be denied access.
