Setup and administration for Grafana
This article explains how you can use the Cognite Data Source for Grafana to use a Cognite Data Fusion (CDF) project as a data source in Grafana to query, explore and visualize data that's stored in CDF.
You can use OpenID Connect and your existing identity provider (IdP) framework to manage access to CDF data securely. We currently support Microsoft Entra ID (formerly Azure Active Directory), Microsoft's cloud-based identity and access management service.
Follow the steps below to connect to a CDF project with OpenID Connect and use CDF as a data source in Grafana.
To perform the steps below, you need to be an administrator of Microsoft Entra ID and your Grafana instance.
Before you start
Make sure that you have administrator access to your Grafana instance. We support the Enterprise, self-hosted and Cloud Pro editions of Grafana. We also support free cloud instances, but then you need to set up a client credentials grant flow for each instance of the Cognite Data Source.
Step 1: Register Grafana as an application in Microsoft Entra ID
The Cognite Data Source for Grafana uses the credentials you use to sign in to Grafana to connect to CDF. Therefore, you need to set up the Grafana instance to authenticate the user towards the same identity provider (IdP) as your CDF project.
The first step is to configure the Grafana instance to use OAuth2. The example below uses Microsoft Entra ID as the IdP.
-
Make sure that you have already registered the Cognite API and the CDF portal application in Microsoft Entra ID.
-
To enable users to sign in to Grafana with their organizational ID, follow the steps in the Grafana documentation to register Grafana as an application in Microsoft Entra ID and enable Microsoft Entra ID authentication in Grafana.
NOTE - Grafana CloudTo enable OIDC sign-in using Microsoft Entra ID with Grafana Cloud, follow the configuration steps.
Handle the changes to the Grafana configuration file by using the configuration form at Grafana Labs > Security > Advanced Auth.
NOTEUse these permission scopes in the Grafana configuration file:
scopes = openid email profile offline_access https://<your-cluster>.cognitedata.com/user_impersonation https://<your-cluster>.cognitedata.com/IDENTITY
TIPIf you are running Grafana locally, use
http
in the redirect URL. For example:http://localhost:3000/login/azuread
. -
Close the Grafana configuration file after updating it and restart the Grafana service.
-
Sign in to Grafana to use the Microsoft Entra ID Global administrator role. The role lets you verify that the configuration is successful and enables you to grant admin consent.
-
Select Consent on behalf of your organization.