Azure Bot Documentation


Melanie Wendelberger

Aug 5, 2024, 11:30:54 AM8/5/24
to dospwithsredtha
This document is a walk-through for setting up a virtual MX appliance (vMX) in the Azure Marketplace. After completing the steps outlined in this document, you will have a virtual MX appliance running in the Azure Cloud that serves as an Auto VPN termination point for your physical MX devices.

Note: Some Azure regions such as South Africa West require Azure support to enable the ability to deploy the Standard F4s_v2 VM instance type required by the Meraki vMX. The process for requesting access to these regions is documented by Microsoft in the Azure region access request process. Meraki vMX is only supported on instance types mentioned in this KB, other instance types are not supported.


vMXs in NAT mode will not advertise subnets that are available on the public/private cloud, so spoke MXs will have to send all their traffic (full tunnel) to the vMX, which will then NAT the traffic and send it across its WAN interface into the public/private cloud environment.


During the setup of your vMX instance, or over the course of working within Azure, you may encounter additional terminology which is not defined in this document. To find out more about these terms, and for additional details on the terms listed above, please see the Microsoft Azure glossary.


This section walks you through configuring the necessary requirements within Azure and adding a vMX instance to your Azure virtual network. For more details on setting up an Azure virtual network and other components, please refer to Microsoft Azure Documentation.


Deploy a virtual appliance into a different subnet than the resources that route through the virtual appliance are deployed in. Deploying the virtual appliance to the same subnet, then applying a route table to the subnet that routes traffic through the virtual appliance, can result in routing loops, where traffic never leaves the subnet.


Note: Basic SKU public IP addresses in Azure will be deprecated on 30 September 2025. After this date, it will be necessary to set up a security policy to forward traffic in the standard SKU instead. For more information, please refer to this note from Azure: Upgrade to Standard SKU public IP addresses in Azure


On the site-to-site VPN page, add each subnet in your resource group that should be accessible to remote Auto VPN peers to the list of "Local Network(s)." For more information on configuring Auto VPN, please refer to the site-to-site VPN settings documentation.


If the managed application (vMX) was successfully deployed to the Meraki Dashboard, then the managed application must be deleted on the Meraki Dashboard in order for the resource group to be deleted on Azure. Refer to -us/az...tions/overview for more information.


If the managed application (vMX) failed to deploy to the Meraki Dashboard and the Azure activity log is showing errors similar to the one below, then a support ticket will need to be logged with Microsoft to check for any hidden resources and/or delete the entire tenant.


Azure activity log: Failed to delete managed application 'instance_name'. Error: Deletion of resource group 'resource_group_name' failed as resources with idenfifiers 'identifier_name' could not be deleted. The provisioning state of the resource group will be rolled back. The tracking id is 'tracking_id'. Please check your audit logs for more details.


The Azure AD authentication allows you to use a Microsoft Entra ID (formerly known as Azure Active Directory) tenant as an identity provider for Grafana. You can use Entra ID application roles to assign users and groups to Grafana roles from the Azure Portal.


If the application role received by Grafana is GrafanaAdmin, Grafana grants the user server administrator privileges.

This is useful if you want to grant server administrator privileges to a subset of users.

Grafana also assigns the user the Admin role of the default organization.


The setting allow_assign_grafana_admin under [auth.azuread] must be set to true for this to work.

If the setting is set to false, the user is assigned the role of Admin of the default organization, but not server administrator privileges.


As a Grafana Admin, you can configure your Azure AD OAuth2 client from within Grafana using the Grafana UI. To do this, navigate to the Administration > Authentication > Azure AD page and fill in the form. If you have a current configuration in the Grafana configuration file, the form will be pre-populated with those values. Otherwise the form will contain default values.


If you need to reset changes you made in the UI back to the default values, click Reset. After you have reset the changes, Grafana will apply the configuration from the Grafana configuration file (if there is any configuration) or the default values.


When a user logs in using an OAuth provider, Grafana verifies that the access token has not expired. When an access token expires, Grafana uses the provided refresh token (if any exists) to obtain a new access token.


Refresh token fetching and access token expiration check is enabled by default for the AzureAD provider since Grafana v10.1.0. If you would like to disable access token expiration check then set the use_refresh_token configuration value to false.


Note: The accessTokenExpirationCheck feature toggle has been removed in Grafana v10.3.0 and the use_refresh_token configuration value will be used instead for configuring refresh token fetching and access token expiration check.


To limit access to authenticated users who are members of one or more tenants, set allowed_organizations to a comma- or space-separated list of tenant IDs. You can find tenant IDs on the Azure portal under Microsoft Entra ID -> Overview.


If no application role is found, the user is assigned the role specified by the auto_assign_org_role option. You can disable this default role assignment by setting role_attribute_strict = true. It denies user access if no role or an invalid role is returned.


If you do not want Azure AD authentication to sync user roles and organization membership, and want to prevent the sync of org roles from Entra ID, set skip_org_role_sync to true. This is useful if you want to manage the organization roles for your users from within Grafana or if your organization roles are synced from another provider. See Configure Grafana for more details.


Grafana ships with built-in support for Azure Monitor, the Azure service to maximize the availability and performance of applications and services in the Azure Cloud. This topic explains configuration and querying specific to the Azure Monitor data source.


If you host Grafana in Azure, such as in App Service or Azure Virtual Machines, you can configure the Azure Monitor data source to use Managed Identity for secure authentication without entering credentials into Grafana. For details, refer to Configuring using Managed Identity.


You can configure the Azure Monitor data source to use Workload Identity for secure authentication without entering credentials into Grafana if you host Grafana in a Kubernetes environment, such as AKS, and require access to Azure resources. For details, refer to Configuring using Workload Identity.


You can use managed identity to configure Azure Monitor in Grafana if you host Grafana in Azure (such as an App Service or with Azure Virtual Machines) and have managed identity enabled on your VM. This lets you securely authenticate data sources without manually configuring credentials via Azure AD App Registrations. For details on Azure managed identities, refer to the Azure documentation.


You can set the managed_identity_client_id field in the [azure] section of the Grafana server configuration to allow a user-assigned managed identity to be used instead of the default system-assigned identity.


You can use workload identity to configure Azure Monitor in Grafana if you host Grafana in a Kubernetes environment, such as AKS, in conjunction with managed identities. This lets you securely authenticate data sources without manually configuring credentials via Azure AD App Registrations. For details on workload identity, refer to the Azure workload identity documentation.


There are additional configuration variables that can control the authentication method. workload_identity_tenant_id is the Azure AD tenant that contains the managed identity, workload_identity_client_id is the client ID of the managed identity if it differs from the default client ID, and workload_identity_token_file is the path to the token file. Refer to the documentation for more information on what values these variables should use, if any.


Once all permissions have been added, the Azure authentication section in Grafana must be updated. The scopes section must be updated to include the .default scope to ensure that a token with access to all APIs declared on the App Registration is requested by Grafana. Once updated the scopes value should equal: .default openid email profile.


Set the user_identity_enabled flag in the [azure] section of the Grafana server configuration. By default this will also enable fallback service credentials. If you want to disable service credentials at the instance level, set user_identity_fallback_credentials_enabled to false.


In the Azure Monitor data source configuration, set Authentication to Current User. If fallback service credentials are enabled at the instance level, an additional configuration section is visible that you can use to enable or disable using service credentials for this data source.

(Screenshot: Azure Monitor data source configuration showing Current User authentication.)


Instead of hard-coding details such as server, application, and sensor names in metric queries, you can use variables. Grafana lists these variables in dropdown select boxes at the top of the dashboard to help you change the data displayed in your dashboard. Grafana refers to such variables as template variables.
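As an added example that is not part of this post or of Grafana's own code, the following Python models the Azure AD role-mapping rules described above (the allowed_organizations tenant check, the GrafanaAdmin app role gated by allow_assign_grafana_admin, and the auto_assign_org_role fallback that role_attribute_strict disables). The config class, claim names and sample claims are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical model of the documented rules; not Grafana's implementation.
GRAFANA_ORG_ROLES = {"Viewer", "Editor", "Admin"}


@dataclass
class AzureADConfig:
    allowed_organizations: set = field(default_factory=set)  # tenant IDs; empty = any tenant
    role_attribute_strict: bool = False
    allow_assign_grafana_admin: bool = False
    auto_assign_org_role: str = "Viewer"  # the [users] auto_assign_org_role setting


@dataclass
class LoginDecision:
    allowed: bool
    org_role: Optional[str] = None
    server_admin: bool = False
    reason: str = ""


def map_login(claims: dict, cfg: AzureADConfig) -> LoginDecision:
    """Decide access, org role and server-admin flag from decoded ID-token claims."""
    tid = claims.get("tid")
    if cfg.allowed_organizations and tid not in cfg.allowed_organizations:
        return LoginDecision(False, reason=f"tenant {tid!r} not in allowed_organizations")
    # Keep only app roles Grafana understands; anything else counts as an invalid role.
    roles = [r for r in claims.get("roles") or [] if r in GRAFANA_ORG_ROLES or r == "GrafanaAdmin"]
    if not roles:
        if cfg.role_attribute_strict:
            return LoginDecision(False, reason="no valid role and role_attribute_strict=true")
        return LoginDecision(True, org_role=cfg.auto_assign_org_role, reason="auto_assign_org_role fallback")
    if "GrafanaAdmin" in roles:
        # GrafanaAdmin always yields org Admin; server admin only when explicitly allowed.
        return LoginDecision(True, org_role="Admin", server_admin=cfg.allow_assign_grafana_admin,
                             reason="GrafanaAdmin app role")
    return LoginDecision(True, org_role=roles[0], reason="app role mapped directly")


# Constructed sample claims (a decoded ID-token payload, not a real token).
SAMPLE_CLAIMS = {"tid": "00000000-0000-0000-0000-000000000001",
                 "preferred_username": "alice@example.com", "roles": ["GrafanaAdmin"]}

if __name__ == "__main__":
    cfg = AzureADConfig(allowed_organizations={SAMPLE_CLAIMS["tid"]},
                        role_attribute_strict=True, allow_assign_grafana_admin=True)
    print(map_login(SAMPLE_CLAIMS, cfg))
```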
