Copy dashboards from Dashboards with Grafana to Azure Managed Grafana
Azure Monitor Dashboards with Grafana provides an in‑portal Grafana experience optimized for Azure Monitor and managed Prometheus data. For many teams, that simplicity is exactly what they need. As observability practices mature, teams often need more than visualization: broader data source support, stronger security controls, and advanced workflows like Azure Managed Grafana MCP. Until now, moving dashboards from Dashboards with Grafana into Azure Managed Grafana often meant recreating them by hand or exporting JSON, extra friction when teams want to move faster. The new Copy to Managed Grafana experience removes that friction. Why a copy experience was needed Dashboards with Grafana and Azure Managed Grafana serve complementary roles. Dashboards with Grafana focuses on: Fast, zero‑setup visualization Tight integration with Azure Monitor and Prometheus An embedded experience directly inside the Azure portal Azure Managed Grafana extends that foundation with: Full Grafana workflows, including alerts, reporting, and automation Support for additional data sources and plugins Enterprise‑grade security features such as private endpoints and managed identity Cross‑team reuse through folders, APIs, and Role Based Access Controls Historically, teams that outgrew Dashboards with Grafana didn’t have a simple, in‑product way to bring their dashboards forward, so continuing in a more advanced Grafana environment required extra manual steps. The goal is simple: copy dashboards to Azure Managed Grafana as needs grow—while continuing to use Dashboards with Grafana for day‑to‑day work. Introducing “Copy to Managed Grafana” Customers can now copy dashboards from Dashboards with Grafana into Azure Managed Grafana directly from the Azure portal—without changing the original dashboard. This feature is: In‑context – start from your dashboard in Dashboards with Grafana Seamless – no exports or re‑creation Non‑disruptive – keep using the source dashboard while you adopt Managed Grafana The flow is straightforward: Select “Copy to Managed Grafana” from your dashboard in Dashboards with Grafana. This feature doesn’t work on built-in dashboards, so you would have to save a copy of built-in Dashboards before you can copy those. Choose an existing Azure Managed Grafana workspace or create a new one Complete the copy and continue working in a full Grafana environment, making data connections where needed Because it appears where teams already build dashboards, the option is easy to find when it becomes relevant. Advanced capabilities, like additional data sources, alerts, and folder organization, are configured after copying, so teams can adopt them when they’re ready. This keeps the transition predictable and avoids surprises. Dashboards with Grafana is the fastest way to visualize Azure Monitor data with Grafana. When teams need more control, scale, or extensibility, Azure Managed Grafana is the natural next step, without forcing you to stop using Dashboards with Grafana. Together, they form a single observability journey: Start quickly with Dashboards with Grafana Copy dashboards into Azure Managed Grafana when you need more capabilities Enjoy end to end observability within the Azure ecosystem as requirements evolve You don’t have to trade speed today for flexibility later. Learn more by reading the doc: Copy an Azure Monitor dashboard to Azure Managed Grafana - Azure Monitor | Microsoft LearnIntroducing Azure Managed Grafana MCP: The Managed Telemetry Gateway for AI Agents
AI agents are rapidly becoming a core part of how teams build, operate, and improve cloud systems, from coding assistants to autonomous remediation workflows. To deliver on that promise in the enterprise, agents need a secure, governed way to access real production telemetry. Azure Managed Grafana MCP lets AI agents securely query the same production telemetry you already connect to Azure Managed Grafana, like Azure Monitor metrics and logs, Application Insights, and Kusto, using your existing Azure RBAC and managed identities. How do you securely connect AI agents to real production telemetry, without standing up yet another piece of infrastructure? Today, enabling an agent to query systems like Azure Monitor, Application Insights, or Kusto often requires deploying and operating a self‑hosted MCP server, wiring up identity and networking, and maintaining additional runtime infrastructure. That friction slows adoption and expands the security surface area. Azure Managed Grafana MCP removes that entire layer. With this release, every Azure Managed Grafana instance now includes a fully managed, remote MCP server that is ready by default. What is Azure Managed Grafana MCP? Azure Managed Grafana MCP is a built‑in, managed MCP endpoint that allows AI agents to securely query enterprise telemetry and operational data through Azure Managed Grafana. Instead of deploying your own MCP server, customers can simply: Point their agent to the Azure Managed Grafana MCP endpoint Grant the agent a managed identity Start querying production data immediately No containers. No extra infrastructure. No duplicated auth systems. Azure Managed Grafana MCP is very easy to configure with your existing AMG instance Because most Azure Managed Grafana customers already connect data sources like Azure Monitor metrics, logs, Kusto, and Application Insights to Azure Managed Grafana, the MCP server can expose that telemetry to AI agents instantly, using the same RBAC and access controls teams already trust. Why we built this As we’ve talked with customers experimenting with Foundry and coding agents, a consistent theme has emerged: agents are only as useful as the data they can reason over. Requiring teams to stand up and operate a separate MCP layer introduces real cost: Additional infrastructure to deploy and maintain Custom identity and token handling Expanded attack surface Slower experimentation and adoption This Azure Managed Grafana MCP takes a different approach. Rather than asking customers to build new infrastructure for agents, we leverage infrastructure they already run and trust: Azure Managed Grafana. This shifts Grafana from being just a visualization layer to something more strategic: A secure telemetry access plane An analytical engine for agent reasoning A bridge between operational data and autonomous action Core value propositions Zero infrastructure overhead Azure Managed Grafana MCP is fully managed and enabled by default: No self‑hosted MCP servers No additional networking configuration Agents connect directly to Azure Managed Grafana and start querying data. Secure by design Security is not bolted on, it’s inherited: Uses existing Azure RBAC Supports managed identities Respects current Azure Managed Grafana access controls There’s no need to duplicate authentication or authorization logic, and the security posture remains consistent with existing observability access patterns. Immediate enterprise scenarios By exposing production telemetry through MCP, teams can unlock high‑value agent workflows immediately: Root cause analysis using Application Insights Automated operational summaries Real‑time diagnostics Cross‑resource telemetry correlation Structured data access via Kusto Chatting with an agent using Azure Managed Grafana MCP These are scenarios customers already run manually today and this MCP server makes them accessible to agents. Closing the loop: from insight to action One of the most powerful aspects of Azure Managed Grafana MCP is what happens when agents have access to both code context and live telemetry. For example: An agent queries Application Insights for production errors Identifies recurring exception patterns Locates the source code emitting those errors Generates a fix and submits a pull request This closes the loop between observability and remediation, something that’s been largely manual until now. Designing for agents, not just dashboards Humans and agents consume data very differently. Humans: Navigate dashboards sequentially Are limited by cognitive bandwidth Correlate issues manually Agents: Process large datasets in parallel Perform iterative drill‑downs without fatigue Detect statistically significant patterns quickly Azure Managed Grafana MCP is designed with this in mind. Instead of only exposing raw data, it enables agent‑optimized tools, like aggregated failure views across dozens of Application Insights instances, so agents can reason efficiently at scale. To make it easier for our customers, it is now available as a native tool within Microsoft Foundry, so you can easily connect it to your Foundry Agents. Azure Managed Grafana MCP as a native Foundry tool Looking ahead Azure Managed Grafana MCP is the foundation for a broader vision: Observability‑driven autonomous agents Secure enterprise telemetry reasoning AI systems that detect, diagnose, and act Over time, this transforms Azure Managed Grafana from dashboard software into a strategic AI integration layer for Azure. This isn’t just a visualization feature. It’s an infrastructure shift. Check out the doc for more information: Configure an Azure Managed Grafana remote MCP server | Microsoft LearnIntroducing Azure Managed Grafana 12
In this release, Azure Managed Grafana makes it easier to tighten access with current-user Entra authentication, speed up Azure Monitor logs exploration, and level up Prometheus and database monitoring experiences. What’s new in Azure Managed Grafana 12 Use current-user Entra authentication for supported Azure data sources to query with the signed-in user’s permissions. Analyze Azure Monitor logs faster with a new query builder and improved visualization and Explore experiences. Explore Prometheus metrics with improved drill-down, prefix and suffix filters, group-by label support, plus OpenTelemetry and native histogram support. Use updated, pre-built database monitoring dashboards for Azure PostgreSQL, Azure SQL, and SQL Managed Instance (SQL MI). Advanced authentication: query with current user’s Entra credentials Current-user Entra authentication is now available in Azure data sources. That means Grafana admins can configure supported data sources to re-use the logged-in user’s credentials when issuing queries. In practice, the signed-in user’s permissions define what data stores they can access, helping teams apply least-privilege access to each user while keeping the option to use Managed Identities and Service Principals in other data sources where that fits best. Supported data sources include: Azure Monitor Azure Data Explorer Azure Monitor Managed Service for Prometheus Faster log analysis: Click-to-build queries and smoother Explore If you live in Azure Monitor logs, this update is for you. Improvements to log visualization in the Logs visualization panel and Grafana Explore make it easier to filter and extract meaningful insights from Azure Monitor logs. There’s also a new Azure Monitor logs query builder, so you can create and refine queries with a few clicks instead of writing Kusto Query Language (KQL) by hand. Performance is significantly faster too. Grafana Explore can now query and render up to 30K log records at a time, so you get much faster load times, faster searches, and more responsive navigation through large log volumes. Prometheus query enhancements: drill down without the query gymnastics Users new to Prometheus get a smoother path to explore metrics and analyze time series. Metrics drill-down now includes sidebar filters for prefix/suffix so you can quickly narrow metrics by naming conventions, and group-by label support to build more context-rich groupings. This is a true queryless exploration of Azure Managed Prometheus metrics when you’re troubleshooting or just identifying what’s been collected. This release also adds OpenTelemetry & native histogram support, including an OTel mode to automate label-join complexities when querying OTLP metrics. New database monitoring dashboards Azure Managed Grafana now includes new versions of pre-built dashboards for monitoring Azure Database for PostgreSQL and Azure SQL Databases (Preview). For teams building on Azure-native databases, these updated dashboards can help you get to a useful baseline faster, so you spend less time wiring panels and more time acting on what the data is telling you. Getting started To try Grafana 12, you can create a new Azure Managed Grafana instance with Grafana 12 selected, or upgrade an existing instance from the Azure portal. From there, consider enabling current-user Entra authentication for supported Azure data sources, test the new Azure Monitor logs query builder in Explore for day-to-day investigations, and take the updated database dashboards for a spin if you run Azure PostgreSQL, Azure SQL, or SQL MI. Check out the doc for more information: Upgrade Azure Managed Grafana to Grafana 12 - Azure Managed Grafana.Generally Available - Azure Monitor Private Link Scope (AMPLS) Scale Limits Increased by 10x!
Introduction We are excited to announce the General Availability (GA) of Azure Monitor Private Link Scope (AMPLS) scale limit increase, delivering 10x scalability improvements compared to previous limits. This enhancement empowers customers to securely connect more Azure Monitor resources via Private Link, ensuring network isolation, compliance, and Zero Trust alignment for large-scale environments. What is Azure Monitor Private Link Scope (AMPLS)? Azure Monitor Private Link Scope (AMPLS) is a feature that allows you to securely connect Azure Monitor resources to your virtual network using private endpoints. This ensures that your monitoring data is accessed only through authorized private networks, preventing data exfiltration and keeping all traffic inside the Azure backbone network. AMPLS – Scale Limits Increased by 10x in Public Cloud & Sovereign Cloud (Fairfax/Mooncake) - Regions In a groundbreaking development, we are excited to share that the scale limits for Azure Monitor Private Link Scope (AMPLS) have been significantly increased by tenfold (10x) in Public & Sovereign Cloud regions as part of the General Availability! This substantial enhancement empowers our customers to manage their resources more efficiently and securely with private links using AMPLS, ensuring that workload logs are routed via the Microsoft backbone network. What’s New? 10x Scale Increase Connect up to 3,000 Log Analytics workspaces per AMPLS (previously 300) Connect up to 10,000 Application Insights components per AMPLS (previously 1,000) 20x Resource Connectivity Each Azure Monitor resource can now connect to 100 AMPLS resources (previously 5) Enhanced UX/UI Redesigned AMPLS interface supports loading 13,000+ resources with pagination for smooth navigation Private Endpoint Support Each AMPLS object can connect to 10 private endpoints, ensuring secure telemetry flows Why It Matters Top Azure Strategic 500 customers, including major Telecom service providers and Banking & Financial Services organizations, have noted that previous AMPLS limits did not adequately support their increasing requirements. The demand for private links has grown 3–5 times over existing capacity, affecting both network isolation and integration of essential workloads. This General Availability release resolves these issues, providing centralized monitoring at scale while maintaining robust security and performance. Customer Stories Our solution now enables customers to scale their Azure Monitor resources significantly, ensuring seamless network configurations and enhanced performance. Customer B - Case Study: Leading Banking & Financial Services Customer Challenge: The Banking Customer faced complexity in delivering personalized insights due to intricate workflows and content systems. They needed a solution that could scale securely while maintaining compliance and performance for business-critical applications. Solution: The Banking Customer has implemented Microsoft Private Links Services (AMPLS) to enhance the security and performance of financial models for smart finance assistants, leading to greater efficiency and improved client engagement. To ensure secure telemetry flow and compliance, the banking customer implemented Azure Monitor with Private Link Scope (AMPLS) and leveraged the AMPLS Scale Limit Increase feature. Business Impact: Strengthened security posture aligned with Zero Trust principles Improved operational efficiency for monitoring and reporting Delivered a future-ready architecture that scales with evolving compliance and performance demands Customer B - Case Study: Leading Telecom Service Provider - Scaling Secure Monitoring with AMPLS Architecture: A Leading Telecom Service Provider employs a highly micro-segmented design where each DevOps team operates in its own workspace to maximize security and isolation. Challenge: While this design strengthens security, it introduces complexity for large-scale monitoring and reporting due to physical and logical limitations on Azure Monitor Private Link Scope (AMPLS). Previous scale limits made it difficult to centralize telemetry without compromising isolation. Solution: The AMPLS Scale Limit Increase feature enabled the Telecom Service Provider to expand Azure Monitor resources significantly. Monitoring traffic now routes through Microsoft’s backbone network, reducing data exfiltration risks and supporting Zero Trust principles. Impact & Benefits Scalability: Supports up to 3,000 Log Analytics workspaces and 10,000 Application Insights components per AMPLS (10× increase). Efficiency: Each Azure Monitor resource can now connect to 100 AMPLS resources (20× increase). Security: Private connectivity via Microsoft backbone mitigates data exfiltration risks. Operational Excellence: Simplifies configuration for 13K+ Azure Monitor resources, reducing overhead for DevOps teams. Customer Benefits & Results Our solution significantly enhances customers’ ability to manage Azure Monitor resources securely and at scale using Azure Monitor Private Link Scope (AMPLS). Key Benefits Massive Scale Increase 3,000 Log Analytics workspaces (previously 300) 10,000 Application Insights components (previously 1,000) Each AMPLS object can now connect to: Azure Monitor resources can now connect with up to 100 AMPLS resources (20× increase). Broader Resource Support - Supported resource types include: Data Collection Endpoints (DCE) Log Analytics Workspaces (LA WS) Application Insights components (AI) Improved UX/UI Redesigned AMPLS interface supports loading 13,000+ Azure Monitor resources with pagination for smooth navigation. Private Endpoint Connectivity Each AMPLS object can connect to 10 private endpoints, ensuring secure telemetry flows. Resources: Explore the new capabilities of Azure Monitor Private Link Scope (AMPLS) and see how it can transform your network isolation and resource management. Visit our Azure Monitor Private Link Scope (AMPLS) documentation page for more details and start leveraging these enhancements today! For detailed information on configuring Azure Monitor private link scope and azure monitor resources, please refer to the following link: Use Azure Private Link to connect networks to Azure Monitor - Azure Monitor | Microsoft Learn Design your Azure Private Link setup - Azure Monitor | Microsoft Learn Configure your private link - Azure Monitor | Microsoft Learn
Advancing Full-Stack Observability with Azure Monitor at Ignite 2025
New AI-powered innovations in the observability space First, we’re excited to usher in the era of agentic cloud operations with Azure Copilot agents. At Ignite 2025, we are announcing the preview of the Azure Copilot observability agent to help you enhance full-stack troubleshooting. Formerly “Azure Monitor investigate”, the observability agent streamlines troubleshooting across application services and resources such as AKS and VMs with advanced root cause analysis in alerts, the portal, and Azure Copilot (gated preview). By automatically correlating telemetry across resources and surfacing actionable findings, it empowers teams to resolve issues faster, gain deeper visibility, and collaborate effectively. Learn more here about the observability agent and learn about additional agents in Azure Copilot here. Additionally, with the new Azure Copilot, we are streamlining agentic experiences across Azure. From operations center in the Azure portal, you can get a single view to navigate, operate and optimize your environments and invoke agents in your workflows. You also get suggested top actions within the observability blade of operations center to prioritize, diagnose and resolve issues with support from the observability agent. Learn more here. In the era of AI, more and more apps are now AI apps. That’s why we’re enhancing our observability capabilities for GenAI and agents: Azure Monitor brings agent-level visibility and control into a single experience in partnership with Observability in Foundry Control Plane through a new agent details view (public preview) showcasing success metrics, quality indicators, safety checks, and cost insights in one place. Simplified tracing also transforms every agent run into a reasonable, plan-and-act narrative for faster understanding. On top of these features, the new smart trace search enables faster detection of anomalies—such as policy violations, unexpected cost spikes, or model regressions—so teams can troubleshoot and optimize with confidence. These new agentic experiences build upon a solid observability foundation provided by Azure Monitor. Learn more here. We’re making several additional improvements in Azure Monitor: Simplified Onboarding & More Centralized Visibility Streamlined onboarding: Azure Monitor now offers streamlined onboarding for VMs, containers, and applications with sensible defaults and abstraction layers. This means ITOps teams can enable monitoring across environments in minutes, not hours. Previously, configuring DCRs and linking Log Analytics workspaces was a multi-step process; now, you can apply predefined templates and scale monitoring across hundreds of VMs faster than before. Centralized dashboards: A new monitor overview page in operations center consolidates top suggested actions and Azure Copilot-driven workflows for rapid investigation. Paired with the new monitoring coverage page (public preview) in Azure Monitor, ITOps can quickly identify gaps based on Azure Advisor recommendations, enable VM Insights and Container Insights at scale, and act on monitoring recommendations—all from a single pane of glass. Learn more here. Richer visualizations: Azure Monitor dashboards with Grafana are now in GA, delivering rich visualizations and data transformation capabilities on Prometheus metrics, Azure resource metrics, and more. Learn more here. Cloud to edge visibility: With expanded support for Arc-enabled Kubernetes with OpenShift and Azure Red Hat OpenShift in Container Insights and Managed Prometheus, Azure Monitor offers an even more complete set of services for monitoring the health and performance of different layers of Kubernetes infrastructure and the applications that depend on it. Learn more here. Advanced Logs, Metrics, and Alert Management Logs & metrics innovations: Azure Monitor now supports the log filtering and transformation (GA), as well as the emission of logs to additional destinations (public preview) such as Azure Data Explorer and Fabric—unlocking real-time analytics and more seamless data control. Learn more here. More granular access for managing logs: Granular RBAC for Log Analytics workspaces ensures compliance and least privilege principles across teams, now in general availability. Learn more here. Dynamic thresholds for log search alerts (public preview): Now you can apply the advanced machine learning methods of dynamic threshold calculations to enhance monitoring with log search alerts. Learn more here. Query-based metric alerts (public preview): Get rich and flexible query-based alerting on Prometheus, VM Guest OS, and custom OTel metrics to reduce complexity and unblock advanced alerting scenarios. Learn more here. OpenTelemetry Ecosystem Expansion Azure Monitor doubles down on our commitment to OpenTelemetry with expanded support for monitoring applications deployed to Azure Kubernetes Service (AKS) by using OTLP for instrumentation and data collection. New capabilities include: Auto-instrumentation with the Azure Monitor OpenTelemetry distro for Java and NodeJS apps on AKS (public preview): this reduces friction for teams adopting OTel standards and ensures consistent telemetry across diverse compute environments. Auto-configuration for apps on AKS in any language already instrumented with the open-source OpenTelemetry SDK to emit telemetry to Azure Monitor. Learn more here. Additionally, we are making it easier to gain richer and more consistent visibility across Azure VMs and Arc Servers with OpenTelemetry visualizations, offering standardized system metrics, per-process insights, and extensibility to popular workloads on a more cost-efficient and performant solution. Learn more here. Next Steps These innovations redefine observability from cloud to edge—simplifying onboarding, accelerating troubleshooting, and embracing open standards. For ITOps and DevOps teams, this means fewer blind spots, faster MTTR, and improved operational resilience. Whether you’re joining us at Microsoft Ignite 2025 in-person or online, there are plenty of ways to connect with the Azure Monitor team and learn more: Attend breakout session BRK149 for a deep dive into Azure Monitor’s observability capabilities and best practices for optimizing cloud resources. Attend breakout session BRK145 to learn more about how agentic AI can help you streamline cloud operations and management. Attend breakout session BRK190 to learn about how Azure Monitor and Microsoft Foundry deliver an end-to-end observability experience for your AI apps and agents. Join theater demo THR735 to see a live demo on monitoring AI agents in production. Connect with Microsoft experts at the Azure Copilot, Operations, and Management expert meet-up booth to get your questions answered.
Troubleshoot with OTLP signals in Azure Monitor (Limited Public Preview)
As organizations increasingly rely on distributed cloud-native applications, the need for comprehensive standards-based observability has never been greater. OpenTelemetry (OTel) has emerged as the industry standard for collecting and transmitting telemetry data, enabling unified monitoring across diverse platforms and services. Microsoft is among the top contributors to OpenTelemetry. Azure Monitor is expanding its support for the OTel standard with this preview, empowering developers and operations teams to seamlessly capture, analyze, and act on critical signals from their applications and infrastructure. With this limited preview (sign-up here), regardless of where your applications are running, you can channel the OpenTelemetry Protocol (OTLP) logs, metrics and traces to Azure Monitor directly. On Azure compute platforms, we have simpler collection orchestration that also unifies application and infrastructure telemetry collection with the Azure Monitor collection offerings for VM/VMSS or AKS. On Azure VMs/VMSS (or any Azure Arc supported compute), you can use the Azure Monitor Agent (AMA) that you are already using to collect infrastructure logs. On AKS, the Azure Monitor add-ons that orchestrate Container Insights and managed Prometheus, will also auto configure the collection of OTLP signals from your applications (or auto-instrument with Azure Monitor OTel Distro for supported languages). On these platforms or anywhere else, you can choose to use OpenTelemetry Collector, and channel the OTLP signals from your OTel SDK instrumented application directly to Azure Monitor cloud ingestion endpoints. OTLP metrics will be stored in Azure Monitor Workspace, a Prometheus metrics store. Logs and traces will be stored in Azure Monitor Log Analytics Workspace in an OTel semantic conventions-based schema. Application Insights experiences will light up, enabling all distributed tracing and troubleshooting experiences powered by Azure Monitor, as well as out of the box Dashboards with Grafana from the community. With this preview, we are also extending the support for auto-instrumentation of applications on AKS to .NET and Python applications and introducing OTLP metrics collection from all auto-instrumented applications (Java/Node/.NET/Python). Sign-up for the preview here: https://aka.ms/azuremonitorotelpreview.Announcing resource-scope query for Azure Monitor Workspaces
We’re excited to announce the public preview of resource-scope query for Azure Monitor Workspaces (AMWs)—a major step forward in simplifying observability, improving access control, and aligning with Azure-native experiences. This new capability builds on the successful implementation of resource-scope query in Log Analytics Workspaces (LAWs), which transformed how users access logs by aligning them with Azure resource scopes. We’re now bringing the same power and flexibility to metrics in AMWs. What is resource-scope query? Resource-scope query has been a frequently requested capability that allows users to query metrics scoped to a specific resource, resource group, or subscription—rather than needing to know which AMW the metrics are stored in. This means: Simpler querying: users can scope to the context of one or more resources directly, without knowledge of where metrics are stored. Granular Azure RBAC control: if the AMW is configured in resource-centric access mode, user permissions are checked against the resources they are querying for, rather than access to the workspace itself - just like how LAW works today. This supports security best practices for least privileged access requirements. Why use resource-centric query? Traditional AMW querying required users to: Know the exact AMW storing their metrics. Have access to the AMW. Navigate away from the resource context to query metrics. This created friction for DevOps teams and on-call engineers who do not necessarily know which AMW to query when responding to an alert. With resource-centric querying: Users can query metrics directly from the resource’s Metrics blade. Least privilege access is respected—users only need access to the resource(s) they are querying about. Central teams can maintain control of AMWs while empowering app teams to self-monitor. How does it work? All metrics ingested via Azure Monitor Agent are automatically stamped with dimensions like Microsoft.resourceid, Microsoft.subscriptionid, and Microsoft.resourcegroupname to enable this experience. The addition of these dimensions does not have any cost implications to end users. Resource-centric queries use a new endpoint: https://query.<region>.prometheus.monitor.azure.com We will re-route queries as needed from any region, but we recommend choosing the one nearest to your AMWs for the best performance. Users can query via: Azure Portal PromQL Editor Grafana dashboards (with data source configuration) Query-based metric alerts Azure Monitor solutions like Container Insights and App Insights (when using OTel metrics with AMW as data source) Prometheus HTTP APIs When querying programmatically, users pass an HTTP header: x-ms-azure-scoping: <ARM Resource ID> Scoping supports a single: Individual resource Resource group Subscription At this time, scoping is only support at a single-resource level, but comma-separated multi-resource scoping will be added by the end of 2025. Who Can Benefit? Application Teams: Query metrics for their own resources without needing AMW access. Central Monitoring Teams: Maintain control of AMWs while enabling secure, scoped access for app teams. DevOps Engineers: Respond to alerts and troubleshoot specific resources without needing to locate the AMW(s) storing the metrics they need. Grafana Users: Configure dashboards scoped to subscriptions or resource groups with dynamic variables without needing to identify the AMW(s) storing their metrics. When Is This Available? Microsoft. dimension stamping* is already complete and ongoing for all AMWs. Public Preview of the resource-centric query endpoint begins October 10th, 2025. Starting on that date, all newly created AMWs will default to resource-context access mode. What is the AMW “access control mode”? The access control mode is a setting on each workspace that defines how permissions are determined for the workspace. Require workspace permissions. This control mode does NOT allow granular resource-level Azure RBAC. To access the workspace, the user must be granted permissions to the workspace. When a user scopes their query to a workspace, workspace permissions apply. When a user scopes their query to a resource, both workspace permissions AND resource permissions are verified. This setting is the default for all workspaces created before October 2025. Use resource or workspace permissions. This control mode allows granular Azure RBAC. Users can be granted access to only data associated with resources they can view by assigning Azure read permission. When a user scopes their query to a workspace, workspace permissions apply. When a user scopes their query to a resource, only resource permissions are verified, and workspace permissions are ignored. This setting is the default for all workspaces created after October 2025. Read about how to change the control mode for your workspaces here. Final Thoughts Resource-centric query brings AMWs in line with Azure-native experiences, enabling secure, scalable, and intuitive observability. Whether you’re managing thousands of VMs, deploying AKS clusters, or building custom apps with OpenTelemetry, this feature empowers you to monitor in the context of your workloads or resources rather than needing to first query the AMW(s) and then filter down on what you’re looking for. To get started, simply navigate to your resource’s Metrics blade after October 10 th , 2025 or configure your Grafana data source to use the new query endpoint.
Azure Monitor managed service for Prometheus now includes native Grafana dashboards
We are excited to announce that Azure Monitor managed service for Prometheus now includes native Grafana dashboards within the Azure portal at no additional cost. This integration marks a major milestone in our mission to simplify observability reducing the administrative overhead and complexity compared to deploying and maintaining your own Grafana instances. The use of open-source observability tools continues to grow for cloud-native scenarios such as application and infrastructure monitoring using Prometheus metrics and OpenTelemetry logs and traces. For these scenarios, DevOps and SRE teams need streamlined and cost-effective access to industry-standard tooling like Prometheus metrics and Grafana dashboards within their cloud-hosted environments. For many teams, this usually means deploying and managing separate monitoring stacks with some versions self-hosted or partner-managed Prometheus and Grafana. However, Azure Monitor's latest integrations with Grafana provides this capability out-of-the-box by enabling you to view Prometheus metrics and Azure other observability data in Grafana dashboards fully integrated into the Azure portal. Azure Monitor dashboards with Grafana delivers powerful visualization and data transformation capabilities on Prometheus metrics, Azure resource metrics, logs, and traces stored in Azure Monitor. Pre-built dashboards are included for several key scenarios like Azure Kubernetes Service, Azure Container Apps, Container Insights, and Application Insights. Why Grafana in Azure portal? Grafana dashboards are widely adopted visualization tool used with Prometheus metrics and cloud-native observability tools. Embedding it natively in Azure Portal offers: Unified Azure experience: No additional RBAC or network configuration required, users Azure login credentials and Azure RBAC are used to access dashboards and data. View Grafana dashboards alongside all your other Azure resources and Azure Monitor views in the same portal. No management overhead or compute costs: Dashboards with Grafana use a fully SaaS model built into Azure Monitor, where you do not have to administer the Grafana server or the compute on which it runs. Access to community dashboards: Open-source and Grafana community dashboards using Prometheus or Azure Monitor data sources can be imported with no modifications. These capabilities mean faster troubleshooting, deeper insights, and a more consistent observability platform for Azure-centric workloads. Figure 1: Dashboards with Grafana landing page in the context of Azure Monitor Workspace in the Azure portal Getting Started To get started, enable Managed Prometheus for your AKS cluster and then navigate to the Azure Monitor workspace or AKS cluster in the Azure portal and select Monitoring > Dashboards with Grafana (preview). From this page you can view, edit, create and import Grafana dashboards. Simply click on one of the pre-built dashboards to get started. You may use these dashboards as they have been provided or edit and add panels, update visualizations and create variables to create your own custom dashboards. With this approach, no Grafana servers or additional Azure resources need to be provisioned or maintained. Teams can quickly leverage and customize Grafana dashboards within the Azure portal, reducing their deployment and management time while still gaining the benefits of dashboards and visualizations to improve monitoring and troubleshooting times. Figure 2: Kubernetes Compute Resources dashboard being viewed in the context of Azure Monitor Workspace in the Azure portal When to upgrade to Azure Managed Grafana? Dashboards with Grafana in the Azure portal cover most common Prometheus scenarios but, Azure Managed Grafana remains the right choice for several advanced use cases, including: Extended data source support for non-Azure data sources e.g. open-source and third-party data stores Private networking and advanced authentication options Multi-cloud, hybrid and on-premises data source connectivity. See When to use Azure Managed Grafana for more details. Get started with Azure Monitor dashboards with Grafana today.General Availability of Azure Monitor Network Security Perimeter Features
We’re excited to announce that Azure Monitor Network Security Perimeter features are now generally available! This update is an important step forward for Azure Monitor’s security, providing comprehensive network isolation for your monitoring data. In this post, we’ll explain what Network Security Perimeter is, why it matters, and how it benefits Azure Monitor users. Network Security Perimeter is purpose-built to strengthen network security and monitoring, enabling customers to establish a more secure and isolated environment. As enterprise interest grows, it’s clear that this feature will play a key role in elevating the protection of Azure PaaS resources against evolving security threats. What is Network Security Perimeter and Why Does It Matter? Network Security Perimeter is a network isolation feature for Azure PaaS services that creates a trusted boundary around your resources. Azure Monitor’s key components (like Log Analytics workspaces and Application Insights) run outside of customer virtual networks; Network security perimeter allows these services to communicate only within an explicit perimeter and blocks any unauthorized public access. In essence, the security perimeter acts as a virtual firewall at the Azure service level – by default it restricts public network access to resources inside the perimeter, and only permits traffic that meets your defined rules. This prevents unwanted network connections and helps prevent data exfiltration (sensitive monitoring data stays within your control). For Azure Monitor customers, Network Security Perimeter is a game-changer. It addresses a common ask from enterprises for “zero trust” network security on Azure’s monitoring platform. Previously, while you could use Private Link to secure traffic from your VNets to Azure Monitor, Azure Monitor’s own service endpoints were still accessible over the public internet. The security perimeter closes that gap by enforcing network controls on Azure’s side. This means you can lock down your Log Analytics workspace or Application Insights to only accept data from specific sources (e.g. certain IP ranges, or other resources in your perimeter) and only send data out to authorized destinations. If anything or anyone outside those rules attempts to access your monitoring resources, Network Security Perimeter will deny it and log the attempt for auditing. In short, Network Security Perimeter brings a new level of security to Azure Monitor: it allows organizations to create a logical network boundary around their monitoring resources, much like a private enclave. This is crucial for customers in regulated industries (finance, government, healthcare) who need to ensure their cloud services adhere to strict network isolation policies. By using the security perimeter, Azure Monitor can be safely deployed in environments that demand no public exposure and thorough auditing of network access. It’s an important step in strengthening Azure Monitor’s security posture and aligning with enterprise zero-trust networking principles. Key Benefits of Network Security Perimeter in Azure Monitor With Network Security Perimeter now generally available, Azure Monitor users gain several powerful capabilities: 🔒 Enhanced Security & Data Protection: Azure PaaS resources in a perimeter can communicate freely with each other, but external access is blocked by default. You define explicit inbound/outbound rules for any allowed public traffic, ensuring no unauthorized network access to your Log Analytics workspaces, Application Insights components, or other perimeter resources. This greatly reduces the risk of data exfiltration and unauthorized access to monitoring data. ⚖️ Granular Access Control: Network Security Perimeter supports fine-grained rules to tailor access. You can allow inbound access by specific IP address ranges or Azure subscription IDs, and allow outbound calls to specific Fully Qualified Domain Names (FQDNs). For example, you might permit only your corporate IP range to send telemetry to a workspace, or allow a workspace to send data out only to contoso-api.azurewebsites.net. This level of control ensures that only trusted sources and destinations are used. 📜 Comprehensive Logging & Auditing: Every allowed or denied connection governed by Network Security Perimeter can be logged. Azure Monitor’s Network Security Perimeter integration provides unified access logs for all resources in the perimeter. These logs give you visibility into exactly what connections were attempted, from where, and whether they were permitted or blocked. This is invaluable for auditing and compliance – for instance, proving that no external IPs accessed your workspace, or detecting unexpected outbound calls. The logs can be sent to a Log Analytics workspace or storage for retention and analysis. 🔧 Seamless Integration with Azure Monitor Services: Network Security Perimeter is natively integrated across Azure Monitor’s services and workflows. Log Analytics workspaces and Application Insights components support Network Security Perimeter out-of-the-box, meaning ingestion, queries, and alerts all enforce perimeter rules behind the scenes. Azure Monitor Alerts (scheduled query rules) and Action Groups also work with Network Security Perimeter , so that alert notifications or automation actions respect the perimeter (for example, an alert sending to an Event Hub will check Network Security Perimeter rules). This end-to-end integration ensures that securing your monitoring environment with Network Security Perimeter doesn’t break any functionality – everything continues to work, but within your defined security boundary. 🤝 Consistent, Centralized Management: Network Security Perimeter introduces a uniform way to manage network access for multiple resources. You can group resources from different services (and even different subscriptions) into one perimeter and manage network rules in one place. This “single pane of glass” approach simplifies operations: network admins can define a perimeter once and apply it to all relevant Azure Monitor components (and other supported services). It’s a more scalable and consistent method than maintaining disparate firewall settings on each service. Network Security Perimeter uses Azure’s standard API and portal experience, so setting up a perimeter and rules is straightforward. 🌐 No-Compromise Isolation (with Private Link): Network Security Perimeter complements existing network security options. If you’re already using Azure Private Link to keep traffic off the internet, Network Security Perimeter adds another layer of protection. Private Link secures traffic between your VNet and Azure Monitor; Network Security Perimeter secures Azure Monitor’s service endpoints themselves. Used together, you achieve defense-in-depth: e.g., a workspace can be accessible only via private endpoint and only accept data from certain sources due to Network Security Perimeter . This layered approach helps meet even the most stringent security requirements. In conclusion, Network Security Perimeter for Azure Monitor provides strong network isolation, flexible control, and visibility – all integrated into the Azure platform. It helps organizations confidently use Azure Monitor in scenarios where they need to lock down network access and simplify compliance. For detailed information on configuring Azure Monitor with a Network Security Perimeter, please refer to the following link: Configure Azure Monitor with Network Security Perimeter.
