Enhancing authentication security: Inside Microsoft's open source contribution to Grafana

2025-07-11 5 min

When Microsoft engineers went looking for a modern visualization platform to help track critical signals and make quicker decisions, Grafana emerged as the clear favorite.

But there was just one hitch: the available authentication methods didn’t quite meet their needs.

In this blog post, which is based on a recent GrafanaCON 2025 talk by John Naizer, a software engineer at Microsoft, you’ll learn about the innovative approach Microsoft took to fill that gap and the lessons Naizer learned about participating in the Grafana open source community.

“At the end of the day, you’re not just pushing code, you’re earning trust, one pull request at a time,” Naizer said.

Continue reading to learn more, or watch the video to see Naizer’s full presentation.

Why Microsoft chose Grafana 

“Our organization at Microsoft had a clear need for a modern data visualization solution; one that’s fresh, flexible; one that keeps up with today’s fast pace in the industry,” Naizer said. “This solution would then lay the foundation for what we call our ‘executive dashboards’, a one-stop shop where leadership and teams can go and track metrics, spot trends, and make faster, smarter decisions together without getting stuck in the weeds.”

These dashboards would serve three key purposes: tracking metrics, managing incidents, and providing real-time updates to their key performance indicators (KPIs). They ultimately went with Grafana for these reasons:

  • Open: Being open source gave Microsoft the freedom to build a solution that was scalable, customizable, and designed for their complex needs.
  • Extensible: Grafana’s vast ecosystem of plugins and integrations maximized Microsoft’s flexibility to support a wide range of use cases.
  • Portable: Being able to containerize and deploy Grafana anywhere was a massive advantage when it came to building a lightweight but effective solution. This portability enabled Microsoft to move fast, tweak as they grew, and avoid being locked into a single setup.
  • Deep integration: Crucially, Grafana’s deep integration with Azure-native data sources like Azure Monitor and Azure Data Explorer allowed Microsoft to plug Grafana directly into their telemetry streams, creating rich dashboards with real-time data.

“Grafana pretty much checked every box we had,” Naizer said. “It’s super cool, flexible, and scalable, while keeping things open and modular and honestly super developer friendly.”

The one hitch

Despite checking all those boxes, they ran into a potential roadblock as they began customizing the authentication for logging into Grafana as a service.

“We were actually pleasantly surprised to find that Grafana offered two choices for us,” Naizer said. “One, an authentication proxy, a DIY solution, putting the power in our hands to customize how we authenticate, and how we log into Grafana. And second, even cooler, an Azure-native authentication method built directly into Grafana.”

However, the latter approach didn’t support their desired authentication method, while the former would have required extra infrastructure and potential long-term maintenance, which would have meant extra engineering effort and deeper knowledge of the Grafana codebase. 

“This was the fork in the road and we could have taken the easy route, throw an authentication proxy in front and call it a day. But where is the fun in that?” Naizer said. “We are software engineers, so we dove directly into Grafana’s code base and built out the solution we wished already existed. One that would not only move us closer to a future proof platform for security, but hopefully make life easier for others, both inside and outside Microsoft.”

Building a ‘highly desired authentication method’

What Microsoft envisioned was an authentication method they internally call “managed identity.” Think of it like a digital fingerprint. Instead of relying on what you have (e.g., passwords, shared secrets, or certificates that expire and require upkeep), managed identity is based on who you are.

“And just like a fingerprint, you never need to worry about your identity expiring,” Naizer said. “This completely eliminates the need for credential management altogether. No more remembering secrets. No more having to rotate certificates. This is incredible.”

Microsoft’s contribution added a new “client authentication” field under Azure authentication configuration within Grafana. This empowers users to choose more than one authentication method when logging in, embodying the idea of what Naizer described as “accessible security.” The best part? This new authentication model, based on the OAuth 2.0 specification, can be adopted by every other native identity provider within the service, allowing any identity provider to create their own implementation and add it as a client authentication option. 
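The client authentication choice described above, written out as a Grafana configuration fragment. This is an added example, not taken from the talk or from Microsoft's pull request; the key names follow Grafana's `[auth.azuread]` settings as documented for Entra ID and should be confirmed against the documentation for your Grafana version, and every value in angle brackets is a placeholder.

```ini
[auth.azuread]
enabled = true
client_id = <APPLICATION_CLIENT_ID>
scopes = openid email profile
auth_url = https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/token

# Before: shared-secret client authentication.
# The secret lives in Grafana's configuration, so it has to be stored,
# distributed to every instance, and rotated before it expires.
;client_authentication = client_secret_post
;client_secret = <CLIENT_SECRET>

# After: managed identity client authentication.
# Grafana proves its identity to the token endpoint with a token issued to
# the managed identity assigned to its host, so no secret is kept in config.
client_authentication = managed_identity
# Client ID of the user-assigned managed identity attached to the Grafana host.
managed_identity_client_id = <MANAGED_IDENTITY_CLIENT_ID>
# Audience of the federated credential configured on the app registration
# (the value shown is the public-cloud default; sovereign clouds differ).
federated_credential_audience = api://AzureADTokenExchange
```

When reviewing an existing deployment, a `client_secret` still present alongside `client_authentication = managed_identity` is worth flagging: the secret is no longer needed and should be removed from the file and revoked on the app registration.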

The power of open source

This was Naizer’s first time contributing to an open source project at this scale, and he learned a lot along the way about collaboration, patience, and “how many pull request comments it takes to build something that lasts and actually gets merged into the main branch.”

“Not only are you building a new feature, you’re building new relationships with the maintainers, Grafana’s community—everyone is just about as passionate about Grafana as you are,” he said.

Naizer closed his talk by encouraging others to contribute to Grafana. He also recommended starting small and being persistent.

“Find contributors working on the same pain points that you’re interested in. Reach out, partner up with them, and champion the solution together,” Naizer said. “That’s exactly what we did. My advice: email, email, email. Be persistent. Be bold.”
