This is documentation for the next version of Grafana documentation. For the latest stable release, go to the latest version.

Data sources

Microsoft SQL Server

Configure

Grafana Cloud Enterprise Open source

Configure the Microsoft SQL Server data source

This document provides instructions for configuring the Microsoft SQL Server data source and explains available configuration options. For general information on adding and managing data sources, refer to Grafana data sources and Data source management.

Before you begin

Grafana comes with a built-in MSSQL data source plugin, eliminating the need to install a plugin.
You must have the Organization administrator role to configure the MSSQL data source. Organization administrators can also configure the data source via YAML with the Grafana provisioning system.
Familiarize yourself with your MSSQL security configuration and gather any necessary security certificates and client keys.
Verify that data from MSSQL is being written to your Grafana instance.

Add the MSSQL data source

To add the MSSQL data source, complete the following steps:

Click Connections in the left-side menu.
Click Add new connection
Type Microsoft SQL Server in the search bar.
Select Microsoft SQL Server under data source.
Click Add new data source in the upper right.

Grafana takes you to the Settings tab, where you will set up your Microsoft SQL Server configuration.

Configure the data source in the UI

Following are configuration options for the Microsoft SQL Server data source.

Warning
Kerberos is not supported in Grafana Cloud.

Setting	Description
Name	The data source name. Sets the name you use to refer to the data source in panels and queries. Examples: `MSSQL-1`, `MSSQL_Sales1`.
Default	Toggle to select as the default name in dashboard panels. When you go to a dashboard panel, this will be the default selected data source.

Connection:

Setting	Description
Host	Sets the IP address or hostname (and optional port) of your MSSQL instance. The default port is `0`, which uses the driver’s default. You can include additional connection properties (e.g., `ApplicationIntent`) by separating them with semicolons (`;`).
Database	Sets the name of the MSSQL database to connect to.

TLS/SSL Auth:

Encrypt - Determines whether or to which extent a secure SSL TCP/IP connection will be negotiated with the server.

Encrypt Setting	Description
Disable	Data sent between the client and server is not encrypted.
False	The default setting. Only the login packet is encrypted; all other data is sent unencrypted.
True	All data sent between the client and server is encrypted.

Note
If you’re using an older version of Microsoft SQL Server like 2008 and 2008R2, you may need to disable encryption to be able to connect.

Authentication:

Authentication Type	Description	Credentials / Fields
SQL Server Authentication	Default method to connect to MSSQL. Use a SQL Server or Windows login in `DOMAIN\User` format.	- Username: SQL Server username - Password: SQL Server password
Windows Authentication (Integrated Security)	Uses the logged-in Windows user’s credentials via single sign-on. Available only when SQL Server allows Windows Authentication.	No input required; uses the logged-in Windows user’s credentials
Windows AD (Username/Password)	Authenticates a domain user with their Active Directory username and password.	- Username: `user@example.com` - Password: Active Directory password
Windows AD (Keytab)	Authenticates a domain user using a keytab file.	- Username: `user@example.com` - Keytab file path: Path to your keytab file
Windows AD (Credential Cache)	Uses a Kerberos credential cache already loaded in memory (e.g., from a prior `kinit` command). No file needed.	- Credential cache path: Path to in-memory credential (e.g., `/tmp/krb5cc_1000`)
Windows AD (Credential Cache File)	Authenticates a domain user using a credential cache file (`.ccache`).	- Username: `user@example.com` - Credential cache file path: e.g., `/home/grot/cache.json`
Azure Entra ID (formerly Azure AD) Authentication	Authenticates the data source using Azure authentication methods.	Details on the supported authentication methods and how to configure them can be found in the Azure authentication section.

Additional settings:

Additional settings are optional settings you configure for more control over your data source. This includes connection limits, connection timeout, group-by time interval, and Secure Socks Proxy.

Connection limits:

Setting	Description
Max open	The maximum number of open connections to the database. If set to `0`, there is no limit. If `max open` is greater than `0` and less than `max idle`, `max idle` is adjusted to match.
Auto max idle	When enabled, automatically sets `max idle` to match `max open`. If `max open` isn’t set, it defaults to `100`.
Max idle	The maximum number of idle connections in the pool. If `max open` is set and is lower than `max idle`, then `max idle` is reduced to match. If set to `0`, no idle connections are retained.
Max lifetime	The maximum time (in seconds) a connection can be reused before being closed and replaced. If set to `0`, connections are reused indefinitely.

Connection details:

Setting	Description
Min time interval	Specifies the lower bound for the auto-generated `GROUP BY` time interval. Grafana recommends matching this value to your data’s write frequency—for example, `1m` if data is written every minute. Refer to Min time interval for details.
Connection timeout	Specifies the maximum number of seconds to wait when attempting to connect to the database before timing out. A value of `0` (the default) disables the timeout.

Windows ADS Advanced Settings

Setting	Description	Default
UDP Preference Limit	Defines the maximum packet size (in bytes) that Kerberos libraries will attempt to send over UDP before retrying with TCP. A value of `1` forces all communication to use TCP.	`1` (always use TCP)
DNS Lookup KDC	Controls whether DNS `SRV` records are used to locate Key Distribution Centers (KDCs) and other servers for the realm.	`true`
krb5 config file path	Specifies the path to the Kerberos configuration file used by the MIT krb5 package.	`/etc/krb5.conf`

Private data source connect - Only for Grafana Cloud users.

Private data source connect, or PDC, allows you to establish a private, secured connection between a Grafana Cloud instance, or stack, and data sources secured within a private network. Click the drop-down to locate the URL for PDC. For more information regarding Grafana PDC refer to Private data source connect (PDC) and Configure Grafana private data source connect (PDC) for instructions on setting up a PDC connection.

Click Manage private data source connect to open your PDC connection page and view your configuration details.

After configuring your MSSQL data source options, click Save & test at the bottom to test the connection. You should see a confirmation dialog box that says:

Database Connection OK

Azure Entra ID (formerly Azure AD) Authentication

The following Azure authentication methods are supported:

Current User authentication
App Registration
Managed Identity
Azure Entra Password

The Azure SQL Server that you are connecting to should support Azure Entra authentication to support adding the App Registration as a user in the database. For configuration details, refer to the Azure SQL documentation.

Current User authentication

This is the recommended authentication mechanism when working with SQL Server instances that are hosted in Azure. It allows users to be authenticated to and query the database using their own credentials rather than long-lived credentials.

This authentication method requires your Grafana instance to be configured with Azure Entra ID (formerly Active Directory) authentication for login. With Azure Entra ID login, this method can be used to forward the currently logged in user’s credentials to the data source. The users credentials will then be used when requesting data from the data source. For details on how to configure your Grafana instance using Azure Entra refer to the documentation.

Note
Additional configuration is required to ensure that the App Registration used to login a user via Azure provides an access token with the permissions required by the data source.
The App Registration must be configured to issue both Access Tokens and ID Tokens.
In the Azure Portal, open the App Registration that requires configuration.
Select Authentication in the side menu.
Under Implicit grant and hybrid flows check both the Access tokens and ID tokens boxes.
Save the changes to ensure the App Registration is updated.
The App Registration must also be configured with additional API Permissions to provide authenticated users with access to the APIs utilised by the data source.
In the Azure Portal, open the App Registration that requires configuration.
Select API Permissions in the side menu.
Ensure the openid, profile, email, and offline_access permissions are present under the Microsoft Graph section. If not, they must be added.
Select Add a permission and choose the following permissions. They must be added individually. Refer to the Azure documentation for more information.
Select APIs my organization uses > Search for Azure SQL and select it > Delegated permissions > user_impersonation > Add permissions
After all permissions have been added, the Azure authentication section in Grafana must be updated. The scopes section must be updated to include the .default scope to ensure that a token with access to all APIs declared on the App Registration is requested by Grafana. After updated the scopes value should equal: .default openid email profile.

This method of authentication doesn’t inherently support all backend functionality as a user’s credentials won’t be in scope. Affected functionality includes alerting, reporting, and recorded queries. Also, note that query and resource caching is disabled by default for data sources using current user authentication.

To enable current user authentication for Grafana:

Set the user_identity_enabled flag in the [azure] section of the Grafana server configuration.
ini
```
[azure]
user_identity_enabled = true
```
In the SQL Server data source configuration, set Authentication to Azure AD Authentication and the Azure Authentication type to Current User.

App Registration

You must create an app registration and service principal in Azure Entra to authenticate the data source. For configuration details, refer to the Azure documentation for service principals.

After the app registration has been created, make note of the tenant ID, client ID, and client secret. Take the following steps to add the app registration as a SQL user:

Connect to your Azure SQL database as a user with administrative permissions (the user used here must have the ability to read your Azure Entra directory e.g. by possessing the Directory Readers role).
Run CREATE USER [$IDENTITY_NAME] FROM EXTERNAL PROVIDER;, substituting IDENTITY_NAME with the app registration name.
Grant the created user the appropriate level of permissions for your use-case. It is recommended that users configured for data sources only have reader permissions.

After the appropriate permissions have been granted, configure the SQL Server data source to use the app registration:

In the SQL Server data source configuration, set Authentication to Azure AD Authentication and the Azure Authentication type to App Registration.
Set the Azure Cloud value to the correct value. If you are using the Azure public cloud this will be Azure.
Set the Directory (tenant) ID, Application (client) ID, and Client Secret values to those for your app registration.

Managed Identity

Note
Managed Identity is available only in Azure Managed Grafana or Grafana OSS/Enterprise when deployed in Azure. It is not available in Grafana Cloud.

You can use managed identity to configure SQL Server in Grafana if you host Grafana in Azure (such as an App Service or with Azure Virtual Machines) and have managed identity enabled on your VM. This lets you securely authenticate data sources without manually configuring credentials via Azure AD App Registrations. For details on Azure managed identities, refer to the Azure documentation.

To enable managed identity for Grafana:

Set the managed_identity_enabled flag in the [azure] section of the Grafana server configuration.
ini
```
[azure]
managed_identity_enabled = true
```
In the SQL Server data source configuration, set Authentication to Azure AD Authentication and the Azure Authentication type to Managed Identity.
This hides the directory ID, application ID, and client secret fields, and the data source uses managed identity to authenticate to SQL Server.
You can set the managed_identity_client_id field in the [azure] section of the Grafana server configuration to allow a user-assigned managed identity to be used instead of the default system-assigned identity.

Ensure that the managed identity used is added to your Azure SQL instance as a user.

Azure Entra Password

Warning
Azure Entra Password is not a recommended authentication mechanism as it requires configuration using a single users password. Consider an alternative authentication method such as current user authentication or app registration.

You can connect to an Azure SQL database using the username and password of a user that has permissions in the desired database. This also requires an app registration to be configured with access to the database.

To enable Azure Entra password for Grafana:

Set the azure_entra_password_credentials_enabled flag in the [azure] section of the Grafana server configuration.
ini
```
[azure]
azure_entra_password_credentials_enabled = true
```
In the SQL Server data source configuration, set Authentication to Azure AD Authentication and the Azure Authentication type to Azure Entra Password.
Set the User ID value to the username of the user in the Azure SQL database.
Set the Application Client ID to the client ID of the app registration that has been added to the Azure SQL database
Set the Password value to the password of the user in the Azure SQL database.

Min time interval

The Min time interval setting defines a lower limit for the $__interval and [$__interval_ms][add-template-variables-interval_ms] variables.

This value must be formatted as a number followed by a valid time identifier:

Identifier	Description
`y`	year
`M`	month
`w`	week
`d`	day
`h`	hour
`m`	minute
`s`	second
`ms`	millisecond

Grafana recommends setting this value to match your Microsoft SQL Server write frequency. For example, use 1m if Microsoft SQL Server writes data every minute.

You can also override this setting in a dashboard panel under its data source options.

Database user permissions

When adding a data source, ensure the database user you specify has only SELECT permissions on the relevant database and tables. Grafana does not validate the safety of queries, which means they can include potentially harmful SQL statements, such as USE otherdb; or DROP TABLE user;, which could get executed. To minimize this risk, Grafana strongly recommends creating a dedicated MySQL user with restricted permissions.

CREATE USER grafanareader WITH PASSWORD 'password'
GRANT SELECT ON dbo.YourTable3 TO grafanareader

Also, ensure that the user doesn’t have any unwanted privileges from the public role.

Diagnose connection issues

If you use older versions of Microsoft SQL Server, such as 2008 and 2008R2, you might need to disable encryption before you can connect the data source.

Grafana recommends that you use the latest available service pack for optimal compatibility.

Provision the data source

You can define and configure the data source in YAML files as part of the Grafana provisioning system. For more information about provisioning, and for available configuration options, refer to Provision Grafana.

Provisioning example

apiVersion: 1

datasources:
  - name: MSSQL
    type: mssql
    url: localhost:1433
    user: grafana
    jsonData:
      database: grafana
      maxOpenConns: 100
      maxIdleConns: 100
      maxIdleConnsAuto: true
      connMaxLifetime: 14400
      connectionTimeout: 0
      encrypt: 'false'
    secureJsonData:
      password: 'Password!'