Setting up Entra ID authentication in Grafana
Requirements

Before configuring authentication with Entra ID, make sure you have:

- An Entra ID app registration for Grafana. If you have not done this yet, please first see Registering an app in Entra ID.
- A fully qualified Grafana root URL, starting with https:// (no IP address or localhost).
- Admin privileges in both Grafana and Azure Entra ID.

Configure authentication

In Grafana, go to Administration > Authentication > Azure AD.

Step 1: Add client ID and client secret

Copy the client ID and client secret from your app registration (see Registering an app in Entra ID) and paste them into the Grafana authentication configuration.

Step 2: Add scopes, auth URL and token URL

- Scopes: openid, email, profile
- Auth URL: https://login.microsoftonline.com/<tenant id>/oauth2/v2.0/authorize
  e.g. https://login.microsoftonline.com/12345678-abcd-4321-efgh-9876543210ab/oauth2/v2.0/authorize
- Token URL: https://login.microsoftonline.com/<tenant id>/oauth2/v2.0/token
  e.g. https://login.microsoftonline.com/12345678-abcd-4321-efgh-9876543210ab/oauth2/v2.0/token

Note: Replace <tenant id> with your Azure tenant ID.

Step 3: Enable sign up and auto login

- Allow sign up: creates a Grafana user when logging in the first time.
- Auto login: skips the Grafana login page and redirects directly to Entra AD login.

Configure user mapping

You can map Entra AD users to Grafana roles in two ways.

Option 1: Map Azure security groups

1. In Entra AD, find the security group and copy its object ID.
2. In Grafana, go to Administration > Authentication > Azure AD > User mapping.
3. Add a mapping in the format <azure group object id>:<grafana org id>:<grafana role>

Example:

488f1647-xxxx-xxxx-xxxx-7994b4f022f5:1:Viewer
5343xde2-xxxx-xxxx-xxxx-7994b4f022f5:1:Editor

Option 2: Map Azure app roles

1. Define an app role for each Grafana role in Entra ID: Admin, Editor, Viewer.
2. Assign an app role to a security group (to apply to all users in that security group) or to a user to grant the user(s) a role in Grafana.
3. In Grafana, add a mapping in the Organization mapping section in the format <azure app role value>:<grafana org id>:<grafana role>

Example:

grafana viewer:1:Viewer
grafana editor:1:Editor
grafana admin:1:Admin

Test authentication and user mapping

In Grafana, first log out as the server admin user. Next, log in via Entra ID with a user that is part of a mapped security group or app role.

- Case 1: Works. The user logs in successfully and gets the right Grafana role 🎉
- Case 2: Error “You don’t have access to any resources”.
  Problem: authentication works, but no role mapping was applied.
  Solution: check your group or role mappings.
- Case 3: Other errors.
  Problem: authentication fails.
  Solution: see the Troubleshooting section below.

Troubleshooting

- Redirect URI issue: in the Azure app registration, one or both redirect URIs are incorrect.
- Root URL issue: in Grafana, the root URL is misconfigured. View the root URL in Grafana via Home > Administration > General > Settings and search for root_url. To change it, edit the file /etc/grafana/grafana.ini on the server.
- Approval needed: the first login may need an Azure admin to approve app access.
- Duplicate usernames: if a local Grafana user has the same username as the Entra ID user, login fails. Remove or rename the local user.
- Too many security groups: users who belong to more than 150 groups exceed the request size. Use app roles instead of security groups.

FAQ

Can the Grafana server admin role be mapped?

The Grafana server admin role cannot be mapped automatically; it can only be assigned manually to the user in Grafana via Administration > Users and access > Users.

Can users be part of multiple mappings?

All lines in Organization mapping that match the user will be applied. This means a user can be assigned multiple roles in the same Grafana organization (highest role wins), or have a separate role in another Grafana organization.

Can users get a default role without mapping?

In Grafana, the setting role_attribute_path in the file /etc/grafana/grafana.ini on the server can be used to set an expression that applies a default role to any user. Alternatively, a role can be manually assigned to a user in Grafana. As long as no group mappings are added, the manually assigned roles will stay put.
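
The mapping rules described above (every matching line in the organization mapping is applied, the highest role wins within one organization, and a user with no matching line ends up without access) can be checked offline before a test login. This is an added example, not part of the original page or of Grafana's code; it assumes the three mapping fields are separated by colons and that roles are written Viewer, Editor and Admin, and the function names and sample IDs are constructed for illustration.

```python
# Added example, not Grafana code. Assumes colon-separated mapping lines and
# the role names Viewer/Editor/Admin; every ID below is constructed.
ROLE_RANK = {"Viewer": 1, "Editor": 2, "Admin": 3}
GROUP_LIMIT = 150  # the page's threshold for "too many security groups"

SAMPLE_MAPPING = """\
488f1647-0000-0000-0000-7994b4f022f5:1:Viewer
5343ade2-0000-0000-0000-7994b4f022f5:1:Editor
5343ade2-0000-0000-0000-7994b4f022f5:2:Viewer
11111111-0000-0000-0000-7994b4f022f5:1:Administrator
"""

def parse_mappings(text):
    """Return (mappings, errors); a mapping is (external_id, org_id, role)."""
    mappings, errors = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        parts = [p.strip() for p in raw.split(":")]
        if len(parts) != 3 or not parts[0]:
            errors.append(f"line {n}: expected <id>:<org id>:<role>")
        elif not parts[1].isdigit():
            errors.append(f"line {n}: org id {parts[1]!r} is not numeric")
        elif parts[2] not in ROLE_RANK:
            errors.append(f"line {n}: unknown role {parts[2]!r}")
        else:
            mappings.append((parts[0], int(parts[1]), parts[2]))
    return mappings, errors

def resolve_roles(mappings, group_ids=(), app_roles=()):
    """Apply every matching line; within one org the highest role wins."""
    presented = set(group_ids) | set(app_roles)
    roles = {}
    for ext_id, org_id, role in mappings:
        current = ROLE_RANK.get(roles.get(org_id), 0)
        if ext_id in presented and ROLE_RANK[role] > current:
            roles[org_id] = role
    return roles

def diagnose(mappings, group_ids=(), app_roles=()):
    """Findings that correspond to the page's test cases and troubleshooting."""
    findings = []
    if len(set(group_ids)) > GROUP_LIMIT:
        findings.append("over 150 groups: use app roles instead of security groups")
    if not resolve_roles(mappings, group_ids, app_roles):
        findings.append("no mapping applied: user has no access to any resources")
    return findings
```

Rejecting unknown role names at parse time catches a mistyped mapping line before it silently leaves a group unmapped.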