Setting up Entra ID authentication in Grafana

requirements before configuring authentication with entra id, make sure you have grafana version 11 2 or newer an entra id app registration for grafana if you have not done this yet, please first docid\ y7nflubtgvhbfahpgvcbe you’ll need the following details from the registration client id tenant id client secret a fully qualified grafana root url , starting with https // (no ip address or localhost ) admin privileges in both grafana and microsoft entra id configure authentication in grafana, go to administration > authentication > azure ad step 1 add client id and client secret copy the client id and client secret from your docid\ y7nflubtgvhbfahpgvcbe and paste them in grafana authentication configuration step 2 add scopes, auth url and token url scopes openid , email , profile auth url https //login microsoftonline com/\<tenant id>/oauth2/v2 0/authorize e g https //login microsoftonline com/12345678 abcd 4321 efgh 9876543210ab/oauth2/v2 0/authorize token url https //login microsoftonline com/\<tenant id>/oauth2/v2 0/token e g https //login microsoftonline com/12345678 abcd 4321 efgh 9876543210ab/oauth2/v2 0/token note replace \<tenant id> with your azure tenant id step 3 enable sign up and auto login allow sign up creates a grafana user when logging in the first time auto login skips the grafana login page and redirects directly to entra ad login configure group mapping you can map entra ad users to grafana roles in two ways when group mapping is enabled, a user in grafana can not be manually configured into a user group, since on each login the user will be linked to the user groups matching in microsoft entra id to manually assign users to groups in grafana, skip this section option 1 map microsoft entra security groups in entra ad, find the security group and copy its object id in grafana, go to administration > authentication > azure ad > user mapping add mapping in the format \<azure group object id> \<grafana org id> \<grafana role> example 488f1647 xxxx xxxx xxxx 7994b4f022f5 1\ viewer 5343xde2 xxxx xxxx xxxx 7994b4f022f5 1\ editor for more info, please review https //grafana com/docs/grafana/latest/setup grafana/configure security/configure authentication/azuread/ option 2 map azure app roles define an app role for each grafana role in entra id admin editor viewer grafana admin to be able to map the grafana admin role, the setting allow assign grafana admin needs to be enabled this setting is located immediately underneath the organization mapping field assign an app role to a security group (to apply to all users in that security group) or to a user to grant the user(s) a role in grafana in grafana, add mapping in organization mapping section in the format \<azure app role value> \<grafana org id> \<grafana role> example grafana viewer 1\ viewer grafana editor 1\ editor grafana admin 1\ admin grafana server admin 1\ grafanaadmin test authentication and group mapping in grafana, first log out as the server admin user next, log in with a user that is part of a mapped security group or app role via entra id case 1 works user logs in successfully and gets the right grafana role 🎉 case 2 error “you don’t have access to any resources” problem authentication works, but no role mapping was applied solution check your group or role mappings case 3 other errors problem authentication fails solution see /#troubleshooting section below troubleshooting docid\ qog3brlwi2hfpdlojgfxm faq can users be part of multiple mappings? all lines that match the user in organization mapping will be applied this means a user can be assigned multiple roles in the same grafana organization (highest role wins), or have a separate role in another grafana organization can users get a default role without mapping? in grafana, the setting role attribute path in file /etc/grafana/grafana ini on the server can be used to set an expression to apply a default role to any user or alternatively, a role can be manually assigned to a user in grafana as long as no group mappings are added, the manually assigned roles will stay put