Documentationbreadcrumb arrow Grafana Cloudbreadcrumb arrow Security and account managementbreadcrumb arrow Authentication and authorization
Grafana Cloud

Configure authentication and authorization

You can configure various methods to allow users to access your Grafana Cloud instance. Read on to understand the different options available.

To authorize service requests to Grafana Cloud resources that do not involve users use Grafana Cloud Access Policies or service accounts. Refer to Authorize services to learn more.

Understand the Grafana Cloud authentication layers

Grafana Cloud has two authentication layers that work together by default, but you can separate them in larger organizations.

Default model: Cloud Portal as the identity provider

By default, the Cloud Portal (grafana.com) acts as the identity provider for your stacks:

  • Users authenticate to grafana.com
  • They automatically have access to all stacks in your organization
  • Their Cloud Portal role (Admin, Editor, Viewer) is inherited by every stack
  • Works well for: Small teams (<20 users) with simple access needs

Cloud Portal authentication options:

  • Username/password (basic auth)
  • Social login (Google, GitHub, Microsoft, Amazon)
  • SAML SSO (Private Preview)

Layered model: Separate Cloud Portal and Stack authentication

For larger organizations, you can separate these authentication layers:

  • Cloud Portal: Small group of platform admins manage billing, stacks, cloud settings
  • Stack-level: Engineers authenticate directly to stacks (your-org.grafana.net), never access grafana.com

In this model, Cloud Portal access does not automatically grant stack access. You must explicitly add users to each stack.

Works well for: Larger teams (50+ users), enterprises with governance requirements

Stack authentication options: Stack-level authentication supports multiple authentication methods including SAML, OAuth, OIDC, LDAP, and SCIM provisioning.

Feature availability by layer

FeatureCloud PortalStack LevelNotes
Basic authUsername/password
Social loginGoogle, GitHub, Microsoft, Amazon
SAML SSO✅ (Private Preview)Separate configs for each layer
SCIM provisioningStack-level only (Okta, Entra ID)
OAuth/OIDCCustom OAuth providers via IdP
LDAPActive Directory integration
RBAC✅ (Cloud org roles)✅ (Stack roles)Different permission models
Access PoliciesCloud-level API access control
Service accountsStack-level only

Basic user authentication

Grafana Cloud uses OAuth 2.0 with Grafana.com as the default authentication provider. Additional authentication and authorization methods, such as LDAP, SAML, and OAuth, can also be configured for your Grafana Cloud instance.

For detailed guidance, refer to the Grafana documentation on authentication.

Multi-factor authentication

You can add an extra layer of security to your Grafana Cloud account by enabling multi-factor authentication (MFA). When MFA is enabled, signing in requires both your password and a time-based one-time password (TOTP) from an authenticator app. Refer to Set up multi-factor authentication for further details.

Configure user roles

You can configure user roles either through the Cloud Portal or directly within your Grafana instance:

  • Using the Grafana Cloud Portal: Roles configured in the Grafana Cloud Portal will automatically propagate to your Grafana instances (default model). To learn more about the specific capabilities assigned to each role, see User account roles and permissions.
  • Directly in your Grafana instance: Configure roles within a specific Grafana instance using role-based access control.

Authorize services

Both service accounts and Cloud Access Policies provide machine-to-machine authentication, but they serve different purposes and access different APIs.

  • Use service accounts to automate Grafana UI tasks (creating dashboards, managing users, configuring data sources).
  • Use Cloud Access Policies to send or querying telemetry data (metrics, logs, traces), or managing stacks via Cloud API.
AspectService AccountsCloud Access Policies
PurposeManage Grafana resources (dashboards, users, alerts)Read/write telemetry data (metrics, logs, traces) and manage cloud resources
API AccessGrafana HTTP API (/api/dashboards, /api/users, etc.)Cloud API + data APIs (Mimir, Loki, Tempo)
ScopeStack-level (single organization)Cloud-level (can be org-wide or single stack)
Permissions ModelRBAC roles (Viewer, Editor, Admin)Fine-grained scopes (metrics:read, logs:write)
Common Use CasesDashboard provisioning, Terraform, user management, scheduled reportsGrafana Agent setup, querying logs/metrics, stack management via Cloud API
Cannot AccessMimir/Loki/Tempo data APIsGrafana HTTP API (dashboards, users, etc.)

For more information, refer to: