Set up multi-factor authentication for Grafana Cloud
Multi-factor authentication (MFA) adds a second layer of security to your Grafana Cloud account. When MFA is enabled, signing in requires both your password and a time-based one-time password (TOTP) from an authenticator app.
Grafana Cloud MFA uses the TOTP standard, which generates a new six-digit code every 30 seconds. It’s compatible with any standard TOTP authenticator app.
Note
MFA is currently rolling out to Grafana Cloud organizations. If MFA is not yet available for your organization, the MFA option does not appear in the left sidebar.
Before you begin
Make sure that:
- You have a password-based Grafana Cloud account. If you sign in exclusively through a social login provider (Google, GitHub, etc.), you must first set a password in your account settings before you can enable MFA.
- MFA is available for your organization. Contact your organization administrator or Grafana support if you need MFA enabled.
Key points
The following applies:
- Password required: MFA requires a password-based account. Social-login-only users must set a password first.
- Social login disabled: After MFA is enabled, social login is disabled. To use social login again, first disable MFA.
- One method at a time: Only one TOTP authenticator can be active per account. Grafana Cloud doesn’t support multiple authenticator apps or hardware security keys.
- Email notifications: You receive email alerts when MFA is enabled, disabled, or when a recovery code is used.
- Admin MFA removal: If a user is locked out and has exhausted all recovery options, a Grafana staff administrator can disable MFA on the user’s behalf. The user receives an email notification when this occurs.
Set up MFA
To set up MFA:
- Sign in to Grafana Cloud.
- In the left sidebar, click MFA under User Settings.
The setup wizard guides you through linking an authenticator app and saving your recovery codes.
Link your authenticator app
- Open your authenticator app and scan the QR code. If you can’t scan, enter the secret key shown below the QR code manually.
- Enter the six-digit code from your authenticator app in the Verification code field.
- Click Verify and enable MFA.
Save your recovery codes
After your authenticator is linked, you are shown eight single-use recovery codes.
- Click Download to save the codes as a text file, or click Print to print them. Store them in a safe location, such as a password manager.
- Select the I have saved my recovery codes checkbox.
- Click Done to complete setup.
After setup, you receive an email confirming that MFA is enabled on your account. Your MFA settings page shows:
- Status: Whether MFA is enabled.
- Method: The authenticator type in use (TOTP authenticator app).
- Recovery codes remaining: How many of your eight recovery codes are still unused.
- Last used: When MFA was last used for verification.
Sign in with MFA
To sign in when MFA is enabled:
- Enter your email and password.
- On the MFA verification page, open your authenticator app and enter the current six-digit code.
- Click Verify to complete sign-in.
Codes refresh every 30 seconds. If a code doesn’t work, wait for the next one.
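The 30-second refresh follows from how TOTP derives each code from the shared secret key and the current time. The sketch below is an added example, not Grafana's code; it assumes the RFC 6238 defaults (HMAC-SHA-1, base32-encoded secret) and uses the RFC test key as a constructed sample.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid, as stated on this page
DIGITS = 6   # code length, as stated on this page


def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 TOTP; HMAC-SHA-1 and a base32 secret are assumed defaults."""
    # Manually typed keys often contain spaces or lowercase letters.
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)       # restore stripped padding
    key = base64.b32decode(cleaned)
    counter = unix_time // STEP                # index of the 30-second window
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                    # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def seconds_left(unix_time: int) -> int:
    """Seconds until the code for unix_time is replaced by the next one."""
    return STEP - unix_time % STEP


# Constructed sample: the RFC 6238 test key, not a real account secret.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    # Last second of one window, then the first second of the next:
    # a code read at t=59 is already stale when submitted at t=60.
    for t in (59, 60):
        print(t, totp(SAMPLE_SECRET, t), f"{seconds_left(t)}s left")
```

Because the secret key alone is enough to compute every future code, treat the key shown during setup with the same care as your password.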
After successfully verifying with MFA, you are not prompted again for 10 days. If you sign out and back in, you need to verify again.
Caution
When MFA is enabled on your account, social login (such as Google or GitHub) is disabled. Sign in with your password and TOTP code. To use social login again, first disable MFA.
Recovery options
If you lose access to your authenticator app, you have two recovery methods available.
Use a recovery code
During MFA setup, you received eight single-use recovery codes. To use one:
- On the MFA verification page, click Use a recovery code instead.
- Enter one of your saved recovery codes.
- Click Verify.
Each recovery code can be used only once. You receive an email notification when a recovery code is used, including how many codes remain.
Use email recovery
If you have also lost your recovery codes, you can receive a one-time recovery code via email. Use your recovery codes when possible.
To request an email recovery code:
- On the MFA verification page, click Lost your authenticator and recovery codes?.
- Click Send recovery code.
- Check your registered email for the recovery code.
- Enter the code on the recovery page.
- Click Verify to complete sign-in.
The email recovery code expires after 15 minutes. You can request up to three recovery emails per hour.
Note
Email recovery is unavailable for 24 hours after a password change.
Regenerate recovery codes
You can generate a new set of recovery codes:
- Sign in to Grafana Cloud.
- In the left sidebar, click MFA under User Settings.
- Click Regenerate Recovery Codes.
- Enter your password and click Regenerate.
Regenerating invalidates your old codes and issues eight new ones. Download or print the new codes and store them securely.
Organization-level MFA settings
Organization administrators can enforce MFA policies for all members of their organization through the Cloud Portal or the API.
Require MFA for all members
To require all organization members to set up MFA using the Cloud Portal:
- Sign in to Grafana Cloud.
- Navigate to Org Settings.
- Select the Enforce MFA checkbox.
- Click Update.
Alternatively, use the API:
curl -X POST https://grafana.com/api/orgs/<ORG_SLUG>/settings \
-H "Authorization: Bearer <TOKEN>" \
-H "Content-Type: application/json" \
-d '{"mfaRequired": true}'
Replace the following:
- <ORG_SLUG>: Your organization slug.
- <TOKEN>: A Grafana Cloud API token with permission to update organization settings.
When MFA is enforced:
- Members who have not yet set up MFA are redirected to the MFA setup wizard at their next sign-in. They cannot access the portal until setup is complete.
- Members who already have MFA enabled are unaffected.
- Members who sign in exclusively through social login (no password set) are currently exempt, since MFA requires a password.
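To confirm that enforcement stays switched on, a scheduled check can read the organization settings endpoint from this page and fail closed on anything other than a boolean `true`. This is an added example, not Grafana tooling; the environment variable names `GRAFANA_ORG_SLUGS` and `GRAFANA_TOKEN` are hypothetical.

```python
import json
import os
import sys
import urllib.parse
import urllib.request

# Endpoint as documented on this page.
SETTINGS_URL = "https://grafana.com/api/orgs/{slug}/settings"


def mfa_enforced(body: str) -> bool:
    """True only for a JSON object whose mfaRequired is the boolean true."""
    try:
        settings = json.loads(body)
    except json.JSONDecodeError:
        return False                      # error page or truncated body
    return isinstance(settings, dict) and settings.get("mfaRequired") is True


def fetch_settings(slug: str, token: str) -> str:
    url = SETTINGS_URL.format(slug=urllib.parse.quote(slug, safe=""))
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def audit(slugs, token, fetch=fetch_settings):
    """Return the slugs where enforcement could not be confirmed."""
    failing = []
    for slug in slugs:
        try:
            ok = mfa_enforced(fetch(slug, token))
        except OSError:                   # network and HTTP errors fail closed
            ok = False
        if not ok:
            failing.append(slug)
    return failing


if __name__ == "__main__":
    # Hypothetical variable names: comma-separated slugs and an API token.
    slugs = [s for s in os.environ.get("GRAFANA_ORG_SLUGS", "").split(",") if s]
    failing = audit(slugs, os.environ.get("GRAFANA_TOKEN", ""))
    for slug in failing:
        print(f"MFA enforcement not confirmed for organization: {slug}")
    sys.exit(1 if failing else 0)
```

A passing result covers the organization setting only; members who sign in exclusively through social login remain exempt, as noted above.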
View current MFA settings
To view the current MFA settings for your organization in the Cloud Portal:
- Sign in to Grafana Cloud.
- Navigate to Org Settings.
The Enforce MFA checkbox reflects the current setting.
Alternatively, use the API:
curl https://grafana.com/api/orgs/<ORG_SLUG>/settings \
-H "Authorization: Bearer <TOKEN>"
The response shows the current settings:
{
  "mfaRequired": true
}
Disable MFA
To disable MFA:
- Sign in to Grafana Cloud.
- In the left sidebar, click MFA under User Settings.
- Click Disable MFA.
- Enter your password and click Disable MFA to confirm.
MFA is removed from your account. Your TOTP secret and recovery codes are deleted. You receive an email confirming MFA has been disabled. Social login is re-enabled for your account.


