Menu

This is documentation for the next version of Grafana. For the latest stable release, go to the latest version.

Documentationbreadcrumb arrow Grafana documentationbreadcrumb arrow Set upbreadcrumb arrow Configure securitybreadcrumb arrow Configure SCIM provisioningbreadcrumb arrow Configure SCIM with Azure AD
Grafana Cloud Enterprise RSS

Configure SCIM with Azure AD

Note

Available in Grafana Enterprise and Grafana Cloud Pro and Advanced.

This guide explains how to configure SCIM provisioning with Azure AD to automate user and team management in Grafana.

Note

This feature is behind the enableSCIM feature toggle. You can enable feature toggles through configuration file or environment variables.

For more information, refer to the feature toggles documentation.

Note

Important SAML and SCIM Configuration: When using SAML for authentication alongside SCIM provisioning with Azure AD, it is crucial to correctly align user identifiers. For detailed information on why this is critical for security and how to configure it, refer to the main SCIM provisioning documentation.

Refer to the SAML authentication with Azure AD documentation for specific instructions on how to configure SAML claims and Grafana SAML settings for your Azure AD SCIM setup.

Prerequisites

Before configuring SCIM with Azure AD, ensure you have:

  • Grafana Enterprise or Grafana Cloud Advanced
  • Admin access to both Grafana and Azure AD
  • SCIM feature enabled in Grafana

Configure SCIM in Grafana

To enable SCIM provisioning in Grafana, create a service account and generate a service account token that will be used to authenticate SCIM requests from Azure AD.

Create a service account

  1. Navigate to Administration > Users and access > Service accounts
  2. Click Add service account
  3. Create a new service account with Admin role
  4. Create a new token for the newly created service account and save it securely
    • This token will be used in the Azure AD configuration

Configure SCIM in Azure AD

Configure the enterprise application in Azure AD to enable automated user and team synchronization with Grafana. This involves creating a new application and setting up both authentication and provisioning.

Create the enterprise application

  1. Open Azure Portal Entra ID (Azure AD)
  2. Click + Add dropdown
  3. Click Add Enterprise Application
  4. Click + Create Your Own Application
  5. Name the application and select non-gallery

Configure provisioning

  1. In the application overview, select Provisioning
  2. Click + New Configuration
  3. Configure the following settings:
  • Tenant URL:
    • For Grafana Cloud instances:
      https://{stack-name}.grafana.net/apis/scim.grafana.app/v0alpha1/namespaces/stacks-{stack-id}
      Replace {stack-name} and {stack-id} with your Grafana Cloud stack name and ID.
    • For self-hosted instances:
      https://{your-grafana-domain}/apis/scim.grafana.app/v0alpha1/namespaces/default
      Replace {your-grafana-domain} with your Grafana instance’s domain (e.g., grafana.yourcompany.com).
  • Secret Token: Enter the service account token from Grafana
  1. Click Test connection to verify the configuration
  2. Click Create to save the settings

Configure attribute mappings

After setting the Tenant URL and Secret Token, navigate to the Mappings section within the same Provisioning settings in your Azure AD enterprise application and then click Provision Microsoft Entra ID Users. This is where you will define how Azure AD attributes correspond to the SCIM attributes for Grafana, including the mandatory externalId.

Note

  • Only work email addresses are supported. Azure AD must be configured to use emails[type eq "work"].value for email mapping.
  • The externalId attribute in Grafana is mandatory. Azure AD uses this to uniquely identify users and groups. You must map an attribute from Azure AD to the externalId attribute in Grafana. This Azure AD attribute must be a stable and a unique identifier for each individual user (for example, the objectId attribute in Azure AD is commonly used for this purpose).

Configure the following required attributes:

Azure AD AttributeGrafana Attribute
userPrincipalNameuserName
mailemails[type eq "work"].value
displayNamedisplayName
objectIdexternalId

Enable provisioning

Click Start provisioning from the top action bar in the Overview page from your Azure AD enterprise application.

Configure group provisioning

To enable group synchronization:

  1. Navigate to the Groups tab in provisioning
  2. Enable Group provisioning
  3. Select the groups to synchronize with Grafana
  4. Save the changes

Test the integration

After completing the configuration:

  1. Test the SCIM connector in Azure AD
  2. Assign a test user to the application
  3. Verify the user is provisioned in Grafana
  4. Test group synchronization if configured