Microsoft Entra ID SSO for Grafana

This guide shows how to configure Grafana to use Microsoft Entra ID for single sign-on.

Why use Entra ID with Grafana

Benefits:

  • centralized authentication
  • optional automatic user provisioning
  • support for role mapping
  • better auditability
  • easier offboarding and access governance

Prerequisites

  • Grafana is already deployed and reachable via HTTPS
  • administrator access to Grafana
  • permission to create an app registration in Microsoft Entra ID
  • a public DNS name for Grafana

Step 1: Create the app registration

  • Platform: Web
  • Redirect URIs:
    • https://<grafana-domain>/login/azuread
    • https://<grafana-domain>/

Record the Tenant ID, Client ID and Client Secret.

Step 2: Add required delegated permissions

For basic sign-in, the standard OpenID Connect scopes are sufficient:

  • openid
  • profile
  • email

Step 3: Configure Grafana

In Grafana go to Administration > Authentication > Microsoft Entra ID and configure:

  • Client ID
  • Client secret
  • Auth URL: https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize
  • Token URL: https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token
  • Scopes: openid email profile
  • Allow sign up: according to your onboarding model
  • Auto login: optional
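
When the same settings are kept in grafana.ini under [auth.azuread] instead of the UI, they can be checked before Grafana is restarted. The following is an added example, not part of the original guide or of Grafana: the function names and the sample file are constructed for illustration, and requiring a GUID tenant ID in both URLs is an assumption taken from the <tenant-id> form shown above.

```python
import configparser
import re
from urllib.parse import urlparse

GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
REQUIRED_SCOPES = {"openid", "email", "profile"}
# Constructed sample; IDs and the secret are placeholders, not real values.
SAMPLE_INI = """
[auth.azuread]
client_id = 11111111-2222-3333-4444-555555555555
client_secret = placeholder-secret
auth_url = https://login.microsoftonline.com/common/oauth2/v2.0/authorize
token_url = http://login.microsoftonline.com/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/oauth2/v2.0/token
scopes = openid profile
allow_sign_up = true
"""

def tenant_of(url, suffix, key, findings):
    """Return the tenant segment of an Entra endpoint URL, recording problems."""
    u = urlparse(url)
    if u.scheme != "https":
        findings.append(f"{key}: must use https")
    if u.hostname != "login.microsoftonline.com":
        findings.append(f"{key}: unexpected host {u.hostname!r}")
    tenant, _, rest = u.path.strip("/").partition("/")
    if rest != suffix:
        findings.append(f"{key}: path should end in /{suffix}")
    if not GUID.match(tenant):
        findings.append(f"{key}: {tenant!r} is not a tenant ID")
    return tenant.lower()

def audit(ini_text):
    """Check [auth.azuread] against the Step 3 settings; return a list of findings."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    if not cp.has_section("auth.azuread"):
        return ["missing [auth.azuread] section"]
    s = cp["auth.azuread"]
    findings = [f"{k}: not set" for k in ("client_id", "client_secret") if not s.get(k, "").strip()]
    t_auth = tenant_of(s.get("auth_url", ""), "oauth2/v2.0/authorize", "auth_url", findings)
    t_tok = tenant_of(s.get("token_url", ""), "oauth2/v2.0/token", "token_url", findings)
    if t_auth != t_tok:
        findings.append("auth_url and token_url name different tenants")
    missing = REQUIRED_SCOPES - set(s.get("scopes", "").split())
    if missing:
        findings.append("scopes: missing " + " ".join(sorted(missing)))
    if s.getboolean("allow_sign_up", fallback=False):
        findings.append("allow_sign_up: on, confirm it matches your onboarding model")
    return findings
```

Calling audit(SAMPLE_INI) reports the non-tenant-specific authorize URL, the plain-HTTP token URL, the tenant mismatch, the missing email scope and the open sign-up setting.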

Step 4: Optional role mapping

For enterprise use, map Entra roles or groups to Grafana roles:

  • Viewer
  • Editor
  • Admin

App roles are usually easier to govern than broad open signup.

Best practices

  • use HTTPS only
  • prefer app-role-based authorization for cleaner governance
  • document who owns the app registration
  • monitor secret expiration
  • restrict tenant access where supported

Summary

Grafana with Microsoft Entra ID is a strong enterprise SSO pattern when you combine a clean web app registration, correct redirect URIs, controlled provisioning and role mapping.