Auto_assign_org and auto_assign_org_id randomly does not work for SSO with Azure AD

  • What Grafana version and what operating system are you using?
    v10.4.0 running in a container on an Ubuntu server on AKS

  • What are you trying to achieve?
    Assign all users to an org_id of 1 when signing in with Azure AD

  • How are you trying to achieve it?
    Configuring grafana.ini to auto assign users an org_id=1

  • What happened?
    Some users (not all) are assigned an org_id = -1 despite setting org_id configs in our grafana.ini. This seems to be random between users as when we wipe Grafana and reinstall it, the -1 org_id will be assigned to different users than before.

  • What did you expect to happen?
    All users would be assigned an org_id = 1 and can sign in with Azure AD without issue.

  • Can you copy/paste the configuration(s) that you are having problems with?
    Yes, here’s our grafana.ini configuration

[analytics]
check_for_updates = true
[auth.azuread]
allow_assign_grafana_admin = false
allow_sign_up = true
allowed_organizations = ${AZURE_TENANT_ID}
auth_url = https://login.microsoftonline.com/${AZURE_TENANT_ID}/oauth2/v2.0/authorize
auto_login = false
client_id = ${AZURE_CLIENT_ID}
client_secret = ${AZURE_CLIENT_SECRET}
enabled = true
name = Azure AD
role_attribute_strict = false
scopes = openid email profile offline_access
skip_org_role_sync = false
token_url = https://login.microsoftonline.com/${AZURE_TENANT_ID}/oauth2/v2.0/token
use_pkce = false
[azure]
managed_identity_client_id = ${AZURE_CLIENT_ID}
managed_identity_enabled = true
workload_identity_client_id = ${AZURE_CLIENT_ID}
workload_identity_enabled = true
[database]
host = ${DB_HOST}
name = grafana
password = ${PGPASSWORD}
type = postgres
user = grafana
[grafana_net]
url = https://grafana.net
[live]
ha_engine = redis
ha_engine_address = ${HA_HOST}
[log]
mode = console
[paths]
data = /var/lib/grafana/
logs = /var/log/grafana
plugins = /var/lib/grafana/plugins
provisioning = /etc/grafana/provisioning
[server]
domain = ${DOMAIN_URL}
root_url = ${DOMAIN_URL}
[smtp]
enabled = true
from_address = ${DO_NOT_REPLY_EMAIL}
host = ${EMAIL_HOST}
skip_verify = true
[unified_alerting]
ha_redis_address = ${HA_HOST}
[users]
auto_assign_org = true
auto_assign_org_id = 1
login_default_org_id = 1
viewers_can_edit = true

  • Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were.
    Yes, the users who can’t sign in receive a “User Sync failed” error in the UI, and in the logs we see level=error msg="Failed to run post auth hook" client=auth.client.azuread id= error="[user.sync.internal] unable to create user: user already exists"

  • Did you follow any online instructions? If so, what is the URL?
    Yes, we followed the configure Grafana docs

Does it happen when you:

  • start Grafana from scratch (blank DB)?
  • start a newer version, 10.4.3?

It happens when we start from scratch. We’re deploying Grafana via Helm and ArgoCD to an AKS cluster. We first experienced this issue before we made the [users] changes to grafana.ini. Once we realized it was happening, that’s when we tried forcefully setting org_id = 1 in grafana.ini. We completely wiped all the resources (Grafana, DBs, secrets, everything) from the cluster and let Argo redeploy and build it all again from scratch, and it would be different users that saw the error after the application was rebuilt.
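Added example (not from the original post, nor Grafana's own code): a small audit script that lists every Grafana user who is not a member of the org configured in auto_assign_org_id, so the mis-assignment above can be checked across all accounts instead of being discovered one "User Sync failed" login at a time. It uses Grafana's server-admin HTTP API with basic auth; the base URL and admin credentials are assumed to come from environment variables, and the sample data below is constructed.

```python
import base64
import json
import os
import urllib.request


def _get(base_url, path, auth_header):
    """GET a JSON document from the Grafana HTTP API (server-admin basic auth)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"Authorization": auth_header, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def users_missing_org(users, orgs_by_user, expected_org_id):
    """Return (login, org_ids) for each user not a member of expected_org_id.

    users:        list of dicts with at least "id" and "login" (shape of GET /api/users)
    orgs_by_user: user id -> list of dicts with "orgId" (shape of GET /api/users/:id/orgs)
    """
    missing = []
    for user in users:
        org_ids = sorted(org["orgId"] for org in orgs_by_user.get(user["id"], []))
        if expected_org_id not in org_ids:
            missing.append((user["login"], org_ids))
    return missing


def audit(base_url, admin_user, admin_password, expected_org_id=1):
    """Fetch all users and their org memberships, then flag the stragglers."""
    token = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    auth = "Basic " + token
    users = _get(base_url, "/api/users?perpage=1000&page=1", auth)
    orgs_by_user = {u["id"]: _get(base_url, f"/api/users/{u['id']}/orgs", auth) for u in users}
    return users_missing_org(users, orgs_by_user, expected_org_id)


# Constructed sample mirroring the thread: two users landed in org 1, one never did.
SAMPLE_USERS = [
    {"id": 1, "login": "admin"},
    {"id": 2, "login": "alice@example.com"},
    {"id": 3, "login": "bob@example.com"},
]
SAMPLE_ORGS = {
    1: [{"orgId": 1, "name": "Main Org.", "role": "Admin"}],
    2: [{"orgId": 1, "name": "Main Org.", "role": "Viewer"}],
    3: [],  # synced by the OAuth login but not attached to any org
}

if __name__ == "__main__":
    # Assumed environment variables; GRAFANA_URL like https://grafana.example.com
    if os.environ.get("GRAFANA_URL"):
        result = audit(os.environ["GRAFANA_URL"], os.environ["GRAFANA_ADMIN_USER"],
                       os.environ["GRAFANA_ADMIN_PASSWORD"], expected_org_id=1)
    else:
        result = users_missing_org(SAMPLE_USERS, SAMPLE_ORGS, 1)
    for login, org_ids in result:
        print(f"{login}: orgs={org_ids or 'none'}")
```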