I am using Grafana v11.2.2 (c47b921ef4) on Windows Server 2019.
I have connected the Grafana instance to authenticate users with my Azure AD. Users can log in, and those with an assigned role within Azure AD get the correct role in Grafana. The issue I have is that anyone within the tenant can log in and is defaulted to the Viewer role.
I have configured the allowed AD groups in the Grafana configuration, set the strict role option to true, and set group role sync to true.
Users are able to log in regardless of their security groups.
I expected the user to be denied access.
The following config is set:
[auth.azuread]
name = Microsoft
icon = microsoft
enabled = true
allow_sign_up = false
auto_login = false
client_id =
client_secret =
scopes = openid email profile User.Read
auth_url = {Standard Azure Auth URL}
token_url = {Standard Azure Token URL}
signout_redirect_url = {Standard redirect URL}
allowed_domains = {TenantID}
allowed_groups = 9eea197f-207c-48d9-8e4d-6cdcb6cf9ce0 a74c68df-45b9-469b-a353-281246bfdf39 ae3b7cf0-adea-4d9f-a7fc-d67b724be252 22c19863-1cb5-4218-aa83-d18f32351bd5
;allowed_organizations =
role_attribute_strict = true
;org_mapping =
allow_assign_grafana_admin = false
use_pkce = true
; prevent synchronizing users organization roles
skip_org_role_sync = false
use_refresh_token = true
No errors are reported in the Grafana instance.
I followed the instructions below:
(Configure Azure AD OAuth2 authentication | Grafana documentation)
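The two allow-lists in the config above, allowed_domains and allowed_groups, can only act on what the ID token carries: allowed_domains is matched against the domain part of the user's email claim, and allowed_groups needs a groups claim that Azure AD emits only when the app registration's token configuration includes it (or an overage pointer to Microsoft Graph when the user is in too many groups). The script below is an added diagnostic example, not Grafana's own code or part of the original post. It base64url-decodes a token's payload without verifying the signature (inspect claims only, never use it to authorize anything) and reports which of the documented checks each token could pass. The tokens, the example.com domain and the all-zero tenant ID are constructed for the demo; the group GUIDs are the ones from the post.

```python
"""Offline look at what Grafana's [auth.azuread] allow-lists can see in an
Azure AD ID token. Added diagnostic example, not Grafana's code.
The signature is NOT verified: use this only to inspect claims."""
import base64
import json
from typing import Dict, List


def parse_list(value: str) -> List[str]:
    """Grafana documents these settings as comma- or space-separated lists."""
    return [item for item in value.replace(",", " ").split() if item]


def decode_jwt_payload(token: str) -> Dict:
    """Base64url-decode the payload segment of a compact JWS (no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def email_allowed(claims: Dict, allowed_domains: List[str]) -> bool:
    """allowed_domains restricts by the domain of the user's email, so a tenant
    ID GUID in that setting can never match any email and blocks everyone."""
    if not allowed_domains:
        return True
    email = claims.get("email") or claims.get("preferred_username") or ""
    domain = email.rpartition("@")[2].lower()
    return bool(domain) and domain in {d.lower() for d in allowed_domains}


def group_status(claims: Dict, allowed_groups: List[str]) -> str:
    """Returns 'allowed', 'denied', 'overage' or 'no-groups-claim'."""
    if not allowed_groups:
        return "allowed"
    if "groups" in claims:
        wanted = {g.lower() for g in allowed_groups}
        hit = any(g.lower() in wanted for g in claims["groups"])
        return "allowed" if hit else "denied"
    # Azure AD drops the claim and points at Graph when the user has too many
    # groups; resolving that requires Graph permission, not just the token.
    if "groups" in claims.get("_claim_names", {}):
        return "overage"
    return "no-groups-claim"  # groups claim was never added to the app's token config


def evaluate(token: str, config: Dict[str, str]) -> Dict:
    """Apply both allow-lists from an [auth.azuread]-style config to one token."""
    claims = decode_jwt_payload(token)
    return {
        "email_ok": email_allowed(claims, parse_list(config.get("allowed_domains", ""))),
        "groups": group_status(claims, parse_list(config.get("allowed_groups", ""))),
    }


def make_token(claims: Dict) -> str:
    """Constructed, unsigned token for the demo (empty signature segment)."""
    def enc(obj: Dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed configs: group GUIDs from the post, domain/tenant ID are placeholders.
GROUPS = "9eea197f-207c-48d9-8e4d-6cdcb6cf9ce0, a74c68df-45b9-469b-a353-281246bfdf39"
CONFIG_DOMAIN = {"allowed_domains": "example.com", "allowed_groups": GROUPS}
CONFIG_TENANT_ID = {"allowed_domains": "00000000-0000-0000-0000-000000000000",
                    "allowed_groups": GROUPS}

# Constructed tokens covering the three cases a practitioner will meet.
TOKEN_MEMBER = make_token({"email": "alice@example.com",
                           "groups": ["9eea197f-207c-48d9-8e4d-6cdcb6cf9ce0"]})
TOKEN_NO_CLAIM = make_token({"email": "bob@example.com"})
TOKEN_OVERAGE = make_token({"email": "carol@example.com",
                            "_claim_names": {"groups": "src1"},
                            "_claim_sources": {"src1": {"endpoint": "https://graph.microsoft.com/"}}})

if __name__ == "__main__":
    for name, tok in [("member", TOKEN_MEMBER), ("no-claim", TOKEN_NO_CLAIM),
                      ("overage", TOKEN_OVERAGE)]:
        print(name, evaluate(tok, CONFIG_DOMAIN))
    print("tenant-id-as-domain", evaluate(TOKEN_MEMBER, CONFIG_TENANT_ID))
```

To use it on a real login, capture the id_token from the browser's network tab during the Grafana sign-in and pass it to evaluate() with the values from your custom.ini. A result of "no-groups-claim" means the app registration is not emitting groups, so allowed_groups has nothing to filter on; "overage" means Grafana must be able to call Microsoft Graph for group membership; and email_ok False under the tenant-ID variant shows why a GUID in allowed_domains would reject every user rather than restrict the tenant.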