Changing Grafana role when using OAuth

There were several PR to disable changing roles for external users:

I am not sure why it’s a thing.

We are using AzureAD as a source for our users. We are not getting role info from it.
With that said our approach was to apply roles individually inside Grafana. And this was working great.


Not sure what was the decision to disable it, with that said it would be great if that can be under some flag in the config to change such behavior.


  • Grafana version: 8.3.3
  • Data source type & version: N\A
  • OS Grafana is installed on: N\A
  • User OS & Browser: N\A

You don’t need to have a roles from your identity provider. You can write role assignment based on any claim. E.g. on email claim:

GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH=contains(['',''], email) && 'Admin' || 'Viewer'

=> users with emails,mail2@mail.coom are admins and others are viewers only.

We have more than 20k users.
So adding them to the config is not an option :wink:

Do you manage roles of 20k users manually? That’s IMHO task exactly for IDP provided roles/groups.