Hey, I am finding it difficult to understand what is fact and what is not, due to so many community posts and GitHub issues saying different things.
Before I tried to set up Azure AD, I followed this table:
Configure authentication | Grafana documentation
It clearly states multiple organisations are possible; however, when I try to set this up using the Helm chart with
org_mapping: ["REDACTED:*:GrafanaAdmin"]
or
org_mapping: ["REDACTED3:*:Admin"]
The users only gain access to org1, I have even tried adding orgs individually like:
org_mapping: ["REDACTED:1:GrafanaAdmin, REDACTED:2:GrafanaAdmin"]
but the result is the same.
Does Grafana auth.azuread support multiple organisations for a user, or am I doing something wrong?
What Grafana version and what operating system are you using?
Helm chart, Grafana v11.5.1
What are you trying to achieve?
To allow a user to have admin / access to multiple organisations via org_mapping
How are you trying to achieve it?
Detailed above.
What happened?
The user only gains admin access to org id: 1
What did you expect to happen?
The user to be able to access all / specified orgs
Can you copy/paste the configuration(s) that you are having problems with?
As above.
Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were.
None
Did you follow any online instructions? If so, what is the URL?
Configure Azure AD/Entra ID OAuth authentication | Grafana documentation
acleavesgresham:
Can anyone confirm?
Yes, it's supported. Could you please verify (by enabling debug logging) that the groups claim contains the item(s) you specify as the "external group" (GroupId from the first entry (<GroupID>:<OrgIdOrName>:<Role>)) set up in the org_mapping config?
I can look into that, what format should I use to test?
org_mapping: ["REDACTED:*:Admin"]
or
org_mapping: ["REDACTED:1:Admin, REDACTED:2:Admin"]
Currently, using both formats results in the user just being granted admin on orgId: 1
You need to define the org mapping entries as a JSON array: it should be
org_mapping: ["REDACTED:1:Admin", "REDACTED:2:Admin"]
instead of
org_mapping: ["REDACTED:1:Admin, REDACTED:2:Admin"].
1 Like
acleavesgresham:
org_mapping:
Ok, so using this:
auth.azuread:
  enabled: true
  allow_sign_up: true
  client_id: $__file{/etc/grafana/secrets/ad_client_id}
  client_secret: $__file{/etc/grafana/secrets/ad_client_secret}
  scopes: "openid email profile"
  auth_url: $__file{/etc/grafana/secrets/auth_url}
  token_url: $__file{/etc/grafana/secrets/token_url}
  allowed_domains: $__file{/etc/grafana/secrets/allowed_domains}
  role_attribute_strict: true # Previously False - Testing AD Role Mapping
  allow_assign_grafana_admin: true
  skip_org_role_sync: false # Previously True
  org_mapping: ["REDACTED:1:Admin", "REDACTED:2:Admin", "REDACTED:3:Admin", "REDACTED:4:Admin", "REDACTED:5:Admin", "REDACTED:6:Admin", "REDACTED:7:Admin", "REDACTED:8:Admin", "REDACTED:9:Admin", "REDACTED:10:Admin", "REDACTED:11:Admin", "REDACTED:12:Admin"]
I deleted the user in question, signed in again.
The user only has access to "Main", which is orgId: 1
Organizations
Main Org. Admin
Synced via AzureAD
I will now try to enable debug and see if I can get any more info
mihalygyongyosi:
groups
I don't see any log under "group" or "login" or the username in question; as you can imagine, the debug log is very busy. Is there a specific log line I should be searching for?
There should be an entry like this:
logger=oauth.azuread t=2025-07-02T14:02:38.945465851Z level=debug msg="AzureAD OAuth: extracted groups" email={email} groups="[{groupid1} {groupid2} ..]"
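As an added example that is not Grafana's own code, the following Python script ties together the two checks raised in this thread: it parses org_mapping entries in the <GroupID>:<OrgIdOrName>:<Role> form and reports an entry that packs several mappings into one comma-separated string (the mistake discussed above) instead of silently truncating it, extracts the groups claim from a debug line of the shape shown in the previous reply, and resolves which org roles a user would end up with. Assumptions: the group ids, the e-mail address and the log excerpt are constructed; treating `*` on the group side as a wildcard, letting the highest role win per org, and the ROLE_RANK set of org roles are assumed behaviours of the script, not a statement of how Grafana implements the mapping.

```python
import re
from dataclasses import dataclass

# Constructed samples: the two shapes of org_mapping discussed in the thread.
# Group ids are placeholders, not real Entra ID object ids.
WRONG_MAPPING = ["G1:1:Admin, G1:2:Admin"]      # several mappings inside one string
RIGHT_MAPPING = ["G1:1:Admin", "G1:2:Admin"]    # one entry per array element

# Assumption: the org roles an org_mapping entry may carry, ranked for precedence.
ROLE_RANK = {"None": 0, "Viewer": 1, "Editor": 2, "Admin": 3}


@dataclass(frozen=True)
class OrgMapping:
    group: str   # external group id, or "*" for any group (assumed wildcard)
    org: str     # org id or org name
    role: str


def parse_org_mapping(entries):
    """Parse each entry as <GroupID>:<OrgIdOrName>:<Role>.

    Returns (mappings, problems). An entry that hides several mappings behind
    a comma, or that does not split into exactly three fields, is reported
    rather than silently accepted.
    """
    mappings, problems = [], []
    for raw in entries:
        if "," in raw:
            problems.append(f"{raw!r}: comma inside one string; split it into separate array elements")
            continue
        parts = [p.strip() for p in raw.split(":")]
        if len(parts) != 3 or not all(parts):
            problems.append(f"{raw!r}: expected exactly three ':'-separated fields")
            continue
        group, org, role = parts
        if role not in ROLE_RANK:
            problems.append(f"{raw!r}: unknown org role {role!r}")
            continue
        mappings.append(OrgMapping(group, org, role))
    return mappings, problems


# Shape of the "extracted groups" debug line quoted in the thread.
GROUPS_LINE = re.compile(
    r'logger=oauth\.azuread .*msg="AzureAD OAuth: extracted groups" '
    r'email=(?P<email>\S+) groups="\[(?P<groups>[^\]]*)\]"'
)


def groups_from_debug_log(log_text):
    """Return (email, [group ids]) from the first 'extracted groups' line, or (None, [])."""
    for line in log_text.splitlines():
        m = GROUPS_LINE.search(line)
        if m:
            return m["email"], m["groups"].split()
    return None, []


def resolve_org_roles(user_groups, mappings):
    """Map a user's groups claim to {org: role}; the highest role wins per org (assumption)."""
    roles = {}
    for m in mappings:
        if m.group == "*" or m.group in user_groups:
            if ROLE_RANK[m.role] >= ROLE_RANK[roles.get(m.org, "None")]:
                roles[m.org] = m.role
    return roles


# Constructed log excerpt: one unrelated oauthtoken line plus the line to look for.
SAMPLE_LOG = """\
logger=oauthtoken t=2025-07-02T14:10:49.629343115Z level=debug msg="Neither access nor id token have expired yet"
logger=oauth.azuread t=2025-07-02T14:02:38.945465851Z level=debug msg="AzureAD OAuth: extracted groups" email=alice@example.com groups="[G1 G9]"
"""

if __name__ == "__main__":
    email, groups = groups_from_debug_log(SAMPLE_LOG)
    print(f"groups claim for {email}: {groups}")
    for label, cfg in (("wrong", WRONG_MAPPING), ("right", RIGHT_MAPPING)):
        mappings, problems = parse_org_mapping(cfg)
        print(f"{label}: {len(mappings)} mapping(s), problems={problems}")
        print(f"  org roles -> {resolve_org_roles(groups, mappings)}")
```

Run against the comma-in-one-string form, the parser yields no usable mapping and one problem, which is consistent with a user ending up with access to a single org only; the array form yields one mapping per org. Feeding the script the real "extracted groups" line from a debug log (instead of the constructed one) shows directly whether the group id used in org_mapping is present in the claim.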
mihalygyongyosi:
oauth
I don't see any of this when using "debug", I'm afraid. I am using the Helm chart, and using this to set the log level.
grafana.ini:
  server:
    root_url: X
  session:
    cookie_domain: X
  log:
    mode: console
    level: debug
kubectl -n grafana logs grafana-fb4b7b98-8gg9g | grep oauth
logger=oauth_token.sync userID=11 t=2025-07-02T14:10:49.615429196Z level=debug msg="Singleflight request for OAuth token sync"
logger=infra.lockservice t=2025-07-02T14:10:49.615451529Z level=debug msg="Start LockExecuteAndReleaseWithRetries" actionName=oauth-refresh-token-11
logger=infra.lockservice t=2025-07-02T14:10:49.622073102Z level=debug msg="Start execution" actionName=oauth-refresh-token-11
logger=oauthtoken userID=11 t=2025-07-02T14:10:49.622095384Z level=debug msg="Serverlock request for getting a new access token" key=oauth-refresh-token-11
logger=oauthtoken t=2025-07-02T14:10:49.629343115Z level=debug msg="Neither access nor id token have expired yet"
logger=infra.lockservice t=2025-07-02T14:10:49.629353955Z level=debug msg="Execution finished" actionName=oauth-refresh-token-11 duration=7.285726ms
logger=infra.lockservice t=2025-07-02T14:10:49.644391487Z level=debug msg="LockExecuteAndReleaseWithRetries finished" actionName=oauth-refresh-token-11 duration=28.939106ms
Above are the only logs I see for "oauth".
Is there a flag I need to set for this to log?
Just to clarify, I am using the same ID on the azure side
["09d3dd11-REDACTED:1:Admin", "09d3dd11-REDACTED:2:Admin"....
I am assuming this is ok; all members of this group should be an admin on all orgs.