New users being assigned incorrect role (AAD OAuth)

Hello,

I’m trying to make it so that all new users to my site are Editors, and no one is assigned the viewer role. I’m using Azure AD authentication. The problem is that many new users are being assigned the viewer role, despite my attempts to remove it.

I followed the regular steps to set up AAD OAuth2 here: https://grafana.com/docs/grafana/latest/auth/azuread/. In my grafana.ini, I have auto_assign_org_role = Editor, and have not created any additional orgs or changed the settings for the default org. Still, users are assigned Viewer instead of Editor.

I removed the Viewer role from the manifest (described in the steps in the link above), which I thought would prevent that from being accessible at all. Still, they are assigned Viewer. When I check the user assignments in Azure, they are assigned “Default Access”, but that seems to resolve to Viewer role on the Grafana site.

Has anyone had this issue? Am I missing a config setting somewhere?

I haven’t tried this, but looking at the docs, it seems that this might only work if auto_assign_org is also set to true.

If this continues to behave in ways that do not match the documentation, please file a bug report in grafana/grafana.

Thanks for the reply.

I can try setting the config explicitly to true, but the documentation says it should be true by default: https://grafana.com/docs/grafana/latest/administration/configuration/#auto_assign_org, and I haven’t changed it.

Let me try regardless, and I will file a bug if that doesn’t work.

Thanks!