Skip role sync in Azure AD as secondary login

  • What Grafana version and what operating system are you using? 8.4.5

  • What are you trying to achieve? Double auth (generic: aws cognito and azure ad)

  • How are you trying to achieve it? I’ve added both the configurations to the defaults.ini file.

  • What happened? The azure AD configuration has roles defined but I do not want any sync with those roles. So, i’m using

skip_org_role_sync = true

in azure Ad configuration.

  • What did you expect to happen? I expected it to not sync the roles but when a user logs in using the microsoft login they lose access to all the orgs that they had when they log in from cognito. I do not want the two login options to have any impact on access.

  • Can you copy/paste the configuration(s) that you are having problems with?

name = Azure AD
enabled = true
;allow_sign_up = true
client_id = <id>
client_secret = <secret>
auth_url = <auth_url>
token_url = <token_url>
scopes = openid email profile
skip_org_role_sync = true
;allowed_domains =
;allowed_groups =

Check doc for your version or changelogs after your version. I guess that feature is not available for your Grafana 8.4.5.

You’re right. That configuration is not available in my version of Grafana. What could be workaround to only handle the user access through Grafana and use auth only to login and get email

I would say no workaround is worth it. Update to latest stable version - you will have supported version with features which you need.

It is a big change for me to update the version, please let me know if you have a workaround in mind that could help

You can use Grafana in auth proxy mode = you will outsource auth outside Grafana - some oauth/oidc proxy in front of Grafana.

More moving parts and configurations - more complex setup, but you can still use old Grafana. Good luck.