User Sync Fails with Azure AD SSO

  • What Grafana version and what operating system are you using? v10.4.0

  • What are you trying to achieve? Single Sign-on With Azure AD

  • How are you trying to achieve it? Configuring [auth.azuread]

  • What happened? Some users are getting a “User sync failed” error when trying to sign in with Azure AD. Others are able to sign in and sign out without issue though.

  • What did you expect to happen? All users would be able to sign in with Azure AD without issue

  • Can you copy/paste the configuration(s) that you are having problems with?

auth.azuread:
  name: Azure AD
  enabled: true
  allow_sign_up: true
  auto_login: false
  client_id: ${AZURE_CLIENT_ID}
  client_secret: ${AZURE_CLIENT_SECRET}
  scopes: openid email profile offline_access
  auth_url: https://login.microsoftonline.com/${AZURE_TENANT_ID}/oauth2/v2.0/authorize
  token_url: https://login.microsoftonline.com/${AZURE_TENANT_ID}/oauth2/v2.0/token
  allowed_organizations: ${AZURE_TENANT_ID}
  role_attribute_strict: false
  allow_assign_grafana_admin: false
  skip_org_role_sync: false
  use_pkce: false

  • Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were. Users who are unable to log in receive a “User sync failed” error in the UI. Looking at the logs we saw this error:

    level=error msg="Failed to run post auth hook" client=auth.client.azuread id= error="[user.sync.internal] unable to create user: user already exists"

  • Did you follow any online instructions? If so, what is the URL? Configure Azure AD OAuth2 authentication | Grafana documentation

We also recently implemented Grafana HA with postgres but I’m not sure how that would affect this.

So we were able to figure out the issue but not a solution. Users who are unable to log in and receive a “User Sync failed” error have an org_id of -1 when it should be 1. Looking at Grafana’s docs for setting org_ids, it looks like auto_assign_org defaults to true, which should assign users to the default org of 1. We also tried setting login_default_org_id to 1 to see if that’d work, but some users are still getting that error.

We also configured [users] with the following

users:
  auto_assign_org: true
  auto_assign_org_id: 1
  login_default_org_id: 1

and some are still being assigned an org_id of -1.
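A read-only diagnostic query for the HA Postgres database mentioned above, added here as an example and not part of the original post. It assumes Grafana's standard schema (the "user", org_user and user_auth tables with the columns named below) and that the Azure AD auth module is recorded as 'oauth_azuread'; it lists the users that show the org_id of -1 symptom together with their org membership and Azure AD link, and then checks a hypothesis suggested by the "user already exists" log line.

```sql
-- Added diagnostic example, not from the original post. Read-only.
-- Assumed Grafana schema: "user"(id, login, email, org_id, last_seen_at),
-- org_user(id, org_id, user_id, role), user_auth(user_id, auth_module, auth_id).
-- 'oauth_azuread' is the assumed auth_module value for the Azure AD client.

-- 1. Users whose org_id is -1 (the symptom above) or whose org_id has no
--    matching org_user membership, alongside their Azure AD auth record.
--    A NULL auth_module means no Azure AD link is stored for that user.
SELECT u.id,
       u.login,
       u.email,
       u.org_id,
       ou.role        AS role_in_org,
       ua.auth_module,
       ua.auth_id,
       u.last_seen_at
FROM   "user" u
LEFT JOIN org_user  ou ON ou.user_id = u.id AND ou.org_id = u.org_id
LEFT JOIN user_auth ua ON ua.user_id = u.id AND ua.auth_module = 'oauth_azuread'
WHERE  u.org_id = -1
   OR  ou.id IS NULL
ORDER  BY u.org_id, u.login;

-- 2. Hypothesis check for "unable to create user: user already exists":
--    look for logins or emails that differ only by letter case, since a
--    case-mismatched duplicate is one way a lookup can miss a row that an
--    insert then collides with. A non-empty result is a lead, not a diagnosis.
SELECT 'email' AS kind, lower(email) AS value_ci, count(*) AS n,
       string_agg(login, ', ') AS logins
FROM   "user"
GROUP  BY lower(email)
HAVING count(*) > 1
UNION ALL
SELECT 'login', lower(login), count(*), string_agg(email, ', ')
FROM   "user"
GROUP  BY lower(login)
HAVING count(*) > 1;
```

Compare the first result set against the list of users who get the error; if the affected users have org_id = -1 and no org_user row, the org assignment step of the sync is what to look at, separately from the duplicate-user question.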