Plan your IAM integration strategy on Grafana Labs

Configure authentication

Fri, 03 Apr 2026 19:43:06 +0000

Configure authentication

Grafana provides many ways to authenticate users. Some authentication integrations also enable syncing user permissions and org memberships.

The following table shows all supported authentication methods and the features available for them. Team sync and active sync are only available in Grafana Enterprise.

Authentication method	Multi Org Mapping	Enforce Sync	Role Mapping	Grafana Admin Mapping	Team Sync	Allowed groups	Active Sync	Skip OrgRole mapping	Auto Login	Single Logout	SCIM support
Anonymous access	N/A	N/A	N/A	N/A	N/A	N/A	N/A	N/A	N/A	N/A	N/A
Auth Proxy	no	yes	yes	no	yes	no	N/A	no	N/A	N/A	N/A
Entra ID OAuth	yes	yes	yes	yes	yes	yes	N/A	yes	yes	yes	N/A
Basic auth	yes	N/A	yes	yes	N/A	N/A	N/A	N/A	N/A	N/A	N/A
Passwordless auth	yes	N/A	yes	yes	N/A	N/A	N/A	N/A	N/A	N/A	N/A
Generic OAuth	yes	yes	yes	yes	yes	no	N/A	yes	yes	yes	N/A
GitHub OAuth	yes	yes	yes	yes	yes	yes	N/A	yes	yes	yes	N/A
GitLab OAuth	yes	yes	yes	yes	yes	yes	N/A	yes	yes	yes	N/A
Google OAuth	yes	no	no	no	yes	no	N/A	no	yes	yes	N/A
Grafana.com OAuth	no	no	yes	no	N/A	N/A	N/A	yes	yes	yes	N/A
Okta OAuth	yes	yes	yes	yes	yes	yes	N/A	yes	yes	yes	N/A
SAML (Enterprise only)	yes	yes	yes	yes	yes	yes	N/A	yes	yes	yes	yes
LDAP	yes	yes	yes	yes	yes	yes	yes	no	N/A	N/A	N/A
JWT Proxy	no	yes	yes	yes	no	no	N/A	no	N/A	N/A	N/A

Fields explanation:

Multi Org Mapping: Able to add a user and map roles to multiple organizations

Enforce Sync: If the information provided by the identity provider is empty, does the integration skip setting that user’s field or does it enforce a default.

Role Mapping: Able to map a user’s role in the default org

Grafana Admin Mapping: Able to map a user’s admin role in the default org

Team Sync: Able to sync teams from a predefined group/team in a your IdP

Allowed Groups: Only allow members of certain groups to login

Active Sync: Add users to teams and update their profile without requiring them to log in

Skip OrgRole Sync: Able to modify org role for users and not sync it back to the IdP

Auto Login: Automatically redirects to provider login page if user is not logged in * for OAuth; Only works if it’s the only configured provider

Single Logout: Logging out from Grafana also logs you out of provider session

SCIM support: Support for SCIM provisioning. Supported Identity Providers are Entra ID and Okta.

Configuring multiple identity providers

Grafana allows you to configure more than one authentication provider, however it is not possible to configure the same type of authentication provider twice. For example, you can have SAML (Enterprise only) and Generic OAuth configured, but you can not have two different Generic OAuth configurations.

Note: Grafana does not support multiple identity providers resolving the same user. Make sure no user account overlaps between the different providers.

In scenarios where you have multiple identity providers of the same type, there are a couple of options:

Use different Grafana instances, each configured with a given identity provider.
Check if the identity provider supports account federation. In such cases, you can configure it once and let your identity provider federate the accounts from different providers.
If SAML is supported by the identity provider, you can configure one Generic OAuth and one SAML (Enterprise only).

If users want to use the same email address with multiple identity providers (for example, Grafana.Com OAuth and Google OAuth), you can configure Grafana to use the email address as the unique identifier for the user. To do so, enable the oauth_allow_insecure_email_lookup option, which is disabled by default. Refer to the Enable email lookup section for details.

Note that enabling this option can lower the security of your Grafana instance. If you enable this option, make sure that the Allowed organization, Allowed groups and Allowed domains settings are configured correctly to prevent unauthorized access.

Multi-factor authentication (MFA/2FA)

Grafana and the Grafana Cloud portal currently do not include built-in support for multi-factor authentication (MFA).

We strongly recommend integrating an external identity provider (IdP) that supports MFA, such as Okta, Entra ID, or Google Workspace. By configuring your Grafana instances to use an external IdP, you can leverage MFA to protect your accounts and resources effectively.

The following applies if you’re using Grafana basic authentication, LDAP (without Auth proxy) or OAuth integration.

Grafana uses short-lived tokens to verify authenticated users.

You can set up the following parameters:

token_rotation_interval_minutes: Specifies the rotation interval of the token for active authenticated users.
login_maximum_lifetime_duration: Specifies for how long a user remains authenticated before being prompted to authenticate again.
login_maximum_inactive_lifetime_duration: Specifies for how long inactive authenticated users will remain logged in.
- A user can close a Grafana window and return before now + login_maximum_inactive_lifetime_duration to continue their session.

Force logout

Under certain circumstances you may require your users to re-authenticate before their session naturally expires. While Grafana doesn’t offer Admin session revocation as standard functionality, you have the following workarounds if you need to force the logout of a user:

Delete the user’s token user_auth_token from the database. This requires database access as is not available to Grafana Cloud customers.
Set login_maximum_lifetime_duration to 1 minute, wait for the logout to take effect (usually it’s executed in under 10 minutes), then reset login_maximum_lifetime_duration to its usual value.

Use cases include:

SSO migrations: Force re-auth to pick up new IdP/permissions
Security incidents: Immediate response to credential compromise
Permission changes: Ensure role changes take effect immediately
Employee offboarding: Revoke access without waiting for session expiry

Session handling with SSO

When using SSO (Single Sign-On) authentication methods, Grafana handles sessions differently based on the configuration:

OAuth/OpenID Connect

Without refresh tokens (default):
- Grafana creates a session valid for up to login_maximum_lifetime_duration (default: 30 days).
- During this time, the session remains valid even if the user loses access at the IdP.
With refresh tokens enabled:
- The user receives a JWT refresh token. When the JWT expires and the refresh token is used to obtain a new token, Grafana will revalidate access with the IdP.
- If the user has been removed from required groups or access has been revoked, the refresh will fail and the session will be invalidated.

SAML

After successful SAML authentication, Grafana creates a session with the default session lifetime.
If SAML Single Logout (SLO) is properly configured, the session will be revoked when the user’s access is revoked on the IdP side.
If SAML Single Logout (SLO) is properly configured, the session will be revoked when the user’s access is revoked on the IdP side. For more information on configuring SAML and SLO, refer to the SAML configuration documentation.

Settings

Example:

[auth]

# Login cookie name
login_cookie_name = grafana_session

# The maximum lifetime (duration) an authenticated user can be inactive before being required to login at next visit. Default is 7 days (7d). This setting should be expressed as a duration, e.g. 5m (minutes), 6h (hours), 10d (days), 2w (weeks), 1M (month). The lifetime resets at each successful token rotation (token_rotation_interval_minutes).
login_maximum_inactive_lifetime_duration =

# The maximum lifetime (duration) an authenticated user can be logged in since login time before being required to login. Default is 30 days (30d). This setting should be expressed as a duration, e.g. 5m (minutes), 6h (hours), 10d (days), 2w (weeks), 1M (month).
login_maximum_lifetime_duration =

# How often should auth tokens be rotated for authenticated users when being active. The default is every 10 minutes.
token_rotation_interval_minutes = 10

# The maximum lifetime (seconds) an API key can be used. If it is set all the API keys should have limited lifetime that is lower than this value.
api_key_max_seconds_to_live = -1

# Enforce user lookup based on email instead of the unique ID provided by the IdP.
oauth_allow_insecure_email_lookup = false

Extended authentication settings

Enable email lookup

By default, Grafana identifies users based on the unique ID provided by the identity provider (IdP). In certain cases, however, enabling user lookups by email can be a feasible option, such as when:

The identity provider is a single-tenant setup.
Unique, validated, and non-editable emails are provided by the IdP.
The infrastructure allows email-based identification without compromising security.

Important note: While it is possible to configure Grafana to allow email-based user lookups, we strongly recommend against this approach in most cases due to potential security risks. If you still choose to proceed, the following configuration can be applied to enable email lookup.

[auth]
oauth_allow_insecure_email_lookup = true

You can also enable email lookup using the API:

Note
Available in Grafana Enterprise and Grafana Cloud since Grafana v10.4.

curl --request PUT \
  --url http://{slug}.grafana.com/api/admin/settings \
  --header 'Authorization: Bearer glsa_yourserviceaccounttoken' \
  --header 'Content-Type: application/json' \
  --data '{ "updates": { "auth": { "oauth_allow_insecure_email_lookup": "true" }}}'

Finally, you can also enable it using the UI by going to Administration -> Authentication -> Auth settings.

Set to true to attempt login with specific OAuth provider automatically, skipping the login screen. This setting is ignored if multiple auth providers are configured to use auto login. Defaults to false.

[auth.generic_oauth]
auto_login = true

The disableAutoLogin=true URL parameter allows users to bypass the automatic login feature in scenarios where incorrect configuration changes prevent normal login functionality. This feature is especially helpful when you need to access the login screen to troubleshoot and fix misconfigurations.

How to use

Add disableAutoLogin=true as a query parameter to your Grafana URL.
- Example: grafana.example.net/login?disableAutoLogin=true or grafana.example.net/login?disableAutoLogin
This will redirect you to the standard login screen, bypassing the automatic login mechanism.
Fix any configuration issues and test your login setup.

This feature is available for both for OAuth and SAML. Ensure that after fixing the issue, you remove the parameter or revert the configuration to re-enable the automatic login feature, if desired.

Set the option detailed below to true to hide sign-out menu link. Useful if you use an auth proxy or JWT authentication.

[auth]
disable_signout_menu = true

URL redirect after signing out

URL to redirect the user to after signing out from Grafana. This can for example be used to enable signout from an OAuth provider.

Example for Generic OAuth:

[auth.generic_oauth]
signout_redirect_url =

Remote logout

You can log out from other devices by removing login sessions from the bottom of your profile page. If you are a Grafana admin user, you can also do the same for any user from the Server Admin / Edit User view.

Protected roles

Note
Available in Grafana Enterprise and Grafana Cloud.

By default, after you configure an authorization provider, Grafana will adopt existing users into the new authentication scheme. For example, if you have created a user with basic authentication having the login jsmith@example.com, then set up SAML authentication where jsmith@example.com is an account, the user’s authentication type will be changed to SAML if they perform a SAML sign-in.

You can disable this user adoption for certain roles using the protected_roles property:

[auth.security]
protected_roles = server_admins org_admins

The value of protected_roles should be a list of roles to protect, separated by spaces. Valid roles are viewers, editors, org_admins, server_admins, and all (a superset of the other roles).

Configure SCIM provisioning

Fri, 03 Apr 2026 19:43:06 +0000

Configure SCIM provisioning

System for Cross-domain Identity Management (SCIM) is an open standard that allows automated user provisioning and management. With SCIM, you can automate the provisioning of users and groups from your identity provider to Grafana.

Note
Available in Grafana Enterprise and Grafana Cloud.

Benefits

Note
SCIM provisioning only works with SAML authentication. Other authentication methods aren’t supported.

SCIM offers several advantages for managing users and teams in Grafana:

Automated user provisioning: Automatically create, update, and disable users in Grafana when changes occur in your identity provider
Automated team lifecycle management: Automatically create teams when new groups are added, update team memberships, and delete teams when groups are removed from your identity provider
Reduced administrative overhead: Eliminate manual user management tasks and reduce the risk of human error
Enhanced security: Automatically disable access when users leave your organization

Authentication and access requirements

When you enable SCIM in Grafana, the following requirements and restrictions apply:

Use the same identity provider for user provisioning and for authentication flow: You must use the same identity provider for both authentication and user provisioning.
Security restriction: When using SAML, the login authentication flow requires the SAML assertion exchange between the Identity Provider and Grafana to include the userUID SAML assertion with the user’s unique identifier at the Identity Provider.
- Configure userUID SAML assertion in Entra ID
- Configure userUID SAML assertion in Okta

Align SAML identifier with SCIM `externalId`

When you use SAML with SCIM provisioning, align the SCIM externalId with the SAML user identifier. Use a stable IdP attribute (for example, Entra ID user.objectid) as the SCIM externalId, and send that same value as a SAML claim. Configure Grafana to read this claim with the assertion_attribute_external_uid setting so SAML authentication links to the SCIM-provisioned user and its permissions.

If the SAML identifier and SCIM externalId differ, Grafana may not link the authenticated user to the intended SCIM profile, which can result in incorrect access. Verify your IdP sends a stable, unique identifier and that it matches the SCIM externalId. Refer to your IdP docs and the Grafana SCIM integration guides for Entra ID and Okta for attribute configuration details.

Configure SCIM using the Grafana user interface

You can configure SCIM in Grafana using the Grafana user interface. To do this, navigate to Administration > Authentication > SCIM.

The Grafana SCIM UI provides the following advantages over configuring SCIM in the Grafana configuration file:

It is accessible by Grafana Cloud users
It doesn’t require Grafana to be restarted after a configuration update
Using the authentication settings permission allows us to restrict Grafana’s access scope rather than relying on an overly permissive role such as Admin.

Note
Any configuration changes made through the Grafana user interface (UI) will take precedence over settings specified in the Grafana configuration file or through environment variables. This means that if you modify any configuration settings in the UI, they will override any corresponding settings set via environment variables or defined in the configuration file.

Configure SCIM settings

Sign in to Grafana and navigate to Administration > Authentication > SCIM. Here you can configure the following settings:

Setting	Required	Description	Default
`Enable Group Sync`	No	Enable SCIM group provisioning. When enabled, Grafana will create, update, and delete teams based on SCIM requests from your identity provider. Cannot be enabled if Team Sync is enabled.	`false`
`Reject Non-Provisioned Users`	No	When enabled, prevents non-SCIM provisioned users from signing in. Cloud Portal users can always sign in regardless of this setting.	`false`
`Enable User Sync`	Yes	Enable SCIM user provisioning. When enabled, Grafana will create, update, and deactivate users based on SCIM requests from your identity provider.	`false`

The SCIM UI also displays information that may help you configure SCIM in your identity provider, including stack domain, stack ID, and tenant URL.

Next steps

After configuring SCIM in Grafana, configure your identity provider:

Configure SCIM using the configuration file

The table below describes all SCIM configuration options. Like any other Grafana configuration, you can apply these options as environment variables.

Setting	Required	Description	Default
`user_sync_enabled`	Yes	Enable SCIM user provisioning. When enabled, Grafana will create, update, and deactivate users based on SCIM requests from your identity provider.	`false`
`group_sync_enabled`	No	Enable SCIM group provisioning. When enabled, Grafana will create, update, and delete teams based on SCIM requests from your identity provider. Cannot be enabled if Team Sync is enabled.	`false`
`reject_non_provisioned_users`	No	When enabled, prevents non-SCIM provisioned users from signing in. Cloud Portal users can always sign in regardless of this setting.	`false`

Warning
Team Sync Compatibility:

SCIM group sync (group_sync_enabled = true) and Team Sync cannot be enabled simultaneously

You can use SCIM user sync (user_sync_enabled = true) alongside Team Sync

For more details about migration and compatibility, see SCIM vs Team Sync

Example SCIM configuration

[auth.scim]
user_sync_enabled = true
group_sync_enabled = false
reject_non_provisioned_users = false

Configure SCIM using Terraform

You can also configure SCIM provisioning in Grafana using the Grafana Terraform provider. This approach is particularly useful for infrastructure-as-code deployments and automated provisioning.

Terraform SCIM configuration example

resource "grafana_scim_config" "scim_config" {
  user_sync_enabled            = true
  group_sync_enabled           = false
  reject_non_provisioned_users = false
}

Terraform SCIM configuration options

The Terraform grafana_scim_config resource supports the same configuration options as the manual configuration:

Setting	Required	Description	Default
`user_sync_enabled`	Yes	Enable SCIM user provisioning. When enabled, Grafana will create, update, and deactivate users based on SCIM requests from your identity provider.	`false`
`group_sync_enabled`	No	Enable SCIM group provisioning. When enabled, Grafana will create, update, and delete teams based on SCIM requests from your identity provider. Cannot be enabled if Team Sync is enabled.	`false`
`reject_non_provisioned_users`	No	When enabled, prevents non-SCIM provisioned users from signing in. Cloud Portal users can always sign in regardless of this setting.	`false`

Supported identity providers

The following identity providers are supported:

How it works

The synchronization process works as follows:

Configure SCIM in both your identity provider and Grafana
Your identity provider sends SCIM requests to the Grafana SCIM API endpoint
Grafana processes these requests to create, update, or deactivate users and teams, and synchronize team memberships

Comparison with other sync methods

Grafana offers several methods for synchronizing users, teams, and roles. The following table compares SCIM with other synchronization methods to help you understand the advantages:

Sync Method	Users	Teams	Roles	Automation	Key Benefits	Limitations	On-Prem	Cloud
SCIM	✅	✅	⚠️	Full	Complete user and team lifecycle management with automatic team creation	Requires SAML authentication; uses Role Sync for basic roles	✅	✅
Team Sync	❌	⚠️	❌	Partial	Syncs team memberships to existing teams	Requires manual team creation; no team lifecycle management	✅	✅
Active LDAP Sync	✅	❌	❌	Full	Background synchronization of LDAP users	Limited to LDAP environments	✅	❌
Role Sync	❌	❌	✅	Full	Full automation of basic role assignment	Limited to basic roles only	✅	✅
Org Mapping	❌	❌	⚠️	Full	Full automation of basic role assignment per organization	Limited to basic roles only; on-premises only	⚠️	❌

Key advantages

Comprehensive user and team automation: SCIM provides full automation for user and team provisioning, while role management is handled separately through Role Sync
Dynamic team creation: Teams are created automatically based on identity provider groups
Near real-time synchronization: Changes in the identity provider are reflected based on the provider synchronization schedule
Enterprise-ready: Designed for large organizations with complex user management needs

Next steps

Manage multi-team access in a single Grafana instance

Fri, 03 Apr 2026 19:43:06 +0000

Manage multi-team access in a single Grafana instance

If your organization has multiple teams using Grafana, you can use a single Grafana Enterprise deployment or a single Grafana Cloud stack to manage access across teams using roles and folders. This approach reduces complexity, simplifies identity and access management, and facilitates cross-team collaboration.

Benefits

By using a single Grafana instance to manage access, you can:

Implement a unified SSO, establishing clear permissions.
Reduce setup and maintenance work, avoiding multi-stack complexity.
Centralize plugin configuration and management.
Ensure teams can access the right dashboards and data, avoiding stepping on or overwriting each other’s work.
Enable collaboration across teams. Teams are not isolated in silos and can discover and collaborate with each other’s work.
Optimize resource management. With shared spaces, like an “Everyone” folder, you can publish executive dashboards or cross-team metrics that all groups can benefit from, without duplicating it across stacks.

Example: Three teams, one stack

Consider the following setup of three teams:

Team A builds product features and needs autonomy with their own dashboards and data sources.
Team B handles data engineering and needs autonomy with their own dashboards.
Team C is the observability team and the admins of the Grafana stack.

Follow these suggested steps to structure, configure, and set permissions to access data in your Grafana instance:

Before you begin

For more information on how to install a Grafana instance:

If you’re using self-managed Grafana Enterprise, refer to Configure Grafana.
If you’re using Grafana Cloud, refer to Your Grafana Cloud stack.

Note
For guidance on when to use one stack versus multiple, refer to Stack architecture guidance.

Create teams and configure user access

After you’ve deployed your Grafana instance:

To follow the example in this doc, create three Grafana Teams and add them to the Grafana instance.
Determine the RBAC strategy for your organization. RBAC extends default Grafana roles, provides more granular access rights, and simplifies how to grant, modify, or revoke user access to Grafana resources, such as users and reports.
Assign each user to the relevant team. By default new users are granted the Viewer role.
Assign the Admin role to Team C so that they can manage all resources in the instance.

Design a folder structure to match your access needs

To design a folder setup that helps users quickly understand where to go, what they can access, and what they can manage:

Create an “Everyone” folder for shared items that all teams can manage, and grant teams Admin access to that folder.
For each team, create a folder that they can manage and grant them the fixed:teams:read fixed role. This means they can share items in their team folder with other teams, to encourage collaboration and learning from each other.
For Team C, create an “Admins” folder for sensitive content only Admins can access.
Optionally, create a personal folder for each team member so that they can work on draft content before moving it into their team folder when ready.

Configure data access based on team requirements

Next, focus on how teams interact with data to decide further access needs.

Shared baseline data access

Grant the datasources:explorer fixed role to all teams so they can use the Drilldown apps for easily exploring data sources.

However, you may need to protect data in shared resources. For example, all teams can be forwarding metrics to a shared data source, but not everyone needs to see all of the data. In this case, grant each team query access to the data relevant for them, based on label based access controls (LBAC) per team. This way, you’ll maintain a central observability pipeline but still preserve data separation.

Autonomous team data management

If any of your teams, Team A for example, need to build and manage their own data sources for product-specific use cases, grant the datasources:creator fixed role so they can create and manage their own data sources independently.

Resources at an instance level

Some Grafana resources, such as service accounts, alert contact points, Fleet Management collectors, and other feature resources, are not linked to teams but are managed at the stack level. For these type of resources, assign fixed roles to teams carefully.

For example, users working in Frontend Observability need a writer fixed role so that they can create and manage services.

Scale access management with Terraform and SSO

After you’ve made sure the model is working, you can codify it.

You can add any new users to your Grafana instance with an Identity Provider through SCIM. Use role sync to automatically assign users the correct basic role (Viewer, Editor, or Admin) based on their mapped attributes in the IdP..

You can also use Terraform to provision teams their folders, fixed roles, and shared data source LBAC rules. For example, if you need to add a new team (Team D), you only need to add the new team to Grafana and run the Terraform script, which will automatically set them up to start using Grafana.

Other resources

Read on to learn more about access management:

The Least privilege custom role explainer blog walks through how to design roles that keep things simple and safe, so your users have just the access they need.
See the LBAC for metrics data sources demo to learn how you can give every team a clear view of their own data while still benefiting from a shared pipeline.
The Introducing SCIM post covers how to connect Grafana to your identity provider, making it easy to bring new users on board and keep permissions in sync as your organization grows.

Configure Team Sync

Fri, 03 Apr 2026 19:43:06 +0000

Configure Team Sync

Team sync lets you set up synchronization between your auth providers teams and teams in Grafana. This enables LDAP, OAuth, or SAML users who are members of certain teams or groups to automatically be added or removed as members of certain teams in Grafana.

Note
Available in Grafana Enterprise and Grafana Cloud.

Grafana keeps track of all synchronized users in teams, and you can see which users have been synchronized in the team members list, see LDAP label in screenshot. This mechanism allows Grafana to remove an existing synchronized user from a team when its group membership changes. This mechanism also enables you to manually add a user as member of a team, and it will not be removed when the user signs in. This gives you flexibility to combine LDAP group memberships and Grafana team memberships.

Currently the synchronization only happens when a user logs in, unless LDAP is used with the active background synchronization.

Supported providers

Synchronize a Grafana team with an external group

If you have already grouped some users into a team, then you can synchronize that team with an external group.

In Grafana, navigate to Administration > Users and access > Teams.
Select a team.
Go to the External group sync tab, and click Add group.
Insert the value of the group you want to sync with. This becomes the Grafana GroupID. Examples:
- For LDAP, this is the LDAP distinguished name (DN) of LDAP group you want to synchronize with the team.
- For Auth Proxy, this is the value we receive as part of the custom Groups header.
Click Add group to save.

Group matching is case insensitive.

LDAP specific: wildcard matching

When using LDAP, you can use a wildcard (*) in the common name attribute (CN) to match any group in the corresponding Organizational Unit (OU).

Ex: cn=*,ou=groups,dc=grafana,dc=org can be matched by cn=users,ou=groups,dc=grafana,dc=org

Plan your IAM integration strategy on Grafana Labs

Configure authentication

Configure authentication

Configuring multiple identity providers

Using the same email address to login with different identity providers

Multi-factor authentication (MFA/2FA)

Login and short-lived tokens

Force logout

Session handling with SSO

OAuth/OpenID Connect

SAML

Settings

Extended authentication settings

Enable email lookup

Automatic OAuth login

Avoid automatic login

How to use

Hide sign-out menu

URL redirect after signing out

Remote logout

Protected roles

Configure SCIM provisioning

Configure SCIM provisioning

Benefits

Authentication and access requirements

Align SAML identifier with SCIM externalId

Configure SCIM using the Grafana user interface

Configure SCIM settings

Next steps

Configure SCIM using the configuration file

Example SCIM configuration

Configure SCIM using Terraform

Terraform SCIM configuration example

Terraform SCIM configuration options

Supported identity providers

How it works

Comparison with other sync methods

Key advantages

Next steps

Manage multi-team access in a single Grafana instance

Manage multi-team access in a single Grafana instance

Benefits

Example: Three teams, one stack

Before you begin

Create teams and configure user access

Design a folder structure to match your access needs

Configure data access based on team requirements

Shared baseline data access

Autonomous team data management

Resources at an instance level

Scale access management with Terraform and SSO

Other resources

Configure Team Sync

Configure Team Sync

Supported providers

Synchronize a Grafana team with an external group

LDAP specific: wildcard matching

Align SAML identifier with SCIM `externalId`