This is documentation for the next version of Grafana. For the latest stable release, go to the latest version.
Grafana documentation
Set up
Configure security
Configure SCIM provisioning
Configure SCIM with Azure ADConfigure SCIM with Azure AD
Note
Available in Grafana Enterprise and Grafana Cloud Advanced.
This guide explains how to configure SCIM provisioning with Azure AD to automate user and team management in Grafana.
Note
This feature is behind the
enableSCIMfeature toggle. You can enable feature toggles through configuration file or environment variables.For more information, refer to the feature toggles documentation.
Prerequisites
Before configuring SCIM with Azure AD, ensure you have:
- Grafana Enterprise or Grafana Cloud Advanced
- Admin access to both Grafana and Azure AD
- SAML authentication configured with Azure AD
- SCIM feature enabled in Grafana
Configure SCIM in Grafana
To enable SCIM provisioning in Grafana, create a service account and generate a service account token that will be used to authenticate SCIM requests from Azure AD.
Create a service account
- Navigate to Administration > User Access > Service accounts
- Click Add new service account
- Create a new access token and save it securely
- This token will be used in the Azure AD configuration
Configure SCIM in Azure AD
Configure the enterprise application in Azure AD to enable automated user and team synchronization with Grafana. This involves creating a new application and setting up both authentication and provisioning.
Create the enterprise application
- Open Azure Portal Entra ID (Azure AD)
- Click + Add dropdown
- Click Add Enterprise Application
- Click + Create Your Own Application
- Name the application and select non-gallery
Configure provisioning
- In the application overview, select Provisioning
- Click + New Configuration
- Configure the following settings:
- Tenant URL:
https://{grafana_url}/scim - Secret Token: Enter the service account token from Grafana
- Tenant URL:
- Click Test connection to verify the configuration
- Click Create to save the settings
Configure attribute mappings
Note
Only work email addresses are supported. Azure AD must be configured to use
emails[type eq "work"].valuefor email mapping.
Configure the following required attributes:
| Azure AD Attribute. | Grafana Attribute |
|---|---|
userPrincipalName | userName |
mail | emails[type eq "work"].value |
displayName | displayName |
Enable provisioning
- Set Provisioning Status to On
- Configure the following settings:
- Scope: Select which users and groups to sync
- Create users: Enabled
- Update users: Enabled
- Delete users: Convert to disabled
- Create groups: Enabled
- Update groups: Enabled
- Delete groups: Disabled
Configure group provisioning
To enable group synchronization:
- Navigate to the Groups tab in provisioning
- Enable Group provisioning
- Select the groups to synchronize with Grafana
- Save the changes
Test the integration
After completing the configuration:
- Test the SCIM connector in Azure AD
- Assign a test user to the application
- Verify the user is provisioned in Grafana
- Test group synchronization if configured
Troubleshooting
For common issues and solutions when working with SCIM provisioning, refer to the SCIM troubleshooting guide.
Was this page helpful?
Related resources from Grafana Labs
