Compare commits


23 Commits

Author SHA1 Message Date
Kim Nylander b82a89c34e [DOC] Add doc for critical path highlighting (#113194)
(cherry picked from commit 33b4d43248)
2025-10-31 15:16:27 +00:00
grafana-delivery-bot[bot] 75d12036b8 [release-12.2.2] PublicDashboards: Dont call API on dashboard page if public dashboards is disabled (#113282)
PublicDashboards: Dont call API on dashboard page if public dashboards is disabled (#113273)

(cherry picked from commit 452fc04d1d)

Co-authored-by: Matheus Macabu <macabu@users.noreply.github.com>
2025-10-31 11:30:38 +00:00
grafana-delivery-bot[bot] b344916377 [release-12.2.2] Annotations: Honor dashboardUID on dashboardsWithVisibleAnnotations (#113229)
Annotations: Honor dashboardUID on dashboardsWithVisibleAnnotations (#112350)

* Annotations: Honor dashboardUID on dashboardsWithVisibleAnnotations



---------


(cherry picked from commit 75a1846344)

Signed-off-by: Maicon Costa <maiconscosta@gmail.com>
Co-authored-by: maicon <maiconscosta@gmail.com>
2025-10-30 14:27:04 -03:00
grafana-delivery-bot[bot] eb0899aa9e [release-12.2.2] Docs: Plugins link to catalog (#113199)
Co-authored-by: Anna Urbiztondo <anna.urbiztondo@grafana.com>
2025-10-30 10:45:45 +01:00
grafana-delivery-bot[bot] a9d9dc264e [release-12.2.2] docs(alerting): clarify notification group deletion after group interval elapses (#113174)
docs(alerting): clarify notification group deletion after group interval elapses (#113160)

(cherry picked from commit 7eb8a9af99)

Co-authored-by: Pepe Cano <825430+ppcano@users.noreply.github.com>
2025-10-29 15:27:23 +00:00
grafana-delivery-bot[bot] 324ca8847c [release-12.2.2] Docs: Add query variable static options (#113169)
Co-authored-by: Isabel Matwawana <76437239+imatwawana@users.noreply.github.com>
2025-10-29 13:52:31 +00:00
grafana-delivery-bot[bot] c3460a4038 [release-12.2.2] docs(alerting): add additional migration details (#113165)
docs(alerting): add additional migration details (#112383)

(cherry picked from commit 86bf99aaaa)

Co-authored-by: Pepe Cano <825430+ppcano@users.noreply.github.com>
2025-10-29 13:14:25 +00:00
grafana-delivery-bot[bot] f639587fc9 [release-12.2.2] Update Git Sync and File provisioning status to private preview (#113162)
Co-authored-by: Irene Rodríguez <irene.rodriguez@grafana.com>
2025-10-29 14:07:25 +01:00
grafana-delivery-bot[bot] 6751fadc01 [release-12.2.2] Log TLS handshake EOF error as DEBUG instead INFO (#113098)
Log TLS handshake EOF error as DEBUG instead INFO (#112294)

* Log TLS handshake EOF error as DEBUG instead INFO



---------


(cherry picked from commit a75b01907d)

Signed-off-by: Maicon Costa <maiconscosta@gmail.com>
Co-authored-by: maicon <maiconscosta@gmail.com>
2025-10-28 16:07:06 -03:00
grafana-delivery-bot[bot] 0f6741ff29 [release-12.2.2] Docs: Admin tweaks - Edits, weights (#113089)
Co-authored-by: Anna Urbiztondo <anna.urbiztondo@grafana.com>
2025-10-28 13:24:16 +01:00
Irene Rodríguez d76881cc92 [release-12.2.2] Docs: Fix markdown syntax for config options table (#112846)
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Mihai Doarna <mihai.doarna@grafana.com>
Co-authored-by: jtvdez <jacob.valdez@grafana.com>
Fix markdown syntax for config options table (#112805)
2025-10-27 14:25:59 +00:00
grafana-delivery-bot[bot] c001d12745 [release-12.2.2] Docs: Update saved queries permissions for Viewer role (#112979)
Co-authored-by: Isabel Matwawana <76437239+imatwawana@users.noreply.github.com>
2025-10-24 15:38:34 -04:00
Jack Baldry 0a29332f80 [v12.2] Restructure IAM documentation (#112930) 2025-10-24 12:48:29 +01:00
grafana-delivery-bot[bot] 06482877cb [release-12.2.2] DOCS: Added a warning about using timezone with macros in MSSQL (#112909)
DOCS: Added a warning about using timezone with macros in MSSQL (#112900)

added warning about using timezone with macros in MSSQL

(cherry picked from commit 64f6bd5348)

Co-authored-by: Larissa Wandzura <126723338+lwandz13@users.noreply.github.com>
2025-10-23 21:31:13 +00:00
grafana-delivery-bot[bot] 7bbc1174d5 [release-12.2.2] pkg/build: Add nocgo option (#112882)
pkg/build: Add nocgo option (#112834)

Add nocgo option

(cherry picked from commit 2a0f149a63)

Co-authored-by: Kevin Minehart <5140827+kminehart@users.noreply.github.com>
2025-10-23 16:25:20 +00:00
grafana-delivery-bot[bot] c94396d80a [release-12.2.2] Dashboards: Return the correct model in openapi spec (#112872)
Return the correct model (#112858)

(cherry picked from commit 0ba040e866)

Co-authored-by: Selene <selenepinillos@gmail.com>
2025-10-23 17:59:22 +02:00
grafana-delivery-bot[bot] a46fcfc0c6 [release-12.2.2] Table: Update ad-hoc filter to use name instead of displayName (#112817) 2025-10-23 08:59:28 -04:00
grafana-delivery-bot[bot] 9990c74ab2 [release-12.2.2] Remove hipchat alert notification details (#112807)
Co-authored-by: Irene Rodríguez <irene.rodriguez@grafana.com>
2025-10-22 13:37:47 +00:00
grafana-delivery-bot[bot] 708fd7c6e8 [release-12.2.2] Docs: Added known limitations to SQL Expressions (#112760)
Docs: Added known limitations to SQL Expressions (#112676)

* initial new section creation

* added additional known limitations

* adding some clarification

(cherry picked from commit e5627bcc67)

Co-authored-by: Larissa Wandzura <126723338+lwandz13@users.noreply.github.com>
2025-10-21 16:39:07 -05:00
grafana-delivery-bot[bot] 470edab706 [release-12.2.2] docs(alerting): clarify usage of templates in webhook custom payloads (#112755)
docs(alerting): clarify usage of templates in webhook custom payloads (#112672)

* docs(alerting): clarify usage of templates in webhook custom payloads

* Update docs/sources/alerting/configure-notifications/template-notifications/manage-notification-templates.md



---------


(cherry picked from commit fb5c5411f8)

Co-authored-by: Pepe Cano <825430+ppcano@users.noreply.github.com>
Co-authored-by: Johnny Kartheiser <140559259+JohnnyK-Grafana@users.noreply.github.com>
2025-10-21 18:49:20 +00:00
grafana-delivery-bot[bot] 569738c316 [release-12.2.1] Alerting: Fix unmarshalling of GettableStatus to include time intervals (#112734)
Alerting: Fix unmarshalling of GettableStatus to include time intervals (#112602)

* move test files into test-data

* add test for the bug

* populate time-intervals of gettableStatus config

(cherry picked from commit 5f9a51418c)

Co-authored-by: Yuri Tseretyan <yuriy.tseretyan@grafana.com>
2025-10-21 13:27:31 -04:00
grafana-delivery-bot[bot] c66f019dfc [release-12.2.1] Include author in patch creation (#112696)
Include author in patch creation (#112675)

Include author in security mirror

(cherry picked from commit ef2e62c852)

Co-authored-by: Kevin Minehart <5140827+kminehart@users.noreply.github.com>
2025-10-21 18:08:21 +02:00
grafana-delivery-bot[bot] 576d2e3cb5 [release-12.2.1] Tag / content discrepancy (#111889)
Co-authored-by: Clément Duveau <clement@duveau.eu>
2025-10-21 14:41:38 +00:00
117 changed files with 1173 additions and 426 deletions
@@ -25,4 +25,5 @@ jobs:
patch_ref: "${{ github.base_ref }}" # this is the target branch name, Ex: "main"
patch_repo: "grafana/grafana-security-patches"
patch_prefix: "${{ github.event.pull_request.number }}"
sender: "${{ github.event.pull_request.user.login }}"
secrets: inherit # zizmor: ignore[secrets-inherit]
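Review bot: the new `sender: "${{ github.event.pull_request.user.login }}"` input, combined with `secrets: inherit` on the same job, means the called workflow receives both event-derived data and every repository secret, so the callee must treat `inputs.sender` strictly as data (read it from an `env:` variable rather than interpolating `${{ inputs.sender }}` into a `run:` script). The `# zizmor: ignore[secrets-inherit]` suppression silences the one lint that would flag this pairing; a short comment on why inheriting all secrets is required here (rather than listing the ones the patch-mirror job needs) would make the decision reviewable later.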
@@ -9,6 +9,7 @@ labels:
menuTitle: Announcement banner
title: Create and configure announcement banner
description: How to create an announcement banner to show important updates and information at the top of every Grafana page.
weight: 5500
---
# Create an announcement banner
@@ -8,7 +8,7 @@ labels:
- enterprise
- oss
title: Back up Grafana
weight: 80
weight: 100
menuTitle: Back up Grafana
---
@@ -1,45 +1,43 @@
---
aliases:
- ../cli/ # /docs/grafana/latest/cli/
description: Guide to using grafana server cli
description: Guide to using the Grafana server CLI
keywords:
- grafana
- cli
- grafana cli
- command line interface
- admin
labels:
products:
- enterprise
- oss
title: Grafana server CLI
weight: 1100
menuTitle: Admin with Grafana server CLI
weight: 4000
---
# Grafana server CLI
# Administer Grafana with the Grafana server CLI
Grafana server CLI is a small executable that's bundled with Grafana server.
You can run it on the same machine Grafana server is running on.
Grafana server CLI has `plugins` and `admin` commands, as well as global options.
You can administer your Grafana instance with the Grafana server CLI, a small executable bundled with Grafana server.
To list all commands and options:
The Grafana server CLI has `plugins` and `admin` commands, as well as global options. To list them, run:
```
grafana cli -h
```
## Run Grafana server CLI
For more details read on.
To run Grafana server CLI, add the path to the Grafana binaries in your `PATH` environment variable.
Alternately, if your current directory is the `bin` directory, run `./grafana cli`.
Otherwise, you can specify full path to the binary.
For example, on Linux `/usr/share/grafana/bin/grafana` and on Windows `C:\Program Files\GrafanaLabs\grafana\bin\grafana.exe`, and run it with `grafana cli`.
## Run the Grafana server CLI
{{< admonition type="note" >}}
Some commands, such as installing or removing plugins, require `sudo` on Linux.
If you're on Windows, run Windows PowerShell as Administrator.
{{< /admonition >}}
You can run the Grafana server CLI on the same machine Grafana server is running on.
## Grafana CLI command syntax
To run the CLI you have the following options:
- Add the path to the Grafana binaries in your `PATH` environment variable.
- If your current directory is the `bin` directory, run `./grafana cli`.
- Otherwise, you can specify full path to the binary. For example, `/usr/share/grafana/bin/grafana` on Linux and `C:\Program Files\GrafanaLabs\grafana\bin\grafana.exe` on Windows.
The general syntax for commands in Grafana server CLI is:
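Review bot: the third bullet of the new "To run the CLI" list drops the invocation that the replaced sentence carried ("... and run it with `grafana cli`"), so the full-path option now shows only the binary path and the reader has to infer the `cli` subcommand; suggest `/usr/share/grafana/bin/grafana cli` on Linux and the equivalent `grafana.exe cli` on Windows. The same bullet should read "specify the full path to the binary" rather than "specify full path".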
@@ -47,6 +45,11 @@ The general syntax for commands in Grafana server CLI is:
grafana cli [global options] command [command options] [arguments...]
```
{{< admonition type="note" >}}
Some commands, such as installing or removing plugins, require `sudo` on Linux.
If you're on Windows, run Windows PowerShell as Administrator.
{{< /admonition >}}
## Global options
Grafana server CLI allows you to temporarily override certain Grafana default settings. Except for `--help` and `--version`, most global options are only used by developers.
@@ -7,7 +7,7 @@ labels:
- enterprise
- oss
title: Correlations
weight: 900
weight: 6000
---
# Correlations
@@ -12,7 +12,7 @@ labels:
- enterprise
- cloud
title: Data source management
weight: 100
weight: 500
---
# Data source management
@@ -18,7 +18,7 @@ labels:
- enterprise
- oss
title: Grafana Enterprise license
weight: 500
weight: 5500
---
# Grafana Enterprise license
@@ -1,7 +1,7 @@
---
title: Grafana Advisor
description: Learn more about Grafana Advisor, the app to monitor the health of your Grafana instance
weight: 300
weight: 700
labels:
products:
- oss
@@ -9,6 +9,7 @@ keywords:
- Grafana OSS
menuTitle: Migrate from Grafana OSS/Enterprise to Grafana Cloud
title: Migrate from Grafana OSS/Enterprise to Grafana Cloud
weight: 7000
---
# Migrate from Grafana OSS/Enterprise to Grafana Cloud
@@ -54,7 +54,7 @@ Ensure you have the following:
## Upgrade Grafana OSS/Enterprise to the latest version
Grafana Cloud stacks generally run the latest version of Grafana. In order to avoid issues during migration, upgrade Grafana by following our guides [here](https://grafana.com/docs/grafana/latest/upgrade-guide/).
Grafana Cloud stacks generally run the latest version of Grafana. In order to avoid issues during migration, upgrade Grafana by following our guides [here](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/upgrade-guide/).
## Migrate Grafana resources
@@ -275,28 +275,28 @@ Grizzly does not currently support Reports and Playlists as a resource, so you c
### Migrate single sign-on configuration
Grafana Cloud stacks support all of the same authentication and authorization options as Grafana OSS/Enterprise, except for [anonymous authentication](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/anonymous-auth/) and use of the [Auth proxy](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/auth-proxy/). However, single sign-on settings cannot be exported and imported like dashboards, alerts, and other resources.
Grafana Cloud stacks support all of the same authentication and authorization options as Grafana OSS/Enterprise, except for [anonymous authentication](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/anonymous-auth/) and use of the [Auth proxy](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/auth-proxy/). However, single sign-on settings cannot be exported and imported like dashboards, alerts, and other resources.
To set up SAML authentication from scratch using Grafanas UI or API, follow [these instructions](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/saml-ui/) to Configure SAML authentication in Grafana.
To set up SAML authentication from scratch using Grafanas UI or API, follow [these instructions](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/saml/saml-ui/) to Configure SAML authentication in Grafana.
LDAP and OIDC/OAuth2 can only be configured in Grafana Cloud by the Grafana Labs support team. Follow [these instructions](https://grafana.com/docs/grafana-cloud/account-management/authentication-and-permissions/) to request SSO configuration from the support team.
### Migrate custom Grafana configuration
You may have customized the [configuration](https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/) of your Grafana OSS/Enterprise instance, for example with feature toggles, custom auth, or embedding options. Since Grafana configuration is stored in environment variables or the filesystem where Grafana runs, Grafana Cloud users do not have access to it. However, you can open a support ticket to ask a Grafana Labs support engineer for customizations.
You may have customized the [configuration](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-grafana/) of your Grafana OSS/Enterprise instance, for example with feature toggles, custom auth, or embedding options. Since Grafana configuration is stored in environment variables or the filesystem where Grafana runs, Grafana Cloud users do not have access to it. However, you can open a support ticket to ask a Grafana Labs support engineer for customizations.
The following customizations are available via support:
- Enabling [feature toggles](http://www.grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/feature-toggles).
- [Single sign-on and team sync using SAML, LDAP, or OAuth](http://www.grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication).
- Enable [embedding Grafana dashboards in other applications](https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#allow_embedding) for Grafana Cloud contracted customers.
- [Audit logging](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/audit-grafana/) ([Usage insights logs and dashboards](https://grafana.com/docs/grafana-cloud/account-management/usage-insights/) are available in select Grafana Cloud paid accounts).
- Enabling [feature toggles](http://www.grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-grafana/feature-toggles).
- [Single sign-on and team sync using SAML, LDAP, or OAuth](http://www.grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication).
- Enable [embedding Grafana dashboards in other applications](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-grafana/#allow_embedding) for Grafana Cloud contracted customers.
- [Audit logging](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/audit-grafana/) ([Usage insights logs and dashboards](https://grafana.com/docs/grafana-cloud/account-management/usage-insights/) are available in select Grafana Cloud paid accounts).
Note that the following custom configurations are not supported in Grafana Cloud:
- [Anonymous user access](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/anonymous-auth/).
- [Auth proxy](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/auth-proxy/).
- [Third-party database encryption](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-database-encryption/) and the [Hashicorp Vault](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-database-encryption/encrypt-secrets-using-hashicorp-key-vault/) integration.
- [Anonymous user access](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/anonymous-auth/).
- [Auth proxy](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/auth-proxy/).
- [Third-party database encryption](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-database-encryption/) and the [Hashicorp Vault](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-database-encryption/encrypt-secrets-using-hashicorp-key-vault/) integration.
- Running self-signed plugins, like custom-built data sources or visualizations. For more information on plugin signing, refer to our [developer documentation](https://grafana.com/developers/plugin-tools/publish-a-plugin/sign-a-plugin).
If you have a custom configuration in Grafana OSS/Enterprise that is not listed here, reach out to our support team to find out whether they can help you set it up.
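Review bot: the first two rewritten bullets under "available via support" still link over plain `http://www.grafana.com/...` while every other link in this hunk uses `https://grafana.com/...`; since the lines are being edited for the `<GRAFANA_VERSION>` placeholder anyway, switch them to HTTPS on the canonical host so the docs never point readers at an unencrypted redirect.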
@@ -14,7 +14,7 @@ labels:
- oss
menuTitle: Manage organizations
title: Manage organizations
weight: 200
weight: 3500
---
# Manage organizations
@@ -11,7 +11,7 @@ labels:
- enterprise
- oss
title: Organization preferences
weight: 500
weight: 3600
---
# Organization preferences
@@ -20,7 +20,7 @@ Plugins enhance your Grafana experience with new ways to connect to and visualiz
Read on for an overview on how to get started with plugins:
- Plugins are available in the [plugin catalog](#plugin-catalog). They can be built by Grafana Labs, commercial partners, our community, or you can [build a plugin yourself](/developers/plugin-tools).
- Plugins are available in the [plugin catalog](#access-the-plugin-catalog). They can be built by Grafana Labs, commercial partners, our community, or you can [build a plugin yourself](/developers/plugin-tools).
- There are three [types of plugins](#types-of-plugins): panel, data source, and app plugins.
- Learn [how to install](#install-a-plugin), [update](#update-a-plugin) and [verify](#verify-your-plugins) your plugins.
@@ -40,11 +40,11 @@ Grafana supports three types of plugins:
Read more in [Types of plugins](plugin-types).
## Plugin catalog
## Access the Plugin catalog
The Grafana plugin catalog allows you to browse and manage plugins from within Grafana. Only Grafana server administrators and Organization administrators can access and use the plugin catalog. For more information about Grafana roles and permissions, refer to [Roles and permissions](../roles-and-permissions/).
You can install and manage plugins from within Grafana. You need to have a Grafana Server administrator or Organization administrator role to access and use the plugin catalog. For more information about Grafana roles and permissions, refer to [Roles and permissions](../roles-and-permissions/).
The following access rules apply depending on the user role:
For app plugins, the following access rules apply:
- If you are an **Org Admin**, you can configure app plugins, but you can't install, uninstall, or update them.
- If you are a **Server Admin**, you can't configure app plugins, but you can install, uninstall, or update them.
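Review bot: the new opening sentence ("You can install and manage plugins from within Grafana. You need to have a Grafana Server administrator or Organization administrator role ...") reads as though either role can install plugins, but the bullets immediately below state that an **Org Admin** cannot install, uninstall, or update app plugins; suggest "You can browse and manage plugins from within Grafana" and using the same **Server Admin** / **Org Admin** spelling as the list so the role names match.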
@@ -58,6 +58,8 @@ To browse for available plugins:
1. Use the search box to filter based on name, keywords, organization and other metadata.
1. Click the **Data sources**, **Panels**, or **Applications** buttons to filter by plugin type.
If you're not logged in, you can also access the list of available plugins in the [Plugin catalog](https://grafana.com/grafana/plugins/).
## Manage your plugins
We strongly recommend running the latest plugin version. Use [Grafana Advisor](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/administration/grafana-advisor) to check the status of your data sources and plugins.
@@ -11,7 +11,8 @@ labels:
- enterprise
- oss
title: Provision Grafana
weight: 600
menuTitle: Provision Grafana
weight: 4100
---
# Provision Grafana
@@ -604,14 +605,6 @@ Grafana encrypts secure settings in the database.
| `singleEmail` | |
| `addresses` | |
#### Alert notification `hipchat`
| Name | Secure setting |
| -------- | -------------- |
| `url` | |
| `apikey` | |
| `roomid` | |
#### Alert notification `opsgenie`
| Name | Secure setting |
@@ -11,11 +11,12 @@ labels:
products:
- cloud
- enterprise
title: Recorded queries
weight: 300
title: Recorded queries (deprecated)
menuTitle: Recorded queries (deprecated)
weight: 9000
---
# DEPRECATED Recorded queries
# Recorded queries (deprecated)
{{< admonition type="warning" >}}
Recorded queries are deprecated. Please use the new [Grafana-managed recording rules](/docs/grafana/latest/alerting/alerting-rules/create-recording-rules/create-grafana-managed-recording-rules) instead.
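Review bot: the deprecation notice on the context line links to `/docs/grafana/latest/alerting/alerting-rules/...`, while the rest of this change series replaces `latest` with `<GRAFANA_VERSION>`; since the front matter of the same file is being edited, it would be consistent to update that link here too.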
@@ -12,7 +12,7 @@ labels:
- oss
- cloud
title: Roles and permissions
weight: 300
weight: 3100
---
# Roles and permissions
@@ -185,7 +185,7 @@ Assign fixed roles when the basic roles do not meet your permission requirements
- [Explore](/docs/grafana/<GRAFANA_VERSION>/explore/)
- [Feature Toggles](/docs/grafana/<GRAFANA_VERSION>/administration/feature-toggles/)
- [Folders](ref:dashboards-create-a-dashboard-folder)
- [LDAP](/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/ldap/)
- [LDAP](/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/ldap/)
- [Library panels](ref:dashboards-manage-library-panels)
- [Licenses](/docs/grafana/<GRAFANA_VERSION>/administration/stats-and-license/)
- [Organizations](/docs/grafana/<GRAFANA_VERSION>/administration/organization-management/)
@@ -82,7 +82,7 @@ For example:
1. Map SAML, LDAP, or Oauth roles to Grafana basic roles (viewer, editor, or admin).
2. Use the Grafana Enterprise team sync feature to synchronize teams from your SAML, LDAP, or Oauth provider to Grafana. For more information about team sync, refer to [Team sync](/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-team-sync/).
2. Use the Grafana Enterprise team sync feature to synchronize teams from your SAML, LDAP, or OAuth provider to Grafana. For more information about team sync, refer to [Team sync](/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-team-sync/).
3. Within Grafana, assign RBAC permissions to users and teams.
@@ -123,7 +123,7 @@ If you have a use case that you'd like to share, feel free to contribute to this
1. In Grafana, create a team with the name `Internal employees`.
1. Assign the `fixed:datasources:explorer` role to the `Internal employees` team.
1. Add internal employees to the `Internal employees` team, or map them from a SAML, LDAP, or Oauth team using [Team Sync](/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-team-sync/).
1. Add internal employees to the `Internal employees` team, or map them from a SAML, LDAP, or OAuth team using [Team Sync](/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-team-sync/).
1. Assign the viewer role to both internal employees and contractors.
### Limit viewer, editor, or admin permissions
@@ -15,6 +15,7 @@ labels:
- oss
menutitle: Search
title: Search
weight: 8000
---
# Grafana search
@@ -15,7 +15,7 @@ labels:
- cloud
menuTitle: Service accounts
title: Service accounts
weight: 800
weight: 4200
refs:
service-accounts:
- pattern: /docs/grafana/
@@ -16,7 +16,8 @@ labels:
- cloud
- enterprise
title: View server statistics and license
weight: 400
menutitle: Server stats and license
weight: 5000
---
# View server statistics and license
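Review bot: the added `menutitle: Server stats and license` uses a lowercase key, whereas the other front matter touched on this page uses `menuTitle` (for example `menuTitle: Service accounts` in the previous hunk); the same lowercase form appears on the Search page hunk. Even if the site generator treats the key case-insensitively, the mixed spelling defeats grep-based checks and reader expectations; suggest `menuTitle`.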
@@ -15,11 +15,11 @@ keywords:
- microservices
- architecture
menuTitle: Grafana Teams
title: Grafana Teams
weight: 100
title: Manage teams with Grafana Teams
weight: 2000
---
# Grafana Teams
# Manage teams with Grafana Teams
Grafana Teams makes it easy to organize and administer groups of users in your enterprise. Teams allows you to grant permissions to a group of users instead of granting permissions to individual users one at a time.
@@ -32,7 +32,7 @@ Before you begin creating and working with Grafana Teams:
Recommended for `isolated` teams.
- Viewer role - by default can view all resources. Recommended for `collaborative` teams.
- Ensure team sync is turned on if you plan to manage team members through team sync.
Refer to [Configure Team Sync](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-team-sync/) for a list of providers and instructions on how to turn on team sync for each provider.
Refer to [Configure Team Sync](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-team-sync/) for a list of providers and instructions on how to turn on team sync for each provider.
<!-- - Turn on nested folders. __This is a new feature, add when it goes live.__ -->
{{< admonition type="note" >}}
@@ -5,8 +5,8 @@ labels:
products:
- enterprise
- oss
title: User management
weight: 200
title: Manage users
weight: 3000
---
# User management
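Review bot: `title` is renamed to `Manage users`, but the H1 on the context line still reads `# User management`, unlike the other renames in this series (`Manage teams with Grafana Teams`, `Recorded queries (deprecated)`) where the heading was updated alongside the title; suggest changing the heading to match so the page title and its first heading agree.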
@@ -65,6 +65,10 @@ The copied rules are converted to Grafana-managed rules, preserving their behavi
The rule query offset is taken from the `query_offset` value in the rule group configuration. If empty, it defaults to the [`rule_query_offset` configuration setting](ref:configure-grafana-rule_query_offset), which is `1m` by default.
- **Rule query conversion**
For alert rules, adds `prometheus_math` and `threshold` expressions to preserve Prometheus no data behavior, ensuring the alert stays in **Normal** state when `query` returns no data.
- **Missing series evaluations to resolve**
The [Missing series evaluations to resolve](ref:missing_series_evaluations_to_resolve) setting is set to `1` to replicate Prometheuss alert eviction behavior.
@@ -241,17 +241,20 @@ The Alert object represents an alert included in the notification group, as prov
## Custom Payload
The `Custom Payload` option allows you to completely customize the webhook payload using [templates](ref:notification-templates). This gives you full control over the structure and content of the webhook request.
For detailed information about how to create and manage notification templates, refer to [notification templates](ref:notification-templates).
{{< admonition type="note" >}}
Custom Payload is not yet [generally available](https://grafana.com/docs/release-life-cycle/#general-availability) in Grafana Cloud.
- When using Custom Payload, the [`Title` and `Message` fields](#optional-notification-settings) are ignored as the entire payload structure is determined by your template.
- Custom Payload is not yet [generally available](https://grafana.com/docs/release-life-cycle/#general-availability) in Grafana Cloud.
{{< /admonition >}}
The `Custom Payload` option allows you to completely customize the webhook payload using templates. This gives you full control over the structure and content of the webhook request.
| Option | Description |
| ----------------- | --------------------------------------------------------------------------------------------------------- |
| Payload Template | Template string that defines the structure of the webhook payload. |
| Payload Template | [Notification template](ref:notification-templates) that defines the structure of the webhook payload. |
| Payload Variables | Key-value pairs that define additional variables available in the template under `.Vars.<variable_name>`. |
Example of a custom payload template that includes variables:
@@ -265,10 +268,6 @@ Example of a custom payload template that includes variables:
}
```
{{< admonition type="note" >}}
When using Custom Payload, the Title and Message fields are ignored as the entire payload structure is determined by your template.
{{< /admonition >}}
### JSON Template Functions
When creating custom payloads, several template functions are available to help generate valid JSON structures. These include functions for creating dictionaries (`coll.Dict`), arrays (`coll.Slice`, `coll.Append`), and converting between JSON strings and objects (`data.ToJSON`, `data.JSON`).
@@ -62,6 +62,8 @@ To add an existing notification template to your contact point, complete the fol
1. Click **Save contact point**.
You can create custom notification templates using the **Enter custom message** tab. For reusable and consistent notifications, a best practice is to custom notification templates as described in the following section.
## Create a notification template and notification template group
Create notification templates to customize notification messages and reuse them in contact points.
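Review bot: the added sentence "a best practice is to custom notification templates as described in the following section" is missing its verb; suggest "a best practice is to create custom notification templates as described in the following section".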
@@ -159,7 +159,9 @@ Once the first notification has been sent for a new group of alerts, the group i
When the group interval timer elapses, the system resets the group interval timer and sends a notification only if there were group changes. This process repeats until there are no more alerts.
It's important to note that an alert instance exits the group after being resolved and notified of its state change. When no alerts remain, the group is deleted, and then the group wait timer handles the first notification for the next incoming alert once again.
It's important to note that an alert instance exits the group after being resolved and notified of its state change.
When the group interval timer elapses and no alerts remain, the group is deleted. The [group wait timer](#group-wait) will then start again the next time a new alert arrives.
### Repeat interval
@@ -193,7 +193,7 @@ We strongly recommend not doing this in case you are using Azure AD as an identi
#### Learn more
- [CVE-2023-3128 Advisory](https://grafana.com/security/security-advisories/cve-2023-3128//)
- [Enable email lookup](../../setup-grafana/configure-security/configure-authentication/)
- [Enable email lookup](../../setup-grafana/configure-access/configure-authentication/)
### The "Alias" field in the CloudWatch data source is removed
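Review bot: the CVE-2023-3128 advisory link on the context line ends in a doubled slash (`cve-2023-3128//`); since the adjacent "Enable email lookup" line is being edited anyway, this is a good moment to drop the extra slash.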
@@ -57,7 +57,7 @@ In Grafana v11, support for the deprecated AngularJS framework is turned off by
#### Migration/mitigation
To avoid disruption, ensure all plugins are up to date and migrate from any remaining AngularJS plugins to a React-based alternative. If a plugin relies on AngularJS, a warning icon and message will be displayed in the [plugins catalog](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/administration/plugin-management/#plugin-catalog) in Grafana and any dashboard panel where it's used. Additionally, a warning banner will appear in any impacted dashboards. A list of all impacted dashboards can also be generated using the [`detect-angular-dashboards`](https://github.com/grafana/detect-angular-dashboards) tool.
To avoid disruption, ensure all plugins are up to date and migrate from any remaining AngularJS plugins to a React-based alternative. If a plugin relies on AngularJS, a warning icon and message will be displayed in the [plugins catalog](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/administration/plugin-management/#access-the-plugin-catalog) in Grafana and any dashboard panel where it's used. Additionally, a warning banner will appear in any impacted dashboards. A list of all impacted dashboards can also be generated using the [`detect-angular-dashboards`](https://github.com/grafana/detect-angular-dashboards) tool.
Our [documentation](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/developers/angular_deprecation/angular-plugins/) lists all known public plugins and provides migration advice when possible.
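Review bot: the replacement fragment `#access-the-plugin-catalog` on the plugins-catalog link should be checked against the heading that actually exists on the plugin-management page; nothing in this hunk shows the target, and the old `#plugin-catalog` fragment presumably worked until that heading was renamed. A fragment that does not exist fails silently (the page loads scrolled to the top), so link checkers usually do not catch it.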
@@ -81,7 +81,7 @@ Turn off anonymous access, and consider using public dashboards to allow view-on
#### Learn more
[Anonymous access documentation](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/grafana/#anonymous-authentication)
[Anonymous access documentation](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/grafana/#anonymous-authentication)
### Legacy alerting is entirely removed
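Review bot: the `Learn more` entry under anonymous access is a bare link on its own line, while the equivalent `Learn more` section earlier in this file (the CVE-2023-3128 hunk) uses a bulleted list; since the line is being touched, make it `- [Anonymous access documentation](...)` for consistency.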
@@ -158,19 +158,10 @@ Query expressions are different for each data source. For more information, refe
1. [Enter general options](#enter-general-options).
1. Under the **Query options** section of the page, select a target data source in the **Data source** drop-down list.
You can also click **Open advanced data source picker** to see more options, including adding a data source (Admins only).
For more information about data sources, refer to [Add a data source](ref:add-a-data-source).
1. In the **Query type** drop-down list, select one of the following options:
- **Label names**
- **Label values**
- **Metrics**
- **Query result**
- **Series query**
- **Classic query**
1. In the **Query** field, enter a query.
1. In the **Query type** drop-down list, select an option and fill in the query fields accordingly.
- The query field varies according to your data source. Some data sources have custom query editors.
- Each data source defines how the variable values are extracted. The typical implementation uses every string value returned from the data source response as a variable value. Make sure to double-check the documentation for the data source.
- Some data sources let you provide custom "display names" for the values. For instance, the PostgreSQL, MySQL, and Microsoft SQL Server plugins handle this by looking for fields named `__text` and `__value` in the result. Other data sources may look for `text` and `value` or use a different approach. Always remember to double-check the documentation for the data source.
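Review bot: the rewritten step `In the **Query type** drop-down list, select an option and fill in the query fields accordingly` drops the explicit list of query types (`Label names`, `Label values`, `Metrics`, `Query result`, `Series query`, `Classic query`) and the separate `Query` field step. If those types belong to one specific data source, say so in the replacement sentence (for example, that the available types depend on the selected data source) so readers do not look for a list that is no longer documented; as written, `select an option` gives no hint of what the options are.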
@@ -182,9 +173,15 @@ Query expressions are different for each data source. For more information, refe
- **On dashboard load** - Queries the data source every time the dashboard loads. This slows down dashboard loading, because the variable query needs to be completed before dashboard can be initialized.
- **On time range change** - Queries the data source every time the dashboard loads and when the dashboard time range changes. Use this option if your variable options query contains a time range filter or is dependent on the dashboard time range.
1. (Optional) In the **Static options** section of the page, toggle on the **Use static options** switch to add custom options in addition to the query results:
- Make entries in the **Value** and **Display text** fields.
- Click **+ Add new option** to add another static option.
- Repeat these steps as many times as needed.
1. (Optional) Configure the settings in the [Selection Options](#configure-variable-selection-options) section:
- **Multi-value** - Enables multiple values to be selected at the same time.
- **Include All option** - Enables an option to include all variables.
- **Allow custom values** - Enables users to add custom values to the list.
- **Include All option** - Enables an option to include all variables. Enter a value in the **Custom all value** field to set your own "all" option.
1. In the **Preview of values** section, Grafana displays a list of the current variable values. Review them to ensure they match what you expect.
1. Click **Save dashboard**.
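Review bot: the new `Static options` step ends with `Repeat these steps as many times as needed`, but the two bullets above it are not a sequence of steps (one fills in two fields, the other clicks `+ Add new option`); `Repeat to add as many static options as you need` reads more accurately. Moving `Include All option` after `Allow custom values` and folding in the `Custom all value` sentence is fine, but its description `Enables an option to include all variables` should say `all values`, since the option selects every value of this variable, not other variables.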
+1 -2

@@ -71,9 +71,8 @@ After you add and configure a data source, you can use it as an input for many o
This documentation describes how to manage data sources in general,
and how to configure or query the built-in data sources.
For other data sources, refer to the list of [datasource plugins](/grafana/plugins/).
To develop a custom plugin, refer to [Create a data source plugin](#create-a-data-source-plugin).
For other available plugins, refer to the list of [documented plugins](https://grafana.com/docs/plugins/) or browse the [Plugin catalog](/grafana/plugins/). To develop a custom plugin, refer to [Create a data source plugin](#create-a-data-source-plugin).
## Manage data sources
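Review bot: the replacement sentence links `Plugin catalog` to `/grafana/plugins/`, the same path the removed line labelled `datasource plugins`, so the link now lists every plugin type rather than only data sources; if the catalog can be filtered by type, point at the data-source view, otherwise keep the qualifier in the link text (for example `data source plugins in the Plugin catalog`). `documented plugins` and `Plugin catalog` are also two different destinations, and a short clause saying which to use when would help readers.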
@@ -41,9 +41,9 @@ refs:
destination: /docs/grafana/<GRAFANA_VERSION>/explore/
configure-grafana-azure-auth:
- pattern: /docs/grafana/
destination: /docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/azuread/
destination: /docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/azuread/
- pattern: /docs/grafana-cloud/
destination: /docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/azuread/
destination: /docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/azuread/
build-dashboards:
- pattern: /docs/grafana/
destination: /docs/grafana/<GRAFANA_VERSION>/dashboards/build-dashboards/
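Review bot: the `configure-grafana-azure-auth` destinations for both the `/docs/grafana/` and `/docs/grafana-cloud/` patterns switch to `configure-access`, but the page that used to live under `configure-security/configure-authentication/azuread/` needs an alias for the old path, or every external bookmark and older release note pointing there breaks; the `aliases:` block added to the planning-iam-strategy page later in this diff is the pattern to follow. The `/docs/grafana-cloud/` pattern still resolves to a `/docs/grafana/<GRAFANA_VERSION>/` destination (unchanged context), which may be intended but is worth a second look while the block is open.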
@@ -61,9 +61,9 @@ refs:
destination: /docs/grafana/<GRAFANA_VERSION>/administration/data-source-management/
configure-grafana-azure-auth-scopes:
- pattern: /docs/grafana/
destination: /docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/azuread/#enable-azure-ad-oauth-in-grafana
destination: /docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/azuread/#enable-azure-ad-oauth-in-grafana
- pattern: /docs/grafana-cloud/
destination: /docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/azuread/#enable-azure-ad-oauth-in-grafana
destination: /docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/azuread/#enable-azure-ad-oauth-in-grafana
---
# Azure Monitor data source
+2 -2
@@ -38,9 +38,9 @@ refs:
destination: /docs/grafana/<GRAFANA_VERSION>/dashboards/build-dashboards/
configure-authentication:
- pattern: /docs/grafana/
destination: /docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/
destination: /docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/
- pattern: /docs/grafana-cloud/
destination: /docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/
destination: /docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/
data-source-management:
- pattern: /docs/grafana/
destination: /docs/grafana/<GRAFANA_VERSION>/administration/data-source-management/
@@ -39,9 +39,9 @@ refs:
destination: /docs/grafana/<GRAFANA_VERSION>/dashboards/build-dashboards/
configure-authentication:
- pattern: /docs/grafana/
destination: /docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/
destination: /docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/
- pattern: /docs/grafana-cloud/
destination: /docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/
destination: /docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/
data-source-management:
- pattern: /docs/grafana/
destination: /docs/grafana/<GRAFANA_VERSION>/administration/data-source-management/
@@ -146,6 +146,10 @@ To simplify syntax and to allow for dynamic components, such as date range filte
Use macros in the `SELECT` clause to simplify the creation of time series queries.
From the **Data operations** drop-down, choose a macro such as `$\_\_timeGroup` or `$\_\_timeGroupAlias`. Then, select a time column from the **Column** drop-down and a time interval from the **Interval** drop-down. This generates a time-series query based on your selected time grouping.
{{< admonition type="warning" >}}
Time macros (`$__time`, `$__timeFilter`, etc.) don't support time zone parameters in Microsoft SQL Server and always expand to UTC values. If your timestamps aren't stored in UTC (common with `datetime`/`datetime2` types), convert them to UTC in your SQL query using `AT TIME ZONE … AT TIME ZONE 'UTC'` rather than passing a time zone argument to a macro.
{{< /admonition >}}
| **Macro** | **Description** |
| ------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `$__time(dateColumn)` | Renames the specified column to `_time`. <br/>Example: `dateColumn AS time` |
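Review bot: the context line above the new admonition still writes the macro names as `$\_\_timeGroup` and `$\_\_timeGroupAlias` inside backticks; within a code span the backslashes render literally, so readers see `$\_\_timeGroup` rather than `$__timeGroup`. The added warning writes them correctly (`$__time`, `$__timeFilter`), so fix the older line to match. In the warning itself, `AT TIME ZONE … AT TIME ZONE 'UTC'` would be clearer with the source zone spelled out as a placeholder in the first position, since the ellipsis hides which zone goes first.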
@@ -99,15 +99,15 @@ After creating a Azure Monitor Managed Service for Prometheus data source:
1. In the data source configuration page, locate the **Authentication** section
2. Select your authentication method:
- **Managed Identity**: For Azure-hosted Grafana instances. To learn more about Entra login for Grafana, refer to [Configure Azure AD/Entra ID OAuth authentication](/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/azuread/#configure-azure-adentra-id-oauth-authentication)
- **Managed Identity**: For Azure-hosted Grafana instances. To learn more about Entra login for Grafana, refer to [Configure Entra ID/Entra ID OAuth authentication](/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/azuread/#configure-azure-adentra-id-oauth-authentication)
- **App Registration**: For service principal authentication
- **Current User**: Uses the current user's Azure AD credentials
- **Current User**: Uses the current user's Entra ID credentials
3. Configure based on your chosen method:
| Setting | Description | Example |
| --------------------------- | ------------------------------- | -------------------------------------- |
| **Directory (tenant) ID** | Your Azure AD tenant ID | `12345678-1234-1234-1234-123456789012` |
| **Directory (tenant) ID** | Your Entra ID tenant ID | `12345678-1234-1234-1234-123456789012` |
| **Application (client) ID** | Your app registration client ID | `87654321-4321-4321-4321-210987654321` |
| **Client secret** | Your app registration secret | `your-client-secret` |
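Review bot: the renamed link text `Configure Entra ID/Entra ID OAuth authentication` repeats `Entra ID`; the old text was `Azure AD/Entra ID`, so the intended replacement is `Configure Entra ID OAuth authentication`. The fragment `#configure-azure-adentra-id-oauth-authentication` still encodes the old heading, so either the heading on the azuread page kept its old wording (then the fragment is correct) or it was renamed along with this text (then the fragment is stale); check which. The table rows and the `Current User` bullet rename cleanly.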
@@ -27,16 +27,16 @@ The most basic example for a dashboard for which there is no authentication. You
curl http://localhost:3000/api/search
```
Here's a cURL command that works for getting the home dashboard when you are running Grafana locally with [basic authentication](/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/#basic-auth) enabled using the default admin credentials:
Here's a cURL command that works for getting the home dashboard when you are running Grafana locally with [basic authentication](/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/#basic-auth) enabled using the default admin credentials:
```
curl http://admin:admin@localhost:3000/api/search
```
To pass a username and password with [HTTP basic authorization](/docs/grafana/latest/administration/roles-and-permissions/access-control/manage-rbac-roles/), encode them as base64.
To pass a username and password with [HTTP basic authorization](/docs/grafana/<GRAFANA_VERSION>/administration/roles-and-permissions/access-control/manage-rbac-roles/), encode them as base64.
You can't use authorization tokens in the request.
For example, to [list permissions associated with roles](/docs/grafana/latest/administration/roles-and-permissions/access-control/manage-rbac-roles/) given a username of `user` and password of `password`, use:
For example, to [list permissions associated with roles](/docs/grafana/<GRAFANA_VERSION>/administration/roles-and-permissions/access-control/manage-rbac-roles/) given a username of `user` and password of `password`, use:
```
curl --location '<grafana_url>/api/access-control/builtin-roles' --user 'user:password'
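Review bot: the link text `HTTP basic authorization` in the `To pass a username and password...` sentence points at the `manage-rbac-roles` page (as does `list permissions associated with roles` two lines later), but that page documents RBAC roles, not basic auth; the `#basic-auth` anchor used in the first sentence of this hunk is the right target for the first of the two. The surrounding text is also slightly contradictory: it says to base64-encode the credentials, then the example uses `--user 'user:password'`, which has curl build the header for you. A short note that `--user` does the encoding would reconcile the two. The hunk only updates links, so these can be a follow-up, but they sit on the lines being edited.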
@@ -25,7 +25,7 @@ title: SSO Settings API
The API can be used to create, update, delete, get, and list SSO Settings for OAuth2 and SAML.
The settings managed by this API are stored in the database and override
[settings from other sources](../../../setup-grafana/configure-security/configure-authentication/)
[settings from other sources](../../../setup-grafana/configure-access/configure-authentication/)
(arguments, environment variables, settings file, etc).
Therefore, every time settings for a specific provider are removed or reset to the default settings at runtime,
the settings are inherited from the other sources in the reverse order of precedence
+9 -4
@@ -40,7 +40,7 @@ For information on how to use the query editor to create queries for tracing dat
## Trace view
Grafana's trace view provides an overview of a request as it travels through your system. The following sections provide detail on various elements of the trace view.
The trace view provides an overview of a request as it travels through your system. The following sections provide detail on various elements of the trace view.
{{< figure src="/media/docs/tempo/screenshot-grafana-trace-view.png" class="docs-image--no-shadow" max-width= "900px" caption="Trace view" >}}
@@ -74,6 +74,14 @@ Click anywhere on the span row to reveal span details.
{{< figure src="/media/docs/tempo/screenshot-grafana-trace-view-timeline.png" class="docs-image--no-shadow" max-width= "900px" caption="Trace view timeline" >}}
The **Span duration bar** highlights the traces critical path with a darker segment. This darker segment means the span lies on the traces critical path, following the CRISP (Critical Path for Service Performance) algorithm.
Use the highlight to focus on spans that drive endtoend latency. Spans outside the critical path do not increase the trace duration.
{{< figure src="/media/docs/grafana/explore/traces-panel-critical-path.png" class="docs-image--no-shadow" max-width= "900px" caption="Critical path span" >}}
You can also focus on this path by clicking the **Show critical path only** button in the **Span filters** options.
### Span details
Traces are composed of one or more spans.
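Review bot: the new critical-path paragraph has two typos in the added lines: `traces critical path` (twice) should be `trace's critical path`, and `endtoend latency` should be `end-to-end latency`. The first sentence also says the same thing twice (`highlights the traces critical path with a darker segment. This darker segment means the span lies on the traces critical path`); one sentence stating that the darker segment marks spans on the critical path, as computed by the CRISP algorithm, is enough. Consider linking `CRISP (Critical Path for Service Performance)` to its reference, since readers will not know the acronym.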
@@ -128,9 +136,6 @@ To only show the spans you have matched, toggle **Show matches only**.
Refer to [Span filters](/docs/grafana/<GRAFANA_VERSION>/datasources/tempo/span-filters/) for more in depth information.
Watch the following video to learn more about filtering trace spans in Grafana:
{{< youtube id="VP2XV3IIc80" >}}
### Trace to logs
You can navigate from a span in a trace view directly to logs relevant for that span.
+2 -2
@@ -16,7 +16,7 @@ weight: 5
[Grafana open source software](/oss/) enables you to query, visualize, alert on, and explore your metrics, logs, and traces wherever they are stored. Grafana OSS provides you with tools to turn your time-series database (TSDB) data into insightful graphs and visualizations. The Grafana OSS plugin framework also enables you to connect other data sources like NoSQL/SQL databases, ticketing tools like Jira or ServiceNow, and CI/CD tooling like GitLab.
After you have [installed Grafana](../setup-grafana/installation/) and set up your first dashboard using instructions in [Getting started with Grafana](../getting-started/build-first-dashboard/), you will have many options to choose from depending on your requirements. For example, if you want to view weather data and statistics about your smart home, then you can create a [playlist](../dashboards/create-manage-playlists/). If you are the administrator for an enterprise and are managing Grafana for multiple teams, then you can set up [provisioning](../administration/provisioning/) and [authentication](../setup-grafana/configure-security/configure-authentication/).
After you have [installed Grafana](../setup-grafana/installation/) and set up your first dashboard using instructions in [Getting started with Grafana](../getting-started/build-first-dashboard/), you will have many options to choose from depending on your requirements. For example, if you want to view weather data and statistics about your smart home, then you can create a [playlist](../dashboards/create-manage-playlists/). If you are the administrator for an enterprise and are managing Grafana for multiple teams, then you can set up [provisioning](../administration/provisioning/) and [authentication](../setup-grafana/configure-access/configure-authentication/).
The following sections provide an overview of Grafana features and links to product documentation to help you learn more. For more guidance and ideas, check out our [Grafana Community forums](https://community.grafana.com/).
@@ -54,7 +54,7 @@ Discover hundreds of [dashboards](/grafana/dashboards) and [plugins](/grafana/pl
## Authentication
Grafana supports different authentication methods, such as LDAP and OAuth, and allows you to map users to organizations. Refer to the [User authentication overview](../setup-grafana/configure-security/configure-authentication/) for more information.
Grafana supports different authentication methods, such as LDAP and OAuth, and allows you to map users to organizations. Refer to the [User authentication overview](../setup-grafana/configure-access/configure-authentication/) for more information.
In Grafana Enterprise, you can also map users to teams: If your company has its own authentication system, Grafana allows you to map the teams in your internal systems to teams in Grafana. That way, you can automatically give people access to the dashboards designated for their teams. Refer to [Grafana Enterprise](grafana-enterprise/) for more information.
+13 -13
@@ -29,31 +29,31 @@ Grafana Enterprise includes integrations with more ways to authenticate your use
### Team sync
[Team sync](/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-team-sync/) allows you to set up synchronization between teams in Grafana and teams in your auth provider so that your users automatically end up in the right team.
[Team sync](/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-team-sync/) allows you to set up synchronization between teams in Grafana and teams in your auth provider so that your users automatically end up in the right team.
Supported auth providers:
- [Auth Proxy](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/auth-proxy#team-sync-enterprise-only)
- [Azure AD OAuth](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/azuread/#team-sync-enterprise-only)
- [GitHub OAuth](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/github/#configure-team-synchronization)
- [Generic OAuth integration](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/generic-oauth/#configure-team-synchronization)
- [GitLab OAuth](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/gitlab/#configure-team-synchronization)
- [Google OAuth](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/google/#configure-team-synchronization)
- [LDAP](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/enhanced-ldap/#ldap-group-synchronization-for-teams)
- [Okta](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/okta#configure-team-synchronization-enterprise-only)
- [SAML](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/saml#configure-team-sync)
- [Auth Proxy](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/auth-proxy#team-sync-enterprise-only)
- [Entra ID OAuth](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/azuread/#team-sync-enterprise-only)
- [GitHub OAuth](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/github/#configure-team-synchronization)
- [Generic OAuth integration](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/generic-oauth/#configure-team-synchronization)
- [GitLab OAuth](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/gitlab/#configure-team-synchronization)
- [Google OAuth](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/google/#configure-team-synchronization)
- [LDAP](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/enhanced-ldap/#ldap-group-synchronization-for-teams)
- [Okta](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/okta#configure-team-synchronization-enterprise-only)
- [SAML](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/saml#configure-team-sync)
### Enhanced LDAP integration
With [enhanced LDAP integration](/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/enhanced-ldap/), you can set up active LDAP synchronization.
With [enhanced LDAP integration](/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/enhanced-ldap/), you can set up active LDAP synchronization.
### SAML authentication
[SAML authentication](/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/saml/) enables users to authenticate with single sign-on services that use Security Assertion Markup Language (SAML).
[SAML authentication](/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/saml/) enables users to authenticate with single sign-on services that use Security Assertion Markup Language (SAML).
### Protected roles
With [protected roles](/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/#protected-roles), you can define user roles that are exempt from being converted from one authentication type to another when changing auth providers.
With [protected roles](/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/#protected-roles), you can define user roles that are exempt from being converted from one authentication type to another when changing auth providers.
## Enterprise features
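Review bot: the nine team-sync links move from `configure-security` to `configure-access` consistently and `Azure AD OAuth` becomes `Entra ID OAuth`, but the list mixes URL forms: `auth-proxy#team-sync-enterprise-only`, `okta#configure-team-synchronization-enterprise-only` and `saml#configure-team-sync` have no trailing slash before the fragment while the others use `/#`; since every line is being rewritten, normalise them to one form so the fragment is not applied after a redirect. The `Protected roles` link in the same hunk deserves the same fragment check, because a non-resolving fragment there drops readers at the top of a long authentication page.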
+3 -2
@@ -12,6 +12,7 @@ labels:
products:
- enterprise
- oss
- cloud
title: Observability as Code
weight: 100
cards:
@@ -32,11 +33,11 @@ cards:
height: 24
href: ./foundation-sdk/
description: The Grafana Foundation SDK is a set of tools, types, and libraries that let you define Grafana dashboards and resources using strongly typed code.
- title: Git Sync (experimental)
- title: Git Sync (private preview)
height: 24
href: ./provision-resources/intro-git-sync/
description: Git Sync is an experimental feature that lets you store your dashboard files in a GitHub repository and synchronize those changes with your Grafana instance.
- title: File provisioning (experimental)
- title: File provisioning (private preview)
height: 24
href: ./provision-resources/
description: File provisioning in Grafana lets you include resources, including folders and dashboard JSON files, that are stored in a local file system.
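Review bot: the card titles change `(experimental)` to `(private preview)`, but the `description:` line for Git Sync (an unchanged context line directly below) still says `Git Sync is an experimental feature`; update it in the same change so the card does not label the feature two different ways, and give the File provisioning description the same check.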
@@ -177,7 +177,6 @@ To save a query you've created:
- No validation is performed when you save a query, so it's possible to save an invalid query. You should confirm the query is working properly before you save it.
- Saved queries are currently accessible from the query editors in Dashboards and Explore.
- You can save a maximum of 1000 queries.
- Users with the Viewer role who have access to Explore can use saved queries, but can't write them.
- If you have multiple queries open in Explore and you edit one of them by way of the **Edit in Explore** function in the **Saved queries** drawer, the edited query replaces your open queries in Explore.
### Special data sources
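Review bot: removing the bullet `Users with the Viewer role who have access to Explore can use saved queries, but can't write them` leaves the section with no statement of who can read and who can write saved queries. If the behaviour changed, the sentence stating the new rule belongs here, because this is the line administrators use to reason about what a Viewer can do; if it was removed because it was wrong, the commit message should say what the correct behaviour is.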
@@ -60,12 +60,6 @@ A key capability of SQL expressions is the ability to JOIN data from multiple ta
To work with SQL expressions, you must use data from a backend data source. In Grafana, a backend data source refers to a data source plugin or integration that communicates with a database, service, or API through the Grafana server, rather than directly from the browser (frontend).
## Known limitations
- Currently, only one SQL expression is supported per panel or alert.
- Grafana supports certain data sources. Refer to [compatible data sources](#compatible-data-sources) for a current list.
- Autocomplete is available, but column/field autocomplete is only available after enabling the `sqlExpressionsColumnAutoComplete` feature toggle, which is provided on an experimental basis.
## Compatible data sources
The following are compatible data sources:
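Review bot: this hunk deletes the `## Known limitations` section from its place after the backend-data-source paragraph and a later hunk re-adds it further down; make sure only one copy remains once both apply, and check that nothing refers to the section by position (the `#known-limitations` fragment survives the move, so fragment links are fine).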
@@ -238,6 +232,81 @@ During conversion:
- The `metric_name` column stores the raw metric identifier.
- For time series data, Grafana includes a `time` column with timestamps
## Known limitations
- Currently, only one SQL expression is supported per panel or alert.
- Grafana supports certain data sources. Refer to [compatible data sources](#compatible-data-sources) for a current list.
- Autocomplete is available, but column/field autocomplete is only available after enabling the `sqlExpressionsColumnAutoComplete` feature toggle, which is provided on an experimental basis.
### Schema changes and missing data
SQL expressions have known limitations that may cause queries to fail or return unexpected results. These constraints are inherent to how the feature is implemented and should be understood when building queries.
The following situations are affected:
- Error responses When a data source query returns an error, SQL expressions cannot interpret the result.
- No data responses If a query returns no rows, the SQL expression engine cannot infer a schema.
- Dynamic schema responses If the set of columns or labels changes between query executions, SQL expressions may fail because it treats column changes as schema changes.
SQL expressions are powered by an embedded SQL engine where each query result is treated as a table. The schema of that table is derived from the columns returned by the underlying data source.
Unlike traditional SQL databases, where schemas are usually fixed, many Grafana data sources (for example, Prometheus) can return results with varying label sets or no data at all.
When this happens:
- A missing column appears to the SQL engine as if it doesnt exist.
- A completely empty result provides no schema for subsequent SQL operations.
- Error responses break the assumption that the query returns tabular data.
As a result, SQL expressions cant gracefully handle changes in schema or no-data conditions, since these cases violate the static schema model that SQL relies on.
#### Workarounds
You can mitigate these issues in the following ways:
- Avoid `SELECT *` Explicitly select only the columns you expect to exist.
- Ensure a consistent schema If possible, configure your query to always return columns, even when no data is present.
#### Example: Handling Prometheus no data
When joining results from the same Prometheus query across different data source instances, you can use this pattern:
```sql
-- Prometheus query
sum by (cluster) (up{job=~".*zruler.*"})
or on (cluster) (
(0/0) *
(
label_replace(vector(1), "cluster", "fake", "", "")
)
)
-- SQL expression
SELECT
COALESCE(a.time, b.time) AS time,
COALESCE(a.cluster, b.cluster) AS cluster,
COALESCE(a.up, 0) + COALESCE(b.up, 0) AS unified_up
FROM (
SELECT time, cluster, __value__ AS up
FROM A
WHERE cluster != 'fake'
ORDER BY time
LIMIT 5
) a
FULL OUTER JOIN (
SELECT time, cluster, __value__ AS up
FROM B
WHERE cluster != 'fake'
ORDER BY time
LIMIT 5
) b ON a.time = b.time;
```
This approach ensures that a schema exists even when one query returns no data.
## SQL expressions examples
1. Create the following Prometheus query:
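Review bot: in the SQL expression of the `Handling Prometheus no data` example, both subqueries carry `ORDER BY time LIMIT 5`, which silently truncates each side to five rows before the `FULL OUTER JOIN`; nothing in the text explains the limit, so either drop it or say it is there to keep the example small, otherwise readers copying the pattern get partial results. On the other added lines: the selector `up{job=~".*zruler.*"}` looks like an internal job name leaking into public docs (a generic placeholder job name is clearer); `Error responses When...`, `No data responses If...`, `Dynamic schema responses If...`, `Avoid SELECT * Explicitly...` and `Ensure a consistent schema If...` are missing the separator between the lead term and its explanation; and `doesnt` and `cant` are missing apostrophes. A sentence explaining why `(0/0) * label_replace(vector(1), "cluster", "fake", "", "")` is there (it forces a NaN-valued `fake` series so the `cluster` column always exists, which the `WHERE cluster != 'fake'` clauses then drop) would also help; as written the reader has to reverse-engineer the trick.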
@@ -1,8 +1,11 @@
---
aliases:
- ../setup-grafana/configure-security/planning-iam-strategy/ # /docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/planning-iam-strategy/
- ./configure-security/planning-iam-strategy/ # /docs/grafana/next/setup-grafana/configure-security/planning-iam-strategy/
title: Plan your IAM integration strategy
menuTitle: Plan your IAM integration strategy
menuTitle: Configure access management
description: Learn how to plan your identity and access management strategy before setting up Grafana.
weight: 100
weight: 700
keywords:
- IdP
- IAM
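Review bot: the two new `aliases` entries use different notation for the same intent: the first is relative to the parent (`../setup-grafana/configure-security/planning-iam-strategy/`) with a `<GRAFANA_VERSION>` comment, the second relative to the current section (`./configure-security/planning-iam-strategy/`) with a hard-coded `/docs/grafana/next/` comment; pick one form and use the same placeholder in both comments. Also, `menuTitle` becomes `Configure access management` while `title` stays `Plan your IAM integration strategy`, so the sidebar entry and the page heading will no longer match; if this page is now the section index for `configure-access` (which the `../../` link depth changes later in this file suggest), `title` probably wants the same rename, and the jump in `weight` from 100 to 700 deserves a line in the commit message.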
@@ -12,7 +15,7 @@ keywords:
# Plan your IAM integration strategy
This section describes the decisions you should make when using an Identity and Access Management (IAM) provider to manage access to Grafana. IAM ensures that users have secure access to sensitive data and [other resources](../../../administration/data-source-management/), simplifying user management and authentication.
This section describes the decisions you should make when using an Identity and Access Management (IAM) provider to manage access to Grafana. IAM ensures that users have secure access to sensitive data and [other resources](../../administration/data-source-management/), simplifying user management and authentication.
## Benefits of integrating with an IAM provider
@@ -33,12 +36,12 @@ In order to plan an integration with Grafana, assess your organization's current
As a first step, determine how you want to manage users who will access Grafana.
Do you already use an identity provider to manage users? If so, Grafana might be able to integrate with your identity provider through one of our IdP integrations.
Refer to [Configure authentication documentation](../configure-authentication/) for the list of supported providers.
Refer to [Configure authentication documentation](../configure-access/configure-authentication/) for the list of supported providers.
If you are not interested in setting up an external identity provider, but still want to limit access to your Grafana instance, consider using Grafana's basic authentication.
Finally, if you want your Grafana instance to be accessible to everyone, you can enable anonymous access to Grafana.
For information, refer to the [anonymous authentication documentation](../configure-authentication/#anonymous-authentication).
For information, refer to the [anonymous authentication documentation](../configure-access/configure-authentication/#anonymous-authentication).
## Ways to organize users
@@ -51,7 +54,7 @@ Organize users in subgroups that are sensible to the organization. For example:
### Users in Grafana teams
You can organize users into [teams](../../../administration/team-management/) and assign them roles and permissions reflecting the current organization. For example, instead of assigning five users access to the same dashboard, you can create a team of those users and assign dashboard permissions to the team.
You can organize users into [teams](../../administration/team-management/) and assign them roles and permissions reflecting the current organization. For example, instead of assigning five users access to the same dashboard, you can create a team of those users and assign dashboard permissions to the team.
A user can belong to multiple teams and be a member or an administrator for a given team. Team members inherit permissions from the team but cannot edit the team itself. Team administrators can add members to a team and update its settings, such as the team name, team members, roles assigned, and UI preferences.
@@ -59,17 +62,17 @@ Teams are a perfect solution for working with a subset of users. Teams can share
### Users in Grafana organizations
[Grafana organizations](../../../administration/organization-management/) allow complete isolation of resources, such as dashboards and data sources. Users can be members of one or several organizations, and they can only access resources from an organization they belong to.
[Grafana organizations](../../administration/organization-management/) allow complete isolation of resources, such as dashboards and data sources. Users can be members of one or several organizations, and they can only access resources from an organization they belong to.
Having multiple organizations in a single instance of Grafana lets you manage your users in one place while completely separating resources.
Organizations provide a higher measure of isolation within Grafana than teams do and can be helpful in certain scenarios. However, because organizations lack the scalability and flexibility of teams and [folders](../../../dashboards/manage-dashboards/#create-a-dashboard-folder), we do not recommend using them as the default way to group users and resources.
Organizations provide a higher measure of isolation within Grafana than teams do and can be helpful in certain scenarios. However, because organizations lack the scalability and flexibility of teams and [folders](../../dashboards/manage-dashboards/#create-a-dashboard-folder), we do not recommend using them as the default way to group users and resources.
Note that Grafana Cloud does not support having more than 1 organizations per instance.
### Choosing between teams and organizations
[Grafana teams](../../../administration/team-management/) and Grafana organizations serve similar purposes in the Grafana platform. Both are designed to help group users and manage and control access to resources.
[Grafana teams](../../administration/team-management/) and Grafana organizations serve similar purposes in the Grafana platform. Both are designed to help group users and manage and control access to resources.
Teams provide more flexibility, as resources can be accessible by multiple teams, and team creation and management are simple.
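Review bot: the context line "Note that Grafana Cloud does not support having more than 1 organizations per instance." has a number/plural mismatch; since the surrounding links are being touched anyway, "more than one organization per instance" would read correctly.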
@@ -106,7 +109,7 @@ A common use case for creating a service account is to perform operations on aut
- Set up an external SAML authentication provider
- Interact with Grafana without signing in as a user
In [Grafana Enterprise](../../../introduction/grafana-enterprise/), you can also use service accounts in combination with [role-based access control](../../../administration/roles-and-permissions/access-control/) to grant very specific permissions to applications that interact with Grafana.
In [Grafana Enterprise](../../introduction/grafana-enterprise/), you can also use service accounts in combination with [role-based access control](../../administration/roles-and-permissions/access-control/) to grant very specific permissions to applications that interact with Grafana.
{{< admonition type="note" >}}
Service accounts can only act in the organization they are created for. We recommend creating service accounts in each organization if you have the same task needed for multiple organizations.
@@ -141,7 +144,7 @@ You can assign roles through the user interface or APIs, establish them through
### What are roles?
Within an organization, Grafana has established three primary [organization roles](../../../administration/roles-and-permissions/#organization-roles) - organization administrator, editor, and viewer - which dictate the user's level of access and permissions, including the ability to edit data sources or create teams. Grafana also has an empty role that you can start with and to which you can gradually add custom permissions.
Within an organization, Grafana has established three primary [organization roles](../../administration/roles-and-permissions/#organization-roles) - organization administrator, editor, and viewer - which dictate the user's level of access and permissions, including the ability to edit data sources or create teams. Grafana also has an empty role that you can start with and to which you can gradually add custom permissions.
To be a member of any organization, every user must be assigned a role.
In addition, Grafana provides a server administrator role that grants access to and enables interaction with resources that affect the entire instance, including organizations, users, and server-wide settings.
@@ -149,23 +152,23 @@ This particular role can only be accessed by users of self-hosted Grafana instan
### What are permissions?
Each role consists of a set of [permissions](../../../administration/roles-and-permissions/#dashboard-permissions) that determine the tasks a user can perform in the system.
Each role consists of a set of [permissions](../../administration/roles-and-permissions/#dashboard-permissions) that determine the tasks a user can perform in the system.
For example, the **Admin** role includes permissions that let an administrator create and delete users.
Grafana allows for precise permission settings on both dashboards and folders, giving you the ability to control which users and teams can view, edit, and administer them.
For example, you might want a certain viewer to be able to edit a dashboard. While that user can see all dashboards, you can grant them access to update only one of them.
In [Grafana Enterprise](../../../introduction/grafana-enterprise/), you can also grant granular permissions for data sources to control who can query and edit them.
In [Grafana Enterprise](../../introduction/grafana-enterprise/), you can also grant granular permissions for data sources to control who can query and edit them.
Dashboard, folder, and data source permissions can be set through the UI or APIs or provisioned through Terraform.
### Role-based access control
{{< admonition type="note" >}}
Available in [Grafana Enterprise](../../../introduction/grafana-enterprise/) and [Grafana Cloud](/docs/grafana-cloud/).
Available in [Grafana Enterprise](../../introduction/grafana-enterprise/) and [Grafana Cloud](/docs/grafana-cloud/).
{{< /admonition >}}
If you think that the basic organization and server administrator roles are too limiting, it might be beneficial to employ [role-based access control (RBAC)](../../../administration/roles-and-permissions/access-control/).
If you think that the basic organization and server administrator roles are too limiting, it might be beneficial to employ [role-based access control (RBAC)](../../administration/roles-and-permissions/access-control/).
RBAC is a flexible approach to managing user access to Grafana resources, including users, data sources, and reports. It enables easy granting, changing, and revoking of read and write access for users.
RBAC comes with pre-defined roles, such as data source writer, which allows updating, reading, or querying all data sources.
@@ -182,7 +185,7 @@ When connecting Grafana to an identity provider, it's important to think beyond
Team sync is a feature that allows you to synchronize teams or groups from your authentication provider with teams in Grafana. This means that users of specific teams or groups in LDAP, OAuth, or SAML will be automatically added or removed as members of corresponding teams in Grafana. Whenever a user logs in, Grafana will check for any changes in the teams or groups of the authentication provider and update the user's teams in Grafana accordingly. This makes it easy to manage user permissions across multiple systems.
{{< admonition type="note" >}}
Available in [Grafana Enterprise](../../../introduction/grafana-enterprise/) and to customers on select Grafana Cloud plans. For pricing information, visit [pricing](https://grafana.com/pricing/) or contact our sales team.
Available in [Grafana Enterprise](../../introduction/grafana-enterprise/) and to customers on select Grafana Cloud plans. For pricing information, visit [pricing](https://grafana.com/pricing/) or contact our sales team.
{{< /admonition >}}
{{< admonition type="note" >}}
@@ -191,22 +194,20 @@ Team synchronization occurs only when a user logs in. However, if you are using
### Role Sync
Grafana can synchronize basic roles from your authentication provider by mapping attributes from the identity provider to the user role in Grafana. This means that users with specific attributes, like role, team, or group membership in LDAP, OAuth, or SAML, will be automatically assigned the corresponding role in Grafana. Whenever a user logs in, Grafana will check for any changes in the user information retrieved from the authentication provider and update the user's role in Grafana accordingly.
Grafana can synchronize basic roles from your authentication provider by mapping attributes from the identity provider to the user role in Grafana. This means that users with specific attributes, like role, team, or group membership in LDAP, OAuth, or SAML, can be automatically assigned the corresponding role in Grafana. Whenever a user logs in, Grafana checks for any changes in the user information retrieved from the authentication provider and updates the user's role in Grafana accordingly.
### Organization sync
Organization sync is the process of binding all the users from an organization in Grafana. This delegates the role of managing users to the identity provider. This way, there's no need to manage user access from Grafana because the identity provider will be queried whenever a new user tries to log in.
With organization sync, users from identity provider groups can be assigned to corresponding Grafana organizations. This functionality is similar to role sync but with the added benefit of specifying the organization that a user belongs to for a particular identity provider group. Please note that this feature is only available for self-hosted Grafana instances, as Cloud Grafana instances have a single organization limit.
With organization sync, you can assign users from identity provider groups to corresponding Grafana organizations. This functionality is similar to role sync but with the added benefit of specifying the organization that a user belongs to for a particular identity provider group. Please note that this feature is only available for self-hosted Grafana instances, as Cloud Grafana instances have a single organization limit.
{{< admonition type="note" >}}
Organization sync is currently only supported for SAML and LDAP.
{{< /admonition >}}
{{< admonition type="note" >}}
You don't need to invite users through Grafana when syncing with Organization sync.
{{< /admonition >}}
The following applies:
- Organization sync is currently only supported for SAML and LDAP.
- You can only map basic roles with Organization sync.
- You don't need to invite users through Grafana when syncing with Organization sync.
{{< admonition type="note" >}}
Currently, only basic roles can be mapped via Organization sync.
{{< /admonition >}}
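Review bot: the new bullet "You can only map basic roles with Organization sync." duplicates the admonition "Currently, only basic roles can be mapped via Organization sync." that is kept as unchanged context directly below the list, so the rendered page will state the restriction twice; the other two notes were folded into the list, and this one should be folded in the same way (or the bullet dropped). Separately, the rewritten paragraph still opens its last sentence with "Please note that this feature is only available for self-hosted Grafana instances", which can lose "Please note that" to match the direct voice used in the rest of the rewrite.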
@@ -1,16 +1,17 @@
---
aliases:
- ../../auth/
- ../../auth/overview/
description: Learn about all the ways in which you can configure Grafana to authenticate
users.
- ../../auth/ # /docs/grafana/next/auth/
- ../../auth/overview/ # /docs/grafana/next/auth/overview/
- ../setup-grafana/configure-security/configure-authentication/ # /docs/grafana/next/setup-grafana/setup-grafana/configure-security/configure-authentication/
- ../configure-security/configure-authentication/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/
description: Learn about all the ways in which you can configure Grafana to authenticate users.
labels:
products:
- cloud
- enterprise
- oss
title: Configure authentication
weight: 200
weight: 100
---
# Configure authentication
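Review bot: the alias `../setup-grafana/configure-security/configure-authentication/` resolves, per its own trailing comment, to `/docs/grafana/next/setup-grafana/setup-grafana/configure-security/configure-authentication/`, a path with a doubled `setup-grafana/` segment that the page never lived at; the next alias, `../configure-security/configure-authentication/`, already covers the real previous URL, so the doubled entry looks like a copy-and-paste slip and can be removed. The `weight` change from 200 to 100 is not explained in the hunk; a sentence in the PR description on why the page moves up in the sidebar would help.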
@@ -23,7 +24,7 @@ The following table shows all supported authentication methods and the features
| :---------------------------------- | :---------------- | :----------- | :----------- | :-------------------- | :-------- | :------------- | :---------- | :------------------- | :--------- | :------------ | :----------- |
| [Anonymous access](anonymous-auth/) | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| [Auth Proxy](auth-proxy/) | no | yes | yes | no | yes | no | N/A | no | N/A | N/A | N/A |
| [Azure AD OAuth](azuread/) | yes | yes | yes | yes | yes | yes | N/A | yes | yes | yes | N/A |
| [Entra ID OAuth](azuread/) | yes | yes | yes | yes | yes | yes | N/A | yes | yes | yes | N/A |
| [Basic auth](grafana/) | yes | N/A | yes | yes | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| [Passwordless auth](passwordless/) | yes | N/A | yes | yes | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| [Generic OAuth](generic-oauth/) | yes | yes | yes | yes | yes | no | N/A | yes | yes | yes | N/A |
@@ -58,7 +59,7 @@ Fields explanation:
**Single Logout:** Logging out from Grafana also logs you out of provider session
**SCIM support:** Support for SCIM provisioning. Supported Identity Providers are Azure AD and Okta.
**SCIM support:** Support for SCIM provisioning. Supported Identity Providers are Entra ID and Okta.
## Configuring multiple identity providers
@@ -83,7 +84,7 @@ To enable this option, refer to the [Enable email lookup](#enable-email-lookup)
Grafana and the Grafana Cloud portal currently do not include built-in support for multi-factor authentication (MFA).
We strongly recommend integrating an external identity provider (IdP) that supports MFA, such as Okta, Azure AD, or Google Workspace. By configuring your Grafana instances to use an external IdP, you can leverage MFA to protect your accounts and resources effectively.
We strongly recommend integrating an external identity provider (IdP) that supports MFA, such as Okta, Entra ID, or Google Workspace. By configuring your Grafana instances to use an external IdP, you can leverage MFA to protect your accounts and resources effectively.
## Login and short-lived tokens
@@ -1,6 +1,8 @@
---
aliases:
- ../../../auth/anonymous-auth/
- ../../../auth/anonymous-auth/ # /docs/grafana/next/auth/anonymous-auth/
- ../../configure-security/setup-grafana/configure-security/configure-authentication/anonymous-auth/ # /docs/grafana/next/setup-grafana/configure-security/setup-grafana/configure-security/configure-authentication/anonymous-auth/
- ../../configure-security/configure-authentication/anonymous-auth/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/anonymous-auth/
description: Learn how to configure anonymous access in Grafana
labels:
products:
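Review bot: the added alias `../../configure-security/setup-grafana/configure-security/configure-authentication/anonymous-auth/` resolves, as its own comment shows, to a URL with `setup-grafana/configure-security/` repeated twice; the alias on the following line is the real old path, so the doubled entry should be dropped rather than shipped as a redirect from a URL that never existed.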
@@ -1,7 +1,9 @@
---
aliases:
- ../../../auth/auth-proxy/
- ../../../tutorials/authproxy/
- ../../../auth/auth-proxy/ # /docs/grafana/next/auth/auth-proxy/
- ../../../tutorials/authproxy/ # /docs/grafana/next/tutorials/authproxy/
- ../../configure-security/setup-grafana/configure-security/configure-authentication/authproxy/ # /docs/grafana/next/setup-grafana/configure-security/setup-grafana/configure-security/configure-authentication/authproxy/
- ../../configure-security/configure-authentication/auth-proxy/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/auth-proxy/
description: Grafana Auth Proxy Guide
keywords:
- grafana
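Review bot: the third added alias carries the same doubled `configure-security/setup-grafana/configure-security/` segment seen in the other front-matter hunks (its comment shows the repeated path) and should be removed. Separately, that line spells the old leaf as `authproxy/` while the next alias uses `auth-proxy/`; only one of those was a real previous URL under configure-security, so please confirm which spelling to keep (the retained `../../../tutorials/authproxy/` alias shows the unhyphenated form did exist at some point, but at a different path).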
@@ -1,7 +1,9 @@
---
aliases:
- ../../../enterprise/enhanced_ldap/
- ../../../auth/enhanced_ldap/
- ../../../enterprise/enhanced_ldap/ # /docs/grafana/next/enterprise/enhanced_ldap/
- ../../../auth/enhanced_ldap/ # /docs/grafana/next/auth/enhanced_ldap/
- ../../configure-security/setup-grafana/configure-security/configure-authentication/enhanced_ldap/ # /docs/grafana/next/setup-grafana/configure-security/setup-grafana/configure-security/configure-authentication/enhanced_ldap/
- ../../configure-security/configure-authentication/enhanced-ldap/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/enhanced-ldap/
description: Grafana Enhanced LDAP Integration Guide
keywords:
- grafana
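Review bot: the third added alias again contains the doubled `configure-security/setup-grafana/configure-security/` segment visible in its comment and should be removed; in addition, the two new aliases disagree on the leaf name (`enhanced_ldap/` versus `enhanced-ldap/`), so confirm which spelling the page previously used under configure-security before keeping both, since the older `../../../auth/enhanced_ldap/` alias suggests the underscore form was the historical one.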
@@ -41,7 +43,7 @@ Grafana keeps track of all synchronized users in teams, and you can see which us
This mechanism allows Grafana to remove an existing synchronized user from a team when its LDAP group membership changes. This mechanism also allows you to manually add
a user as member of a team, and it will not be removed when the user signs in. This gives you flexibility to combine LDAP group memberships and Grafana team memberships.
[Learn more about team sync.](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-team-sync)
[Learn more about team sync.](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-team-sync)
<div class="clearfix"></div>
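Review bot: the context line "This mechanism also allows you to manually add a user as member of a team" is missing an article ("as a member of a team"); a small wording fix worth taking while the team sync link below it is being updated.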
@@ -1,7 +1,10 @@
---
aliases:
- ../../../auth/azuread/
description: Grafana Azure AD OAuth Guide
- ../../../auth/azuread/ # /docs/grafana/next/auth/azuread/
- ../../configure-security/setup-grafana/configure-security/configure-authentication/azuread/ # /docs/grafana/next/setup-grafana/configure-security/setup-grafana/configure-security/configure-authentication/azuread/
- ../../configure-security/configure-authentication/azuread/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/azuread/
- ./azuread/ # /docs/grafana/next/setup-grafana/configure-access/configure-authentication/azuread/
description: Grafana Entra ID OAuth Guide
keywords:
- grafana
- configuration
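Review bot: the second added alias resolves, per its comment, to `.../setup-grafana/configure-security/setup-grafana/configure-security/configure-authentication/azuread/`, the same doubled path that appears in the other front-matter hunks, and should be dropped. The `./azuread/` alias with comment `/docs/grafana/next/setup-grafana/configure-access/configure-authentication/azuread/` implies the file itself is being renamed away from `azuread`, which is consistent with the description change to "Grafana Entra ID OAuth Guide"; if that is the intent, the rename should be called out in the PR description so reviewers can check inbound links to the old filename.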
@@ -80,7 +83,7 @@ To enable the Azure AD/Entra ID OAuth, register your application with Entra ID.
{{< /admonition >}}
- **_Workload Identity (K8s/AKS)_**
1. Refer to [Federated identity credential for an Azure AD application](https://azure.github.io/azure-workload-identity/docs/topics/federated-identity-credential.html#azure-portal-ui) for a complete guide on setting up a federated credential for workload identity.
1. Refer to [Federated identity credential for an Entra ID application](https://azure.github.io/azure-workload-identity/docs/topics/federated-identity-credential.html#azure-portal-ui) for a complete guide on setting up a federated credential for workload identity.
Add a new entry under Federated credentials with the following configuration.
- Federated credential scenario: Select **Kubernetes accessing Azure resources**.
- [Cluster issuer URL](https://learn.microsoft.com/en-us/azure/aks/use-oidc-issuer#get-the-oidc-issuer-url): The OIDC issuer URL that your cluster is integrated with. For example: `https://{region}.oic.prod-aks.azure.com/{tenant_id}/{uuid}`.
@@ -95,7 +98,7 @@ To enable the Azure AD/Entra ID OAuth, register your application with Entra ID.
1. You may optionally set `workload_identity_token_file` (env var `GF_AUTH_AZUREAD_WORKLOAD_IDENTITY_TOKEN_FILE`) under `[auth.azuread]` to `/var/run/secrets/azure/tokens/azure-identity-token` in the Grafana server configuration for this to work. (Optional, defaults to `/var/run/secrets/azure/tokens/azure-identity-token`)
1. You must have set `client_id` (env var `GF_AUTH_AZUREAD_CLIENT_ID`) under `[auth.azuread]` in the Grafana server configuration for this to work. This must match the Entra ID/Azure AD App Registration Application (client) ID.
1. You must have set `client_id` (env var `GF_AUTH_AZUREAD_CLIENT_ID`) under `[auth.azuread]` in the Grafana server configuration for this to work. This must match the Entra ID/Entra ID App Registration Application (client) ID.
1. You must have set `token_url` (env var `GF_AUTH_AZUREAD_TOKEN_URL`) under `[auth.azuread]` to `https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/token` in the Grafana server configuration for this to work.
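Review bot: "This must match the Entra ID/Entra ID App Registration Application (client) ID." on the added line is a search-and-replace artifact: the previous "Entra ID/Azure AD" became "Entra ID/Entra ID", and it should simply read "the Entra ID App Registration Application (client) ID". The preceding context line also says "You may optionally set `workload_identity_token_file` ... (Optional, defaults to ...)", which states optionality twice; one of the two is enough.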
@@ -228,7 +231,7 @@ Ensure that you have followed the steps in [Create the Microsoft Entra ID applic
## Configure Azure AD authentication client using the Grafana UI
As a Grafana Admin, you can configure your Azure AD/Entra ID OAuth client from within Grafana using the Grafana UI. To do this, navigate to the **Administration > Authentication > Azure AD** page and fill in the form. If you have a current configuration in the Grafana configuration file, the form will be pre-populated with those values. Otherwise the form will contain default values.
As a Grafana Admin, you can configure your Entra ID OAuth client from within Grafana using the Grafana UI. To do this, navigate to the **Administration > Authentication > Entra ID** page and fill in the form. If you have a current configuration in the Grafana configuration file, the form will be pre-populated with those values. Otherwise the form will contain default values.
After you have filled in the form, click **Save** to save the configuration. If the save was successful, Grafana will apply the new configurations.
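Review bot: the heading `## Configure Azure AD authentication client using the Grafana UI` is left as unchanged context while the paragraph beneath it is renamed to Entra ID and the navigation path becomes **Administration > Authentication > Entra ID**, so the section title and its body now disagree. If the heading is renamed to match, its generated anchor changes as well, so any links pointing at the old anchor need updating in the same change.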
@@ -244,7 +247,7 @@ If you run Grafana in high availability mode, configuration changes may not get
resource "grafana_sso_settings" "azuread_sso_settings" {
provider_name = "azuread"
oauth2_settings {
name = "Azure AD"
name = "Entra ID"
auth_url = "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize"
token_url = "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token"
client_authentication = "CLIENT_AUTHENTICATION_OPTION"
@@ -422,7 +425,7 @@ the correct teams.
You can reference Entra ID groups by group object ID, like `8bab1c86-8fba-33e5-2089-1d1c80ec267d`.
To learn more, refer to the [Team Sync](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-team-sync) documentation.
To learn more, refer to the [Team Sync](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-team-sync) documentation.
## Common troubleshooting
@@ -522,38 +525,37 @@ skip_org_role_sync = true
The following table outlines the various Azure AD/Entra ID configuration options. You can apply these options as environment variables, similar to any other configuration within Grafana. For more information, refer to [Override configuration with environment variables](../../../configure-grafana/#override-configuration-with-environment-variables).
| Setting | Required | Supported on Cloud | Description | Default |
| ------------------------------- | -------- | ------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------- |
| `enabled` | No | Yes | Enables Azure AD/Entra ID authentication. | `false` |
| `name` | No | Yes | Name that refers to the Azure AD/Entra ID authentication from the Grafana user interface. | `OAuth` |
| `icon` | No | Yes | Icon used for the Azure AD/Entra ID authentication in the Grafana user interface. | `signin` |
| `client_authentication` | Yes | Yes | Defines the client authentication method used to authenticate to the token endpoint. Supported values: `none`, `client_secret_post`, `managed_identity`, or `workload_identity`. | |
| `workload_identity_token_file` | No | Yes | The path to the token file used to authenticate to the OAuth2 provider. This is only required when `client_authentication` is set to `workload_identity`. The token file contains the service account token projected by Kubernetes. | `/var/run/secrets/azure/tokens/azure-identity-token` |
| `federated_credential_audience` | No | Yes | The audience of the federated identity credential of your OAuth2 app. Required when `client_authentication` is set to `managed_identity` or `workload_identity`. For public cloud, this is typically `api://AzureADTokenExchange`. | `api://AzureADTokenExchange` |
| `client_id` | Yes | Yes | Client ID of the App (`Application (client) ID` on the **App registration** dashboard). | |
| `client_secret` | Yes | Yes | Client secret of the App. | |
| `auth_url` | Yes | Yes | Authorization endpoint of the Azure AD/Entra ID OAuth2 provider. | |
| `token_url` | Yes | Yes | Endpoint used to obtain the OAuth2 access token. | |
| `auth_style` | No | Yes | Name of the [OAuth2 AuthStyle](https://pkg.go.dev/golang.org/x/oauth2#AuthStyle) to be used when ID token is requested from OAuth2 provider. It determines how `client_id` and `client_secret` are sent to Oauth2 provider. Available values are `AutoDetect`, `InParams` and `InHeader`. | `AutoDetect` |
| `scopes` | No | Yes | List of comma- or space-separated OAuth2 scopes. | `openid email profile` |
| `allow_sign_up` | No | Yes | Controls Grafana user creation through the Azure AD/Entra ID login. Only existing Grafana users can log in with Azure AD/Entra ID if set to `false`. | `true` |
| `auto_login` | No | Yes | Set to `true` to enable users to bypass the login screen and automatically log in. This setting is ignored if you configure multiple auth providers to use auto-login. | `false` |
| `login_prompt` | No | Yes | Indicates the type of user interaction when the user logs in with Azure AD/Entra ID. Available values are `login`, `consent` and `select_account`. | |
| `role_attribute_strict` | No | Yes | Set to `true` to deny user login if the Grafana org role cannot be extracted using `role_attribute_path` or `org_mapping`. For more information on user role mapping, refer to [Map roles](#map-roles). | `false` |
| `org_attribute_path` | No | No | [JMESPath](http://jmespath.org/examples.html) expression to use for Grafana org to role lookup. Grafana will first evaluate the expression using the OAuth2 ID token. If no value is returned, the expression will be evaluated using the user information obtained from the UserInfo endpoint. The result of the evaluation will be mapped to org roles based on `org_mapping`. For more information on org to role mapping, refer to [Org roles mapping example](#org-roles-mapping-example). | |
| `org_mapping` | No | No | List of comma- or space-separated `<ExternalOrgName>:<OrgIdOrName>:<Role>` mappings. Value can be `*` meaning "All users". Role is optional and can have the following values: `None`, `Viewer`, `Editor` or `Admin`. For more information on external organization to role mapping, refer to [Org roles mapping example](#org-roles-mapping-example). | |
| `allow_assign_grafana_admin` | No | No | Set to `true` to automatically sync the Grafana server administrator role. When enabled, if the Azure AD/Entra ID user's App role is `GrafanaAdmin`, Grafana grants the user server administrator privileges and the organization administrator role. If disabled, the user will only receive the organization administrator role. For more details on user role mapping, refer to [Map roles](#map-roles). | `false` |
| `skip_org_role_sync` | No | Yes | Set to `true` to stop automatically syncing user roles. This will allow you to set organization roles for your users from within Grafana manually. | `false` |
| `allowed_groups` | No | Yes | List of comma- or space-separated groups. The user should be a member of at least one group to log in. If you configure `allowed_groups`, you must also configure Azure AD/Entra ID to include the `groups` claim following [Configure group membership claims on the Azure Portal](#configure-group-membership-claims-on-the-azure-portal). | |
| `allowed_organizations` | No | Yes | List of comma- or space-separated Azure tenant identifiers. The user should be a member of at least one tenant to log in. | |
| `allowed_domains` | No | Yes | List of comma- or space-separated domains. The user should belong to at least one domain to log in. | |
| `domain_hint` | No | Yes | The realm of the user in a federated directory. This skips the email-based discovery process that the user goes through on the Azure AD/Entra ID sign-in page, for a slightly more streamlined user experience. More info [here](https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc#send-the-sign-in-request). | |
| `tls_skip_verify_insecure` | No | No | If set to `true`, the client accepts any certificate presented by the server and any host name in that certificate. _You should only use this for testing_, because this mode leaves SSL/TLS susceptible to man-in-the-middle attacks. | `false` |
| `tls_client_cert` | No | No | The path to the certificate. | |
| `tls_client_key` | No | No | The path to the key. | |
| `tls_client_ca` | No | No | The path to the trusted certificate authority list. | |
| `use_pkce` | No | Yes | Set to `true` to use [Proof Key for Code Exchange (PKCE)](https://datatracker.ietf.org/doc/html/rfc7636). Grafana uses the SHA256 based `S256` challenge method and a 128 bytes (base64url encoded) code verifier. | `true` |
| `use_refresh_token` | No | Yes | Enables the use of refresh tokens and checks for access token expiration. When enabled, Grafana automatically adds the `offline_access` scope to the list of scopes. | `true` |
| `force_use_graph_api` | No | Yes | Set to `true` to always fetch groups from the Microsoft Graph API instead of the `id_token`. If a user belongs to more than 200 groups, the Microsoft Graph API will be used to retrieve the groups regardless of this setting. | `false` |
| `signout_redirect_url` | No | Yes | URL to redirect to after the user logs out. | |
| Setting | Required | Supported on Cloud | Description | Default |
| ------------------------------- | -------- | ------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------- |
| `enabled` | No | Yes | Enables Azure AD/Entra ID authentication. | `false` |
| `name` | No | Yes | Name that refers to the Azure AD/Entra ID authentication from the Grafana user interface. | `OAuth` |
| `icon` | No | Yes | Icon used for the Azure AD/Entra ID authentication in the Grafana user interface. | `signin` |
| `client_authentication` | Yes | Yes | Defines the client authentication method used to authenticate to the token endpoint. Supported values: `none`, `client_secret_post`, `managed_identity`, or `workload_identity`. | |
| `workload_identity_token_file` | No | Yes | The path to the token file used to authenticate to the OAuth2 provider. This is only required when `client_authentication` is set to `workload_identity`. The token file contains the service account token projected by Kubernetes. | `/var/run/secrets/azure/tokens/azure-identity-token` |
| `federated_credential_audience` | No | Yes | The audience of the federated identity credential of your OAuth2 app. Required when `client_authentication` is set to `managed_identity` or `workload_identity`. For public cloud, this is typically `api://AzureADTokenExchange`. | `api://AzureADTokenExchange` |
| `client_id` | Yes | Yes | Client ID of the App (`Application (client) ID` on the **App registration** dashboard). | |
| `client_secret` | Yes | Yes | Client secret of the App. | |
| `auth_url` | Yes | Yes | Authorization endpoint of the Azure AD/Entra ID OAuth2 provider. | |
| `token_url` | Yes | Yes | Endpoint used to obtain the OAuth2 access token. | |
| `auth_style` | No | Yes | Name of the [OAuth2 AuthStyle](https://pkg.go.dev/golang.org/x/oauth2#AuthStyle) to be used when ID token is requested from OAuth2 provider. It determines how `client_id` and `client_secret` are sent to the provider. Available values: `AutoDetect`, `InParams`, and `InHeader`. | `AutoDetect` |
| `scopes` | No | Yes | List of comma- or space-separated OAuth2 scopes. | `openid email profile` |
| `allow_sign_up` | No | Yes | Controls Grafana user creation through the Azure AD/Entra ID login. Only existing Grafana users can log in if set to `false`. | `true` |
| `auto_login` | No | Yes | Set to `true` to enable users to bypass the login screen and automatically log in. Ignored if multiple auth providers use auto-login. | `false` |
| `login_prompt` | No | Yes | Indicates the type of user interaction when logging in. Available values: `login`, `consent`, and `select_account`. | |
| `role_attribute_strict` | No | Yes | Set to `true` to deny login if Grafana org role cannot be extracted using `role_attribute_path` or `org_mapping`. See [Map roles](#map-roles). | `false` |
| `org_attribute_path` | No | No | [JMESPath](http://jmespath.org/examples.html) expression for Grafana org to role lookup. Grafana evaluates this using the OAuth2 ID token, then the UserInfo endpoint if no value is returned. The result maps to org roles via `org_mapping`. See [Org roles mapping example](#org-roles-mapping-example). | |
| `org_mapping` | No | No | List of comma- or space-separated `<ExternalOrgName>:<OrgIdOrName>:<Role>` mappings. `*` means “All users. Role values: `None`, `Viewer`, `Editor`, or `Admin`. See [Org roles mapping example](#org-roles-mapping-example). | |
| `allow_assign_grafana_admin` | No | No | Set to `true` to sync the Grafana server admin role automatically. When enabled, users with the `GrafanaAdmin` App role get both server admin and org admin roles. If disabled, they get only org admin. See [Map roles](#map-roles). | `false` |
| `skip_org_role_sync` | No | Yes | Set to `true` to stop automatically syncing user roles. Allows manual role assignment in Grafana. | `false` |
| `allowed_groups` | No | Yes | List of comma- or space-separated groups. User must belong to at least one. If configured, you must also configure Azure AD/Entra ID to include the `groups` claim. See [Configure group membership claims on the Azure Portal](#configure-group-membership-claims-on-the-azure-portal). | |
| `allowed_organizations` | No | Yes | List of comma- or space-separated Azure tenant identifiers. User must belong to at least one tenant. | |
| `allowed_domains` | No | Yes | List of comma- or space-separated domains. User must belong to at least one. | |
| `domain_hint` | No | Yes | Realm of the user in a federated directory. Skips the email-based discovery step for a streamlined sign-in. See [Microsoft docs](https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc#send-the-sign-in-request). | |
| `tls_skip_verify_insecure` | No | No | If `true`, accepts any certificate and host name. **Use only for testing**—this disables SSL/TLS verification and is insecure. | `false` |
| `tls_client_cert` | No | No | Path to the certificate file. | |
| `tls_client_key` | No | No | Path to the key file. | |
| `tls_client_ca` | No | No | Path to the trusted certificate authority list. | |
| `use_pkce` | No | Yes | Set to `true` to use [Proof Key for Code Exchange (PKCE)](https://datatracker.ietf.org/doc/html/rfc7636). Grafana uses the SHA256-based `S256` challenge method and a 128-byte (base64url encoded) code verifier. | `true` |
| `use_refresh_token` | No | Yes | Enables refresh tokens and checks access token expiration. When enabled, Grafana adds the `offline_access` scope automatically. | `true` |
| `force_use_graph_api` | No | Yes | Set to `true` to always fetch groups from the Microsoft Graph API instead of the `id_token`. If the user belongs to more than 200 groups, the Graph API will be used regardless. | `false` |
| `signout_redirect_url` | No | Yes | URL to redirect to after the user logs out. | |
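Review bot: the `client_secret` row is marked Required = Yes, but the `client_authentication` row in the same table allows `none`, `managed_identity` and `workload_identity`, and the `workload_identity_token_file` row already documents that the token file replaces a secret in that mode; mark `client_secret` as required only when `client_authentication` is `client_secret_post`, the same conditional wording the `federated_credential_audience` row uses. Two smaller points in the same table: the `org_mapping` description opens a quote with `*` means “All users.` and never closes it, and the `auth_style` description says the style is used "when ID token is requested" although the row itself explains it governs how `client_id` and `client_secret` are sent to the token endpoint, so "when an access token is requested" would be the accurate phrasing.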
@@ -1,6 +1,8 @@
---
aliases:
- ../../../auth/generic-oauth/
- ../../../auth/generic-oauth/ # /docs/grafana/next/auth/generic-oauth/
- ../../configure-security/setup-grafana/configure-security/configure-authentication/generic-oauth/ # /docs/grafana/next/setup-grafana/configure-security/setup-grafana/configure-security/configure-authentication/generic-oauth/
- ../../configure-security/configure-authentication/generic-oauth/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/generic-oauth/
description: Configure Generic OAuth authentication
keywords:
- grafana
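Review bot: the new alias `../../configure-security/setup-grafana/configure-security/configure-authentication/generic-oauth/` resolves to `/docs/grafana/next/setup-grafana/configure-security/setup-grafana/configure-security/configure-authentication/generic-oauth/`, which repeats the `setup-grafana/configure-security` segment; confirm that doubled URL was actually published somewhere and needs a redirect, otherwise it is a typo that will ship as a live alias. The same doubled alias is added to every file in this change (github, gitlab, google, grafana-cloud, grafana, jwt, keycloak, keycloak-multitenant, ldap, ldap-ui, okta, passwordless, saml), so if it is wrong it is wrong in all of them.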
@@ -23,7 +25,7 @@ weight: 700
Grafana provides OAuth2 integrations for the following auth providers:
- [Azure AD OAuth](../azuread/)
- [Entra ID OAuth](../azuread/)
- [GitHub OAuth](../github/)
- [GitLab OAuth](../gitlab/)
- [Google OAuth](../google/)
@@ -44,7 +46,7 @@ To follow this guide:
- If you are using refresh tokens, ensure you know how to set them up with your OAuth2 provider. Consult the documentation of your OAuth2 provider for more information.
{{< admonition type="note" >}}
If Users use the same email address in Azure AD that they use with other authentication providers (such as Grafana.com), you need to do additional configuration to ensure that the users are matched correctly. Please refer to the [Using the same email address to login with different identity providers](../#using-the-same-email-address-to-login-with-different-identity-providers) documentation for more information.
If Users use the same email address in Entra ID that they use with other authentication providers (such as Grafana.com), you need to do additional configuration to ensure that the users are matched correctly. Please refer to the [Using the same email address to login with different identity providers](../#using-the-same-email-address-to-login-with-different-identity-providers) documentation for more information.
{{< /admonition >}}
## Configure generic OAuth authentication client using the Grafana UI
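Review bot: the reworded admonition keeps the capitalised "If Users use the same email address in Entra ID that they use with other authentication providers", while the keycloak page in this same change rewrites the identical sentence to "If you use the same email address in Keycloak as in other authentication providers"; use one form in both places, for example "If you use the same email address in Entra ID as in other authentication providers (such as Grafana.com), you need to do additional configuration".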
@@ -119,7 +121,7 @@ To integrate your OAuth2 provider with Grafana using our Generic OAuth authentic
c. Enable the refresh token on the provider if required.
1. [Configure role mapping](#configure-role-mapping).
1. Optional: [Configure team synchronization](https://grafana.com/docs/grafana/<GRAFANA_VERSION/setup-grafana/configure-security/configure-team-sync/).
1. Optional: [Configure team synchronization](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-team-sync/).
1. Restart Grafana.
You should now see a Generic OAuth login button on the login page and be able to log in or sign up with your OAuth2 provider.
@@ -330,7 +332,7 @@ Generic OAuth groups can be referenced by group ID, such as `8bab1c86-8fba-33e5-
Group information can be extracted from the OAuth2 ID token, user information from the UserInfo endpoint, or the OAuth2 access token.
For information on configuring OAuth2 groups with Grafana using the `groups_attribute_path` configuration option, refer to [configuration options](#configuration-options).
To learn more about Team Sync, refer to [Configure team sync](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-team-sync/).
To learn more about Team Sync, refer to [Configure team sync](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-team-sync/).
### Team synchronization example
@@ -1,6 +1,8 @@
---
aliases:
- ../../../auth/github/
- ../../../auth/github/ # /docs/grafana/next/auth/github/
- ../../configure-security/setup-grafana/configure-security/configure-authentication/github/ # /docs/grafana/next/setup-grafana/configure-security/setup-grafana/configure-security/configure-authentication/github/
- ../../configure-security/configure-authentication/github/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/github/
description: Configure GitHub OAuth authentication
keywords:
- grafana
@@ -102,7 +104,7 @@ To configure GitHub authentication with Grafana, follow these steps:
Review the list of other GitHub [configuration options](#configuration-options) and complete them, as necessary.
1. [Configure role mapping](#configure-role-mapping).
1. Optional: [Configure team synchronization](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-team-sync/).
1. Optional: [Configure team synchronization](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-team-sync/).
1. Restart Grafana.
You should now see a GitHub login button on the login page and be able to log in or sign up with your GitHub accounts.
@@ -224,7 +226,7 @@ GitHub teams can be referenced in two ways:
Examples: `https://github.com/orgs/grafana/teams/developers` or `@grafana/developers`.
To learn more about Team Sync, refer to [Configure team sync](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-team-sync/).
To learn more about Team Sync, refer to [Configure team sync](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-team-sync/).
## Configuration options
@@ -1,6 +1,8 @@
---
aliases:
- ../../../auth/gitlab/
- ../../../auth/gitlab/ # /docs/grafana/next/auth/gitlab/
- ../../configure-security/setup-grafana/configure-security/configure-authentication/gitlab/ # /docs/grafana/next/setup-grafana/configure-security/setup-grafana/configure-security/configure-authentication/gitlab/
- ../../configure-security/configure-authentication/gitlab/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/gitlab/
description: Grafana GitLab OAuth Guide
keywords:
- grafana
@@ -110,7 +112,7 @@ To configure GitLab authentication with Grafana, follow these steps:
a. Set `use_refresh_token` to `true` in `[auth.gitlab]` section in Grafana configuration file.
1. [Configure role mapping](#configure-role-mapping).
1. Optional: [Configure team synchronization](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-team-sync/).
1. Optional: [Configure team synchronization](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-team-sync/).
1. Restart Grafana.
You should now see a GitLab login button on the login page and be able to log in or sign up with your GitLab accounts.
@@ -246,7 +248,7 @@ GitLab groups are referenced by the group name. For example, `developers`. To re
Note that in GitLab, the group or subgroup name does not always match its display name, especially if the display name contains spaces or special characters.
Make sure you always use the group or subgroup name as it appears in the URL of the group or subgroup.
To learn more about Team Sync, refer to [Configure team sync](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-team-sync/).
To learn more about Team Sync, refer to [Configure team sync](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-team-sync/).
## Configuration options
@@ -1,6 +1,8 @@
---
aliases:
- ../../../auth/google/
- ../../../auth/google/ # /docs/grafana/next/auth/google/
- ../../configure-security/setup-grafana/configure-security/configure-authentication/google/ # /docs/grafana/next/setup-grafana/configure-security/setup-grafana/configure-security/configure-authentication/google/
- ../../configure-security/configure-authentication/google/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/google/
description: Grafana Google OAuth Guide
labels:
products:
@@ -182,7 +184,7 @@ To set up team sync for Google OAuth:
1. Configure team sync in your Grafana team's `External group sync` tab.
The external group ID for a Google group is the group's email address, such as `dev@grafana.com`.
To learn more about Team Sync, refer to [Configure Team Sync](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-team-sync/).
To learn more about Team Sync, refer to [Configure Team Sync](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-team-sync/).
#### Configure allowed groups
@@ -1,6 +1,8 @@
---
aliases:
- ../../../auth/grafana-cloud/
- ../../../auth/grafana-cloud/ # /docs/grafana/next/auth/grafana-cloud/
- ../../configure-security/setup-grafana/configure-security/configure-authentication/grafana-cloud/ # /docs/grafana/next/setup-grafana/configure-security/setup-grafana/configure-security/configure-authentication/grafana-cloud/
- ../../configure-security/configure-authentication/grafana-cloud/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/grafana-cloud/
description: Grafana Cloud Authentication
labels:
products:
@@ -1,6 +1,8 @@
---
aliases:
- ../../../auth/grafana/
- ../../../auth/grafana/ # /docs/grafana/next/auth/grafana/
- ../../configure-security/setup-grafana/configure-security/configure-authentication/grafana/ # /docs/grafana/next/setup-grafana/configure-security/setup-grafana/configure-security/configure-authentication/grafana/
- ../../configure-security/configure-authentication/grafana/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/grafana/
description: Learn how to configure basic authentication in Grafana
labels:
products:
@@ -1,6 +1,8 @@
---
aliases:
- ../../../auth/jwt/
- ../../../auth/jwt/ # /docs/grafana/next/auth/jwt/
- ../../configure-security/setup-grafana/configure-security/configure-authentication/jwt/ # /docs/grafana/next/setup-grafana/configure-security/setup-grafana/configure-security/configure-authentication/jwt/
- ../../configure-security/configure-authentication/jwt/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/jwt/
description: Grafana JWT Authentication
labels:
products:
@@ -1,4 +1,7 @@
---
aliases:
- ../../configure-security/setup-grafana/configure-security/configure-authentication/keycloak-multitenant/ # /docs/grafana/next/setup-grafana/configure-security/setup-grafana/configure-security/configure-authentication/keycloak-multitenant/
- ../../configure-security/configure-authentication/keycloak-multitenant/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/keycloak-multitenant/
description: Multiple providers with Keycloak
keywords:
- grafana
@@ -26,21 +29,21 @@ This guide explains how to set up multiple providers of the same type with Keycl
The idea is to set up multiple OIDC providers in Keycloak with different tenants and configure Grafana to use the same Keycloak instance as the authentication provider.
## Azure AD configuration
## Entra ID configuration
For Azure AD, repeat the following steps for each tenant you want to set up in Keycloak.
For Entra ID, repeat the following steps for each tenant you want to set up in Keycloak.
### Overview
1. Register your application in Azure AD.
1. Register your application in Entra ID.
1. Give access to the application to the users in the tenant.
1. Create credentials for the application.
1. Configure the application in Keycloak.
1. Configure Grafana to use Keycloak.
#### Register your application in Azure AD
#### Register your application in Entra ID
Registering an application in Azure AD is a one-time process. You can follow the steps in the [Azure AD documentation](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app) to register your application.
Registering an application in Entra ID is a one-time process. You can follow the steps in the [Entra ID documentation](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app) to register your application.
1. Go to the Azure portal and ensure you are using the correct tenant also known as directory.
1. Search for **App Registrations** and click on **New registration**.
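Review bot: the link text is changed to "Entra ID documentation" but the target stays at the legacy `https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app`; since the azuread table elsewhere in this change already links into `https://learn.microsoft.com/en-us/entra/identity-platform/`, point this at the `quickstart-register-app` page under that tree so the renamed text and the URL agree. The unchanged context line "ensure you are using the correct tenant also known as directory" also reads better as "the correct tenant, also known as a directory".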
@@ -56,7 +59,7 @@ Assigning the correct access to users ensures only intended users or groups have
#### Create credentials for the application
To authenticate with Azure AD, the Keycloak application needs a client ID and client secret.
To authenticate with Entra ID, the Keycloak application needs a client ID and client secret.
1. Search for **App Registrations** and look for the application ypu just created.
1. Click on **Certificates & Secrets**.
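Review bot: the unchanged context line "look for the application ypu just created" carries a typo ("ypu" for "you"); since this file is already being edited for the Entra ID rename, fix it in the same commit rather than leaving a known typo on the page.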
@@ -65,7 +68,7 @@ To authenticate with Azure AD, the Keycloak application needs a client ID and cl
#### Configure the application in Keycloak
1. Go to the Keycloak admin console.
1. Go to the Realm where you want to configure the Azure AD tenant.
1. Go to the Realm where you want to configure the Entra ID tenant.
1. Go to the Identity Providers section and click on **Add provider**.
1. Select **OpenID Connect v1.0**.
1. Select a unique **Alias** and **Display name**.
@@ -83,13 +86,13 @@ To authenticate with Azure AD, the Keycloak application needs a client ID and cl
1. Click Add.
{{< admonition type="note" >}}
Up to this point, you have created an App Registration in Azure AD, assigned users to the application, created credentials for the application, and configured the application in Keycloak. In the Keycloak Client's section, the client with ID `account` Home URL can be used to test the configuration. This will open a new tab where you can login into the correct Keycloak realm with the Azure AD tenant you just configured.
Up to this point, you have created an App Registration in Entra ID, assigned users to the application, created credentials for the application, and configured the application in Keycloak. In the Keycloak Client's section, the client with ID `account` Home URL can be used to test the configuration. This will open a new tab where you can login into the correct Keycloak realm with the Entra ID tenant you just configured.
{{< /admonition >}}
Repeat this steps, for every Azure AD tenant you want to configure in Keycloak.
Repeat this steps, for every Entra ID tenant you want to configure in Keycloak.
#### Configure Grafana to use Keycloak
Now that the Azure AD tenants are configured in Keycloak, you can configure Grafana to use Keycloak as the authentication provider.
Now that the Entra ID tenants are configured in Keycloak, you can configure Grafana to use Keycloak as the authentication provider.
Refer to the [Keycloak documentation](https://grafana.com/docs/grafana/latest/auth/keycloak/) to configure Grafana to use Keycloak as the authentication provider.
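Review bot: the renamed line still says "Repeat this steps, for every Entra ID tenant" and should read "Repeat these steps for every Entra ID tenant"; the rename hunk is the natural place to fix it. In the same hunk, the closing context line links to `https://grafana.com/docs/grafana/latest/auth/keycloak/`, a hard-coded `latest` URL at the old `auth/keycloak/` path that this very change turns into an alias; use a relative link to the sibling page (`../keycloak/`, as the generic-oauth page does for `../azuread/`) or the `<GRAFANA_VERSION>` placeholder used everywhere else in these docs.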
@@ -1,6 +1,8 @@
---
aliases:
- ../../../auth/keycloak/
- ../../../auth/keycloak/ # /docs/grafana/next/auth/keycloak/
- ../../configure-security/setup-grafana/configure-security/configure-authentication/keycloak/ # /docs/grafana/next/setup-grafana/configure-security/setup-grafana/configure-security/configure-authentication/keycloak/
- ../../configure-security/configure-authentication/keycloak/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/keycloak/
description: Grafana Keycloak Guide
keywords:
- grafana
@@ -25,7 +27,7 @@ Keycloak OAuth2 authentication allows users to log in to Grafana using their Key
Refer to [Generic OAuth authentication](../generic-oauth/) for extra configuration options available for this provider.
{{< admonition type="note" >}}
If Users use the same email address in Keycloak that they use with other authentication providers (such as Grafana.com), you need to do additional configuration to ensure that the users are matched correctly. Please refer to the [Using the same email address to login with different identity providers](../#using-the-same-email-address-to-login-with-different-identity-providers) documentation for more information.
If you use the same email address in Keycloak as in other authentication providers (such as Grafana.com), you need to do additional configuration to ensure that the users are matched correctly. Please refer to the [Using the same email address to login with different identity providers](../#using-the-same-email-address-to-login-with-different-identity-providers) documentation for more information.
{{< /admonition >}}
You may have to set the `root_url` option of `[server]` for the callback URL to be
@@ -112,7 +114,7 @@ viewer
Available in [Grafana Enterprise](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/introduction/grafana-enterprise/) and to customers on select Grafana Cloud plans. For pricing information, visit [pricing](https://grafana.com/pricing/) or contact our sales team.
{{< /admonition >}}
[Teamsync](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-team-sync/) is a feature that allows you to map groups from your identity provider to Grafana teams. This is useful if you want to give your users access to specific dashboards or folders based on their group membership.
[Team Sync](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-team-sync/) is a feature that allows you to map groups from your identity provider to Grafana teams. This is useful if you want to give your users access to specific dashboards or folders based on their group membership.
To enable teamsync, you need to add a `groups` mapper to the client configuration in Keycloak.
This will add the `groups` claim to the id_token. You can then use the `groups` claim to map groups to teams in Grafana.
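Review bot: the link text is corrected from "Teamsync" to "Team Sync", but the two context lines immediately below still say "To enable teamsync" and the `id_token` sentence follows without a blank line; change the remaining "teamsync" to "Team Sync" so the section uses one spelling, matching the "Team Sync" wording the other provider pages in this change use.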
@@ -1,6 +1,8 @@
---
aliases:
- ../../../auth/enhanced-ldap/
- ../../../auth/enhanced-ldap/ # /docs/grafana/next/auth/enhanced-ldap/
- ../../configure-security/setup-grafana/configure-security/configure-authentication/ldap-ui/ # /docs/grafana/next/setup-grafana/configure-security/setup-grafana/configure-security/configure-authentication/ldap-ui/
- ../../configure-security/configure-authentication/ldap-ui/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/ldap-ui/
description: Learn about configuring LDAP authentication in Grafana using the Grafana UI.
labels:
products:
@@ -1,7 +1,9 @@
---
aliases:
- ../../../auth/ldap/
- ../../../installation/ldap/
- ../../../auth/ldap/ # /docs/grafana/next/auth/ldap/
- ../../../installation/ldap/ # /docs/grafana/next/installation/ldap/
- ../../configure-security/setup-grafana/configure-security/configure-authentication/ldap/ # /docs/grafana/next/setup-grafana/configure-security/setup-grafana/configure-security/configure-authentication/ldap/
- ../../configure-security/configure-authentication/ldap/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/ldap/
description: Grafana LDAP Authentication Guide
labels:
products:
@@ -1,6 +1,8 @@
---
aliases:
- ../../../auth/okta/
- ../../../auth/okta/ # /docs/grafana/next/auth/okta/
- ../../configure-security/setup-grafana/configure-security/configure-authentication/okta/ # /docs/grafana/next/setup-grafana/configure-security/setup-grafana/configure-security/configure-authentication/okta/
- ../../configure-security/configure-authentication/okta/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/okta/
description: Grafana Okta OIDC Guide
labels:
products:
@@ -246,7 +248,7 @@ the correct teams.
Okta groups can be referenced by group names, like `Admins` or `Editors`.
To learn more about Team Sync, refer to [Configure Team Sync](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-team-sync/).
To learn more about Team Sync, refer to [Configure Team Sync](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-team-sync/).
## Configuration options
@@ -1,4 +1,7 @@
---
aliases:
- ../../configure-security/setup-grafana/configure-security/configure-authentication/passwordless/ # /docs/grafana/next/setup-grafana/configure-security/setup-grafana/configure-security/configure-authentication/passwordless/
- ../../configure-security/configure-authentication/passwordless/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/passwordless/
description: Learn how to configure passwordless authentication with magic links in Grafana
labels:
products:
@@ -8,8 +8,9 @@ aliases:
- ../../../enterprise/saml/enable-saml/ # /docs/grafana/latest/enterprise/saml/enable-saml/
- ../../../enterprise/saml/set-up-saml-with-okta/ # /docs/grafana/latest/enterprise/saml/set-up-saml-with-okta/
- ../../../enterprise/saml/troubleshoot-saml/ # /docs/grafana/latest/enterprise/saml/troubleshoot-saml/
description: Learn how to configure SAML authentication in Grafana's configuration
file.
- ../../configure-security/setup-grafana/configure-security/configure-authentication/saml/ # /docs/grafana/next/setup-grafana/configure-security/setup-grafana/configure-security/configure-authentication/saml/
- ../../configure-security/configure-authentication/saml/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/saml/
description: Learn how to configure SAML authentication in Grafana's configuration file.
labels:
products:
- cloud
@@ -31,13 +32,14 @@ You can configure SAML authentication in Grafana through one of the following me
- [Configure SAML using the Grafana configuration file](#configure-saml-using-the-grafana-configuration-file)
- Configure SAML using the [SSO Settings API](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/developers/http_api/sso-settings/)
- Configure SAML using the [SAML user interface](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/saml/saml-ui/)
- Configure SAML using the [SAML user interface](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/saml/saml-ui/)
- Configure SAML using the [Grafana Terraform provider](https://registry.terraform.io/providers/grafana/grafana/<GRAFANA_VERSION>/docs/resources/sso_settings)
If you are using Okta or Azure AD as Identity Provider, see the following documentation for configuration:
If you are using Okta or Entra ID as Identity Provider, see the following documentation for configuration:
- [Configure SAML with Azure AD](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/saml/configure-saml-with-azuread/)
- [Configure SAML with Okta](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/saml/configure-saml-with-okta/)
- [Configure SAML with Entra ID](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/saml/configure-saml-with-azuread/)
- [Configure SAML with Okta](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/saml/configure-saml-with-okta/)
- [Configure SAML with Okta catalog application](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/saml/configure-saml-with-okta/oin-application)
All methods offer the same configuration options. However, if you want to keep all of Grafana authentication settings in one place, use the Grafana configuration file or the Terraform provider. If you are a Grafana Cloud user, you do not have access to Grafana configuration file. Instead, configure SAML through the other methods.
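Review bot: the newly added link `.../configure-saml-with-okta/oin-application` has no trailing slash while every other link in this list, including the two rewritten right above it, ends with `/`; add the slash so the link is not served through a redirect. The intro sentence "If you are using Okta or Entra ID as Identity Provider" also now precedes a three-item list, so "as your identity provider" (lowercase, with the article) reads better.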
@@ -84,10 +86,10 @@ The integration provides two key endpoints as part of Grafana:
1. In the `[auth.saml]` section in the Grafana configuration file, set [`enabled`](/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-grafana/enterprise-configuration/#enabled-3) to `true`.
2. Configure SAML options:
- Review all [available configuration options](/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/saml/saml-configuration-options/)
- Review all [available configuration options](/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/saml/saml-configuration-options/)
- For IdP-specific configuration, refer to:
- [Configure SAML with Okta](/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/saml/configure-saml-with-okta/)
- [Configure SAML with Entra ID](/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/saml/configure-saml-with-azuread/)
- [Configure SAML with Okta](/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/saml/configure-saml-with-okta/)
- [Configure SAML with Entra ID](/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/saml/configure-saml-with-azuread/)
3. Save the configuration file and then restart the Grafana server.
When you are finished, the Grafana configuration might look like this example:
@@ -177,14 +179,14 @@ By default, new Grafana users using SAML authentication will have an account cre
## Integrating with SCIM Provisioning
If you are also using SCIM provisioning for this Grafana application in Azure AD, it's crucial to align the user identifiers between SAML and SCIM for seamless operation. The unique identifier that links the SAML user to the SCIM provisioned user is determined by the `assertion_attribute_external_uid` setting in the Grafana SAML configuration. This `assertion_attribute_external_uid` should correspond to the `externalId` used in SCIM provisioning (typically set to the Azure AD `user.objectid`).
If you are also using SCIM provisioning for this Grafana application in Entra ID, it's crucial to align the user identifiers between SAML and SCIM for seamless operation. The unique identifier that links the SAML user to the SCIM provisioned user is determined by the `assertion_attribute_external_uid` setting in the Grafana SAML configuration. This `assertion_attribute_external_uid` should correspond to the `externalId` used in SCIM provisioning (typically set to the Entra ID `user.objectid`).
1. **Ensure Consistent Identifier in SAML Assertion:**
- The unique identifier from Azure AD (typically `user.objectid`) that you mapped to the `externalId` attribute in Grafana in your SCIM provisioning setup **must also be sent as a claim in the SAML assertion.** For more details on SCIM, refer to the [SCIM provisioning documentation](/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-scim-provisioning/).
- In the Azure AD Enterprise Application, under **Single sign-on** > **Attributes & Claims**, ensure you add a claim that provides this identifier. For example, you might add a claim named `UserID` (or similar, like `externalId`) that sources its value from `user.objectid`.
- The unique identifier from Entra ID (typically `user.objectid`) that you mapped to the `externalId` attribute in Grafana in your SCIM provisioning setup **must also be sent as a claim in the SAML assertion.** For more details on SCIM, refer to the [SCIM provisioning documentation](/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/).
- In the Entra ID Enterprise Application, under **Single sign-on** > **Attributes & Claims**, ensure you add a claim that provides this identifier. For example, you might add a claim named `UserID` (or similar, like `externalId`) that sources its value from `user.objectid`.
2. **Configure Grafana SAML Settings for SCIM:**
- In the `[auth.saml]` section of your Grafana configuration, set `assertion_attribute_external_uid` to the name of the SAML claim you configured in the previous step (e.g., `userUID` or the full URI like `http://schemas.microsoft.com/identity/claims/objectidentifier` if that's how Azure AD sends it).
- In the `[auth.saml]` section of your Grafana configuration, set `assertion_attribute_external_uid` to the name of the SAML claim you configured in the previous step (e.g., `userUID` or the full URI like `http://schemas.microsoft.com/identity/claims/objectidentifier` if that's how Entra ID sends it).
- The `assertion_attribute_login` setting should still be configured to map to the attribute your users will log in with (e.g., `userPrincipalName`, `mail`).
_Example Grafana Configuration:_
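Review bot: the SCIM provisioning reference is retargeted from `.../configure-security/configure-scim-provisioning/` to `.../configure-access/configure-authentication/`, which is the authentication overview, not the SCIM provisioning page; the sentence says "For more details on SCIM, refer to the SCIM provisioning documentation", so the new path should keep the `configure-scim-provisioning/` leaf under the `configure-access` tree, consistent with how the other links in this change were moved.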
@@ -196,20 +198,20 @@ If you are also using SCIM provisioning for this Grafana application in Azure AD
assertion_attribute_external_uid = http://schemas.microsoft.com/identity/claims/objectidentifier # Or your custom claim name for user.objectid
```
Ensure that the value specified in `assertion_attribute_external_uid` precisely matches the name of the claim as it's sent in the SAML assertion from Azure AD.
Ensure that the value specified in `assertion_attribute_external_uid` precisely matches the name of the claim as it's sent in the SAML assertion from Entra ID.
3. **SCIM Linking Identifier and Azure AD:**
3. **SCIM Linking Identifier and Entra ID:**
- By default (if `assertion_attribute_external_uid` is not set), Grafana uses the `userUID` attribute from the SAML assertion for SCIM linking.
- **Recommended for Azure AD:** For SCIM integration with Azure AD, it is necessary to:
1. Ensure Azure AD sends the `user.objectid` in a claim.
2. Either set this claim name in Azure AD to `userUID`, or, if you want to use a different claim name, set `assertion_attribute_external_uid` in Grafana to match the claim name you chose in Azure AD.
- **Recommended for Entra ID:** For SCIM integration with Entra ID, it is necessary to:
1. Ensure Entra ID sends the `user.objectid` in a claim.
2. Either set this claim name in Entra ID to `userUID`, or, if you want to use a different claim name, set `assertion_attribute_external_uid` in Grafana to match the claim name you chose in Entra ID.
## Configure automatic login
Set `auto_login` option to true to attempt login automatically, skipping the login screen.
This setting is ignored if multiple auth providers are configured to use auto login.
For more information about automatic login behavior and troubleshooting, see [Automatic login](/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/#automatic-oauth-login).
For more information about automatic login behavior and troubleshooting, see [Automatic login](/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/#automatic-oauth-login).
```
auto_login = true
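Review bot: the renamed "**Recommended for Entra ID:**" bullet still continues with "it is necessary to:", so the label calls the claim a recommendation and the body calls it a requirement. The SCIM provisioning page in this same change lists the claim under "Security restriction" as mandatory, so "**Required for Entra ID:**" is the accurate label; fix it while the line is being touched. Also, the rebased automatic-login link keeps the `#automatic-oauth-login` anchor on a SAML page; confirm that anchor exists on the `configure-access/configure-authentication/` target and covers SAML, or point at a SAML-specific anchor.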
@@ -247,9 +249,9 @@ IdP-initiated SSO has some security risks, so make sure you understand the risks
For advanced configuration and troubleshooting, please refer to the one of the following pages:
- [Configure SAML request signing](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/saml/configure-saml-request-signing/)
- [Configure SAML single logout](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/saml/configure-saml-single-logout/)
- [Configure Organization mapping](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/saml/configure-saml-org-mapping/)
- [Configure Role and Team sync](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/saml/configure-saml-team-role-mapping/)
- [SAML configuration options](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/saml/saml-configuration-options/)
- [Troubleshooting](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/saml/troubleshoot-saml/)
- [Configure SAML request signing](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/saml/configure-saml-signing-encryption/)
- [Configure SAML single logout](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/saml/configure-saml-single-logout/)
- [Configure Organization mapping](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/saml/configure-saml-org-mapping/)
- [Configure Role and Team sync](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/saml/configure-saml-team-role-mapping/)
- [SAML configuration options](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/saml/saml-configuration-options/)
- [Troubleshooting](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/saml/troubleshoot-saml/)
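Review bot: the first link's target changes from `configure-saml-request-signing/` to `configure-saml-signing-encryption/` but its text still reads "Configure SAML request signing"; update the text to match the broader page (for example "Configure SAML signing and encryption"). The front-matter hunk for that page later in this change only adds aliases for `.../saml/configure-saml-signing-encryption/`, so unless a redirect exists elsewhere, external links and bookmarks to the old `configure-saml-request-signing/` URL will break after this move.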
@@ -1,4 +1,7 @@
---
aliases:
- ../../../configure-security/configure-authentication/setup-grafana/configure-security/configure-authentication/saml/configure-saml-org-mapping/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/setup-grafana/configure-security/configure-authentication/saml/configure-saml-org-mapping/
- ../../../configure-security/configure-authentication/saml/configure-saml-org-mapping/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/saml/configure-saml-org-mapping/
description: Learn how to configure SAML authentication in Grafana's UI.
labels:
products:
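Review bot: the first added alias, `../../../configure-security/configure-authentication/setup-grafana/configure-security/configure-authentication/saml/configure-saml-org-mapping/`, repeats `setup-grafana/configure-security/configure-authentication/` twice and maps to a URL that never existed in the old tree; it looks like a path-join artifact from the redirect generator rather than a real legacy URL. The same doubled-path alias is added in every front-matter hunk in this change (signing-encryption, single-logout, team-role-mapping, entraid, okta, saml-configuration-options, saml-ui, troubleshoot-saml and the SCIM pages). Either document which legacy URL it covers or drop the pattern everywhere; the second alias in each hunk already covers the real `configure-security/...` path.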
@@ -1,4 +1,7 @@
---
aliases:
- ../../../configure-security/configure-authentication/setup-grafana/configure-security/configure-authentication/saml/configure-saml-signing-encryption/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/setup-grafana/configure-security/configure-authentication/saml/configure-saml-signing-encryption/
- ../../../configure-security/configure-authentication/saml/configure-saml-signing-encryption/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/saml/configure-saml-signing-encryption/
description: Learn how to configure SAML authentication in Grafana's UI.
labels:
products:
@@ -1,4 +1,7 @@
---
aliases:
- ../../../configure-security/configure-authentication/setup-grafana/configure-security/configure-authentication/saml/configure-saml-single-logout/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/setup-grafana/configure-security/configure-authentication/saml/configure-saml-single-logout/
- ../../../configure-security/configure-authentication/saml/configure-saml-single-logout/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/saml/configure-saml-single-logout/
description: Learn how to configure SAML authentication in Grafana's UI.
labels:
products:
@@ -1,4 +1,8 @@
---
aliases:
- ../../../configure-access/configure-authentication/saml/configure-saml-team-role-mapping/ # /docs/grafana/next/configure-access/configure-authentication/saml/configure-saml-team-role-mapping/
- ../../../configure-security/configure-authentication/setup-grafana/configure-security/configure-authentication/saml/configure-saml-team-role-mapping/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/setup-grafana/configure-security/configure-authentication/saml/configure-saml-team-role-mapping/
- ../../../configure-security/configure-authentication/saml/configure-saml-team-role-mapping/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/saml/configure-saml-team-role-mapping/
description: Learn how to configure SAML authentication in Grafana's UI.
labels:
products:
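Review bot: the first added alias's comment, `# /docs/grafana/next/configure-access/configure-authentication/saml/configure-saml-team-role-mapping/`, omits the `setup-grafana/` segment, while the relative alias `../../../configure-access/...` resolves under `setup-grafana/` the same way the neighbouring alias comments record. Correct the comment to `/docs/grafana/next/setup-grafana/configure-access/...`, and then check whether that URL is the page's own new location (the "Configure Role and Team sync" link earlier in this change uses exactly that path), in which case the alias is self-referential and should be removed.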
@@ -65,7 +69,7 @@ The following `External Group ID`s would be valid for input in the desired team'
- `admins_group`
- `division_1`
[Learn more about Team Sync](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-team-sync/)
[Learn more about Team Sync](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-team-sync/)
# Configure role sync for SAML
@@ -1,4 +1,8 @@
---
aliases:
- ../../../configure-access/configure-authentication/saml/configure-saml-with-azuread/ # /docs/grafana/next/setup-grafana/configure-access/configure-authentication/saml/configure-saml-with-azuread/
- ../../../configure-security/configure-authentication/setup-grafana/configure-security/configure-authentication/saml/configure-saml-with-entraid/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/setup-grafana/configure-security/configure-authentication/saml/configure-saml-with-entraid/
- ../../../configure-security/configure-authentication/saml/configure-saml-with-azuread/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/saml/configure-saml-with-azuread/
description: Learn how to configure SAML authentication in Grafana's UI.
labels:
products:
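Review bot: the page slug is inconsistent: the doubled-path alias ends in `configure-saml-with-entraid/`, while the other two aliases, the "Configure `userUID` SAML assertion in Entra ID" link on the SCIM provisioning page and the note on the SCIM-with-Entra-ID page all use `configure-saml-with-azuread/`. If the file was renamed to `configure-saml-with-entraid`, those links now go through an alias redirect and the `#configure-saml-assertions-when-using-scim-provisioning` fragment is not guaranteed to survive it; if it was not renamed, the `entraid` alias points nowhere and the `../../../configure-access/.../configure-saml-with-azuread/` alias is the page's own URL. Pick one slug and make the links and aliases agree.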
@@ -16,7 +20,7 @@ Grafana supports user authentication through Microsoft Entra ID. This topic show
{{< admonition type="note" >}}
If an Entra ID user belongs to more than 150 groups, a Graph API endpoint is used instead.
Grafana versions 11.1 and below, do not support fetching the groups from the Graph API endpoint. As a result, users with more than 150 groups will not be able to retrieve their groups. Instead, it is recommended that you use the Azure AD connector.
Grafana versions 11.1 and below, do not support fetching the groups from the Graph API endpoint. As a result, users with more than 150 groups will not be able to retrieve their groups. Instead, it is recommended that you use the Entra ID connector.
As of Grafana 11.2, the SAML integration offers a mechanism to retrieve user groups from the Graph API.
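Review bot: the rewritten note line keeps the stray comma in "Grafana versions 11.1 and below, do not support"; drop it while the line is being changed. More importantly, "it is recommended that you use the Entra ID connector" is now ambiguous on a page that is itself the Entra ID SAML integration; say explicitly that this means the OAuth Entra ID integration (the `configure-authentication/azuread/` page linked elsewhere in this change) rather than SAML.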
@@ -78,11 +82,11 @@ In order to validate Entra ID users with Grafana, you need to configure the SAML
1. In the **Add a client secret** pane, enter a description for the secret.
1. Set the expiration date for the secret.
1. Select **Add**.
1. Copy the value of the secret. This value is used in the `client_secret` field in the [SAML configuration](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/saml/saml-configuration-options/).
1. Copy the value of the secret. This value is used in the `client_secret` field in the [SAML configuration](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/saml/saml-configuration-options/).
## Configure SAML assertions when using SCIM provisioning
In order to verify the logged in user is the same user that was provisioned through Azure AD, you need to include the same `externalId` in the SAML assertion by mapping the SAML assertion `assertion_attribute_external_id`.
In order to verify the logged in user is the same user that was provisioned through Entra ID, you need to include the same `externalId` in the SAML assertion by mapping the SAML assertion `assertion_attribute_external_id`.
1. Open your Entra ID application.
1. Select the SAML single sign-on configuration.
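Review bot: the rewritten sentence under "Configure SAML assertions when using SCIM provisioning" tells readers to map `assertion_attribute_external_id`, but the configuration example and the "SCIM Linking Identifier" section earlier in this change use `assertion_attribute_external_uid`. One of the two names is wrong, and this is the setting that links the SAML login to the SCIM-provisioned user: a misnamed key is likely to be ignored, leaving the default `userUID` lookup described on the other page in effect and the documented claim unused. Fix the option name here while the line is being touched. Minor: "logged in user" should be "logged-in user".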
@@ -1,4 +1,7 @@
---
aliases:
- ../../../configure-security/configure-authentication/setup-grafana/configure-security/configure-authentication/saml/configure-saml-with-okta/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/setup-grafana/configure-security/configure-authentication/saml/configure-saml-with-okta/
- ../../../configure-security/configure-authentication/saml/configure-saml-with-okta/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/saml/configure-saml-with-okta/
description: Learn how to configure SAML authentication in Grafana's UI.
labels:
products:
@@ -1,4 +1,8 @@
---
aliases:
- ../../../configure-access/configure-authentication/saml/saml-configuration-options/_index.md/ # /docs/grafana/next/setup-grafana/configure-access/configure-authentication/saml/saml-configuration-options/_index.md/
- ../../../configure-security/configure-authentication/setup-grafana/configure-security/configure-authentication/saml/saml-configuration-options/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/setup-grafana/configure-security/configure-authentication/saml/saml-configuration-options/
- ../../../configure-security/configure-authentication/saml/saml-configuration-options/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/saml/saml-configuration-options/
labels:
products:
- cloud
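Review bot: the first added alias, `../../../configure-access/configure-authentication/saml/saml-configuration-options/_index.md/`, bakes a source filename into a published URL. It appears to exist only to cover the relative link `../saml-configuration-options/_index.md#saml-configuration-options` in the troubleshooting page later in this change; fix that link to drop `_index.md` and remove this alias rather than shipping an `_index.md/` URL.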
@@ -1,6 +1,9 @@
---
aliases:
- ../saml-ui/ # /docs/grafana/latest/setup-grafana/configure-security/configure-authentication/saml-ui/
- ../../../configure-security/configure-authentication/saml-ui/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/saml-ui/
- ../saml-ui/ # /docs/grafana/latest/setup-grafana/configure-access/configure-authentication/saml-ui/
- ../../../configure-security/configure-authentication/setup-grafana/configure-security/configure-authentication/saml/saml-ui/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/setup-grafana/configure-security/configure-authentication/saml/saml-ui/
- ../../../configure-security/configure-authentication/saml/saml-ui/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/saml/saml-ui/
description: Learn how to configure SAML authentication in Grafana's UI.
labels:
products:
@@ -125,11 +128,11 @@ Learn more about [team sync](../../../configure-team-sync) and [configuring team
Role mapping will automatically update user's [basic role](../../../../../administration/roles-and-permissions/access-control/#basic-roles) based on their SAML roles every time the user logs in to Grafana.
Learn more about [SAML role synchronization](../configure-saml-team-role-mapping/#configure-role-sync).
1. If you're setting up Grafana with Azure AD using the SAML protocol and want to fetch user groups from the Graph API, complete the **Azure AD Service Account Configuration** subsection.
1. Set up a service account in Azure AD and provide the necessary details in the **Azure AD Service Account Configuration** section.
1. Provide the **Client ID** of your Azure AD application.
1. Provide the **Client Secret** of your Azure AD application, the **Client Secret** will be used to request an access token from Azure AD.
1. Provide the Azure AD request **Access Token URL**.
1. If you're setting up Grafana with Entra ID using the SAML protocol and want to fetch user groups from the Graph API, complete the **Entra ID Service Account Configuration** subsection.
1. Set up a service account in Entra ID and provide the necessary details in the **Entra ID Service Account Configuration** section.
1. Provide the **Client ID** of your Entra ID application.
1. Provide the **Client Secret** of your Entra ID application, the **Client Secret** will be used to request an access token from Entra ID.
1. Provide the Entra ID request **Access Token URL**.
1. If you don't have users with more than 150 groups, you can still force the use of the Graph API by enabling the **Force use Graph API** toggle.
1. If you have multiple organizations and want to automatically add users to organizations, complete the **Org mapping section**.
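Review bot: the renamed step "Provide the **Client Secret** of your Entra ID application, the **Client Secret** will be used to request an access token from Entra ID." is a comma splice carried over from the old line; split it ("... application. The Client Secret is used to request ...") since the line is being rewritten anyway. The same applies to the bold section name: "**Entra ID Service Account Configuration** subsection" in the first bullet and "**Entra ID Service Account Configuration** section" in the second refer to the same UI block with different words.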
@@ -1,4 +1,7 @@
---
aliases:
- ../../../configure-security/configure-authentication/setup-grafana/configure-security/configure-authentication/saml/troublsehoot-saml/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/setup-grafana/configure-security/configure-authentication/saml/troublsehoot-saml/
- ../../../configure-security/configure-authentication/saml/troubleshoot-saml/ # /docs/grafana/next/setup-grafana/configure-security/configure-authentication/saml/troubleshoot-saml/
description: Learn how to configure SAML authentication in Grafana's UI.
labels:
products:
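Review bot: the first added alias spells the page `troublsehoot-saml` while the second alias and the page itself use `troubleshoot-saml`. If the misspelling intentionally preserves a historical URL, say so in the trailing comment; otherwise it is a typo that publishes a redirect nobody will hit, and the alias should be corrected or dropped.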
@@ -110,7 +113,7 @@ Ensure `cookie_secure` is set to true to ensure that cookies are only sent over
### Troubleshoot Graph API calls
When setting up SAML authentication with Azure AD, you may encounter issues with Graph API calls. This can happen if the Azure AD application is not properly configured to allow Graph API access.
When setting up SAML authentication with Entra ID, you may encounter issues with Graph API calls. This can happen if the Entra ID application is not properly configured to allow Graph API access.
To help in the troubleshooting process, test the Graph API calls using the following commands:
@@ -122,9 +125,9 @@ curl -X POST "{token_url}" \
Where the following values come from your [SAML configuration](../saml-configuration-options/_index.md#saml-configuration-options):
- `token_url`: The token URL of your Azure AD application.
- `client_id`: The client ID of your Azure AD application.
- `client_secret`: The client secret of your Azure AD application.
- `token_url`: The token URL of your Entra ID application.
- `client_id`: The client ID of your Entra ID application.
- `client_secret`: The client secret of your Entra ID application.
The response should look like:
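Review bot: the unchanged "Where the following values come from your [SAML configuration](../saml-configuration-options/_index.md#saml-configuration-options)" link includes the source filename `_index.md` in the URL; the saml-configuration-options front matter in this change adds an `_index.md/` alias apparently to paper over it. Fix the link to `../saml-configuration-options/#saml-configuration-options` instead. Also worth noting on the renamed bullets: the `client_secret` value is a credential for the Graph API service account, so the troubleshooting text should remind readers not to leave it in shell history when pasting the `curl` command.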
@@ -153,4 +156,4 @@ The response should look like:
}
```
If the second call fails due to 401 or 403, you may need to check the Azure AD application settings to ensure that Graph API access is enabled.
If the second call fails due to 401 or 403, you may need to check the Entra ID application settings to ensure that Graph API access is enabled.
@@ -1,4 +1,7 @@
---
aliases:
- ../setup-grafana/configure-security/configure-scim-provisioning/ # /docs/grafana/next/setup-grafana/setup-grafana/configure-security/configure-scim-provisioning/
- ../configure-security/configure-scim-provisioning/ # /docs/grafana/next/setup-grafana/configure-security/configure-scim-provisioning/
description: Learn how to use SCIM provisioning to synchronize users and groups from your identity provider to Grafana. SCIM enables automated user management, team provisioning, and enhanced security through real-time synchronization with your identity provider.
keywords:
- grafana
@@ -12,7 +15,7 @@ labels:
- enterprise
menuTitle: Configure SCIM provisioning
title: Configure SCIM provisioning
weight: 300
weight: 200
---
# Configure SCIM provisioning
@@ -52,7 +55,7 @@ SCIM offers several advantages for managing users and teams in Grafana:
## Authentication and access requirements
{{< admonition type="warning" title="Critical: Aligning SAML Identifier with SCIM externalId" >}}
When using SAML for authentication alongside SCIM provisioning, a critical security measure is to ensure proper alignment between the the SCIM user's `externalId` and the SAML user identifier. The unique identifier used for SCIM provisioning (which becomes the `externalId` in Grafana, often sourced from a stable IdP attribute like Azure AD's `user.objectid`) **must also be sent as a claim in the SAML assertion from your Identity Provider.**
When using SAML for authentication alongside SCIM provisioning, a critical security measure is to ensure proper alignment between the the SCIM user's `externalId` and the SAML user identifier. The unique identifier used for SCIM provisioning (which becomes the `externalId` in Grafana, often sourced from a stable IdP attribute like Entra ID's `user.objectid`) **must also be sent as a claim in the SAML assertion from your Identity Provider.**
Furthermore, the Grafana SAML configuration must be correctly set up to identify and use this specific claim for linking the authenticated SAML user to their SCIM-provisioned user. This can be achieved by either ensuring the primary SAML login identifier by using the `assertion_attribute_external_uid` setting in Grafana to explicitly set the name of the SAML claim that contains the stable unique identifier attribute.
**Why is this important?**
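Review bot: the rewritten warning line keeps the doubled "the the" in "between the the SCIM user's `externalId`"; fix it while the line is being changed. The following unchanged sentence is also broken: "This can be achieved by either ensuring the primary SAML login identifier by using the `assertion_attribute_external_uid` setting ..." has an "either" with no second alternative and no object for "ensuring". It should state the two options the SAML pages in this change give: send the identifier in a claim named `userUID`, or send it under another claim name and set `assertion_attribute_external_uid` to that name.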
@@ -60,7 +63,7 @@ A mismatch or inconsistent mapping between this SAML login identifier and the SC
Grafana relies on this linkage to correctly associate the authenticated user from SAML with the provisioned user from SCIM. Failure to ensure a consistent and unique identifier across both systems can break this linkage, leading to incorrect user mapping and potential unauthorized access.
Always verify that your SAML identity provider is configured to send a stable, unique user identifier that your SCIM configuration maps to `externalId`. Refer to your identity provider's documentation and the specific Grafana SCIM integration guides (e.g., for [Azure AD](configure-scim-with-azuread/) or [Okta](configure-scim-with-okta/)) for detailed instructions on configuring these attributes correctly.
Always verify that your SAML identity provider is configured to send a stable, unique user identifier that your SCIM configuration maps to `externalId`. Refer to your identity provider's documentation and the specific Grafana SCIM integration guides (e.g., for [Entra ID](configure-scim-with-azuread/) or [Okta](configure-scim-with-okta/)) for detailed instructions on configuring these attributes correctly.
{{< /admonition >}}
When you enable SCIM in Grafana, the following requirements and restrictions apply:
@@ -68,8 +71,8 @@ When you enable SCIM in Grafana, the following requirements and restrictions app
1. **Use the same identity provider for user provisioning and for authentication flow**: You must use the same identity provider for both authentication and user provisioning.
2. **Security restriction**: When using SAML, the login authentication flow requires the SAML assertion exchange between the Identity Provider and Grafana to include the `userUID` SAML assertion with the user's unique identifier at the Identity Provider.
- Configure `userUID` SAML assertion in [Azure AD](/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/saml/configure-saml-with-azuread/#configure-saml-assertions-when-using-scim-provisioning)
- Configure `userUID` SAML assertion in [Okta](/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/saml/configure-saml-with-okta/#configure-saml-assertions-when-using-scim-provisioning)
- Configure `userUID` SAML assertion in [Entra ID](/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/saml/configure-saml-with-azuread/#configure-saml-assertions-when-using-scim-provisioning)
- Configure `userUID` SAML assertion in [Okta](/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/saml/configure-saml-with-okta/#configure-saml-assertions-when-using-scim-provisioning)
## Configure SCIM in Grafana
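Review bot: the unchanged "Security restriction" item states that the SAML assertion must include the `userUID` attribute, but the Entra ID SAML page in this same change says `userUID` is only the default and that `assertion_attribute_external_uid` can name any claim; reword to "the claim configured in `assertion_attribute_external_uid` (default `userUID`)" so the two pages agree. The rebased Entra ID link also still uses the `configure-saml-with-azuread/` slug plus a fragment, while that page's front matter adds an alias for `configure-saml-with-entraid/`; confirm the link resolves without a redirect, since a redirect may drop the `#configure-saml-assertions-when-using-scim-provisioning` fragment.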
@@ -86,7 +89,7 @@ The table below describes all SCIM configuration options. Like any other Grafana
- SCIM group sync (`group_sync_enabled = true`) and Team Sync cannot be enabled simultaneously
- You can use SCIM user sync (`user_sync_enabled = true`) alongside Team Sync
- For more details about migration and compatibility, see [SCIM vs Team Sync](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-scim-provisioning/manage-users-teams/#scim-vs-team-sync)
- For more details about migration and compatibility, see [SCIM vs Team Sync](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-scim-provisioning/manage-users-teams/#scim-vs-team-sync)
{{< /admonition >}}
### Example SCIM configuration
@@ -126,7 +129,7 @@ The Terraform `grafana_scim_config` resource supports the same configuration opt
The following identity providers are supported:
- [Azure AD](../configure-authentication/azuread/)
- [Entra ID](../configure-authentication/azuread/)
- [Okta](../configure-authentication/saml/)
## How it works
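Review bot: the "Entra ID" entry in the supported identity providers list links to `../configure-authentication/azuread/`, the OAuth authentication page, and the Okta entry to the generic `../configure-authentication/saml/` page, while this change already links dedicated SCIM guides (`configure-scim-with-azuread/`, `configure-scim-with-okta/`) from the warning admonition and the "related" list. Point these two entries at the SCIM guides, and since the page also links to the `azuread` OAuth connector, note the restriction stated above that the same provider must be used for authentication and provisioning.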
@@ -161,5 +164,5 @@ The following table compares SCIM with other synchronization methods to help you
- [Manage users and teams with SCIM provisioning](manage-users-teams/)
- [Troubleshoot SCIM provisioning](troubleshooting/)
- [Configure SCIM with Azure AD](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-scim-provisioning/configure-scim-with-azuread/)
- [Configure SCIM with Okta](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-scim-provisioning/configure-scim-with-okta/)
- [Configure SCIM with Entra ID](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/configure-scim-with-azuread/)
- [Configure SCIM with Okta](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/configure-scim-with-okta/)
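Review bot: the two rebased links target `.../configure-access/configure-authentication/configure-scim-with-azuread/` and `.../configure-access/configure-authentication/configure-scim-with-okta/`, but the SCIM guides live under `configure-access/configure-scim-provisioning/` (the SCIM-vs-Team-Sync link earlier in this change and the `configure-scim-with-azuread` front matter comment both use that path); the `configure-authentication/...` URLs only work through aliases added to those pages in this same change. Link to the canonical `configure-scim-provisioning/configure-scim-with-azuread/` and `configure-scim-provisioning/configure-scim-with-okta/` paths instead, and then the `configure-authentication/configure-scim-with-*` aliases can be dropped.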
@@ -1,5 +1,11 @@
---
description: Learn how to configure SCIM provisioning with Azure AD in Grafana Enterprise. This guide provides step-by-step instructions for setting up automated user and team management, including enterprise application configuration, service account creation, attribute mapping, and provisioning settings to ensure seamless integration between Azure AD and Grafana.
aliases:
- ../../configure-access/configure-authentication/configure-scim-with-azuread/ # /docs/grafana/next/setup-grafana/configure-access/configure-authentication/configure-scim-with-azuread/
- ../../configure-security/setup-grafana/configure-security/configure-scim-provisioning/configure-scim-with-azuread/ # /docs/grafana/next/setup-grafana/configure-security/setup-grafana/configure-security/configure-scim-provisioning/configure-scim-with-azuread/
- ../../configure-security/configure-scim-provisioning/configure-scim-with-azuread/ # /docs/grafana/next/setup-grafana/configure-security/configure-scim-provisioning/configure-scim-with-azuread/
- ../../configure-access/configure-scim-with-azuread/ # /docs/grafana/next/setup-grafana/configure-access/configure-scim-provisioning/configure-scim-with-azuread/
description: Learn how to configure SCIM provisioning with Entra ID in Grafana Enterprise. This guide provides step-by-step instructions for setting up automated user and team management, including enterprise application configuration, service account creation, attribute mapping, and provisioning settings to ensure seamless integration between Entra ID and Grafana.
keywords:
- grafana
- scim
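Review bot: the fourth added alias, `../../configure-access/configure-scim-with-azuread/`, disagrees with its own comment `# /docs/grafana/next/setup-grafana/configure-access/configure-scim-provisioning/configure-scim-with-azuread/`: the alias lacks the `configure-scim-provisioning/` segment the comment has. If the comment is right, that URL is the page's own new location and the alias is self-referential; if the alias is right, it covers a `configure-access/configure-scim-with-azuread/` URL that never existed. The first added alias, `../../configure-access/configure-authentication/configure-scim-with-azuread/`, likewise covers a URL that never existed in the old tree and appears only to serve the non-canonical links on the SCIM index page in this change; fix those links and remove it.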
@@ -13,12 +19,12 @@ labels:
products:
- cloud
- enterprise
menuTitle: Configure SCIM with Azure AD
title: Configure SCIM with Azure AD
menuTitle: Configure SCIM with Entra ID
title: Configure SCIM with Entra ID
weight: 320
---
# Configure SCIM with Azure AD
# Configure SCIM with Entra ID
{{< admonition type="note" >}}
Available in [Grafana Enterprise](/docs/grafana/<GRAFANA_VERSION>/introduction/grafana-enterprise/) and to customers on select Grafana Cloud plans. For pricing information, visit [pricing](https://grafana.com/pricing/) or contact our sales team.
@@ -28,7 +34,7 @@ Available in [Grafana Enterprise](/docs/grafana/<GRAFANA_VERSION>/introduction/g
**Public Preview:** SCIM provisioning is currently in Public Preview. While functional, the feature is actively being refined and may undergo changes. We recommend thorough testing in non-production environments before deploying to production systems.
{{< /admonition >}}
This guide explains how to configure SCIM provisioning with Azure AD to automate user and team management in Grafana.
This guide explains how to configure SCIM provisioning with Entra ID to automate user and team management in Grafana.
{{< admonition type="note" >}}
This feature is behind the `enableSCIM` feature toggle.
@@ -39,23 +45,23 @@ For more information, refer to the [feature toggles documentation](/docs/grafana
{{< admonition type="note" >}}
**Important SAML and SCIM Configuration:**
When using SAML for authentication alongside SCIM provisioning with Azure AD, it is crucial to correctly align user identifiers.
When using SAML for authentication alongside SCIM provisioning with Entra ID, it is crucial to correctly align user identifiers.
For detailed information on why this is critical for security and how to configure it, refer to the main [SCIM provisioning documentation](../).
Refer to the [SAML authentication with Azure AD documentation](../../configure-authentication/saml/configure-saml-with-azuread/) for specific instructions on how to configure SAML claims and Grafana SAML settings for your Azure AD SCIM setup.
Refer to the [SAML authentication with Entra ID documentation](../../configure-authentication/saml/configure-saml-with-azuread/) for specific instructions on how to configure SAML claims and Grafana SAML settings for your Entra ID SCIM setup.
{{< /admonition >}}
## Prerequisites
Before configuring SCIM with Azure AD, ensure you have:
Before configuring SCIM with Entra ID, ensure you have:
- Grafana Enterprise or a paid Grafana Cloud account with SCIM provisioning enabled.
- Admin access to both Grafana and Azure AD
- Admin access to both Grafana and Entra ID
- SCIM feature enabled in Grafana
## Configure SCIM in Grafana
To enable SCIM provisioning in Grafana, create a service account and generate a service account token that will be used to authenticate SCIM requests from Azure AD.
To enable SCIM provisioning in Grafana, create a service account and generate a service account token that will be used to authenticate SCIM requests from Entra ID.
### Create a service account
@@ -63,15 +69,15 @@ To enable SCIM provisioning in Grafana, create a service account and generate a
2. Click **Add service account**
3. Create a new service account with Admin role
4. Create a new token for the newly created service account and save it securely
- This token will be used in the Azure AD configuration
- This token will be used in the Entra ID configuration
## Configure SCIM in Azure AD
## Configure SCIM in Entra ID
Configure the enterprise application in Azure AD to enable automated user and team synchronization with Grafana. This involves creating a new application and setting up both authentication and provisioning.
Configure the enterprise application in Entra ID to enable automated user and team synchronization with Grafana. This involves creating a new application and setting up both authentication and provisioning.
### Create the enterprise application
1. Open Azure Portal Entra ID (Azure AD)
1. Open Azure Portal Entra ID (Entra ID)
2. Click **+ Add** dropdown
3. Click **Add Enterprise Application**
4. Click **+ Create Your Own Application**
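Review bot: the mechanical rename turned "Open Azure Portal Entra ID (Azure AD)" into "Open Azure Portal Entra ID (Entra ID)", which is redundant; the parenthetical existed to give the old product name. Write "Open Microsoft Entra ID in the Azure portal" or, if the old name should stay searchable, "Microsoft Entra ID (formerly Azure AD)". The service-account step above also says to create the account with the Admin role and to "save it securely" for the SCIM token; since that token is what authenticates every provisioning request, the page should state where it is stored on the Entra ID side (the Secret Token field in Provisioning, mentioned in the attribute-mapping section below) so readers do not keep a copy elsewhere.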
@@ -101,18 +107,18 @@ Configure the enterprise application in Azure AD to enable automated user and te
### Configure attribute mappings
After setting the Tenant URL and Secret Token, navigate to the **Mappings** section within the same **Provisioning** settings in your Azure AD enterprise application and then click **Provision Microsoft Entra ID Users**. This is where you will define how Azure AD attributes correspond to the SCIM attributes for Grafana, including the mandatory `externalId`.
After setting the Tenant URL and Secret Token, navigate to the **Mappings** section within the same **Provisioning** settings in your Entra ID enterprise application and then click **Provision Microsoft Entra ID Users**. This is where you will define how Entra ID attributes correspond to the SCIM attributes for Grafana, including the mandatory `externalId`.
{{< admonition type="note" >}}
- Only work email addresses are supported. Azure AD must be configured to use `emails[type eq "work"].value` for email mapping.
- The `externalId` attribute in Grafana is mandatory. Azure AD uses this to uniquely identify users and groups. You must map an attribute from Azure AD to the `externalId` attribute in Grafana. This Azure AD attribute must be **a stable and a unique identifier for each individual user** (for example, the `objectId` attribute in Azure AD is commonly used for this purpose).
- Only work email addresses are supported. Entra ID must be configured to use `emails[type eq "work"].value` for email mapping.
- The `externalId` attribute in Grafana is mandatory. Entra ID uses this to uniquely identify users and groups. You must map an attribute from Entra ID to the `externalId` attribute in Grafana. This Entra ID attribute must be **a stable and a unique identifier for each individual user** (for example, the `objectId` attribute in Entra ID is commonly used for this purpose).
{{< /admonition >}}
Configure the following required attributes:
| Azure AD Attribute | Grafana Attribute |
| Entra ID Attribute | Grafana Attribute |
| ------------------------------------------------------------- | ------------------------------ |
| `userPrincipalName` | `userName` |
| `mail` | `emails[type eq "work"].value` |
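Review bot: the renamed note line keeps the awkward "**a stable and a unique identifier for each individual user**"; "a stable, unique identifier for each user" reads better and the line is being changed anyway. The same line says the `objectId` attribute is "commonly used" for `externalId`, while the Entra ID SAML page in this change refers to the same value as `user.objectid` in the claim source; using one spelling on both pages would make it easier to confirm the SCIM `externalId` and the SAML claim really come from the same attribute, which is the whole point of the warning on the SCIM index page.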
@@ -122,7 +128,7 @@ Configure the following required attributes:
### Enable provisioning
Click **Start provisioning** from the top action bar in the **Overview** page from your Azure AD enterprise application.
Click **Start provisioning** from the top action bar in the **Overview** page from your Entra ID enterprise application.
### Configure group provisioning
@@ -137,7 +143,7 @@ To enable group synchronization:
After completing the configuration:
1. Test the SCIM connector in Azure AD
1. Test the SCIM connector in Entra ID
2. Assign a test user to the application
3. Verify the user is provisioned in Grafana
4. Test group synchronization if configured
@@ -1,4 +1,8 @@
---
aliases:
- ../../configure-access/configure-authentication/configure-scim-with-okta/ # /docs/grafana/next/setup-grafana/configure-access/configure-authentication/configure-scim-with-okta/
- ../../configure-security/setup-grafana/configure-security/configure-scim-provisioning/configure-scim-with-okta/ # /docs/grafana/next/setup-grafana/configure-security/setup-grafana/configure-security/configure-scim-provisioning/configure-scim-with-okta/
- ../../configure-security/configure-scim-provisioning/configure-scim-with-okta/ # /docs/grafana/next/setup-grafana/configure-security/configure-scim-provisioning/configure-scim-with-okta/
description: Learn how to configure SCIM provisioning with Okta in Grafana. This guide provides step-by-step instructions for setting up automated user and team management, including SAML configuration, service account creation, attribute mapping, and provisioning settings to ensure seamless integration between Okta and Grafana.
keywords:
- grafana
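Review bot: the second alias, `../../configure-security/setup-grafana/configure-security/configure-scim-provisioning/configure-scim-with-okta/`, resolves to a URL with `setup-grafana/configure-security` repeated twice (`/docs/grafana/next/setup-grafana/configure-security/setup-grafana/configure-security/...`). If that doubled path was never actually published, drop it; if it was, a short comment saying so would stop the next reader from treating it as a copy-paste error. The same doubled alias is added to the manage-users-teams and troubleshooting front matter further down in this change.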
@@ -1,5 +1,8 @@
---
description: Learn how to implement SCIM provisioning in Grafana for automated user and team synchronization. SCIM integrates with identity providers like Okta and Azure AD to streamline user management, automate team provisioning, and replace Team Sync.
aliases:
- ../../configure-security/setup-grafana/configure-security/configure-scim-provisioning/manage-users-teams/ # /docs/grafana/next/setup-grafana/configure-security/setup-grafana/configure-security/configure-scim-provisioning/manage-users-teams/
- ../../configure-security/configure-scim-provisioning/manage-users-teams/ # /docs/grafana/next/setup-grafana/configure-security/configure-scim-provisioning/manage-users-teams/
description: Learn how to implement SCIM provisioning in Grafana for automated user and team synchronization. SCIM integrates with identity providers like Okta and Entra ID to streamline user management, automate team provisioning, and replace Team Sync.
keywords:
- grafana
- scim
@@ -49,7 +52,7 @@ After a user is provisioned through SCIM, they cannot be deleted from Grafana -
For detailed configuration steps specific to the identity provider, see:
- [Configure SCIM with Azure AD](../configure-scim-with-azuread/)
- [Configure SCIM with Entra ID](../configure-scim-with-azuread/)
- [Configure SCIM with Okta](../configure-scim-with-okta/)
### How SCIM identifies users
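Review bot: the link text becomes "Entra ID" but the target stays `../configure-scim-with-azuread/`; that is fine as long as the page slug is not being renamed in this change, but the same relative path is repeated in the "SCIM vs Team Sync" and "Next steps" sections of this file, so a single `refs` entry in the front matter (as the multi-team access page already does) would keep all three in step if the slug is renamed later.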
@@ -69,10 +72,10 @@ SCIM uses a specific process to establish and maintain user identity between the
- Grafana updates the authentication validations to expect this External ID
3. **Matching the User During Login:**
When a user logs in via SAML, Grafana needs to securely match them to the correct user account provisioned by SCIM. This requires using a consistent, unique identifier across both processes (for example, the user's `objectId` in Azure AD).
- **Configure SAML Claims:** Set up your identity provider (e.g., Azure AD) to include this unique identifier in the information it sends during SAML login.
When a user logs in via SAML, Grafana needs to securely match them to the correct user account provisioned by SCIM. This requires using a consistent, unique identifier across both processes (for example, the user's `objectId` in Entra ID).
- **Configure SAML Claims:** Set up your identity provider (e.g., Entra ID) to include this unique identifier in the information it sends during SAML login.
- **Configure Grafana SAML:** In the Grafana SAML settings, use the `assertion_attribute_login` setting to specify which incoming SAML attribute contains this unique identifier.
- **Configure SCIM Mapping:** To complete the link, ensure your SCIM attribute mapping in the identity provider sets the user's Grafana **externalId** attribute to be the _same_ unique identifier provided via SAML (for example, the user's `objectId` in Azure AD).
- **Configure SCIM Mapping:** To complete the link, ensure your SCIM attribute mapping in the identity provider sets the user's Grafana **externalId** attribute to be the _same_ unique identifier provided via SAML (for example, the user's `objectId` in Entra ID).
- See [SAML configuration details](../../configure-authentication/saml/#integrating-with-scim-provisioning) for specific configuration guidance.
This process ensures secure and consistent user identification across both systems, preventing security issues that could arise from email changes or other user attribute modifications.
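Review bot: the "Configure Grafana SAML" bullet tells the reader to set `assertion_attribute_login` but never says which attribute name to expect, while the troubleshooting page in this same change documents the assertion as `userUID` carrying `objectId` for Entra ID and `user.getInternalProperty("id")` for Okta. One sentence tying the two together (for example, "set `assertion_attribute_login` to the name of the SAML attribute that carries this identifier, `userUID` in the troubleshooting examples") would make the three steps line up. The security point itself, matching on an immutable identifier rather than on the email address, is stated correctly.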
@@ -224,7 +227,7 @@ Teams provisioned through SCIM cannot be deleted manually from Grafana - they ca
For detailed configuration steps specific to the identity provider, see:
- [Configure SCIM with Azure AD](../configure-scim-with-azuread/)
- [Configure SCIM with Entra ID](../configure-scim-with-azuread/)
- [Configure SCIM with Okta](../configure-scim-with-okta/)
### SCIM vs Team Sync
@@ -275,5 +278,5 @@ Team membership maintenance:
## Next steps
- [Troubleshoot SCIM provisioning](../troubleshooting/)
- [Configure SCIM with Azure AD](../configure-scim-with-azuread/)
- [Configure SCIM with Entra ID](../configure-scim-with-azuread/)
- [Configure SCIM with Okta](../configure-scim-with-okta/)
@@ -1,4 +1,7 @@
---
aliases:
- ../../configure-security/setup-grafana/configure-security/configure-scim-provisioning/troubleshooting/ # /docs/grafana/next/setup-grafana/configure-security/setup-grafana/configure-security/configure-scim-provisioning/troubleshooting/
- ../../configure-security/configure-scim-provisioning/troubleshooting/ # /docs/grafana/next/setup-grafana/configure-security/configure-scim-provisioning/troubleshooting/
description: Troubleshoot common SCIM provisioning issues in Grafana, including user provisioning, authentication, and login problems.
keywords:
- grafana
@@ -65,11 +68,11 @@ Where:
| SAML Assertion | Identity Provider | Value |
| -------------- | ----------------- | -------------------------------- |
| `userUID` | Azure AD | `objectId` |
| `userUID` | Entra ID | `objectId` |
| `userUID` | Okta | `user.getInternalProperty("id")` |
## Next steps
- [Manage users and teams with SCIM provisioning](../manage-users-teams/)
- [Configure SCIM with Azure AD](../configure-scim-with-azuread/)
- [Configure SCIM with Entra ID](../configure-scim-with-azuread/)
- [Configure SCIM with Okta](../configure-scim-with-okta/)
@@ -1,15 +1,16 @@
---
aliases:
- ../../auth/team-sync/
- ../../enterprise/team-sync/
description: Learn how to use Team Sync to synchronize between your authentication
provider teams and Grafana teams.
- ../setup-grafana/configure-security/configure-team-sync/ # /docs/grafana/next/setup-grafana/setup-grafana/configure-security/configure-team-sync/
- ../../auth/team-sync/ # /docs/grafana/next/auth/team-sync/
- ../../enterprise/team-sync/ # /docs/grafana/next/enterprise/team-sync/
- ../configure-security/configure-team-sync/ # /docs/grafana/next/setup-grafana/configure-security/configure-team-sync/
description: Learn how to use Team Sync to synchronize between your authentication provider teams and Grafana teams.
labels:
products:
- cloud
- enterprise
title: Configure Team Sync
weight: 1000
weight: 600
---
# Configure Team Sync
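Review bot: `weight` drops from 1000 to 600 here, and from 1200 to 500 on the multi-team access page further down, which reorders both pages in the sidebar; nothing in the visible diff shows the neighbouring pages, so confirm the intended order against the rest of the `configure-access` section. The alias comments are a useful addition, and the reflowed single-line `description` is equivalent to the old two-line value.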
@@ -29,15 +30,15 @@ This mechanism allows Grafana to remove an existing synchronized user from a tea
## Supported providers
- [Auth Proxy](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/auth-proxy/#team-sync)
- [Azure AD](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/azuread/#team-sync)
- [Generic OAuth integration](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/generic-oauth/#configure-team-synchronization)
- [GitHub OAuth](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/github/#configure-team-synchronization)
- [GitLab OAuth](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/gitlab/#configure-team-synchronization)
- [Google OAuth](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/google/#configure-team-synchronization)
- [LDAP](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/enhanced-ldap/)
- [Okta](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/okta/#configure-team-synchronization)
- [SAML](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/saml/)
- [Auth Proxy](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/auth-proxy/#team-sync)
- [Entra ID](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/azuread/#team-sync)
- [Generic OAuth integration](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/generic-oauth/#configure-team-synchronization)
- [GitHub OAuth](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/github/#configure-team-synchronization)
- [GitLab OAuth](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/gitlab/#configure-team-synchronization)
- [Google OAuth](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/google/#configure-team-synchronization)
- [LDAP](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/enhanced-ldap/)
- [Okta](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/okta/#configure-team-synchronization)
- [SAML](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/saml/)
## Synchronize a Grafana team with an external group
@@ -1,6 +1,8 @@
---
aliases:
- ../../enterprise/manage-single-access/
- ../setup-grafana/configure-security/manage-single-access/ # /docs/grafana/next/setup-grafana/setup-grafana/configure-security/manage-single-access/
- ../../enterprise/manage-single-access/ # /docs/grafana/next/enterprise/manage-single-access/
- ../configure-security/manage-single-access/ # /docs/grafana/next/setup-grafana/configure-security/manage-single-access/
description: Manage multi-team access in a single Grafana instance
keywords:
- grafana
@@ -14,7 +16,8 @@ labels:
- cloud
- enterprise
title: Manage multi-team access in a single Grafana instance
weight: 1200
menuTitle: Multi-team access
weight: 500
refs:
create-folder:
- pattern: /docs/grafana/
@@ -38,17 +41,17 @@ refs:
destination: /docs/grafana-cloud/security-and-account-management/authentication-and-permissions/access-control/rbac-fixed-basic-role-definitions/#fixed-role-definitions
drilldown:
- pattern: /docs/grafana/
destination: /docs/grafana/<GRAFANA_VERSION/explore/simplified-exploration/
destination: /docs/grafana/<GRAFANA_VERSION>/explore/simplified-exploration/
- pattern: /docs/grafana-cloud/
destination: /docs/grafana-cloud/visualizations/simplified-exploration/
add-data-source:
- pattern: /docs/grafana/
destination: /docs/grafana/<GRAFANA_VERSION/datasources/#add-a-data-source
destination: /docs/grafana/<GRAFANA_VERSION>/datasources/#add-a-data-source
- pattern: /docs/grafana-cloud/
destination: /docs/grafana-cloud/connect-externally-hosted/data-sources/#add-a-data-source
lbac:
- pattern: /docs/grafana/
destination: /docs/grafana/<GRAFANA_VERSION/administration/data-source-management/teamlbac
destination: /docs/grafana/<GRAFANA_VERSION>/administration/data-source-management/teamlbac
- pattern: /docs/grafana-cloud/
destination: /docs/grafana-cloud/security-and-account-management/authentication-and-permissions/access-policies/label-access-policies
---
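Review bot: good catch; `<GRAFANA_VERSION` without the closing `>` would have broken all three `refs` destinations (`drilldown`, `add-data-source`, `lbac`) on the Grafana docs path. Since the same typo appeared three times in one file, a repo-wide search for `<GRAFANA_VERSION/` is worth doing before merging so no other occurrences are left behind.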
@@ -143,7 +146,7 @@ For example, users working in [Frontend Observability](https://grafana.com/docs/
After you've made sure the model is working, you can codify it.
You can add any new users to your Grafana instance with an Identity Provider through [SCIM](../../configure-security/configure-scim-provisioning/). Use [role sync](../../configure-security/configure-authentication/saml/configure-saml-team-role-mapping/#configure-role-sync-for-saml) to automatically assign users the correct basic role (Viewer, Editor, or Admin) based on their mapped attributes in the IdP..
You can add any new users to your Grafana instance with an Identity Provider through [SCIM](../../configure-access/configure-authentication/). Use [role sync](../../../configure-access/configure-authentication/saml/configure-saml-team-role-mapping/#configure-role-sync-for-saml) to automatically assign users the correct basic role (Viewer, Editor, or Admin) based on their mapped attributes in the IdP..
You can also use Terraform to provision teams their folders, fixed roles, and shared data source LBAC rules. For example, if you need to add a new team (Team D), you only need to add the new team to Grafana and run the Terraform script, which will automatically set them up to start using Grafana.
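Review bot: the SCIM link no longer points at the SCIM page: `../../configure-security/configure-scim-provisioning/` becomes `../../configure-access/configure-authentication/`, which is the authentication overview, so a reader clicking "SCIM" lands on the wrong page. The role sync link in the same sentence now uses `../../../configure-access/...` (three levels up) while the SCIM link uses two, so at most one of the two prefixes can be correct from this file. The trailing "IdP.." double period also survives the change and should be fixed while the line is being touched.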
@@ -1026,7 +1026,7 @@ This is a comma-separated list of usernames. Users specified here are hidden in
### `[auth]`
Grafana provides many ways to authenticate users. Refer to the Grafana [Authentication overview](../configure-security/configure-authentication/) and other authentication documentation for detailed instructions on how to set up and configure authentication.
Grafana provides many ways to authenticate users. Refer to the Grafana [Authentication overview](../configure-access/configure-authentication/) and other authentication documentation for detailed instructions on how to set up and configure authentication.
#### `login_cookie_name`
@@ -1231,25 +1231,25 @@ This means the plugin can only access data and resources within that specific or
### `[auth.anonymous]`
Refer to [Anonymous authentication](../configure-security/configure-authentication/grafana/#anonymous-authentication) for detailed instructions.
Refer to [Anonymous authentication](../configure-access/configure-authentication/grafana/#anonymous-authentication) for detailed instructions.
<hr />
### `[auth.github]`
Refer to [GitHub OAuth2 authentication](../configure-security/configure-authentication/github/) for detailed instructions.
Refer to [GitHub OAuth2 authentication](../configure-access/configure-authentication/github/) for detailed instructions.
<hr />
### `[auth.gitlab]`
Refer to [GitLab OAuth 2.0 authentication](../configure-security/configure-authentication/gitlab/) for detailed instructions.
Refer to [GitLab OAuth 2.0 authentication](../configure-access/configure-authentication/gitlab/) for detailed instructions.
<hr />
### `[auth.google]`
Refer to [Google OAuth2 authentication](../configure-security/configure-authentication/google/) for detailed instructions.
Refer to [Google OAuth2 authentication](../configure-access/configure-authentication/google/) for detailed instructions.
<hr />
@@ -1267,37 +1267,37 @@ Legacy key names, still in the configuration file so they work in environment va
### `[auth.azuread]`
Refer to [Azure AD OAuth2 authentication](../configure-security/configure-authentication/azuread/) for detailed instructions.
Refer to [Entra ID OAuth2 authentication](../configure-access/configure-authentication/azuread/) for detailed instructions.
<hr />
### `[auth.okta]`
Refer to [Okta OAuth2 authentication](../configure-security/configure-authentication/okta/) for detailed instructions.
Refer to [Okta OAuth2 authentication](../configure-access/configure-authentication/okta/) for detailed instructions.
<hr />
### `[auth.generic_oauth]`
Refer to [Generic OAuth authentication](../configure-security/configure-authentication/generic-oauth/) for detailed instructions.
Refer to [Generic OAuth authentication](../configure-access/configure-authentication/generic-oauth/) for detailed instructions.
<hr />
### `[auth.basic]`
Refer to [Basic authentication](../configure-security/configure-authentication/#basic-authentication) for detailed instructions.
Refer to [Basic authentication](../configure-access/configure-authentication/#basic-authentication) for detailed instructions.
<hr />
### `[auth.proxy]`
Refer to [Auth proxy authentication](../configure-security/configure-authentication/auth-proxy/) for detailed instructions.
Refer to [Auth proxy authentication](../configure-access/configure-authentication/auth-proxy/) for detailed instructions.
<hr />
### `[auth.ldap]`
Refer to [LDAP authentication](../configure-security/configure-authentication/ldap/) for detailed instructions.
Refer to [LDAP authentication](../configure-access/configure-authentication/ldap/) for detailed instructions.
### `[aws]`
@@ -1370,27 +1370,27 @@ Should be set for user-assigned identity and should be empty for system-assigned
#### `workload_identity_enabled`
Specifies whether Azure AD Workload Identity authentication should be enabled in data sources that support it.
Specifies whether Entra ID Workload Identity authentication should be enabled in data sources that support it.
For more documentation on Azure AD Workload Identity, review [Azure AD Workload Identity](https://azure.github.io/azure-workload-identity/docs/) documentation.
For more documentation on Entra ID Workload Identity, review [Entra ID Workload Identity](https://azure.github.io/azure-workload-identity/docs/) documentation.
Disabled by default, needs to be explicitly enabled.
#### `workload_identity_tenant_id`
Tenant ID of the Azure AD Workload Identity.
Tenant ID of the Entra ID Workload Identity.
Allows to override default tenant ID of the Azure AD identity associated with the Kubernetes service account.
Allows to override default tenant ID of the Entra ID identity associated with the Kubernetes service account.
#### `workload_identity_client_id`
Client ID of the Azure AD Workload Identity.
Client ID of the Entra ID Workload Identity.
Allows to override default client ID of the Azure AD identity associated with the Kubernetes service account.
Allows to override default client ID of the Entra ID identity associated with the Kubernetes service account.
#### `workload_identity_token_file`
Custom path to token file for the Azure AD Workload Identity.
Custom path to token file for the Entra ID Workload Identity.
Allows to set a custom path to the projected service account token file.
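Review bot: renaming the product to "Entra ID Workload Identity" in the link text while the URL still points at `azure.github.io/azure-workload-identity` is inconsistent; the upstream project keeps its own name, so either leave the link text as the project calls itself or say "(formerly Azure AD Workload Identity)" once and use the new name afterwards. While these lines are being edited, "Allows to override default tenant ID" and "Allows to override default client ID" should read "Allows overriding the default tenant ID" and "Allows overriding the default client ID".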
@@ -1456,7 +1456,7 @@ Disabled by default, needs to be explicitly enabled.
### `[auth.jwt]`
Refer to [JWT authentication](../configure-security/configure-authentication/jwt/) for more information.
Refer to [JWT authentication](../configure-access/configure-authentication/jwt/) for more information.
<hr />
@@ -2567,7 +2567,7 @@ Available to Grafana administrators only, enables installing, uninstalling, and
Set to `true` by default.
Setting it to `false` hides the controls.
For more information, refer to [Plugin catalog](../../administration/plugin-management/#plugin-catalog).
For more information, refer to [Plugin catalog](../../administration/plugin-management/#access-the-plugin-catalog).
#### `plugin_admin_external_manage_enabled`
@@ -6,7 +6,6 @@ description: Learn how to integrate Grafana with Hashicorp Vault so that you can
labels:
products:
- enterprise
- oss
title: Integrate Grafana with Hashicorp Vault
weight: 500
---
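Review bot: dropping `- oss` from `products` changes which editions the Vault integration page is listed under, which is a visibility change rather than a link fix like the rest of this diff; it deserves a sentence in the description saying that the integration is Enterprise-only so the change is not reverted as accidental.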
@@ -8,6 +8,7 @@ title: 'Custom webhook example'
---
```go
{- /* Generates a pretty-printed JSON payload with alert group info and individual alerts metadata. */ -}}
{{ define "webhook.custom.payload" -}}
{{ coll.Dict
"receiver" .Receiver
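Review bot: the added comment opens with `{-` instead of `{{-`, so `{- /* Generates a pretty-printed JSON payload ... */ -}}` is not a template action at all; Go's text/template will emit it as literal text, and the stray `-}}` has no matching `{{`. It should read `{{- /* Generates a pretty-printed JSON payload with alert group info and individual alerts metadata. */ -}}`. Because this is a fenced example that users will paste into a contact point, the typo should be fixed before release.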
+1 -1
@@ -10,4 +10,4 @@ There are numerous authentication methods available in Grafana to verify user id
You can also configure Grafana to automatically update users' roles and team memberships in Grafana based on the information returned by the auth provider integration.
When deciding on an authentication method, it's important to take into account your current identity and access management system as well as the specific authentication and authorization features you require.
For a complete list of the available authentication options and the features they support, refer to [Configure authentication](/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication).
For a complete list of the available authentication options and the features they support, refer to [Configure authentication](/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication).
+1 -1
@@ -270,7 +270,7 @@ With the new user interface (UI), you can now configure SAML without needing to
The SAML UI is available in Grafana Enterprise, Cloud Pro, and Advanced. It's user-friendly, with clear instructions and helpful prompts to guide you through the process.
For more information on how to set up SAML using the Grafana UI, refer to [Configure SAML authentication using the Grafana user interface](../../setup-grafana/configure-security/configure-authentication/saml-ui/).
For more information on how to set up SAML using the Grafana UI, refer to [Configure SAML authentication using the Grafana user interface](../../setup-grafana/configure-access/configure-authentication/saml-ui/).
### Case-insensitive usernames and email addresses
+2 -2
@@ -439,7 +439,7 @@ Grafana now supports GitLab OIDC through the `GitLab` OAuth provider in addition
This change also allows Grafana to reduce the access scope to only the required scopes for authentication and authorization, instead
of full read API access.
To learn how to migrate your GitLab OAuth2 setup to OIDC, refer to our [GitLab authentication documentation](../../setup-grafana/configure-security/configure-authentication/gitlab/).
To learn how to migrate your GitLab OAuth2 setup to OIDC, refer to our [GitLab authentication documentation](../../setup-grafana/configure-access/configure-authentication/gitlab/).
### Google OIDC and Team Sync support
@@ -451,7 +451,7 @@ Grafana now supports Google OIDC through the `Google` OAuth provider in addition
This release also adds support for Google OIDC in Team Sync. You can now easily add users to teams by using their Google groups.
To learn how to migrate your Google OAuth2 setup to OIDC and how to set up Team Sync, refer to our [Google authentication documentation](../../setup-grafana/configure-security/configure-authentication/google/).
To learn how to migrate your Google OAuth2 setup to OIDC and how to set up Team Sync, refer to our [Google authentication documentation](../../setup-grafana/configure-access/configure-authentication/google/).
## Plugins
+2 -2
@@ -459,7 +459,7 @@ This is useful if you want to limit the access users have to your Grafana instan
We've also added support for controlling allowed groups when using Google OIDC.
Refer to the [Google Authentication documentation](http://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/google/) to learn how to use these new options.
Refer to the [Google Authentication documentation](http://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/google/) to learn how to use these new options.
### Configure refresh token handling separately for OAuth providers
@@ -471,7 +471,7 @@ With Grafana v9.3, we introduced a [feature toggle](https://grafana.com/docs/gra
With the current release, we've introduced a new configuration option for each OAuth provider called `use_refresh_token` that allows you to configure whether the particular OAuth integration should use refresh tokens to automatically refresh access tokens when they expire. In addition, to further improve security and provide secure defaults, `use_refresh_token` is enabled by default for providers that support either refreshing tokens automatically or client-controlled fetching of refresh tokens. It's enabled by default for the following OAuth providers: `AzureAD`, `GitLab`, `Google`.
For more information on how to set up refresh token handling, please refer to [the documentation of the particular OAuth provider.](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/).
For more information on how to set up refresh token handling, please refer to [the documentation of the particular OAuth provider.](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/).
{{< admonition type="note" >}}
The `use_refresh_token` configuration must be used in conjunction with the `accessTokenExpirationCheck` [feature toggle](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-grafana/feature-toggles/). If you disable the `accessTokenExpirationCheck` feature toggle, Grafana won't check the expiration of the access token and won't automatically refresh the expired access token, even if the `use_refresh_token` configuration is set to `true`.
+1 -1
@@ -407,4 +407,4 @@ When anonymous access has been enabled, any device which accesses Grafana in the
{{< youtube id="B72X3_9e-ds" >}}
[Documentation](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/grafana/)
[Documentation](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/grafana/)
+1 -1
@@ -219,7 +219,7 @@ We are working on adding complete support for configuring all other supported OA
{{< youtube id="xXW2eRTbjDY" >}}
[Documentation](https://grafana.com/docs/grafana/next/setup-grafana/configure-security/configure-authentication/)
[Documentation](https://grafana.com/docs/grafana/next/setup-grafana/configure-access/configure-authentication/)
## Data sources
+3 -3
@@ -376,7 +376,7 @@ If you manage your users using Grafana's built-in basic authorization as an iden
Starting with Grafana v11.0, you can enable an opinionated strong password policy feature. This configuration option validates all password updates to comply with our strong password policy.
To learn more about Grafana's strong password policy, refer to the [documentation](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/grafana/#strong-password-policy).
To learn more about the strong password policy in Grafana, refer to the [documentation](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/grafana/#strong-password-policy).
### Anonymous users are billed in Grafana Enterprise
@@ -388,6 +388,6 @@ We are announcing a license change to the anonymous access feature in Grafana 1
**Affected Grafana versions**
[Anonymous authentication](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/grafana/#anonymous-authentication) is disabled by default in Grafana Cloud. This licensing change only affects Grafana Enterprise (self-managed) edition. Anonymous users will be charged as active users in Grafana Enterprise.
[Anonymous authentication](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/grafana/#anonymous-authentication) is disabled by default in Grafana Cloud. This licensing change only affects Grafana Enterprise (self-managed) edition. Anonymous users will be charged as active users in Grafana Enterprise.
[Documentation](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/grafana/#anonymous-devices)
[Documentation](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/grafana/#anonymous-devices)
+2 -2
@@ -254,7 +254,7 @@ This is a longstanding feature request from the community. We collaborated with
For Generic OAuth and Okta, you can configure the claim (using the `org_attribute_path` setting) that contains the organizations which the user belongs to. Other OAuth providers use the same attribute for organization mapping that is used for group mapping: Entra ID (previously Azure AD), GitLab and Google use the current users Groups, and GitHub uses the users Teams.
To configure organization mapping for your instance, please check the documentation for the OAuth provider you are using in the [Grafana documentation](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/). You can find an example of how to configure organization mapping on each OAuth provider page under the **Org roles mapping example** section.
To configure organization mapping for your instance, please check the documentation for the OAuth provider you are using in the [Grafana documentation](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/). You can find an example of how to configure organization mapping on each OAuth provider page under the **Org roles mapping example** section.
### Better SAML integration for Azure AD
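Review bot: the unchanged context line "Entra ID (previously Azure AD), GitLab and Google use the current users Groups, and GitHub uses the users Teams" is missing two apostrophes ("the current user's Groups", "the user's Teams"); since the paragraph right below it is being edited anyway, it is worth fixing in the same change.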
@@ -266,7 +266,7 @@ When setting up Grafana with Azure AD using the SAML protocol, the Azure AD Grap
With Grafana 11.2, we offer a mechanism for setting up an application as a Service Account in Azure AD and retrieving information from Graph API.
Please refer to our [documentation](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/saml/#configure-a-graph-api-application-in-azure-ad) on how to set up an Azure AD registered application for this setup.
Please refer to our [documentation](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/saml/#configure-a-graph-api-application-in-azure-ad) on how to set up an Azure AD registered application for this setup.
### API support for LDAP configuration
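Review bot: the heading "Better SAML integration for Azure AD" and the surrounding body keep "Azure AD" while the rest of this change renames to "Entra ID"; for a historical release note that is defensible, but the anchor `#configure-a-graph-api-application-in-azure-ad` in the new link should be checked against the current SAML page, since the target heading may have been renamed along with the product name and the link would then silently land at the top of the page.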
+2 -2
@@ -225,11 +225,11 @@ This release includes a series of features that build on our new usage analytics
### SAML Role and Team Sync
SAML support in Grafana Enterprise is improved by adding Role and Team Sync. Read more about how to use these features in the [SAML team sync documentation](../../setup-grafana/configure-security/configure-authentication/saml/#configure-team-sync).
SAML support in Grafana Enterprise is improved by adding Role and Team Sync. Read more about how to use these features in the [SAML team sync documentation](../../setup-grafana/configure-access/configure-authentication/saml/#configure-team-sync).
### Okta OAuth Team Sync
Okta gets its own provider which adds support for Team Sync. Read more about it in the [Okta documentation](../../setup-grafana/configure-security/configure-authentication/okta/).
Okta gets its own provider which adds support for Team Sync. Read more about it in the [Okta documentation](../../setup-grafana/configure-access/configure-authentication/okta/).
## Changelog
+2 -2
@@ -146,11 +146,11 @@ Insights:
### SAML single logout
SAMLs single logout (SLO) capability allows users to log out from all applications associated with the current identity provider (IdP) session established via SAML SSO. For more information, refer to the [docs](../../setup-grafana/configure-security/configure-authentication/saml/#single-logout).
SAMLs single logout (SLO) capability allows users to log out from all applications associated with the current identity provider (IdP) session established via SAML SSO. For more information, refer to the [docs](../../setup-grafana/configure-access/configure-authentication/saml/#single-logout).
### SAML IdP-initiated single sign on
IdP-initiated single sign on (SSO) allows the user to log in directly from the SAML identity provider (IdP). It is disabled by default for security reasons. For more information, refer to the [docs](../../setup-grafana/configure-security/configure-authentication/saml/#idp-initiated-single-sign-on-sso).
IdP-initiated single sign on (SSO) allows the user to log in directly from the SAML identity provider (IdP). It is disabled by default for security reasons. For more information, refer to the [docs](../../setup-grafana/configure-access/configure-authentication/saml/#idp-initiated-single-sign-on-sso).
## Changelog
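Review bot: `SAMLs single logout` at the top of the hunk is missing its apostrophe on both the removed and the added line; since the line is being rewritten anyway, make it `SAML's single logout (SLO) capability`. The fragments `#single-logout` and `#idp-initiated-single-sign-on-sso` are carried over unchanged, which is only correct if the headings on the page at the new `configure-access` path kept the same text; a stale fragment does not 404, it just drops the reader at the top of the page.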
+1 -1
@@ -211,7 +211,7 @@ For more information, refer to [Export logs of usage insights](../../setup-grafa
### New audit log events
New log out events are logged based on when a token expires or is revoked, as well as [SAML Single Logout](../../setup-grafana/configure-security/configure-authentication/saml/#single-logout). A `tokenId` field was added to all audit logs to help understand which session was logged out of.
New log out events are logged based on when a token expires or is revoked, as well as [SAML Single Logout](../../setup-grafana/configure-access/configure-authentication/saml/#single-logout). A `tokenId` field was added to all audit logs to help understand which session was logged out of.
Also, a counter for audit log writing actions with status (success / failure) and logger (loki / file / console) labels was added.
+3 -3
@@ -160,7 +160,7 @@ Log navigation in Explore has been significantly improved. We added pagination t
You can now use the Plugin catalog app to easily manage your plugins from within Grafana. Install, update, and uninstall plugins without requiring a server restart.
[Plugin catalog](../../administration/plugin-management/#plugin-catalog) was added as a result of this feature.
[Plugin catalog](../../administration/plugin-management/#access-the-plugin-catalog) was added as a result of this feature.
### Performance improvements
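Review bot: this hunk changes the fragment rather than the directory: `#plugin-catalog` becomes `#access-the-plugin-catalog` on the same `../../administration/plugin-management/` page. Verify that the target page has a heading that slugifies to exactly `access-the-plugin-catalog` (for example "Access the plugin catalog"), because a wrong fragment fails silently with no broken-link error.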
@@ -267,11 +267,11 @@ JWT is a new authentication option in Grafana.
You can now configure Grafana to accept a JWT token provided in the HTTP header.
[JWT authentication](../../setup-grafana/configure-security/configure-authentication/jwt/) was added and [Configuration](../../setup-grafana/configure-grafana/#authjwt) was updated as a result of this feature.
[JWT authentication](../../setup-grafana/configure-access/configure-authentication/jwt/) was added and [Configuration](../../setup-grafana/configure-grafana/#authjwt) was updated as a result of this feature.
#### OAuth
[Generic OAuth authentication](../../setup-grafana/configure-security/configure-authentication/generic-oauth/) has been updated as a result of these changes.
[Generic OAuth authentication](../../setup-grafana/configure-access/configure-authentication/generic-oauth/) has been updated as a result of these changes.
##### Added OAuth support for empty scopes
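Review bot: the JWT link in the first changed line moves to `configure-access`, while the `[Configuration](../../setup-grafana/configure-grafana/#authjwt)` link on the same line is left untouched; that is correct only if `configure-grafana` was not part of the directory move, so please confirm. The same applies to the Generic OAuth link further down: every `../../` link in this diff assumes the release-notes pages stay at their current depth in the site tree.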
+2 -2
@@ -130,13 +130,13 @@ Enable role-based access control by adding the term `accesscontrol` to the list
#### Assign SAML users different roles in different Organizations
You can use Grafana's SAML integration to map organizations in your SAML service to [Organizations](../../setup-grafana/configure-security/configure-authentication/saml/#configure-organization-mapping) in Grafana so that users who authenticate using SAML have the right permissions. Previously, you could only choose a single role (Viewer, Editor, or Admin) for users, which would apply to all of their Organizations. Now, you can map a given SAML user or org to different roles in different Organizations, so that, for example, they can be a Viewer in one Organization and an Admin in another.
You can use Grafana SAML integration to map organizations in your SAML service to [Organizations](../../setup-grafana/configure-access/configure-authentication/saml/#configure-organization-mapping) in Grafana so that users who authenticate using SAML have the right permissions. Previously, you could only choose a single role (Viewer, Editor, or Admin) for users, which would apply to all of their Organizations. Now, you can map a given SAML user or org to different roles in different Organizations, so that, for example, they can be a Viewer in one Organization and an Admin in another.
Additionally, you can now grant multiple SAML organizations access to Grafana, using the `allowed_organizations` attribute. Previously, you could only map one.
{{< figure src="/static/img/docs/enterprise/8-4-SAML-auth.png" max-width="1200px" caption="Assign SAML users role" >}}
Learn more in our [SAML docs](../../setup-grafana/configure-security/configure-authentication/saml/).
Learn more in our [SAML docs](../../setup-grafana/configure-access/configure-authentication/saml/).
### Performance improvements
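Review bot: the rewritten line at the top of the hunk also drops the possessive, turning `Grafana's SAML integration` into `Grafana SAML integration`; that is an unrelated wording regression in a link-only change, so keep `Grafana's` on the new line. The `#configure-organization-mapping` fragment and the bare `saml/` link on the last changed line are otherwise the same path rename as the rest of the diff.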
+2 -2
@@ -58,7 +58,7 @@ To see JWT URL embedding in action, see the [sample project](https://github.com/
You can now use GitHub OAuth2 to map users or teams to specific [Grafana organization roles](../../administration/roles-and-permissions/#organization-roles) by using `role_attribute_path` configuration option.
Grafana will use [JMESPath](https://jmespath.org/examples.html) for path lookup and role mapping.
For more information, see the [documentation](../../setup-grafana/configure-security/configure-authentication/github/#map-roles).
For more information, see the [documentation](../../setup-grafana/configure-access/configure-authentication/github/#map-roles).
Grafana Cloud users can access this feature by [opening a support ticket in the Cloud Portal](/profile/org#support).
@@ -242,7 +242,7 @@ To learn more, see the [configuration documentation](../../setup-grafana/configu
When you synchronize users from a SAML, LDAP, or OAuth provider, some user settings, such as name and email address, are synchronized from your identity provider.
Previously, you could edit those settings in the Grafana UI, but they would revert back.
To make user management clearer, you can now see which settings are synchronized from your identity provider, but you cannot edit those settings.
To learn more about authentication, see the [documentation](../../setup-grafana/configure-security/configure-authentication/).
To learn more about authentication, see the [documentation](../../setup-grafana/configure-access/configure-authentication/).
{{< figure src="/static/img/docs/enterprise/oauth-synced-user-9-1.png" max-width="750px" caption="Non-interactive view of a user synced via OAuth" >}}
+3 -3
@@ -205,7 +205,7 @@ _Generally available in Grafana Enterprise, Grafana Cloud Pro, and Advanced._
### Map a user to all organizations in Grafana
You can now use `*` as the Grafana organization in the mapping to add all users from a given SAML Organization to all existing Grafana organizations.
For more information, see ["Configure SAML authentication"](/docs/grafana/next/setup-grafana/configure-security/configure-authentication/saml/#configure-organization-mapping) in the documentation.
For more information, see ["Configure SAML authentication"](/docs/grafana/next/setup-grafana/configure-access/configure-authentication/saml/#configure-organization-mapping) in the documentation.
### Skip organization role sync
@@ -215,13 +215,13 @@ If you use a SAML identity provider to manage your users but prefer to assign ro
Use the `skip_org_role_sync` configuration option when configuring SAML to prevent synchronization with SAML roles and make user roles editable from within Grafana.
For more information, see the [SAML configuration documentation](/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/saml/).
For more information, see the [SAML configuration documentation](/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/saml/).
## Assign Server Admin permissions from Oauth
You can now map OAuth groups and roles to Server Admin for the GitLab, GitHub, AzureAD, Okta, and Generic OAuth integrations.
To enable this functionality, set the `allow_assign_grafana_admin` configuration option to `true` in the desired OAuth integration section.
For more information, see the [authentication configuration documentation](/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/) for each OAuth client.
For more information, see the [authentication configuration documentation](/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-access/configure-authentication/) for each OAuth client.
## Match parameter support in prometheus labels API
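Review bot: both links in this hunk change the version segment from `/docs/grafana/latest/` to `/docs/grafana/<GRAFANA_VERSION>/` in addition to the `configure-security` to `configure-access` rename, while the preceding hunk (`@@ -205,7`) in the same file keeps `/docs/grafana/next/` on its updated line. Pick one version convention for the file: a `next` link on a versioned release-notes page sends readers to unreleased docs, and `<GRAFANA_VERSION>` only resolves if the docs toolchain substitutes that placeholder, which the PR description should state.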
+3 -3
@@ -151,7 +151,7 @@ As part of our efforts to improve the security of Grafana, we are introducing a
Because this feature introduces a breaking change, it is behind the `accessTokenExpirationCheck` feature toggle and is disabled by default. Enabling this functionality without configuring refresh tokens for the specific OAuth provider will sign users out after their access token has expired, and they would need to sign in again every time.
Complete documentation on how to configure obtaining a refresh token can be found on the [authentication configuration page](../../setup-grafana/configure-security/configure-authentication/), in the instructions for your Oauth identity provider.
Complete documentation on how to configure obtaining a refresh token can be found on the [authentication configuration page](../../setup-grafana/configure-access/configure-authentication/), in the instructions for your Oauth identity provider.
### Resolve user conflicts in Grafana's CLI
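Review bot: the updated line still reads `your Oauth identity provider` where the surrounding context (`accessTokenExpirationCheck`, "OAuth provider") uses `OAuth`; fix the casing while the line is being rewritten rather than carrying the inconsistency over.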
@@ -181,7 +181,7 @@ If you use an LDAP directory to authenticate to Grafana but prefer to assign org
or via API, you can now skip user organization role synchronization with your LDAP
directory.
Use the `skip_org_role_sync` [LDAP authentication configuration option](../../setup-grafana/configure-security/configure-authentication/ldap/#disable-org-role-synchronization)
Use the `skip_org_role_sync` [LDAP authentication configuration option](../../setup-grafana/configure-access/configure-authentication/ldap/#disable-org-role-synchronization)
when configuring LDAP authentication to prevent the synchronization between your LDAP groups and organization roles
and make user roles editable manually.
@@ -192,7 +192,7 @@ Generally available in all editions of Grafana
If you use Azure AD OAuth2 authentication and use `SecurityEnabled` groups that you don't want Azure to embed in the
authentication token, you can configure Grafana to use Microsoft's Graph API instead.
Use the [`force_use_graph_api` configuration option](../../setup-grafana/configure-security/configure-authentication/azuread/#force-fetching-groups-from-microsoft-graph-api)
Use the [`force_use_graph_api` configuration option](../../setup-grafana/configure-access/configure-authentication/azuread/#force-fetching-groups-from-microsoft-graph-api)
when configuring Azure AD authentication to force Grafana to fetch groups using Graph API.
### RBAC: List token's permissions

Some files were not shown because too many files have changed in this diff