diff --git a/conf/defaults.ini b/conf/defaults.ini
index 2d6e1235b605f..fbb9da626711c 100644
--- a/conf/defaults.ini
+++ b/conf/defaults.ini
@@ -455,6 +455,9 @@ sigv4_verbose_logging = false
 # Set to true to enable Azure authentication option for HTTP-based datasources
 azure_auth_enabled = false
+# Use email lookup in addition to the unique ID provided by the IdP
+oauth_allow_insecure_email_lookup = false
+
 #################################### Anonymous Auth ######################
 [auth.anonymous]
 # enable anonymous access
diff --git a/conf/sample.ini b/conf/sample.ini
index 227c90e895d06..6509e8ae60ae9 100644
--- a/conf/sample.ini
+++ b/conf/sample.ini
@@ -225,7 +225,7 @@
 ;google_analytics_ua_id =
 # Google Analytics 4 tracking code, only enabled if you specify an id here
-;google_analytics_4_id =
+;google_analytics_4_id =
 # Google Tag Manager ID, only enabled if you specify an id here
 ;google_tag_manager_id =
@@ -455,6 +455,9 @@
 # Set to true to enable Azure authentication option for HTTP-based datasources.
 ;azure_auth_enabled = false
+# Use email lookup in addition to the unique ID provided by the IdP
+;oauth_allow_insecure_email_lookup = false
+
 #################################### Anonymous Auth ######################
 [auth.anonymous]
 # enable anonymous access
diff --git a/docs/sources/setup-grafana/configure-security/configure-authentication/_index.md b/docs/sources/setup-grafana/configure-security/configure-authentication/_index.md
index 6575bf6828a3d..6190f881a82ae 100644
--- a/docs/sources/setup-grafana/configure-security/configure-authentication/_index.md
+++ b/docs/sources/setup-grafana/configure-security/configure-authentication/_index.md
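Review bot: The comment on the new `oauth_allow_insecure_email_lookup` key in defaults.ini describes the mechanism but not the risk, so the only warning an operator sees is the word "insecure" in the key name; the second sample.ini hunk adds the same comment and has the same gap. The docs in this commit say the lookup is only acceptable when the IdP guarantees unique, validated, non-editable emails, and that condition belongs next to the key, because defaults.ini and sample.ini are where settings get copied from. Suggest `# Use email lookup in addition to the unique ID provided by the IdP. Unsafe unless the IdP guarantees unique, verified and non-editable emails; see "Enable email lookup" in the authentication docs.` in both files, keeping the leading `;` on the sample.ini key. The section header this key falls under is above the hunk; the docs hunk places it in `[auth]`.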
@@ -72,6 +72,9 @@ token_rotation_interval_minutes = 10
 # The maximum lifetime (seconds) an API key can be used. If it is set all the API keys should have limited lifetime that is lower than this value.
 api_key_max_seconds_to_live = -1
+
+# Enforce user lookup based on email instead of the unique ID provided by the IdP.
+oauth_allow_insecure_email_lookup = false
 ```
 ### Anonymous authentication
@@ -114,6 +117,20 @@ You can hide the Grafana login form using the below configuration settings.
 disable_login_form = true
 ```
+### Enable email lookup
+
+Enable user lookup based on email in addition to using unique ID provided by IdPs.
+
+By default, Grafana relies on the user unique ID provided by the identity provider.
+Looking up users by email can be safe for some identity providers (for example, when they are single tenants and unique non-editable, validated emails are provided), as well as in some infrastructures.
+
+We strongly recommend against enabling email lookups, however it is possible to do with the following configuration.
+
+```bash
+[auth]
+oauth_allow_insecure_email_lookup = true
+```
+
 ### Automatic OAuth login
 Set to true to attempt login with OAuth automatically, skipping the login screen.
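Review bot: The snippet comment added in the first hunk, `# Enforce user lookup based on email instead of the unique ID provided by the IdP.`, contradicts both conf files in this commit and the new docs section, which describe the lookup as happening in addition to the unique ID; a reader of this reference block will take "instead of" literally and expect the ID match to be skipped. Align it with the other wording: `# Use email lookup in addition to the unique ID provided by the IdP. Not recommended; see "Enable email lookup" below.`. The fenced code block this line sits in starts above the hunk.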
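Review bot: The new "Enable email lookup" section in the second hunk says the option is strongly discouraged but never states what can go wrong, so the conditions in the parenthetical read as arbitrary and "as well as in some infrastructures" adds nothing a reader can check. If the key does what its name and the conf comments suggest, a sentence after the "By default" paragraph such as `When enabled, a login whose IdP identity is not yet known to Grafana but whose email matches an existing user is mapped to that user, so an IdP that lets users set or change an unverified email address, or a multi-tenant IdP where emails are not unique, can map one identity onto another user's account.` gives the reader the actual criterion for deciding. The fence holding `[auth]` is tagged `bash` although its content is ini configuration; `ini` would be the accurate tag unless the surrounding snippets deliberately use `bash`.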