diff --git a/apps/authentik/templates/blueprint-grafana.yaml b/apps/authentik/templates/blueprint-grafana.yaml
new file mode 100644
index 0000000..2161fff
--- /dev/null
+++ b/apps/authentik/templates/blueprint-grafana.yaml
@@ -0,0 +1,48 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: authentik-grafana-blueprint
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/part-of: authentik
+ app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: grafana-blueprint
+data:
+ grafana.yaml: |
+ version: 1
+ metadata:
+ name: grafana-sso
+ labels:
+ managed-by: helm
+ entries:
+ - model: authentik_providers_oauth2.oauth2provider
+ id: grafana-provider
+ attrs:
+ name: Grafana
+ client_id: !secret authentik-client-secret-grafana@monitoring#GF_AUTH_GENERIC_OAUTH_CLIENT_ID
+ client_secret: !secret authentik-client-secret-grafana@monitoring#GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
+ redirect_uris:
+ - https://grafana.noxxos.nl/login/generic_oauth
+ authorization_flow: !Flow default-provider-authorization-flow
+ invalidation_flow: !Flow default-provider-invalidation-flow
+ property_mappings:
+ - !PropertyMapping property-mapping-provider-openid-groups
+ signing_key: !Keypair authentik-self-signed-certificate
+ - model: authentik_core.application
+ id: grafana-app
+ attrs:
+ name: Grafana
+ slug: grafana
+ provider: !provider grafana-provider
+ launch_url: https://grafana.noxxos.nl
+ icon: https://static.goauthentik.io/img/icon/provider/grafana.png
+ group: Dashboards
+ policy_engine_mode: any
+ - model: authentik_policies_policybinding.policybinding
+ id: grafana-app-binding
+ attrs:
+ target: !application grafana-app
+ order: 0
+ enabled: true
+ policy: !Policy policy-everyone
diff --git a/apps/authentik/values.yaml b/apps/authentik/values.yaml
index ac3a8ac..d78ccba 100644
--- a/apps/authentik/values.yaml
+++ b/apps/authentik/values.yaml
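Review bot: The new `grafana-app-binding` entry in blueprint-grafana.yaml binds `!Policy policy-everyone` to the application while `policy_engine_mode` is `any`, so, if that policy does what its name suggests, every account that can authenticate to authentik can also sign in to Grafana. The definition of `policy-everyone` is not part of this diff, so that reading is inferred from the name and should be confirmed. If Grafana is meant for a subset of users, bind a group to the application instead of this policy. If open access is intended, say so with a comment above the binding, for example `# Intentionally open to every authenticated user`. Because the provider now also carries `property-mapping-provider-openid-groups`, it is worth checking on the Grafana side that a user with no matching group gets the lowest role rather than a broader default.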
@@ -54,28 +54,8 @@ authentik: readOnly: true blueprints: - - | - version: 1 - entries: - - model: authentik_providers_oauth2.oauth2provider - id: grafana-provider - attrs: - name: Grafana - client_id: !secret authentik-client-secret-grafana@monitoring#client-id - client_secret: !secret authentik-client-secret-grafana@monitoring#client-secret - redirect_uris: - - "https://grafana.noxxos.nl/login/generic_oauth" - signing_key: !Keypair authentik-self-signed-certificate - - model: authentik_core.application - id: grafana-app - attrs: - name: Grafana - slug: grafana - provider: !provider grafana-provider - launch_url: "https://grafana.noxxos.nl" - icon: "https://static.goauthentik.io/img/icon/provider/grafana.png" - group: "Dashboards" - policy_engine_mode: "any" + configMaps: + - authentik-grafana-blueprint additionalObjects: - apiVersion: postgresql.cnpg.io/v1