diff --git a/.github/workflows/linting-and-tests.yml b/.github/workflows/linting-and-tests.yml
index fc43b572..23688595 100644
--- a/.github/workflows/linting-and-tests.yml
+++ b/.github/workflows/linting-and-tests.yml
@@ -244,6 +244,7 @@ jobs:
 grafana_version:
 - 10.3.0
 - 11.2.0
+ - latest
 fail-fast: false
 with:
 grafana_version: ${{ matrix.grafana_version }}
diff --git a/Tiltfile b/Tiltfile
index 26442416..00d7ec41 100644
--- a/Tiltfile
+++ b/Tiltfile
@@ -32,12 +32,23 @@ def plugin_json():
 return plugin_file
 return 'NOT_A_PLUGIN'
+def extra_grafana_ini():
+ return {
+ 'feature_toggles': {
+ 'accessControlOnCall': 'false'
+ }
+ }
+
 def extra_env():
 return {
 "GF_APP_URL": grafana_url,
 "GF_SERVER_ROOT_URL": grafana_url,
 "GF_FEATURE_TOGGLES_ENABLE": "externalServiceAccounts",
- "ONCALL_API_URL": "http://oncall-dev-engine:8080"
+ "ONCALL_API_URL": "http://oncall-dev-engine:8080",
+
+ # Enables managed service accounts for plugin authentication in Grafana >= 11.3
+ # https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#managed_service_accounts_enabled
+ "GF_AUTH_MANAGED_SERVICE_ACCOUNTS_ENABLED": "true",
 }
 def extra_deps():
@@ -132,7 +143,16 @@ def load_grafana():
 "GF_APP_URL": grafana_url, # older versions of grafana need this
 "GF_SERVER_ROOT_URL": grafana_url,
 "GF_FEATURE_TOGGLES_ENABLE": "externalServiceAccounts",
- "ONCALL_API_URL": "http://oncall-dev-engine:8080"
+ "ONCALL_API_URL": "http://oncall-dev-engine:8080",
+
+ # Enables managed service accounts for plugin authentication in Grafana >= 11.3
+ # https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#managed_service_accounts_enabled
+ "GF_AUTH_MANAGED_SERVICE_ACCOUNTS_ENABLED": "true",
+ },
+ extra_grafana_ini={
+ "feature_toggles": {
+ "accessControlOnCall": "false"
+ }
 },
 )
 # --- GRAFANA END ----
diff --git a/dev/helm-local.yml b/dev/helm-local.yml
index 33a28790..8655df43 100644
--- a/dev/helm-local.yml
+++ b/dev/helm-local.yml
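Review bot: The added `- latest` matrix entry is a mutable tag, so this leg can start failing, or start exercising different Grafana code, without any commit in this repository; the two pinned entries above it do not have that property. `fail-fast: false` keeps the other versions running, but a red `latest` leg would still hold up merges if the job is a required check. Consider letting that leg fail without blocking, or moving it to a scheduled run, and add a comment such as `# floating tag: tracks the newest Grafana release, a failure here may be an upstream change`. The job definition starts outside the hunk, so how `grafana_version` is consumed is not visible here.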
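Review bot: The mapping returned by the new `extra_grafana_ini()` is written out a second time as a literal in the `load_grafana()` hunk, so the two copies can drift apart; unless something outside these hunks prevents it, pass `extra_grafana_ini=extra_grafana_ini(),` there instead. The helper also uses single quotes while the other dict literals visible in this file use double quotes. The managed-service-accounts variable received a comment and a link, but switching `accessControlOnCall` off did not; a line such as `# dev only: accessControlOnCall is off because <reason>` would tell the next reader whether it is safe to remove. `load_grafana()` starts outside its hunk.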
@@ -47,6 +47,8 @@ externalGrafana:
 grafana:
 enabled: false
 grafana.ini:
+ feature_toggles:
+ accessControlOnCall: false
 server:
 domain: localhost:3000
 root_url: "%(protocol)s://%(domain)s"
@@ -71,6 +73,7 @@ grafana:
 value: oncallpassword
 env:
 GF_FEATURE_TOGGLES_ENABLE: externalServiceAccounts
+ GF_AUTH_MANAGED_SERVICE_ACCOUNTS_ENABLED: true
 GF_SECURITY_ADMIN_PASSWORD: oncall
 GF_SECURITY_ADMIN_USER: oncall
 GF_PLUGINS_ALLOW_LOADING_UNSIGNED_PLUGINS: grafana-oncall-app
diff --git a/helm/oncall/values.yaml b/helm/oncall/values.yaml
index 8ca59a26..826e0a5b 100644
--- a/helm/oncall/values.yaml
+++ b/helm/oncall/values.yaml
@@ -639,6 +639,9 @@ grafana:
 serve_from_sub_path: true
 feature_toggles:
 enable: externalServiceAccounts
+ accessControlOnCall: false
+ env:
+ GF_AUTH_MANAGED_SERVICE_ACCOUNTS_ENABLED: true
 persistence:
 enabled: true
 # Disable psp as PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+
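Review bot: `GF_AUTH_MANAGED_SERVICE_ACCOUNTS_ENABLED: true` is an unquoted YAML boolean inside an `env` map, whereas the Tiltfile hunks of this same commit pass the string `"true"`; the same unquoted form is added under `env:` in helm/oncall/values.yaml. Environment variable values have to reach the container as strings, and whether a bare boolean is stringified as intended depends on the chart template, which is not visible here. Writing `GF_AUTH_MANAGED_SERVICE_ACCOUNTS_ENABLED: "true"` in both files removes that dependency.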
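Review bot: `accessControlOnCall: false` lands in the chart's default values, so unlike the Tiltfile and dev/helm-local.yml copies it changes the posture of every install that uses the bundled Grafana, and nothing in the hunk says why an access-control toggle is switched off or when it can be turned back on. If this is a compatibility measure for the plugin (the Tiltfile comment mentions Grafana >= 11.3 for the neighbouring setting), say so next to the key, for example `# accessControlOnCall is disabled because <reason>; re-enable once <condition>`, and call it out in the chart's upgrade notes so operators can decide whether to override it. Indentation is not recoverable from this page, so the nesting of the new `env:` key relative to `grafana.ini` could not be checked.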