diff --git a/pkg/services/authn/grpcutils/config.go b/pkg/services/authn/grpcutils/config.go
index 39325aed943..239ec8d6d48 100644
--- a/pkg/services/authn/grpcutils/config.go
+++ b/pkg/services/authn/grpcutils/config.go
@@ -1,35 +1,66 @@
 package grpcutils
 import (
+ "fmt"
+
 "github.com/grafana/grafana/pkg/setting"
 )
+type Mode string
+
+func (s Mode) IsValid() bool {
+ switch s {
+ case ModeOnPrem, ModeCloud:
+ return true
+ }
+ return false
+}
+
+const (
+ ModeOnPrem Mode = "on-prem"
+ ModeCloud Mode = "cloud"
+)
+
 type GrpcClientConfig struct {
 Token string
 TokenExchangeURL string
 TokenNamespace string
+ Mode Mode
 }
-func ReadGrpcClientConfig(cfg *setting.Cfg) *GrpcClientConfig {
+func ReadGrpcClientConfig(cfg *setting.Cfg) (*GrpcClientConfig, error) {
 section := cfg.SectionWithEnvOverrides("grpc_client_authentication")
+ mode := Mode(section.Key("mode").MustString(string(ModeOnPrem)))
+ if !mode.IsValid() {
+ return nil, fmt.Errorf("grpc_client_authentication: invalid mode %q", mode)
+ }
+
 return &GrpcClientConfig{
 Token: section.Key("token").MustString(""),
 TokenExchangeURL: section.Key("token_exchange_url").MustString(""),
 TokenNamespace: section.Key("token_namespace").MustString("stack-" + cfg.StackID),
- }
+ Mode: mode,
+ }, nil
 }
 type GrpcServerConfig struct {
 SigningKeysURL string
 AllowedAudiences []string
+ Mode Mode
 }
-func ReadGprcServerConfig(cfg *setting.Cfg) *GrpcServerConfig {
+func ReadGprcServerConfig(cfg *setting.Cfg) (*GrpcServerConfig, error) {
 section := cfg.SectionWithEnvOverrides("grpc_server_authentication")
+ mode := Mode(section.Key("mode").MustString(string(ModeOnPrem)))
+ if !mode.IsValid() {
+ return nil, fmt.Errorf("grpc_server_authentication: invalid mode %q", mode)
+ }
+
 return &GrpcServerConfig{
 SigningKeysURL: section.Key("signing_keys_url").MustString(""),
 AllowedAudiences: section.Key("allowed_audiences").Strings(","),
- }
+ Mode: mode,
+ }, nil
 }
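Review bot: Both readers default the new `mode` key to `on-prem` regardless of `cfg.StackID`, whereas the code this replaces (the `cfg.StackID == ""` / `cfg.StackID != ""` tests removed in the other hunks) treated any instance with a stack ID as cloud; a cloud deployment that has not yet added `mode = cloud` to both `[grpc_client_authentication]` and `[grpc_server_authentication]` will therefore silently fall back to on-prem, and on the server side that is the branch that disables access-token authentication. Deriving the default from the stack ID keeps the change backward compatible and fail-safe: `defaultMode := ModeOnPrem`, `if cfg.StackID != "" { defaultMode = ModeCloud }`, `mode := Mode(section.Key("mode").MustString(string(defaultMode)))` in both functions. The parse-and-validate step is duplicated between the two readers, so a small unexported helper that takes the section and returns `(Mode, error)` would keep client and server in lockstep as further modes are added. The exported `Mode`, `ModeOnPrem`, `ModeCloud` and `IsValid` also need doc comments, e.g. `// Mode selects the gRPC authentication flow; ModeOnPrem is assumed when the mode key is unset.`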
diff --git a/pkg/services/authn/grpcutils/grpc_authenticator.go b/pkg/services/authn/grpcutils/grpc_authenticator.go
index 639439ba366..249e122d51b 100644
--- a/pkg/services/authn/grpcutils/grpc_authenticator.go
+++ b/pkg/services/authn/grpcutils/grpc_authenticator.go
@@ -10,7 +10,10 @@ import (
 )
 func NewGrpcAuthenticator(cfg *setting.Cfg) (*authnlib.GrpcAuthenticator, error) {
- authCfg := ReadGprcServerConfig(cfg)
+ authCfg, err := ReadGprcServerConfig(cfg)
+ if err != nil {
+ return nil, err
+ }
 grpcAuthCfg := authnlib.GrpcAuthenticatorConfig{
 KeyRetrieverConfig: authnlib.KeyRetrieverConfig{
 SigningKeysURL: authCfg.SigningKeysURL,
@@ -31,7 +34,7 @@ func NewGrpcAuthenticator(cfg *setting.Cfg) (*authnlib.GrpcAuthenticator, error)
 authnlib.WithIDTokenAuthOption(true),
 authnlib.WithKeyRetrieverOption(keyRetriever),
 }
- if cfg.StackID == "" {
+ if authCfg.Mode == ModeOnPrem {
 grpcOpts = append(grpcOpts,
 // Access token are not yet available on-prem
 authnlib.WithDisableAccessTokenAuthOption(),
diff --git a/pkg/storage/unified/client.go b/pkg/storage/unified/client.go
index 520b0813165..67ed6eebc06 100644
--- a/pkg/storage/unified/client.go
+++ b/pkg/storage/unified/client.go
@@ -13,6 +13,7 @@ import (
 infraDB "github.com/grafana/grafana/pkg/infra/db"
 "github.com/grafana/grafana/pkg/infra/tracing"
 "github.com/grafana/grafana/pkg/services/apiserver/options"
+ "github.com/grafana/grafana/pkg/services/authn/grpcutils"
 "github.com/grafana/grafana/pkg/services/featuremgmt"
 "github.com/grafana/grafana/pkg/setting"
 "github.com/grafana/grafana/pkg/storage/unified/resource"
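Review bot: The `if authCfg.Mode == ModeOnPrem` branch that applies `WithDisableAccessTokenAuthOption()` is now driven by a configuration string that defaults to on-prem when absent, so a cloud instance whose `[grpc_server_authentication]` section predates this change will start with access-token verification switched off and nothing in the logs to show it; the removed `cfg.StackID == ""` test could not fail open this way. A cross-check on the invariant the old code relied on makes the misconfiguration loud: `if authCfg.Mode == ModeOnPrem && cfg.StackID != "" { return nil, fmt.Errorf("grpc_server_authentication: mode is on-prem but a stack ID is configured") }` (adding the `fmt` import if the file lacks it); if an on-prem instance can legitimately carry a stack ID, a startup log line naming the active mode is the minimum. The existing comment could also be corrected and expanded while here: `// Access tokens are not yet available on-prem, so only ID-token authentication is enforced in this mode.` NewGrpcAuthenticator begins and ends outside this hunk.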
@@ -92,7 +93,12 @@ func ProvideUnifiedStorageClient(
 }
 func newResourceClient(conn *grpc.ClientConn, cfg *setting.Cfg) (resource.ResourceClient, error) {
- if cfg.StackID != "" {
+ clientConfig, err := grpcutils.ReadGrpcClientConfig(cfg)
+ if err != nil {
+ return nil, err
+ }
+
+ if clientConfig.Mode == grpcutils.ModeCloud {
 return resource.NewCloudResourceClient(conn, cfg)
 }
 return resource.NewGRPCResourceClient(conn)
diff --git a/pkg/storage/unified/resource/client.go b/pkg/storage/unified/resource/client.go
index 0961a4f3a11..cd0a968c68a 100644
--- a/pkg/storage/unified/resource/client.go
+++ b/pkg/storage/unified/resource/client.go
@@ -95,7 +95,11 @@ func NewGRPCResourceClient(conn *grpc.ClientConn) (ResourceClient, error) {
 func NewCloudResourceClient(conn *grpc.ClientConn, cfg *setting.Cfg) (ResourceClient, error) {
 // scenario: remote cloud
- grpcClientConfig := clientCfgMapping(grpcutils.ReadGrpcClientConfig(cfg))
+ clientConfig, err := grpcutils.ReadGrpcClientConfig(cfg)
+ if err != nil {
+ return nil, err
+ }
+ grpcClientConfig := clientCfgMapping(clientConfig)
 opts := []authnlib.GrpcClientInterceptorOption{
 authnlib.WithIDTokenExtractorOption(idTokenExtractor),
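Review bot: newResourceClient parses `[grpc_client_authentication]` with `grpcutils.ReadGrpcClientConfig(cfg)` only to decide the branch, then hands the raw `cfg` to `resource.NewCloudResourceClient`, which (in the next hunk on this page) parses the same section a second time; the two reads can only agree by accident if the section is ever read with different defaults, and the second parse repeats validation already done here. Passing the parsed value through, `return resource.NewCloudResourceClient(conn, clientConfig)`, with NewCloudResourceClient taking `*grpcutils.GrpcClientConfig`, keeps a single source of truth for the client mode. If the signature must stay, a comment here would at least record the duplication: `// NewCloudResourceClient re-reads the same section; keep the defaults in sync.` Both the old and new code also leave the on-prem/cloud selection for the client independent of the server-side `mode` key, which is worth stating in the config documentation.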
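Review bot: NewCloudResourceClient does not check that the configuration it just parsed is actually in cloud mode, nor that the cloud-only fields it depends on are populated; `ReadGrpcClientConfig` validates only the `mode` value, so a direct caller, or a caller that selected this constructor by another criterion, proceeds with an empty `Token` and `TokenExchangeURL` and the failure surfaces later as an opaque token-exchange error rather than at construction. A guard right after the parse makes the contract explicit: `if clientConfig.Mode != grpcutils.ModeCloud || clientConfig.TokenExchangeURL == "" { return nil, fmt.Errorf("grpc_client_authentication: cloud resource client requires mode=cloud and token_exchange_url") }` (hedged: drop the URL test if authnlib is known to validate it itself). The `// scenario: remote cloud` comment could then spell out the requirement in one line. NewCloudResourceClient continues past the end of the hunk.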