Au
Applications Azure

Authentik on Ubuntu 24.04 on Azure User Guide

| Product: Authentik on Ubuntu 24.04 LTS on Azure

Overview

Authentik is an open source Identity Provider and Single Sign-On (SSO) platform - a self-hosted alternative to Okta, Auth0 and Keycloak. It centralises authentication for your applications and users with SAML, OAuth2/OIDC and LDAP, a flexible flow engine for login, enrollment and recovery, an outpost model for proxying and protecting applications, and a full admin interface and REST API. The cloudimg image installs the official Authentik self-host Docker Compose stack (the server container serving the web UI, flows and the REST API, the worker container running migrations and background tasks, and a PostgreSQL 16 database), pinned to Authentik 2026.5.3, published on port 80 by the Authentik server itself. Every secret - the PostgreSQL password, the Authentik secret key, the akadmin bootstrap password and API token - is rotated on the first boot of every VM, a fresh akadmin superuser is seeded on a clean database, and all stateful data lives on a dedicated Azure data disk. Backed by 24/7 cloudimg support.

What is included:

  • The official Authentik 2026.5.3 self-host stack running under Docker (the server and worker containers plus PostgreSQL 16), pinned via AUTHENTIK_TAG so it never silently upgrades
  • The Authentik server publishing its web UI, flows and REST API on :80 (and HTTPS on :443) - no extra nginx layer, Authentik handles its own routing
  • An unauthenticated readiness endpoint (/-/health/ready/) and liveness endpoint (/-/health/live/) for load balancers and probes
  • A per-VM akadmin superuser generated on first boot - a unique password and API token recorded in a root-only file - so every VM is secured independently
  • Docker's data-root relocated onto a dedicated 40 GiB Azure data disk at /var/lib/authentik, so the PostgreSQL volume, the Compose project, the media and the certificates survive OS changes and can be resized independently
  • The whole stack managed as one authentik.service systemd unit, plus docker.service, both enabled
  • PostgreSQL bound to the internal Docker network only - just 22/tcp (SSH) and 80/tcp (Authentik HTTP) are exposed
  • 24/7 cloudimg support

Prerequisites

An active Azure subscription, an SSH key pair, and a VNet + subnet in the target region. Standard_B4ms (4 vCPU / 16 GiB RAM) is the recommended starting size - the multi-container Authentik stack needs the memory. NSG inbound: allow 22/tcp from your management network and 80/tcp. Authentik serves plain HTTP on port 80; for production, put it behind your own domain and TLS.

Step 1 - Deploy from the Azure Marketplace

Sign in to the Azure Portal, choose Create a resource, search the Marketplace for Authentik by cloudimg, and select Create. On Basics pick your subscription, resource group, region and size; under Administrator account choose SSH public key and paste your key; under Inbound port rules allow SSH (22) and HTTP (80). Review the dedicated data disk on the Disks tab, then Review + create -> Create.

Step 2 - Deploy from the Azure CLI

az vm create \
  --resource-group <your-rg> \
  --name authentik \
  --image <marketplace-image-urn> \
  --size Standard_B4ms \
  --admin-username azureuser \
  --ssh-key-values ~/.ssh/id_ed25519.pub \
  --vnet-name <your-vnet> --subnet <your-subnet> \
  --public-ip-sku Standard

az vm open-port --resource-group <your-rg> --name authentik --port 80 --priority 1010

Step 3 - Connect to your VM

ssh azureuser@<vm-public-ip>

Step 4 - Confirm the stack is running

The Authentik containers run under Docker as a Compose stack managed by a single systemd unit. On first boot the stack rotates every secret, recreates itself on a fresh database and seeds the akadmin superuser; the multi-container stack can take a couple of minutes to become fully healthy after the VM is created.

systemctl is-active authentik.service

It reports active. You can list the running containers with:

sudo docker compose -f /var/lib/authentik/docker-compose.yml ps

Authentik Compose stack running under Docker - server, worker and PostgreSQL

The whole stack is managed as one systemd unit - use sudo systemctl status authentik and sudo systemctl restart authentik to control every container together.

Step 5 - Retrieve your per-VM admin credentials

The akadmin password and API token are generated uniquely on the first boot of your VM and written to a root-only file:

sudo cat /root/authentik-credentials.txt

This file contains authentik.admin.username (akadmin), authentik.admin.email (admin@cloudimg.local), AUTHENTIK_ADMIN_PASSWORD (for the web UI) and authentik.bootstrap.token (a Bearer token for the REST API). Store them somewhere safe.

Step 6 - Confirm the health endpoint

The Authentik server exposes an unauthenticated readiness endpoint that answers once the database has migrated and the server is ready - ideal for load balancer probes:

curl -s -o /dev/null -w 'ready -> HTTP %{http_code}\n' http://localhost/-/health/ready/

It returns HTTP 204. The web UI is reachable through the same server on port 80:

curl -s -o /dev/null -w 'UI -> HTTP %{http_code}\n' http://localhost/

It returns HTTP 200 (or a 302 redirect into the login flow).

Authentik readiness endpoint and the UI reachability check

Step 7 - Confirm the admin API round-trip

The akadmin bootstrap API token from Step 5 authenticates against the Authentik REST API. Substitute the token from your credentials file for <token> and confirm a valid token is accepted while a wrong one is rejected:

TOKEN=<token>
curl -s -o /dev/null -w 'good -> HTTP %{http_code}\n' \
  -H "Authorization: Bearer ${TOKEN}" \
  http://localhost/api/v3/core/users/me/

curl -s -o /dev/null -w 'bad  -> HTTP %{http_code}\n' \
  -H 'Authorization: Bearer wrong-token-xyz' \
  http://localhost/api/v3/core/users/me/

A valid token returns HTTP 200; a wrong one returns HTTP 403. This proves the per-VM akadmin superuser was seeded and API authentication is enforced.

Authentik admin API round-trip - valid token accepted, wrong token rejected

Step 8 - Sign in to the web UI

Browse to http://<vm-public-ip>/ and sign in with the username akadmin and the password from Step 5. Authentik presents its authentication flow - enter the username, then the password.

Authentik sign-in flow

After signing in, open the admin interface at http://<vm-public-ip>/if/admin/. The dashboard shows overall system status, workers, recent events and quick actions.

Authentik admin dashboard and system status

Under Applications you register the external applications that use Authentik as their identity provider, and under Providers you configure the protocol (SAML, OAuth2/OIDC, LDAP or Proxy) each application uses.

Authentik Applications and Providers view

Under Directory -> Users you manage user accounts, groups and tokens - the akadmin superuser is listed here.

Authentik Users and Directory view

Step 9 - Confirm data lives on the dedicated disk

Docker's data-root is relocated onto the dedicated Azure data disk, so the PostgreSQL database volume, the Compose project, the media and the certificates all live there and survive OS changes:

findmnt /var/lib/authentik

The mount is backed by a separate Azure data disk captured into the image and re-provisioned on every VM. You can confirm Docker is using it:

sudo docker info -f '{{.DockerRootDir}}'

It prints /var/lib/authentik/docker.

Creating your first application

Authentik connects your applications to a single identity source. In the admin interface: open Applications -> Providers and create a provider for your protocol (for example an OAuth2/OIDC provider for a web app, or a SAML provider for an enterprise service); open Applications and create an application bound to that provider, giving it a name and slug; assign access with a policy or group binding; then point your application's SSO configuration at Authentik's issuer/metadata URL. See the Authentik documentation for protocol-specific setup and the full flow, stage and outpost model.

Maintenance

  • Admin credentials: the per-VM akadmin superuser is in /root/authentik-credentials.txt; change the password from the user settings in the web UI after first sign-in.
  • Data: the PostgreSQL volume, the Compose project and the media all live on the /var/lib/authentik data disk (Docker data-root) - snapshot or resize that disk for backups.
  • Stack: manage the whole stack with sudo systemctl <status|restart|stop> authentik, or per-container with sudo docker compose -f /var/lib/authentik/docker-compose.yml <ps|logs|restart>.
  • TLS: Authentik serves plain HTTP on port 80; front it with your own domain and TLS before production use.
  • Security patches: unattended-upgrades remains enabled so the OS continues to receive security updates automatically.

Support

cloudimg provides 24/7 expert support for this image. Contact support@cloudimg.co.uk.