Authentik on Ubuntu 24.04 on Azure User Guide
Overview
Authentik is an open source Identity Provider and Single Sign-On (SSO) platform - a self-hosted alternative to Okta, Auth0 and Keycloak. It centralises authentication for your applications and users with SAML, OAuth2/OIDC and LDAP, a flexible flow engine for login, enrollment and recovery, an outpost model for proxying and protecting applications, and a full admin interface and REST API. The cloudimg image installs the official Authentik self-host Docker Compose stack (the server container serving the web UI, flows and the REST API, the worker container running migrations and background tasks, and a PostgreSQL 16 database), pinned to Authentik 2026.5.3, published on port 80 by the Authentik server itself. Every secret - the PostgreSQL password, the Authentik secret key, the akadmin bootstrap password and API token - is rotated on the first boot of every VM, a fresh akadmin superuser is seeded on a clean database, and all stateful data lives on a dedicated Azure data disk. Backed by 24/7 cloudimg support.
What is included:
- The official Authentik 2026.5.3 self-host stack running under Docker (the
serverandworkercontainers plus PostgreSQL 16), pinned viaAUTHENTIK_TAGso it never silently upgrades - The Authentik server publishing its web UI, flows and REST API on
:80(and HTTPS on:443) - no extra nginx layer, Authentik handles its own routing - An unauthenticated readiness endpoint (
/-/health/ready/) and liveness endpoint (/-/health/live/) for load balancers and probes - A per-VM
akadminsuperuser generated on first boot - a unique password and API token recorded in a root-only file - so every VM is secured independently - Docker's data-root relocated onto a dedicated 40 GiB Azure data disk at
/var/lib/authentik, so the PostgreSQL volume, the Compose project, the media and the certificates survive OS changes and can be resized independently - The whole stack managed as one
authentik.servicesystemd unit, plusdocker.service, both enabled - PostgreSQL bound to the internal Docker network only - just
22/tcp(SSH) and80/tcp(Authentik HTTP) are exposed - 24/7 cloudimg support
Prerequisites
An active Azure subscription, an SSH key pair, and a VNet + subnet in the target region. Standard_B4ms (4 vCPU / 16 GiB RAM) is the recommended starting size - the multi-container Authentik stack needs the memory. NSG inbound: allow 22/tcp from your management network and 80/tcp. Authentik serves plain HTTP on port 80; for production, put it behind your own domain and TLS.
Step 1 - Deploy from the Azure Marketplace
Sign in to the Azure Portal, choose Create a resource, search the Marketplace for Authentik by cloudimg, and select Create. On Basics pick your subscription, resource group, region and size; under Administrator account choose SSH public key and paste your key; under Inbound port rules allow SSH (22) and HTTP (80). Review the dedicated data disk on the Disks tab, then Review + create -> Create.
Step 2 - Deploy from the Azure CLI
az vm create \
--resource-group <your-rg> \
--name authentik \
--image <marketplace-image-urn> \
--size Standard_B4ms \
--admin-username azureuser \
--ssh-key-values ~/.ssh/id_ed25519.pub \
--vnet-name <your-vnet> --subnet <your-subnet> \
--public-ip-sku Standard
az vm open-port --resource-group <your-rg> --name authentik --port 80 --priority 1010
Step 3 - Connect to your VM
ssh azureuser@<vm-public-ip>
Step 4 - Confirm the stack is running
The Authentik containers run under Docker as a Compose stack managed by a single systemd unit. On first boot the stack rotates every secret, recreates itself on a fresh database and seeds the akadmin superuser; the multi-container stack can take a couple of minutes to become fully healthy after the VM is created.
systemctl is-active authentik.service
It reports active. You can list the running containers with:
sudo docker compose -f /var/lib/authentik/docker-compose.yml ps

The whole stack is managed as one systemd unit - use sudo systemctl status authentik and sudo systemctl restart authentik to control every container together.
Step 5 - Retrieve your per-VM admin credentials
The akadmin password and API token are generated uniquely on the first boot of your VM and written to a root-only file:
sudo cat /root/authentik-credentials.txt
This file contains authentik.admin.username (akadmin), authentik.admin.email (admin@cloudimg.local), AUTHENTIK_ADMIN_PASSWORD (for the web UI) and authentik.bootstrap.token (a Bearer token for the REST API). Store them somewhere safe.
Step 6 - Confirm the health endpoint
The Authentik server exposes an unauthenticated readiness endpoint that answers once the database has migrated and the server is ready - ideal for load balancer probes:
curl -s -o /dev/null -w 'ready -> HTTP %{http_code}\n' http://localhost/-/health/ready/
It returns HTTP 204. The web UI is reachable through the same server on port 80:
curl -s -o /dev/null -w 'UI -> HTTP %{http_code}\n' http://localhost/
It returns HTTP 200 (or a 302 redirect into the login flow).

Step 7 - Confirm the admin API round-trip
The akadmin bootstrap API token from Step 5 authenticates against the Authentik REST API. Substitute the token from your credentials file for <token> and confirm a valid token is accepted while a wrong one is rejected:
TOKEN=<token>
curl -s -o /dev/null -w 'good -> HTTP %{http_code}\n' \
-H "Authorization: Bearer ${TOKEN}" \
http://localhost/api/v3/core/users/me/
curl -s -o /dev/null -w 'bad -> HTTP %{http_code}\n' \
-H 'Authorization: Bearer wrong-token-xyz' \
http://localhost/api/v3/core/users/me/
A valid token returns HTTP 200; a wrong one returns HTTP 403. This proves the per-VM akadmin superuser was seeded and API authentication is enforced.

Step 8 - Sign in to the web UI
Browse to http://<vm-public-ip>/ and sign in with the username akadmin and the password from Step 5. Authentik presents its authentication flow - enter the username, then the password.

After signing in, open the admin interface at http://<vm-public-ip>/if/admin/. The dashboard shows overall system status, workers, recent events and quick actions.

Under Applications you register the external applications that use Authentik as their identity provider, and under Providers you configure the protocol (SAML, OAuth2/OIDC, LDAP or Proxy) each application uses.

Under Directory -> Users you manage user accounts, groups and tokens - the akadmin superuser is listed here.

Step 9 - Confirm data lives on the dedicated disk
Docker's data-root is relocated onto the dedicated Azure data disk, so the PostgreSQL database volume, the Compose project, the media and the certificates all live there and survive OS changes:
findmnt /var/lib/authentik
The mount is backed by a separate Azure data disk captured into the image and re-provisioned on every VM. You can confirm Docker is using it:
sudo docker info -f '{{.DockerRootDir}}'
It prints /var/lib/authentik/docker.
Creating your first application
Authentik connects your applications to a single identity source. In the admin interface: open Applications -> Providers and create a provider for your protocol (for example an OAuth2/OIDC provider for a web app, or a SAML provider for an enterprise service); open Applications and create an application bound to that provider, giving it a name and slug; assign access with a policy or group binding; then point your application's SSO configuration at Authentik's issuer/metadata URL. See the Authentik documentation for protocol-specific setup and the full flow, stage and outpost model.
Maintenance
- Admin credentials: the per-VM
akadminsuperuser is in/root/authentik-credentials.txt; change the password from the user settings in the web UI after first sign-in. - Data: the PostgreSQL volume, the Compose project and the media all live on the
/var/lib/authentikdata disk (Docker data-root) - snapshot or resize that disk for backups. - Stack: manage the whole stack with
sudo systemctl <status|restart|stop> authentik, or per-container withsudo docker compose -f /var/lib/authentik/docker-compose.yml <ps|logs|restart>. - TLS: Authentik serves plain HTTP on port 80; front it with your own domain and TLS before production use.
- Security patches: unattended-upgrades remains enabled so the OS continues to receive security updates automatically.
Support
cloudimg provides 24/7 expert support for this image. Contact support@cloudimg.co.uk.