
Let's build a tower (part 2)

Introduction

One of the main AWX features is the "Role-based access" option (which should be familiar if you have worked with Azure RM before). It can be configured to authenticate centrally through OAuth2, SAML, RADIUS, or even LDAP. For our environment we will configure Azure AD OAuth2 authentication. To do that, we will need to create a new Azure user and register an Azure AD application.

Create Azure AD user for accessing AWX

There is some confusion in Azure AD about which type of account should or could be used in different cases, so the easiest way to avoid it is to create a new account under the default domain name.

User creation requires admin rights

To check which domain is the default, follow the instructions below: [screenshot: Azure domain name]

Now we can create a new user using the default domain (which should end with '.onmicrosoft.com' or '.emea.microsoftonline.com'): [screenshot: New Azure AD user]

Azure AD application registration

Any application that wants to use the capabilities of Azure AD must first be registered in an Azure AD tenant. Be aware that during registration you must use 'http://yourdomain/sso/complete/azuread-oauth2/' (not https://) as the 'Sign-on URL': [screenshot: Azure AD app registration]

For the newly created application, generate a secret key and copy the application ID and application key: [screenshot: Azure AD app secret]

Configure AWX

In AWX, update the system settings: set 'BASE URL' to the AWX address and add 'HTTP_X_FORWARDED_FOR' to 'REMOTE HOST HEADERS': [screenshot: System configuration]

Fill in the required parameters using the Azure AD application ID and secret: [screenshot: AWX Azure Authentication]
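The registration and configuration steps above fail most often on small mismatches: the Sign-on URL registered in Azure AD differs from the callback AWX actually serves (scheme, host, or the trailing slash), or 'HTTP_X_FORWARDED_FOR' was not added to the remote host headers. The following Python pre-flight check is an added example, not code from the original README or from AWX; it assumes the AWX settings API key names TOWER_URL_BASE, REMOTE_HOST_HEADERS, SOCIAL_AUTH_AZUREAD_OAUTH2_KEY, SOCIAL_AUTH_AZUREAD_OAUTH2_SECRET and (going slightly beyond the text) SOCIAL_AUTH_AZUREAD_OAUTH2_ORGANIZATION_MAP, and every URL, ID and secret in it is a constructed sample value.

```python
# Added example (not part of the original README or of AWX): pre-flight
# checks for the Azure AD OAuth2 setup. Assumed AWX settings key names:
# TOWER_URL_BASE, REMOTE_HOST_HEADERS, SOCIAL_AUTH_AZUREAD_OAUTH2_*.
from typing import Optional
from urllib.parse import urlparse, urlunparse

# Callback path AWX serves for this backend (the README's Sign-on URL path).
CALLBACK_PATH = "/sso/complete/azuread-oauth2/"


def expected_callback_url(base_url: str) -> str:
    """Build the Sign-on URL Azure AD must be registered with from AWX's BASE URL.
    Only scheme and host of base_url are used; the callback path is fixed."""
    p = urlparse(base_url)
    return urlunparse((p.scheme, p.netloc, CALLBACK_PATH, "", "", ""))


def check_sign_on_url(base_url: str, registered_url: str) -> list:
    """Compare the URL registered in Azure AD with the one AWX expects.
    OAuth2 redirect URIs are matched exactly, so scheme, host and the
    trailing slash all matter; each difference becomes one finding."""
    expected = urlparse(expected_callback_url(base_url))
    got = urlparse(registered_url)
    findings = []
    if got.scheme != expected.scheme:
        findings.append(f"scheme: registered '{got.scheme}://', AWX expects '{expected.scheme}://'")
    if got.netloc.lower() != expected.netloc.lower():
        findings.append(f"host: registered '{got.netloc}', AWX expects '{expected.netloc}'")
    if got.path != expected.path:
        findings.append(f"path: registered '{got.path}', AWX expects '{expected.path}'")
    return findings


def check_system_settings(settings: dict) -> list:
    """Check the two AWX system settings the README changes."""
    findings = []
    base = settings.get("TOWER_URL_BASE", "")
    if not urlparse(base).netloc:
        findings.append("TOWER_URL_BASE (BASE URL) is missing or not an absolute URL")
    headers = settings.get("REMOTE_HOST_HEADERS", [])
    if "HTTP_X_FORWARDED_FOR" not in headers:
        findings.append("REMOTE_HOST_HEADERS does not include HTTP_X_FORWARDED_FOR")
    # Trusting X-Forwarded-For is only sound when every client reaches AWX
    # through the reverse proxy that sets it, so direct connections to the
    # AWX port should be blocked at the network level.
    return findings


def build_azuread_settings(app_id: str, app_secret: str,
                           org_map: Optional[dict] = None) -> dict:
    """Assemble the payload for AWX's Azure AD OAuth2 settings (assumed key names).
    org_map optionally auto-assigns logged-in users to an Organization, which
    replaces the manual assignment done later in the README."""
    payload = {
        "SOCIAL_AUTH_AZUREAD_OAUTH2_KEY": app_id,
        "SOCIAL_AUTH_AZUREAD_OAUTH2_SECRET": app_secret,
    }
    if org_map is not None:
        payload["SOCIAL_AUTH_AZUREAD_OAUTH2_ORGANIZATION_MAP"] = org_map
    return payload


def redacted(payload: dict) -> dict:
    """Copy of the payload that is safe to log: secret values replaced."""
    return {k: ("***" if k.endswith("_SECRET") else v) for k, v in payload.items()}


if __name__ == "__main__":
    # Constructed sample values, not real identifiers or secrets.
    base = "http://awx.example.internal"
    system = {"TOWER_URL_BASE": base, "REMOTE_HOST_HEADERS": ["REMOTE_ADDR", "REMOTE_HOST"]}
    registered = "https://awx.example.internal/sso/complete/azuread-oauth2"  # two mistakes
    for f in check_sign_on_url(base, registered) + check_system_settings(system):
        print("FAIL:", f)
    org_map = {"MyOrg": {"users": True}}  # every authenticated user becomes a member
    print(redacted(build_azuread_settings("00000000-sample-app-id", "sample-secret", org_map)))
```

Run it before clicking through the AWX settings page; each "FAIL:" line names one thing to fix in Azure AD or in AWX. The redacted() helper exists so the assembled payload can be pasted into a ticket or log without leaking the application key.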

Test new authentication method

Now we can try to access AWX with the Azure user. To be sure that no credentials were cached, I suggest using Firefox in private mode: [screenshot: AWX Azure login]

Clean and update the Organization

As the official documentation says, "an Organization is a logical collection of Users, Teams, Projects, and Inventories, and is the highest level in the Tower object hierarchy."

[screenshot: AWX hierarchy]

Also, from the same document: "If you are using Ansible Tower with a Self-Support level license (formerly called Basic), you must use the default Organization. Do not delete it and try to add a new Organization, or you will break your Tower setup. Only two Tower license types (Enterprise: Standard or Enterprise: Premium) have the ability to add new Organizations beyond the default."

This is why we do not remove or create an organization but just update the existing one (use whatever organization name you prefer): [screenshot: AWX configuration]

To avoid confusion, let's clean up the environment that was created by default: [screenshot: AWX configuration]

Assign user to the Organization

Now that we have verified that the Azure AD login works, we can grant rights to our new user: [screenshot: AWX assign user to an organization]

Create your first project

From now on we will use the Azure user to work with AWX. For test purposes, let's create a new project using an official example playbook:

[screenshot: New project creation] [screenshot: Job execution results]

Useful documentation

References

Let's build a tower (part 1)

Let's build a tower (part 2)

Let's build a tower (part 3)

Let's build a tower (part 4)