After setting up login via Azure AD in AWX, we find that people from other organizations are able to log in, too.
After creating an organization map according to https://docs.ansible.com/ansible-tower/latest/html/administration/social_auth.html#organization-and-team-mapping they don't get assigned to any organization or team anymore, but they're still able to see the list of users.
How can I completely deny login via Azure AD to users outside our organization?
Update: we found that we can set SOCIAL_AUTH_USER_FIELDS to [] to completely prevent login from unknown users, but ideally it should still be possible to log in from our domain. We tried setting it up with various variants of regexes, e-mail addresses and domain names but did not find a way to use this mechanism to achieve what we want.
Update 2: we have also tried updating the "Collaboration restrictions" in Azure AD to only list our domains but it didn't make any difference to AWX.
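To make the gap in the question concrete, here is a simplified model of the organization-map matching described in the linked docs (an entry is None/True/False, an exact email or username, a "/regex/" string, or a list of those). It is added here as an example and is not AWX's own code; the ORG_MAP and user values are constructed, and ALLOWED_DOMAINS / login_allowed() are a hypothetical domain allow-list, not an AWX setting, included to show that the map only decides membership and never denies a login by itself.

```python
import re
from typing import Any, Dict, List

# Constructed sample map in the format the linked AWX docs describe.
ORG_MAP: Dict[str, Dict[str, Any]] = {
    "Our Org": {
        "admins": ["admin@example.com"],
        "users": r"/^[^@]+@example\.com$/",
        "remove_users": True,
    },
}

def _expr_matches(expr: Any, email: str, username: str) -> bool:
    """Evaluate one admins/users expression against a user (simplified model)."""
    if expr is None or expr is False:
        return False
    if expr is True:
        return True
    if isinstance(expr, str):
        if expr.startswith("/") and expr.endswith("/"):
            pattern = re.compile(expr[1:-1])
            return bool(pattern.match(email) or pattern.match(username))
        return expr == email or expr == username
    if isinstance(expr, (list, tuple)):
        return any(_expr_matches(e, email, username) for e in expr)
    return False

def map_memberships(email: str, username: str, org_map=ORG_MAP) -> Dict[str, List[str]]:
    """Return {org: [roles]} the map grants. An empty dict means no role, not a denied login."""
    result: Dict[str, List[str]] = {}
    for org, rules in org_map.items():
        roles = [r for r in ("admins", "users") if _expr_matches(rules.get(r), email, username)]
        if roles:
            result[org] = roles
    return result

# Hypothetical allow-list (not an AWX setting): the deny decision the org map does not make.
ALLOWED_DOMAINS = ("example.com",)

def login_allowed(email: str, allowed=ALLOWED_DOMAINS) -> bool:
    """Accept only exact domain matches; 'example.com.evil.net' must not pass."""
    domain = email.rpartition("@")[2].lower()
    return bool(domain) and domain in allowed

def evaluate(email: str, username: str) -> Dict[str, Any]:
    """Combine both decisions so the two concerns stay visibly separate."""
    return {"login_allowed": login_allowed(email), "memberships": map_memberships(email, username)}
```

Running evaluate() on an outside address returns no memberships but, without the allow-list, nothing in the map result would stop the account from being created and seeing the user list.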