diff --git a/README-pwpolicy.md b/README-pwpolicy.md
index f0b5d8853d508301fb1fb343efcef8376e77001b..94811596cf09492e1b7810c0689ae2e679f7b4b3 100644
--- a/README-pwpolicy.md
+++ b/README-pwpolicy.md
@@ -98,6 +98,7 @@ Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
 `name` \| `cn` | The list of pwpolicy name strings. If name is not given, `global_policy` will be used automatically. | no
 `maxlife` \| `krbmaxpwdlife` | Maximum password lifetime in days. (int) | no
 `minlife` \| `krbminpwdlife` | Minimum password lifetime in hours. (int) | no
diff --git a/tests/pwpolicy/test_pwpolicy.yml b/tests/pwpolicy/test_pwpolicy.yml
index 03f08e0fbce7021a675e52b8e881abe6f100e69e..5ac18d769cf66d3f8b5a65ce60331a16b81eb495 100644
--- a/tests/pwpolicy/test_pwpolicy.yml
+++ b/tests/pwpolicy/test_pwpolicy.yml
@@ -1,6 +1,6 @@
 ---
 - name: Test pwpolicy
-  hosts: ipaserver
+  hosts: "{{ ipa_test_host | default('ipaserver') }}"
   become: true
   gather_facts: false
 
@@ -8,23 +8,27 @@
   - name: Ensure maxlife of 90 for global_policy
     ipapwpolicy:
       ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
       maxlife: 90
 
   - name: Ensure absence of group ops
     ipagroup:
       ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
       name: ops
       state: absent
 
   - name: Ensure absence of pwpolicies for group ops
     ipapwpolicy:
       ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
       name: ops
       state: absent
 
   - name: Ensure presence of group ops
     ipagroup:
       ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
       name: ops
       state: present
     register: result
@@ -33,6 +37,7 @@
   - name: Ensure presence of pwpolicies for group ops
     ipapwpolicy:
       ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
       name: ops
       minlife: 7
       maxlife: 49
@@ -49,6 +54,7 @@
   - name: Ensure presence of pwpolicies for group ops again
     ipapwpolicy:
       ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
       name: ops
       minlife: 7
       maxlife: 49
@@ -65,6 +71,7 @@
   - name: Ensure maxlife of 49 for global_policy
     ipapwpolicy:
       ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
       maxlife: 49
     register: result
     failed_when: not result.changed or result.failed
@@ -72,6 +79,7 @@
   - name: Ensure maxlife of 49 for global_policy again
     ipapwpolicy:
       ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
       maxlife: 49
     register: result
     failed_when: result.changed or result.failed
@@ -79,6 +87,7 @@
   - name: Ensure absence of pwpoliciy global_policy will fail
     ipapwpolicy:
       ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
       state: absent
     register: result
     failed_when: not result.failed or "'global_policy' can not be made absent." not in result.msg
@@ -86,6 +95,7 @@
   - name: Ensure absence of pwpolicies for group ops
     ipapwpolicy:
       ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
       name: ops
       state: absent
     register: result
@@ -94,6 +104,7 @@
   - name: Ensure maxlife of 90 for global_policy
     ipapwpolicy:
       ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
       maxlife: 90
     register: result
     failed_when: not result.changed or result.failed
@@ -101,6 +112,7 @@
   - name: Ensure absence of pwpolicies for group ops
     ipapwpolicy:
       ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
       name: ops
       state: absent
     register: result
diff --git a/tests/pwpolicy/test_pwpolicy_client_context.yml b/tests/pwpolicy/test_pwpolicy_client_context.yml
new file mode 100644
index 0000000000000000000000000000000000000000..362f567fd82c744bfa59a546ae49771d8ae4c6a6
--- /dev/null
+++ b/tests/pwpolicy/test_pwpolicy_client_context.yml
@@ -0,0 +1,38 @@
+---
+- name: Test pwpolicy
+  hosts: ipaclients, ipaserver
+  become: no
+  gather_facts: no
+
+  tasks:
+  - name: Include FreeIPA facts.
+    include_tasks: ../env_freeipa_facts.yml
+
+  # Test will only be executed if host is not a server.
+  - name: Execute with server context in the client.
+    ipapwpolicy:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: server
+      name: ThisShouldNotWork
+    register: result
+    failed_when: not (result.failed and result.msg is regex("No module named '*ipaserver'*"))
+    when: ipa_host_is_client
+
+# Import basic module tests, and execute with ipa_context set to 'client'.
+# If ipaclients is set, it will be executed using the client, if not,
+# ipaserver will be used.
+#
+# With this setup, tests can be executed against an IPA client, against
+# an IPA server using "client" context, and ensure that tests are executed
+# in upstream CI.
+
+- name: Test pwpolicy using client context, in client host.
+  import_playbook: test_pwpolicy.yml
+  when: groups['ipaclients']
+  vars:
+    ipa_test_host: ipaclients
+
+- name: Test pwpolicy using client context, in server host.
+  import_playbook: test_pwpolicy.yml
+  when: groups['ipaclients'] is not defined or not groups['ipaclients']
+