Quickstart
Get your Linux system authenticating against Entra ID in minutes.
Installation
Packages for openSUSE, Fedora, RHEL, Debian, Ubuntu, and NixOS.
Configuration
Configure domains, PAM/NSS, and optional features via himmelblau.conf.
aad-tool CLI
Manage cache, credentials, idmap, and more from the command line.
What Himmelblau provides
PAM & NSS integration
Authenticate Linux users against Entra ID using standard PAM and NSS modules, with no custom patches to system libraries.
Windows Hello on Linux
Register and use a PIN (or FIDO2 key) as a Hello credential, eliminating the need to type your password at every login.
MFA support
Full support for TOTP, Microsoft Authenticator push, and device-code flows during interactive login and SSH sessions.
Intune compliance
Enroll devices in Microsoft Intune and automatically enforce compliance policies required for Conditional Access.
SSO broker
A userspace broker lets browser and desktop applications acquire tokens silently using the device’s enrolled credentials.
Offline breakglass
Emergency offline login using cached credentials when Entra ID is unreachable, with configurable TTL and automatic recovery.
Getting started
Install Himmelblau
Install the daemon, PAM module, NSS module, and SSO helper packages for your Linux distribution. See the Installation guide.
Configure your domain
Edit /etc/himmelblau/himmelblau.conf and set domain = your-tenant.onmicrosoft.com (or your primary verified domain). See Configuration overview.
Set up PAM and NSS
Run aad-tool configure-pam --really or manually update /etc/nsswitch.conf and /etc/pam.d/ to wire in the Himmelblau modules. See PAM & NSS setup.
Platform support
openSUSE & SLE
Tumbleweed, Leap 15.5/15.6, and SUSE Linux Enterprise 15 SP5/SP6.
Fedora & RHEL
Fedora 41/42/43, Rocky Linux 8/9/10, and RHEL-compatible distributions.
Debian & Ubuntu
Debian 12/13 and Ubuntu 22.04/24.04 via DEB packages.
NixOS
Flake-based, NPINS, and classic NixOS configurations with a native module.
