/etc/himmelblau/himmelblau.conf. Most settings live in the [global] section; some options can be overridden per-domain in a [domain.example.com] section.
Minimal working configuration
The only strictly required option is domain. A minimal configuration looks like this:
/etc/himmelblau/himmelblau.conf
| Option | What it does |
|---|---|
| domain | Your Entra ID tenant domain (the part after @ in UPNs) |
| pam_allow_groups | Comma-separated list of Entra ID group Object ID GUIDs (or UPNs) that can log in |
| local_groups | Local Linux groups that enrolled Entra ID users are added to |
After changing himmelblau.conf, restart both services for the change to take effect:

Configuration sections
[global]
All core settings. See the full configuration reference for every available option. Key options at a glance:

| Option | Default | Description |
|---|---|---|
| domain | (from first UPN) | Entra ID domain name |
| pam_allow_groups | (all users) | Groups/users allowed to authenticate |
| local_groups | — | Local groups added to all Entra ID users |
| enable_hello | true | Windows Hello PIN enrollment |
| enable_passwordless | true | Passwordless auth via Microsoft Authenticator |
| apply_policy | true | Enforce Intune compliance policies |
| join_type | join | join (full device join) or register |
| debug | false | Enable verbose daemon logging |
[offline_breakglass]
Optional section to allow cached password authentication when Entra ID is unreachable. See Offline breakglass configuration.

Per-domain overrides
Options marked as domain_specific in the reference can be overridden for a specific domain by adding a section named after the domain:
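As an added example (not Himmelblau's own code), the following Python lint reads a constructed himmelblau.conf, resolves the effective settings for one domain by layering a [domain.<name>] section over [global], and flags the settings the tables above mark as security-relevant (an unset pam_allow_groups allows all users; debug enables verbose logging). The override precedence, the GUID/UPN shapes and every sample value are assumptions for the illustration, not taken from the project.

```python
"""Lint a himmelblau.conf: resolve effective settings per domain and flag risky values."""
import configparser
import re

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
UPN_RE = re.compile(r"^[^@\s]+@[^@\s]+$")

# Constructed sample configuration; GUIDs and domain names are placeholders.
SAMPLE_CONF = """
[global]
domain = example.com
pam_allow_groups = 11111111-2222-3333-4444-555555555555
local_groups = users
debug = false

[domain.contoso.com]
pam_allow_groups = not-a-guid, admin@contoso.com
debug = true
"""

def load_conf(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def effective_settings(cp, domain):
    """[global] first, then [domain.<name>] overrides individual keys (assumed precedence)."""
    settings = dict(cp["global"]) if cp.has_section("global") else {}
    section = f"domain.{domain}"
    if cp.has_section(section):
        settings.update(cp[section])
    return settings

def lint(cp, domain):
    """Return findings for one domain's effective settings."""
    s = effective_settings(cp, domain)
    findings = []
    if not s.get("domain"):
        findings.append("domain is required but not set")
    groups = [g.strip() for g in s.get("pam_allow_groups", "").split(",") if g.strip()]
    if not groups:
        # Per the reference table, an unset pam_allow_groups defaults to all users.
        findings.append("pam_allow_groups unset: every tenant user may log in")
    for g in groups:
        if not (GUID_RE.match(g) or UPN_RE.match(g)):
            findings.append(f"pam_allow_groups entry is neither a GUID nor a UPN: {g}")
    if s.get("debug", "false").lower() == "true":
        findings.append("debug=true: verbose daemon logging is enabled")
    return findings
```

Running lint(load_conf(SAMPLE_CONF), "contoso.com") reports the malformed group entry and the debug override, while example.com inherits only the clean [global] values and produces no findings.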
Applying changes
Further reading
Full config reference
Every option in [global] with descriptions and defaults.
Entra ID setup
What to configure in the Azure portal before deploying.
PAM & NSS setup
Wire Himmelblau into Linux authentication.
Intune compliance
Device enrollment and policy enforcement.
