Before enrolling Linux devices with Himmelblau, complete these steps in the Microsoft Entra admin center.

Prerequisites

  • A Microsoft Entra ID tenant (formerly Azure Active Directory)
  • Global Administrator or Privileged Role Administrator access to configure device settings
  • Users who will log in must have licenses that include Entra ID (Microsoft 365, Entra ID P1 or P2 (formerly Azure AD Premium), etc.)

Step 1: Allow device registration or join

1. Open the Entra admin center
   Go to entra.microsoft.com and sign in.

2. Configure device settings
   Navigate to Identity > Devices > Device settings.
     • Users may join devices to Microsoft Entra ID: set this to All, or to a specific group that includes the accounts that will enroll Linux devices. A specific group is the least-privilege choice; All lets every user in the tenant join devices.
     • If you only need device registration (not full join), set join_type = register in himmelblau.conf. Registration does not require device join permissions.

3. Note your tenant domain
   Your primary domain is shown at the top of the Entra admin center. Use this as the domain value in himmelblau.conf. Example: contoso.onmicrosoft.com or a verified custom domain like contoso.com.

Step 2: Find group Object IDs for pam_allow_groups

The pam_allow_groups option controls which Entra ID users and groups are allowed to log in. Groups must be specified by their Object ID GUID — display names are not unique and are not accepted.
1. Open the group
   Navigate to Identity > Groups > All groups and open the group.

2. Copy the Object ID
   On the group's Overview page, copy the Object ID (a GUID like f3c9a7e4-7d5a-47e8-832f-3d2d92abcd12).

3. Add it to the config
   pam_allow_groups = f3c9a7e4-7d5a-47e8-832f-3d2d92abcd12
   Separate multiple groups or UPNs with commas. You can also list individual users by UPN (e.g. [email protected]) alongside group GUIDs.

Step 3: (Optional) App registration for RFC 2307 attributes

If you want to store POSIX attributes (uidNumber, gidNumber, unixHomeDirectory, loginShell) directly on Entra ID user objects — and have Himmelblau read them — you need an app registration with appropriate Graph API permissions.
1. Create an app registration
   Navigate to Identity > App registrations > New registration. Give it a name like Himmelblau POSIX Schema.

2. Grant API permissions
   Under API permissions, add:
     • User.Read.All (delegated or application)
     • Group.Read.All (delegated or application)
   Grant admin consent (application permissions do not take effect until an administrator consents).

3. Add schema extensions
   Use aad-tool application add-schema-extensions to register the POSIX attributes on this app:
   sudo aad-tool application add-schema-extensions \
     --client-id <YOUR_APP_CLIENT_ID> \
     --schema-app-object-id <YOUR_APP_OBJECT_ID>
   Both values are on the app registration's Overview page: the client ID is the Application (client) ID, and the object ID is the separate Object ID shown beside it. They are different GUIDs; do not swap them.

4. Set the app_id in config
   app_id = <YOUR_APP_CLIENT_ID>

Step 4: (Optional) Conditional Access and Intune compliance

If your tenant uses Conditional Access policies that require device compliance, Himmelblau supports Intune enrollment to satisfy those requirements.
  • Enrolled Linux devices appear under Intune > Devices as managed devices
  • The apply_policy = true (default) setting causes Himmelblau to download and enforce compliance policies
  • Devices that pass compliance checks are marked as compliant and can satisfy CA policies requiring a compliant device
See Intune compliance for details.

join_type: join vs register

Value            Behavior
join (default)   Full device join. The device appears as a joined device in Entra ID; required for most Conditional Access scenarios.
register         Device registration only. Lighter weight, and does not require device join permissions in tenant settings.

Set this in himmelblau.conf:
join_type = join
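As an added example (it is not part of Himmelblau or of this page), the following Python script applies the rules from Steps 1 to 3 and the join_type table to a himmelblau.conf fragment before you enroll: the domain must be a DNS name, join_type must be join or register, every pam_allow_groups entry must be an Object ID GUID or a UPN (a display name is flagged), and app_id, if present, must be a GUID. It assumes the options live in a [global] section and uses the option names exactly as this page spells them (domain, join_type, pam_allow_groups, app_id); the two config fragments at the bottom are constructed for the example.

```python
"""Pre-enrollment sanity check for a himmelblau.conf fragment.

Added example, not Himmelblau's own code. Assumptions: options live in a
[global] section, and option names are spelled as on this page (domain,
join_type, pam_allow_groups, app_id). The two config fragments at the
bottom are constructed for the example.
"""
import configparser
import re
import uuid
from typing import Dict, List

# Loose UPN shape: one '@', no whitespace or commas, at least one dot after the '@'.
UPN_RE = re.compile(r"^[^@\s,]+@[^@\s,]+\.[^@\s,]+$")


def is_guid(value: str) -> bool:
    """True only for a canonical hyphenated GUID, the form the portal shows for Object IDs."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except ValueError:
        return False


def is_upn(value: str) -> bool:
    return bool(UPN_RE.match(value))


def classify_allow_entries(raw: str) -> Dict[str, List[str]]:
    """Split a pam_allow_groups value and bucket each entry as group GUID, UPN, or invalid."""
    buckets: Dict[str, List[str]] = {"groups": [], "users": [], "invalid": []}
    for entry in (e.strip() for e in raw.split(",")):
        if not entry:
            continue
        if is_guid(entry):
            buckets["groups"].append(entry)
        elif is_upn(entry):
            buckets["users"].append(entry)
        else:  # a display name or a typo: it will never match an Entra group by Object ID
            buckets["invalid"].append(entry)
    return buckets


def check_config(text: str) -> List[str]:
    """Return a list of problems; an empty list means the fragment follows this page's rules."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section("global"):
        return ["missing [global] section"]
    g = cp["global"]
    problems: List[str] = []

    domain = g.get("domain", "").strip()
    if "." not in domain:
        problems.append(f"domain is missing or not a DNS name: {domain!r}")

    join_type = g.get("join_type", "join").strip()  # page: join is the default
    if join_type not in ("join", "register"):
        problems.append(f"join_type must be 'join' or 'register', got {join_type!r}")

    allow = g.get("pam_allow_groups", "").strip()
    if not allow:
        problems.append("pam_allow_groups is empty: no Entra ID group or user has been allowed to log in")
    else:
        for bad in classify_allow_entries(allow)["invalid"]:
            problems.append(
                f"pam_allow_groups entry {bad!r} is neither an Object ID GUID nor a UPN "
                "(display names are not accepted)"
            )

    app_id = g.get("app_id", "").strip()
    if app_id and not is_guid(app_id):
        problems.append(f"app_id must be the app registration's client ID GUID, got {app_id!r}")
    return problems


# Constructed sample that follows the page.
GOOD_CONF = """
[global]
domain = contoso.onmicrosoft.com
join_type = register
pam_allow_groups = f3c9a7e4-7d5a-47e8-832f-3d2d92abcd12, alice@contoso.com
app_id = 11111111-2222-3333-4444-555555555555
"""

# Constructed sample with a display name instead of an Object ID, an
# un-hyphenated GUID pasted from somewhere else, and a typo in join_type.
BAD_CONF = """
[global]
domain = contoso.onmicrosoft.com
join_type = registered
pam_allow_groups = Linux Admins, F3C9A7E47D5A47E8832F3D2D92ABCD12
"""

if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name, check_config(conf) or "OK")
```

Run it against your real file with `check_config(open("/etc/himmelblau/himmelblau.conf").read())` after adjusting the section name if your build uses a different one. The GUID check deliberately insists on the canonical hyphenated form shown in the portal, so a value copied without hyphens or a group display name is reported instead of silently matching nothing.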
