Himmelblau enables Linux systems to authenticate directly against Microsoft Azure Entra ID. It provides PAM and NSS integration for standard login flows, supports Windows Hello PIN and FIDO2 passwordless authentication, enforces Microsoft Intune compliance policies, and includes an SSO broker for desktop and browser applications. The project name comes from the German word for “azure” (sky blue).

Architecture overview

Himmelblau is composed of five main components that work together to deliver Entra ID identity on Linux:
  • himmelblaud: the core system daemon. The PAM and NSS modules reach Entra ID only through this daemon. It manages the local identity cache, handles token acquisition, and communicates with Intune.
  • himmelblaud-tasks: a companion tasks daemon responsible for background operations such as home directory creation and policy enforcement.
  • pam_himmelblau.so: the PAM module. Plugs into the Linux authentication stack (/etc/pam.d/) to authenticate users against Entra ID via the daemon.
  • libnss_himmelblau.so: the NSS module. Lets standard tools such as getent passwd and id resolve Entra ID users and groups through the standard Name Service Switch interface.
  • aad-tool: the CLI management utility. Used to test authentication, manage the local cache, configure PAM, manage credentials, and interact with the idmap system.
  • SSO broker: a userspace broker (himmelblaud-broker) that lets browser and desktop applications, including Chrome and Firefox, acquire tokens silently using the device's enrolled Entra ID credentials.
Communication flow:
  1. A user logs in. The PAM module (pam_himmelblau.so) receives the authentication request.
  2. The PAM module sends the request to himmelblaud over a Unix socket.
  3. himmelblaud contacts Azure Entra ID to authenticate the user, acquire tokens, and check Intune compliance.
  4. himmelblaud returns the result over the same socket, and the PAM module reports success or failure to the PAM stack. The NSS module resolves the user's identity (UID, GID, home directory, shell) from the local cache maintained by himmelblaud, so the login can complete without a second round trip to Entra ID.
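Because the daemon is reached only through these two standard hooks, a misconfigured /etc/nsswitch.conf or PAM stack silently leaves Entra ID users invisible or unauthenticatable even when himmelblaud itself is healthy. The following shell script is an added example, not part of Himmelblau or its tooling: it parses the standard nsswitch.conf and /etc/pam.d file formats and reports whether the passwd and group databases name the himmelblau NSS service (the service name follows from libnss_himmelblau.so) and whether the auth and account groups load pam_himmelblau.so. Checking both auth and account is this example's assumption, and the sample files it creates are constructed fixtures, not the project's recommended PAM stack.

```shell
#!/bin/sh
# Added example (not Himmelblau's own code): verify that the standard Linux
# integration points Himmelblau relies on actually reference its modules.
# Only the standard nsswitch.conf and /etc/pam.d formats are parsed.

# nss_uses_himmelblau FILE DB
# Succeeds when the DB line (passwd, group, ...) of an nsswitch.conf names the
# "himmelblau" service. Comments are stripped and "db:" is split from its list.
nss_uses_himmelblau() {
    sed 's/#.*//; s/:/ /' "$1" | awk -v db="$2" '
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "himmelblau") found = 1 }
        END { exit found ? 0 : 1 }'
}

# pam_uses_himmelblau FILE TYPE
# Succeeds when a non-comment line of the given management group (auth,
# account, session, password), optionally prefixed with "-", loads
# pam_himmelblau.so.
pam_uses_himmelblau() {
    sed 's/#.*//' "$1" | awk -v t="$2" '
        ($1 == t || $1 == "-" t) && $0 ~ /pam_himmelblau\.so/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_integration NSSWITCH PAMFILE
# Prints one line per integration point and returns the number missing.
# Assumption of this example: both auth and account should go through the module.
check_integration() {
    nss=$1; pamf=$2; missing=0
    for db in passwd group; do
        if nss_uses_himmelblau "$nss" "$db"; then
            echo "ok      $nss: '$db' resolves via himmelblau"
        else
            echo "MISSING $nss: '$db' does not list himmelblau (getent/id will not see Entra ID users)"
            missing=$((missing + 1))
        fi
    done
    for t in auth account; do
        if pam_uses_himmelblau "$pamf" "$t"; then
            echo "ok      $pamf: '$t' loads pam_himmelblau.so"
        else
            echo "MISSING $pamf: no '$t' line loads pam_himmelblau.so (Entra ID logins will fall through)"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# Constructed fixtures (not real system files) so the script runs offline.
FIX=$(mktemp -d)
cat > "$FIX/nsswitch.good" <<'EOF'
# constructed /etc/nsswitch.conf
passwd: files himmelblau
group:  files himmelblau
shadow: files
EOF
cat > "$FIX/nsswitch.bad" <<'EOF'
passwd: files   # himmelblau forgotten
group:  files
EOF
cat > "$FIX/pam.good" <<'EOF'
# constructed PAM stack; illustrates the format only, not a recommended policy
auth    sufficient pam_himmelblau.so
auth    required   pam_unix.so try_first_pass
account sufficient pam_himmelblau.so
account required   pam_unix.so
EOF
cat > "$FIX/pam.bad" <<'EOF'
auth    required   pam_unix.so
account required   pam_unix.so
EOF

echo "--- good configuration"
check_integration "$FIX/nsswitch.good" "$FIX/pam.good"
echo "--- broken configuration"
check_integration "$FIX/nsswitch.bad" "$FIX/pam.bad" || echo "missing integration points: $?"
```

On a real host, point check_integration at /etc/nsswitch.conf and whichever PAM file your distribution stacks login through (for example /etc/pam.d/common-auth on Debian-style systems; the exact file is distribution-specific). A clean result here only proves the hooks are wired; it says nothing about whether himmelblaud is running or reachable over its socket, which aad-tool's authentication test covers.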

Key features

PAM & NSS integration

Authenticate Linux users against Entra ID using standard PAM and NSS modules — no custom patches to system libraries required.

Windows Hello on Linux

Register and use a PIN or FIDO2 key as a Hello credential, so users don’t need to type their password at every login.

MFA support

Full support for TOTP, Microsoft Authenticator push notifications, and device-code flows during interactive login and SSH sessions.

Intune compliance

Enroll devices in Microsoft Intune and automatically enforce compliance policies required for Conditional Access.

SSO broker

A userspace broker lets browser and desktop applications acquire tokens silently using the device’s enrolled credentials.

Offline breakglass

Emergency offline login using cached credentials when Entra ID is unreachable, with a configurable TTL and automatic recovery when connectivity returns.

Prerequisites

Before installing Himmelblau, ensure you have:
  • A supported Linux distribution (openSUSE Tumbleweed/Leap, SUSE Linux Enterprise, Fedora, RHEL/Rocky Linux, Debian, Ubuntu, or NixOS)
  • An active Microsoft Azure Entra ID tenant with at least one user account
  • Outbound HTTPS (TCP 443) access from the Linux host to the Microsoft identity endpoints (login.microsoftonline.com, graph.microsoft.com)
  • Root or sudo access on the Linux host

Next steps

Quickstart

Get your Linux system authenticating against Entra ID in minutes.
