
idmap user-add

Add a static user mapping to the idmap cache. Maps an Entra ID user (by UPN or SAM-compatible name) to a fixed UID and primary group GID. This is useful when migrating from on-premises AD to Entra ID and you need to preserve existing UID/GID assignments.
sudo aad-tool idmap user-add --name <USER_UPN> --uid 10001 --gid 10001
Flag       Short  Description
--name     -D     (Required) The user’s UPN or SAM-compatible account name.
--uid      -u     (Required) The UID to assign to this user.
--gid      -g     (Required) The primary group GID to assign to this user.
--debug    -d     Enable verbose debug logging.

idmap group-add

Add a static group mapping to the idmap cache. Maps an Entra ID group (identified by its Object ID GUID) to a fixed GID. This maintains group identity and membership compatibility when moving groups from on-premises AD to Entra ID.
sudo aad-tool idmap group-add \
  --object_id "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" \
  --gid 10050
Flag          Short  Description
--object_id   -D     (Required) The Entra ID group Object ID (GUID).
--gid         -g     (Required) The GID to assign to this group.
--debug       -d     Enable verbose debug logging.
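When static mappings are created from an on-premises export, the main risk is a UID that collides with an existing local or system account on the target host, which would give the mapped Entra ID user that account's files and privileges. The script below is an added example, not part of aad-tool or the Himmelblau documentation: it turns a constructed export of AD POSIX users into idmap user-add commands and refuses records whose UID is in the system range, already present in a (constructed) /etc/passwd, or duplicated within the export. The export format (upn:uidNumber:gidNumber) and the 1000 cutoff are assumptions for the example.

```shell
#!/bin/sh
# Added example: plan static idmap user-add commands from an on-prem export
# while rejecting UIDs that would collide on the target host. Not aad-tool code.

# Constructed export, one "upn:uidNumber:gidNumber" record per line.
AD_EXPORT='alice@example.com:10001:10001
bob@example.com:10002:10001
dave@example.com:10002:10001
svc-backup@example.com:999:999
carol@example.com:65534:10001'

# Constructed stand-in for the target host's /etc/passwd.
LOCAL_PASSWD='root:x:0:0:root:/root:/bin/sh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin'

MIN_UID=1000   # assumed lower bound for regular user accounts

# plan_idmap EXPORT PASSWD: print one "sudo aad-tool idmap user-add" command per
# acceptable record and one "SKIP <upn>: <reason>" line per rejected record.
# Returns the number of rejected records, so 0 means the plan is clean.
plan_idmap() {
  export_data=$1 passwd_data=$2 rejected=0 seen=" "
  while IFS=: read -r upn uid gid; do
    [ -n "$upn" ] || continue
    reason=""
    case "$uid:$gid" in *[!0-9:]*|:*|*:) reason="non-numeric uid/gid";; esac
    if [ -z "$reason" ] && [ "$uid" -lt "$MIN_UID" ]; then
      reason="uid $uid is in the system range (< $MIN_UID)"
    fi
    if [ -z "$reason" ] && printf '%s\n' "$passwd_data" |
       awk -F: -v u="$uid" '$3 == u { found = 1 } END { exit !found }'; then
      reason="uid $uid already used by a local account"
    fi
    case "$seen" in *" $uid "*) [ -n "$reason" ] || reason="uid $uid duplicated in export";; esac
    seen="$seen$uid "
    if [ -n "$reason" ]; then
      printf 'SKIP %s: %s\n' "$upn" "$reason"
      rejected=$((rejected + 1))
    else
      printf 'sudo aad-tool idmap user-add --name %s --uid %s --gid %s\n' "$upn" "$uid" "$gid"
    fi
  done <<EOF
$export_data
EOF
  return "$rejected"
}

plan_idmap "$AD_EXPORT" "$LOCAL_PASSWD"
```

The same collision check applies to idmap group-add, with GIDs compared against the third field of /etc/group instead of /etc/passwd.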

idmap clear

Clear all entries from the static idmap cache.
sudo aad-tool idmap clear
Flag       Short  Description
--debug    -d     Enable verbose debug logging.

user set-posix-attrs

Set POSIX-related attributes on an Entra ID user object. This updates the uidNumber, gidNumber, unixHomeDirectory, loginShell, and gecos extension attributes stored on the user in Entra ID via Microsoft Graph. You must provide --schema-client-id, which identifies the application where the extension properties were registered. That application must have User.ReadWrite.All permissions. If --name is omitted, the command authenticates as the currently logged-in user via the Himmelblau SSO broker. If --name is provided, the command must be run as root to impersonate another user. This command must be run from a device that has already been joined to Entra ID.
sudo aad-tool user set-posix-attrs \
  --schema-client-id <SCHEMA_APP_CLIENT_ID> \
  --user-id <USER_UPN> \
  --uid 10001 --gid 10001 --shell /bin/bash
Flag                  Short  Description
--name                -D     Authenticating account (UPN). If omitted, uses the SSO broker with the currently logged-in user. Requires root if specified.
--schema-client-id           (Required) Client ID of the application where POSIX extension properties were registered.
--user-id                    (Required) The target user’s Object ID or UPN.
--uid                        uidNumber value to set.
--gid                        gidNumber value to set.
--home                       unixHomeDirectory value to set.
--shell                      loginShell value to set.
--gecos                      gecos value to set.
--debug               -d     Enable verbose debug logging.
All POSIX attribute flags are optional. Only the attributes you specify will be updated.

group set-posix-attrs

Set the gidNumber POSIX attribute on an Entra ID group object via Microsoft Graph. You must provide --schema-client-id, which identifies the application where the extension properties were registered. That application must have Group.ReadWrite.All permissions. The --group-id must be the group’s Object ID (GUID). This command must be run from a device that has already been joined to Entra ID.
sudo aad-tool group set-posix-attrs \
  --schema-client-id <SCHEMA_APP_CLIENT_ID> \
  --group-id "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" \
  --gid 10050
Flag                  Short  Description
--name                -D     Authenticating account (UPN). If omitted, uses the SSO broker. Requires root if specified.
--schema-client-id           (Required) Client ID of the application where POSIX extension properties were registered.
--group-id                   (Required) The target group’s Object ID (GUID).
--gid                        (Required) gidNumber value to set.
--debug               -d     Enable verbose debug logging.

application list

List Entra ID application registrations in the current tenant. Uses a delegated Microsoft Graph request with Application.Read.All permissions via the specified client application.
aad-tool application list --client-id <CLIENT_ID>
aad-tool application list --client-id <CLIENT_ID> --name <USER_UPN>
Flag           Short  Description
--client-id           (Required) Client ID of an application with Application.Read.All permissions.
--name         -D     Authenticating account. If omitted, uses the SSO broker. Requires root if specified.
--debug        -d     Enable verbose debug logging.

application create

Create a new Entra ID application registration in the current tenant. Requires Application.ReadWrite.All permissions via the specified client application.
aad-tool application create \
  --client-id <CLIENT_ID> \
  --display-name "My App" \
  --user-read-write
Flag                  Short  Description
--client-id                  (Required) Client ID of an application with Application.ReadWrite.All permissions.
--display-name               (Required) Display name for the new application.
--redirect-uri               Redirect URI for public client authentication. Can be specified multiple times.
--user-read-write            Grant User.ReadWrite.All permission to the new application.
--group-read-write           Grant Group.ReadWrite.All permission to the new application.
--name                -D     Authenticating account. If omitted, uses the SSO broker. Requires root if specified.
--debug               -d     Enable verbose debug logging.
If you grant --user-read-write or --group-read-write, restrict access to the application in the Entra portal: set "Assignment required?" to Yes under Enterprise applications → Properties, then assign only the specific users or groups that need access. Without this, any user in the tenant can sign in to an application that holds tenant-wide write permissions.

application list-schema-extensions

List the POSIX-related schema extension attributes registered on an existing Entra ID application. The --schema-app-object-id must be the application’s Object ID (not the Client ID), as shown in the Entra Admin Center.
aad-tool application list-schema-extensions \
  --client-id <CLIENT_ID> \
  --schema-app-object-id <OBJECT_ID>
Flag                      Short  Description
--client-id                      (Required) Client ID of an application with Application.Read.All or Application.ReadWrite.All permissions.
--schema-app-object-id           (Required) Object ID of the application whose extension attributes you want to list.
--name                    -D     Authenticating account. If omitted, uses the SSO broker. Requires root if specified.
--debug                   -d     Enable verbose debug logging.

application add-schema-extensions

Register the standard set of POSIX-related schema extensions (uidNumber, gidNumber, unixHomeDirectory, loginShell, gecos) on an existing Entra ID application. Requires Application.ReadWrite.All permissions. The --schema-app-object-id must be the Object ID of the target application (not the Client ID).
aad-tool application add-schema-extensions \
  --client-id <CLIENT_ID> \
  --schema-app-object-id <OBJECT_ID>
Flag                      Short  Description
--client-id                      (Required) Client ID of an application with Application.ReadWrite.All permissions.
--schema-app-object-id           (Required) Object ID of the application to add extensions to.
--name                    -D     Authenticating account. If omitted, uses the SSO broker. Requires root if specified.
--debug                   -d     Enable verbose debug logging.
