aad-tool is the command-line management interface for Himmelblau. Most subcommands communicate with the running himmelblaud daemon or directly with Entra ID. Commands that interact with Entra ID must be run from a device that has already been enrolled (joined) to Entra ID.
Global flags
| Flag | Description |
|---|---|
| --debug / -d | Enable verbose debug logging. |
Commands
| Command | Description |
|---|---|
| application list | List Entra ID application registrations in the current tenant. |
| application create | Create a new Entra ID application registration. |
| application list-schema-extensions | List POSIX schema extension attributes registered on an application. |
| application add-schema-extensions | Register POSIX-related schema extensions on an existing application. |
| auth-test | Test authentication for a user through the Himmelblau PAM channel. |
| cache-clear | Mark cached user and group entries as stale, or fully wipe the cache. |
| cache-invalidate | (Deprecated) Equivalent to cache-clear. Will be removed in a future release. |
| configure-pam | Insert pam_himmelblau lines into the system PAM configuration files. |
| cred secret | Store a client secret for confidential client authentication. |
| cred cert | Generate an HSM-backed key pair and self-signed certificate for confidential client authentication. |
| cred delete | Delete stored confidential client credentials. |
| cred list | Check whether confidential client credentials are present for a domain. |
| enumerate | Enumerate all Entra ID users and groups with rfc2307 attributes and cache them locally. |
| user set-posix-attrs | Set POSIX attributes (uidNumber, gidNumber, etc.) on an Entra ID user. |
| group set-posix-attrs | Set the gidNumber attribute on an Entra ID group. |
| idmap user-add | Add a static UID/GID mapping for an Entra ID user to the idmap cache. |
| idmap group-add | Add a static GID mapping for an Entra ID group to the idmap cache. |
| idmap clear | Clear all entries from the static idmap cache. |
| offline-breakglass | Activate or deactivate offline breakglass mode for emergency access. |
| status | Check that himmelblaud is online and able to connect to Entra ID. |
| tpm | Check whether Himmelblau is using the TPM for key storage. |
| version | Show the version of this tool. |
Commands that interact with Entra ID (such as application, enumerate, user set-posix-attrs, and group set-posix-attrs) must be run from a device that has already been joined to Entra ID.
Reference pages
Authentication commands
auth-test, status, version, tpm, configure-pam, and offline-breakglass.
Cache management
cache-clear, cache-invalidate, and enumerate.
Credential management
cred secret, cred cert, cred delete, and cred list.
Identity mapping
idmap user-add, idmap group-add, idmap clear, user set-posix-attrs, group set-posix-attrs, and application commands.