Himmelblau 2.0: Azure Entra ID for Linux – and not from Microsoft
The free software Himmelblau reaches version 2.0 and fully integrates Linux systems into Azure Entra ID – now with offline mode and SELinux support.
Himmelblau has released version 2.0: The open-source software allows Linux systems to be fully integrated into Microsoft's identity management service Azure Entra ID (formerly Azure Active Directory) – an increasingly important function for hybrid IT environments with Microsoft 365 and Linux servers.
The free project positions itself as an alternative to Microsoft's own offerings such as Intune for Linux, offering more flexibility for pure Linux infrastructures. The software is licensed under GPLv3 and is maintained by David Mulder as the lead developer.
Offline emergency access for MFA users
The central new feature in version 2.0 is the so-called Breakglass mode: It allows administrators and users with multi-factor authentication to access their systems even if Azure Entra ID is not reachable. This resolves a common problem in enterprise environments where outages or maintenance on Microsoft services would otherwise lead to complete system lockouts. The mechanism works with locally stored credentials and is used exclusively in emergencies when the cloud connection is interrupted.
Himmelblau has also significantly expanded distribution support: in addition to the previous platforms, the new release now runs on Fedora 43, Debian 13 and SUSE Linux Enterprise 16. This means the software covers virtually all Linux systems relevant to enterprises.
SELinux integration and systemd improvements
For security-critical environments, version 2.0 brings full SELinux support for the first time. The software provides dedicated SELinux policies for all Himmelblau daemons, significantly simplifying integration into hardened Linux systems. Previously, administrators often had to switch SELinux to permissive mode or write their own policies.
The systemd integration has been fundamentally revised: The software now generates service units automatically and supports systemd-creds for HSM PIN encryption. This allows Himmelblau to be integrated seamlessly into systemd, which most distributions use for booting. Local user mapping allows existing Linux accounts to be linked with Entra ID identities without having to migrate the entire user management.
M365 and Microsoft Edge on the Linux desktop
For desktop users, Himmelblau 2.0 now automatically generates desktop entries for M365 web applications. These integrate cleanly into GNOME, KDE, and other desktop environments. Integration of Microsoft Edge has also been added, allowing users to use the browser with their Entra ID credentials.
Version 2.0 also includes several changes for supply chain security: Builds now generate a Software Bill of Materials (SBOM), are evaluated with the OpenSSF Scorecard, and undergo license vetting. Dependencies are updated in groups to improve maintainability. New fuzzing tools and ARM64 build support are available for developers.
Himmelblau 2.0 is now available from the official package repositories. All new features and changes can be found in the Release Notes.
(fo)