Himmelblau - sign in to Linux with a corporate Microsoft account

Linux in your company does not have to mean separate accounts and passwords. Himmelblau integrates Linux machines into the same identity system used by the rest of the organization.

Damian Cikowski

7 min read

In most companies, it looks like this: everyone signs in with a Microsoft account - for email, Teams, SharePoint, CRM. One account, one password, one place to manage everything. And then someone sets up a Linux server, or a developer gets a laptop with Ubuntu - and suddenly that one account is no longer enough. Linux lives next to the rest of the company, with its own passwords, its own accounts, outside the reach of the corporate security policy.

That was true until recently. The Himmelblau project changes that.

The problem Himmelblau solves

Microsoft Entra ID (formerly Azure Active Directory) is the system where companies using Microsoft 365 store their employees' identities. Accounts, groups, permissions, security policies - everything in one place. When an employee signs in to Windows, the system verifies their identity in Entra ID, enforces multi-factor authentication (MFA), checks device compliance with company policies, and grants access to resources.

Linux cannot do this. Or rather - it could not. Entra ID is a service designed for Windows. Linux has always been treated as an afterthought - either you create separate local accounts on every machine, or you build additional infrastructure (an Active Directory domain controller, cloud sync) so Linux can communicate with the corporate identity system at all.

Himmelblau closes this gap. After installing it on a Linux machine, users can sign in with the same Microsoft account they use for email and Teams. No additional infrastructure, no separate passwords, no security gaps.

How it looks in practice

An employee approaches a Linux computer - a laptop, workstation, or terminal - and enters their corporate email address and password on the sign-in screen. The system verifies identity in Entra ID, enforces MFA if required by company policy, and opens a session. For subsequent sign-ins, a device-bound PIN is enough - fast and secure, similar to Windows Hello.

For the user, the difference compared to signing in to Windows is minimal. For the IT department - huge.

What this means for the company

One account for everything - truly everything

Without Himmelblau, Linux is a separate island. Separate accounts, separate passwords, separate management. With Himmelblau, Linux machines become part of the same ecosystem as the rest of the company. An employee has one account - and uses it to sign in to Windows, Linux, email, everything.

This is not just convenience. It is security. The fewer passwords an employee has to remember, the lower the risk that they start reusing them, writing them on sticky notes, or using "Firma123!" everywhere.

Offboarding in one place

When an employee leaves the company, the administrator disables their account in Entra ID - and they lose access to everything. Email, Teams, SharePoint, VPN, and now Linux machines as well. Without Himmelblau, someone has to manually go through every Linux server and laptop to remove the local account. In practice, something is always missed - and the former employee still has access to a production server or a developer machine.
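The check an administrator would otherwise do by hand on each machine, as an added example that is not part of the original article or of the Himmelblau project: it lists local accounts that can still log in and flags those belonging to offboarded users. The function names, the sample data, and the UID threshold of 1000 for human accounts are assumptions.

```python
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", ""}

# Constructed sample data in /etc/passwd and /etc/shadow format (not from a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
jkowalski:x:1001:1001:Jan Kowalski:/home/jkowalski:/bin/bash
anowak:x:1002:1002:Anna Nowak:/home/anowak:/bin/bash
backup:x:1003:1003:backup job:/home/backup:/usr/sbin/nologin
"""
SAMPLE_SHADOW = """\
root:!:19800:0:99999:7:::
www-data:*:19800:0:99999:7:::
jkowalski:$6$constructedsalt$constructedhash:19800:0:99999:7:::
anowak:!$6$constructedsalt$constructedhash:19800:0:99999:7:::
backup:*:19800:0:99999:7:::
"""

def password_state(field):
    """Classify the password field (second field) of an /etc/shadow entry."""
    if field == "":
        return "empty"    # no password required at all
    if field.startswith(("!", "*")):
        return "locked"   # password login blocked; SSH keys may still work
    return "usable"

def local_login_accounts(passwd_text, shadow_text, min_uid=1000):
    """Return {name: password_state} for human local accounts with a login shell."""
    shadow = dict(l.split(":")[:2] for l in shadow_text.splitlines() if l.count(":") >= 1)
    found = {}
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) != 7 or not parts[2].isdigit():
            continue      # skip malformed or comment lines
        name, uid, shell = parts[0], int(parts[2]), parts[6]
        if min_uid <= uid < 65534 and shell not in NOLOGIN_SHELLS:
            found[name] = password_state(shadow.get(name, "*"))
    return found

def survives_offboarding(accounts, offboarded):
    """Local accounts of offboarded users that disabling the Entra ID account does not remove."""
    return sorted(n for n in accounts if n in offboarded)

if __name__ == "__main__":
    accounts = local_login_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW)
    print(accounts, survives_offboarding(accounts, {"anowak", "jkowalski"}))
```

A "locked" result only rules out password login; the account's `authorized_keys` file has to be checked separately.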

MFA where it did not exist before

Multi-factor authentication is a standard today - but on Linux, for years it was practically unavailable without complex integrations. Himmelblau makes the corporate MFA policy from Entra ID work on Linux the same way it works on Windows. If company policy says "require MFA at sign-in" - Himmelblau will enforce it, with no exceptions.

Compliance with security policies (Intune compliance)

Himmelblau can register a Linux machine in Microsoft Intune and report its compliance status against company policies. What does this mean? An administrator can set a rule: "sign-in allowed only on devices that meet security requirements". A machine without disk encryption? Access denied. This is a mechanism that has existed on Windows for years - on Linux, until now, it simply did not exist.

SSO in the browser

After signing in to the system, the user opens a browser, goes to Outlook, SharePoint, or other Microsoft 365 services - and is signed in automatically. No need to enter the password a second time. The same single sign-on mechanism we know from Windows now works on Linux thanks to Himmelblau integration with Firefox, Chrome, and Edge browsers.

Where this makes the most sense

Servers

This is the most obvious use case. Instead of creating local accounts on dozens of servers, administrators sign in with their corporate account using MFA. One control point, full sign-in visibility, immediate offboarding.

Developer workstations

Developers increasingly prefer Linux - and increasingly receive it as their working system. The problem is that until now, their laptops lived outside corporate identity management. Himmelblau changes that without forcing a move to Windows.

Kiosks, terminals, service stations

Stations where users rotate - customer service, warehouse, reception. Linux drastically reduces operating system licensing costs, and Himmelblau ensures sign-in and access control work the same way as on Windows.

Companies looking for an alternative to Windows

The end of support for Windows 10 in October 2025, growing hardware requirements of Windows 11, higher licensing costs - these are topics appearing in conversations with IT departments more and more often. Linux as an endpoint system is returning to the discussion. Until now, one of the main arguments against it was the lack of Entra ID integration. Himmelblau neutralizes that argument.

What Himmelblau will not solve

To be clear - Himmelblau is an authentication tool, not a magic wand that turns Linux into Windows.

Applications - if a company uses software that runs exclusively on Windows (specialized ERP, accounting software, CAD), the mere fact that sign-in works will not change the availability of those applications. A decision to migrate to Linux must be preceded by an analysis of which tools the company uses daily.

Management scope - Intune on Windows can do much more than on Linux - application management, update enforcement, BitLocker configuration. Himmelblau extends Intune presence on Linux, but full parity with Windows is not there yet.

Maturity - the project is 3 years old, sponsored by SUSE and actively developed, but it is still a younger tool than solutions with a decade of enterprise deployments behind them. For critical machines, this is worth including in risk assessment.

Operations - configuring and maintaining Himmelblau requires Linux administration skills. This is not a tool that configures itself - you need someone who understands PAM, systemd, and Entra ID.

How much it costs

Himmelblau is open source and free. No per-user or per-machine fees. The only cost is the time needed for implementation and maintenance - or the service of an IT company that does it.

Compare this with alternatives: maintaining on-premises Active Directory with Azure AD Connect (Windows Server licenses, administration time, hardware) or paying for commercial identity management tools on Linux. Himmelblau eliminates these costs.

Summary

For years, Linux on endpoints in companies using Microsoft 365 was a second-class citizen. Separate accounts, no MFA, no centralized management, no compliance. Himmelblau changes that - it gives Linux access to the same identity system used by the rest of the company.

This is not a Microsoft product - it is an open source project, developed by the community with SUSE support. It works on all major Linux distributions, supports MFA, Hello PIN, Intune compliance, and browser single sign-on. And it is free.

If your company has Linux machines - servers, developer laptops, terminals - and you use Microsoft 365, Himmelblau is a tool worth considering. Because centralized identity management should not end where Windows ends.

How this looks at Helpwise

At Helpwise, we treat identity management as a security foundation - not as a one-time project, but as a permanent element of client infrastructure operations.

When Linux machines appear in a client environment - whether servers or workstations - we analyze how to include them in centralized identity management based on Microsoft Entra ID. We select the solution for the specific situation: environment scale, security requirements, and how the company uses Microsoft 365 day to day.

We configure authentication, integration with MFA and access policies, and then verify that employee offboarding effectively cuts off access to all systems - not only Windows and email, but also Linux servers and terminals. This gives the client confidence that no device in the company operates outside the reach of the corporate security policy.

Request an IT support services quote

Briefly describe your situation - we will respond within 24 hours with a tailored proposal.

The personal data you provide will be processed for the purpose of preparing and sending an offer for your company. More information about your rights related to GDPR can be found in our Privacy Policy and Cookie Policy.

Working hours

Mon – Fri, 8:00 AM – 6:00 PM

Office address

Patriots Street 303, 04-767 Warsaw

We guarantee a quick response. We reply to every inquiry within 24 hours. In urgent matters - call.
