The in-direct connect option is through Microsoft Azure command line tool (az ssh) by way of the Azure Arc agent. Let's look at each method to understand pros and cons of each.
Himmelblau
Himmelblau is an open source project that operates as an identity broker to Entra ID via the himmelblaud daemon. This is the most comprehensive solution available thus far.
- Type: Password + PIN verification authentication or just Microsoft HELLO PIN
- Project: https://himmelblau-idm.org
- GitHub Repo: https://github.com/himmelblau-idm/himmelblau
- Walkthrough: https://www.youtube.com/watch?v=wCibnqVQ_bs
- Pros:
- Users and groups can be managed in Entra ID
- Users can use standard ssh/putty into Linux hosts with this integration
- Supports Entra ID MFA
- Directly integrated into SuSE Linux and works for SSH and GDM
- Cons:
- Does not provide native OAuth2 authentication with Entra ID
- Not officially supported by other major Linux vendors such as Red Hat and Oracle
- Not an officially vendor supported solution outside of SuSE Linux
- Already has a few security vulnerabilities (CVE-2025-54781, CVE-2026-31957, CVE-2026-31979, ...)
- It is not yet clear if this solution fully supports Entra ID conditional access policies
- May require additional cost for license and/or support
Red Hat IPA Federation To Entra ID
This option extends Red Hat's IPA (Identity, Policy and Audit) solution by way of OpenID Connect (OIDC) to Entra ID where Entra ID is an identity provider (IdP) to IPA. IPA is effectively an authentication and authorization broker to either internal or external identity providers. The method of authentication between the Linux host and IPA appears to be either Kerberos or LDAP BIND even though the authentication between the IPA server and Entra ID is OIDC.
- Type: Password, ssh key, and/or MFA
- Support solution pages:
- Login to RHEL using Microsoft Entra ID - https://access.redhat.com/solutions/7076188
- Configure IdM to use Entra ID (Azure AD) as external IdP - https://access.redhat.com/solutions/7073948
- Pros:
- Users and groups can be managed in Entra ID
- Users can use standard ssh/putty into Linux hosts with this integration
- Officially supported by Red Hat
- Enables use of identities in Entra ID
- Cons:
- Does not provide native OAuth2 authentication with Entra ID
- Not officially supported by other Linux vendors
- It is not yet clear if this solution fully supports Entra ID conditional access policies
- Is not yet clear if solution supports Entra ID MFA
- May require additional cost for license and/or support
Kerberos Domain Join With Microsoft Entra Domain Services
Microsoft's Entra Domain Services (e.g. managed AD Kerberos Domain Servers) can be used as an intermediary authentication to Entra ID via Kerberos authentication.
- Type: Kerberos ticket
- Kerberos Join to managed AD - https://learn.microsoft.com/en-us/entra/identity/domain-services/join-rhel-linux-vm?tabs=rhel
- Pros:
- Users and groups can be managed in Entra ID
- Users can use standard ssh/putty into Linux hosts with this integration
- Does not support Entra ID MFA
- Cons:
- Does not provide native OAuth2 authentication with Entra ID
- It is not yet clear if this solution fully supports Entra ID conditional access policies
- May require additional cost for license and/or support
Azure Arc Enabled SSH Authentication
Azure Arc is a Microsoft Azure cloud service that provides a variety of host management capabilities such as updating the operating system, collecting log data, and providing proxied ssh to the hose via the Azure command line tool (az). For example, once a Linux host is registered with Azure Arc, configured with Azure AD ssh Login software, specified the ssh port and the AADSSHLoginForLinux extension has been enabled, an Entra ID user can authenticate to the Linux host from the Azure console command prompt or any host running the Azure command line tool (e.g. az ssh arc ...). Here is the basic workflow:
1. Login to Entra ID via the Azure command line tool:
az login
2. Use the Azure command line tool to remotely login to a Linux host:
az ssh arc --resource-group <az_resource_group> --name <linux_host>
Note that this solution does not enable the standard ssh command to be able to authenticate using Entra ID integration. It only applies to authenticating through the Azure command line tool.
- Type: Whatever is prescribed by Entra ID password and conditional access policies
- SSH access to Azure Arc-enabled servers - https://learn.microsoft.com/en-us/azure/azure-arc/servers/ssh-arc-overview
- Arc-enabled servers: Configuration and remote access - https://learn.microsoft.com/en-us/azure/azure-arc/servers/security-machine-configuration
- Sign in to a Linux virtual machine in Azure by using Microsoft Entra ID and OpenSSH - https://learn.microsoft.com/en-us/entra/identity/devices/howto-vm-sign-in-azure-ad-linux
- Pros:
- Users and groups can be managed in Entra ID
- Provides native OAuth2 authentication with Entra ID
- Supports Entra ID MFA
- Supports Entra ID conditional access policies
- Can ssh to the host without need of direct or indirect (e.g. VPN) connection to the Linux host
- Cons:
- Can only ssh to Linux hosts via the Azure command line tool
- Users cannot use standard ssh/putty into Linux hosts
- Linux hosts must run an local agent to facilitate authentication to the host
- Azure agent will require additional resources and compute to facilitate connections to the host
System Security Services Daemon (SSSD) Entra ID Integration
The solution that most customers desire is native support of Entra ID integration by the SSSD service. This solution appears to be in progress with a tentative target for inclusion in Red Hat/Oracle Linux 10.
The SSSD 2.11.0 release notes announces the introductory of support of Entra ID integration through the sssd-idp package:
"New generic id and auth provider for Identity Providers (IdPs), as a start Keycloak and Entra ID are supported."
SSSD 2.11.0 Release Notes - https://sssd.io/release-notes/sssd-2.11.0.html
However, testing of this new capability indicates that the requisite libsss_idp.so library is not yet available. This is made evident by the following error in the /var/log/sssd/ssd_<domain>.log file:
Unable to load module [idp] with path [/usr/lib64/sssd/libsss_idp.so]: /usr/lib64/sssd/libsss_idp.so: cannot open shared object file: No such file or directory
Once SSSD finally and fully supports native OAuth2 integration with Entra ID, I expect that will support MFA and Entra ID Conditional Access Policies. However, time will tell. Here are references to this project:
- Type: Whatever is prescribed by Entra ID password and conditional access policies
- SSSD Identity Provider (IdP) Support - https://sssd.io/docs/idp/idp-introduction.html
- sssd-idp man page - https://www.mankier.com/5/sssd-idp
- Pros:
- Users and groups can be managed in Entra ID
- Provides native OAuth2 authentication with Entra ID
- Supports Entra ID MFA
- Supports Entra ID conditional access policies
- Can ssh to Linux hosts with standard ssh/putty tools
- Cons:
- Not yet fully implemented
I hope you find this information helpful and useful.
Blessings!
