Creating an Entra ID Application for Himmelblau GroupMember.Read.All Permissions
Himmelblau requires additional API permissions to read group names and extended attributes such as a group's gidNumber (which is essential for RFC2307 attribute ID mapping). The following configuration is necessary for Himmelblau to read the names of groups; user-group associations still work without it. To set this up, you must create an Azure Entra ID application and assign it the GroupMember.Read.All permission.
- Navigate to the Azure Entra ID portal.
- In the left-hand menu, select App registrations.
- Click New registration.
- Enter a Name for the application (e.g., `Himmelblau`).
- Under Supported account types, choose Accounts in this organizational directory only.
- Under Redirect URI, choose Public client/native (mobile & desktop) for the platform and enter `himmelblau://Himmelblau.EntraId.BrokerPlugin` for the URI.
- Click Register.
- In the newly created application, navigate to API permissions.
- Click Add a permission.
- Select Microsoft Graph.
- Choose Delegated permissions.
- Search for `GroupMember.Read.All` and select it.
- Click Add permissions.
- Click Grant admin consent for the tenant.
- Go to Overview in the application's page.
- Copy the Application (client) ID. This value will be used in Himmelblau's configuration.
Edit the `/etc/himmelblau/himmelblau.conf` file and add the following entry under the relevant domain:

```ini
[example.com]
app_id = 98fa618b-e5d2-4697-b0fd-fe3ec5eecdd3
```

Replace `98fa618b-e5d2-4697-b0fd-fe3ec5eecdd3` with your actual Application ID from Azure Entra ID.
To apply changes, restart Himmelblau:

```sh
sudo systemctl restart himmelblaud
sudo systemctl restart himmelblaud-tasks
```
By following these steps, Himmelblau will be able to retrieve the group information necessary for accurate ID mapping using Entra ID. Ensure that the application has the necessary permissions and is correctly configured in `himmelblau.conf` for seamless integration.
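A small check for the last step above, added here as an example and not part of the Himmelblau project: it parses a `himmelblau.conf` and reports, per domain section, whether `app_id` is present, is still the placeholder GUID from this page, or is not a well-formed GUID. The sample conf is constructed; treating every section other than `[global]` as a domain section is an assumption.

```python
import configparser
import io
import uuid

# Added example (not Himmelblau's own code). The GUID below is the stand-in
# value used in the docs; finding it in a real conf means it was never replaced.
DOC_PLACEHOLDER_APP_ID = "98fa618b-e5d2-4697-b0fd-fe3ec5eecdd3"

# Constructed sample conf: one correct domain, one with the placeholder left in,
# one with a malformed value, and one with no app_id at all.
SAMPLE_CONF = """\
[example.com]
app_id = 3f2504e0-4f89-11d3-9a0c-0305e82c3301
[placeholder.example]
app_id = 98fa618b-e5d2-4697-b0fd-fe3ec5eecdd3
[broken.example]
app_id = not-a-guid
[missing.example]
# app_id deliberately absent
"""


def check_app_ids(conf_text: str) -> dict:
    """Return {domain: verdict}; verdict is ok/missing/placeholder/malformed.
    Every section except [global] is treated as a domain section, since app_id
    belongs under the domain (assumption: [global] carries no app_id)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_file(io.StringIO(conf_text))
    results = {}
    for domain in parser.sections():
        if domain.lower() == "global":
            continue
        app_id = parser.get(domain, "app_id", fallback=None)
        if app_id is None:
            results[domain] = "missing"
        elif app_id.strip().lower() == DOC_PLACEHOLDER_APP_ID:
            results[domain] = "placeholder"
        else:
            try:
                uuid.UUID(app_id.strip())  # accepts any well-formed GUID
                results[domain] = "ok"
            except ValueError:
                results[domain] = "malformed"
    return results


if __name__ == "__main__":
    for domain, verdict in check_app_ids(SAMPLE_CONF).items():
        print(f"{domain}: {verdict}")
```

Run it against the real file with `check_app_ids(open("/etc/himmelblau/himmelblau.conf").read())` before restarting the services.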