DocumentationRelease Notes
Documentation

Linux host authentication management

Suggest Edits

The Linux Host Authentication Management feature provides a dedicated interface to manage Linux-specific schema attributes (UID, GID, Home Directory, and Shell) for users and groups synchronized from Microsoft Entra ID (formerly Azure AD). This allows you to manage attributes that cannot be set directly in Microsoft Entra ID and basing policies on those users and groups.

Prerequisites: Directory Services connection

  • An Identity Bridge connection.

To create the connection:

  1. Navigate to Directory Services.
Directory Services tile in EPM-L
  1. Click Add a Connection.
  2. Select the Entra ID Identity Bridge connection type.
Required settings to create directory services connection
  1. Enter the required connection details:
    • Tenant ID
    • Client ID
    • Client Secret
      These values must be obtained from the Microsoft Entra ID where you configured the BeyondTrust Bridge.
  2. (Optional) Click Test to verify the connection.
  3. Click Save Directory Services Settings.

📘

Note:

The Directory Services section displays two Entra ID connection types: Entra ID (Policy Management) and Entra ID (Identity Bridge). Identity Bridge is used only with Linux host authentication.

Configure global settings

After saving the Identity Bridge connection, set global settings on the Configuration tab. This section is optional.

  1. Select the Entra Configuration tile.
Entra ID tile in Directory Services configuration
  1. Select the Entra Configuration tab.
  1. Enter values for the attributes.
SettingDescriptionDefault (If not set)Input Requirements
Starting GIDThe numerical ID where the system begins assigning new Group IDs.1000Numeric
Starting UIDThe numerical ID where the system begins assigning new User IDs.1000Numeric
Home Directory TemplateA template for generating a user's home directory path.N/AMust start with a /. Supports templating: %h (home), %u (user).
Shell TemplateA template for generating a user's default Linux shell (e.g., /bin/bash).N/AMust start with a /.
  1. Click Save.

Backup and Restore

Use Backup and Restore to export all custom schema attribute data (GID, UID, Shell, Home Directory) to a JSON file or import it, which is useful for backups or bulk modifications.

Manage groups

The Groups page lists all groups synchronized from Microsoft Entra ID. The GID column is the custom attribute managed here.

Select the Host Groups tile to set up groups.

The Host Groups tile

Single group

  1. Find the group and click Edit.
  2. In the GID field:
    • Manually enter a unique GID. The system fails to save if the GID is already in use.
    • Click Suggest GID to get the next available GID based on the Starting GID configuration or the next ID after 1000.
  1. Click Save Changes.

Bulk group

  1. Select multiple groups using the check boxes.
  2. Click Edit (Bulk Action).
  3. Enter a starting GID. The system will assign this ID to the first selected group and iterate downwards to assign unique, sequential GIDs to the remaining selected groups, skipping any IDs that are already in use.
  4. Click Save Changes.

Provision all group members

Provision Linux-specific attributes for all users who are members of the selected group in Entra ID.

  1. Find the group and click > Provision All Group Members.
Provision all group members for Entra ID groups
  1. The system will:
    • Assign the group's custom GID (set in step 4.A) to every member of the group as their Primary GID.
    • Assign a unique UID to all members of the group who do not already have one.

📘

Note:

This action will not overwrite existing UID values for users who have already been provisioned.

Manage users

The Users tab lists all users synchronized with Microsoft Entra ID. The UID, Primary GID, Home Directory, and Shell are the custom attributes managed here.

Single user

  1. Find the user name and click > Edit.
  1. UID:
    • Manually enter a unique UID.
    • Click Suggest UID to get the next available UID.
  2. Primary GID:
    • Select an available GID from the dropdown list.
    • CRITICAL CONSTRAINT: A GID can only be assigned if the user is a member of the corresponding group in Microsoft Entra ID. The dropdown is populated only with GIDs previously set in the Groups tab.
  3. Home Directory and Shell:
    • Select a template from the dropdown list defined in the Configuration tab (Section 3) or select (none).
  4. Click Save.

Bulk user

  1. Select multiple users using the checkboxes.
  2. Click Bulk Action > Edit.
Bulk Actions Edit menu
  1. Set the Primary GID, Home Directory, and/or Shell selections.
Settings to edit more than one user
  1. Click Save.

📘

Note

Bulk GID Assignment: If you select a GID, only users who are already members of the associated group in Entra ID will have the GID applied. Users who are not members of that group will be unaffected.

Refresh data

Updates to Linux host authentication settings are saved immediately via API calls but may take a few moments to propagate to the web application.

  • Click the Refresh button at the top of the Groups or Users tab to manually initiate a data pull and view the updated values.

Related information (policy management)

The custom attributes set using Linux host authentication (UID, GID, etc.) are used when the user logs into a Linux host via a Role-Based Policy.

  • Linux host authentication uses the Entra ID Identity Bridge connection.
  • Policy creation uses the Entra ID (Policy Management) connection.
  • In the Policy Management section, configure the Entra ID attribute to map to the Username Attribute and Group Name Attribute for use in policies. This section is being updated to allow truncation of the Fully Qualified Domain Name (FQDN) part (for example, removing @domain.com) to manage characters like #, @, and , in the username for policy application.

Updated about 6 hours ago

©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.