Process to add or remove Active Directory groups to the "CloudAdminGroup" using the API explorer.

VMC on AWS

• The workflow for the organization requires AD groups to be added to the "CloudAdminGroup" using API. 
• The vSphere UI cannot be accessed or used to add AD groups to the role. 

• Navigate to the VMC vSphere API Explorer: https://Cloud_vCenter_FQDN/apiexplorer/
• Use the "[email protected]" credentials to login.
• Scroll to the "hvc/management/administrators" section and click Show/Hide to expand the section.
• To show the current AD group members of the "CloudAdminGroup", use the "GET hvc/management/administrators" API.
• Click "Execute" and the current AD group members will be shown in the response. 

• To add an AD group to the "CloudAdminGroup", use the "POST hvc/management/administrators?action=add" API
• In the "request_body" section, put the AD group name in the format {“group_name”: ”[email protected]”}. Only the "[email protected]" value needs to be modified. 

• Click Execute.
• The AD group has successfully been added to the "CloudAdminGroup" if either a code of 200 or 204 is seen. 

• To remove an AD group from the "CloudAdminGroup", use the "POST /hvc/management/administrators?action=remove" API.
• In the request_body section, put the AD group name in the format “group_name”: ”[email protected]”. Only the "[email protected]" value needs to be modified.
  {
    "group_name": "[email protected]"
}
• Click Execute.
• If the Response Code is 204 or 200, the AD group has been successfully removed. 

Note: The process outlined above can only be used to add Active Directory groups to the CloudAdminGroup in VMC on AWS. This process will not work to add Active Directory users or Users and Groups from an external vSphere domain. 

• vSphere Permissions and Privileges in VMware Cloud on AWS
• What Is vSphere API Explorer