To establish a relying party trust between vCenter Server and an Entra ID server, the two sides need shared identifying information and a shared secret. Create an OpenID Connect application in Entra ID. The OpenID Connect application specifies the vCenter Server redirect URIs that must be invoked during authorization code flows, together with a client identifier and shared secret that vCenter Server uses to communicate with the Entra ID server. To push the Active Directory users and groups in the Entra ID domain to the vCenter Server that manages vCenter Server objects, also create a SCIM 2.0 application.
Refer to this KB article in conjunction with Configure vCenter Server Identity Provider Federation for Azure AD (vmware.com)
Log in to the Azure Admin console and follow the documentation to create an OpenID Connect application. When creating the OpenID Connect application in the Create a new app integration wizard:
Select Home > App Registration > New Registration.
Enter an appropriate name for the OpenID Connect application. For example: AzureAD-vCenter-app
Leave Supported account types at the default, or select the option your environment requires. Set the Redirect URI platform to Web. You do not need to enter a redirect URI yet; it is filled in later.
Select Certificates and Secrets > New Client Secret.
Enter a description for this client secret and select its validity period in the Expiry drop-down menu.
Click Add.
Once the secret is generated, copy the content under Value.
To get the client ID, click Overview in the left-hand menu and take the value from Application (client) ID. The Copy to clipboard icon works as well.
Select Overview of the Test App > Endpoints.
Copy the value under OpenID Connect metadata document.
Grant Admin Consent for <the_tenant_name>
Use the client_id, secret, openid-configuration URL and AD domain details to configure Entra ID as the identity provider inside vCenter Server.
In the App Registrations screen for the OpenID Connect application created, click Authentication.
Select Add a platform and then select Web.
In the Redirect URIs text box, paste the Redirect URI copied from vCenter Server.
Click Save.
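Before the values collected above are typed into vCenter Server, it is worth checking them locally: a metadata URL copied from the wrong app registration, an endpoint that is not HTTPS, or a redirect URI that differs from the registered one by a single character will only surface later as a failed login. The following Python script is an added example, not part of this KB or of VMware's tooling. The metadata document is a constructed sample shaped like a real openid-configuration response; the tenant ID and redirect URIs are placeholders.

```python
"""Offline sanity checks for the app-registration values before they are
entered into vCenter Server (added example; not VMware code).

SAMPLE_METADATA mimics what the "OpenID Connect metadata document" URL returns;
the tenant ID inside it is a constructed placeholder.
"""
import json
from urllib.parse import urlparse

# Constructed sample of an openid-configuration document (placeholder tenant ID).
SAMPLE_METADATA = json.loads("""
{
  "issuer": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0",
  "authorization_endpoint": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/authorize",
  "token_endpoint": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/token",
  "jwks_uri": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/discovery/v2.0/keys",
  "response_types_supported": ["code", "id_token", "code id_token"],
  "id_token_signing_alg_values_supported": ["RS256"]
}
""")

# Endpoints the relying party needs for an authorization code flow.
REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def check_metadata(doc: dict, tenant_id: str) -> list[str]:
    """Return a list of problems; an empty list means the document is usable.

    Verifies that every endpoint needed for the code flow is present and served
    over HTTPS, that the issuer belongs to the expected tenant (catches a
    metadata URL copied from the wrong registration), and that the provider
    advertises the authorization code response type.
    """
    problems = []
    for field in REQUIRED_FIELDS:
        value = doc.get(field)
        if not value:
            problems.append(f"missing {field}")
            continue
        if urlparse(value).scheme != "https":
            problems.append(f"{field} is not https: {value}")
    issuer = doc.get("issuer", "")
    if tenant_id not in issuer:
        problems.append(f"issuer {issuer!r} does not contain tenant {tenant_id}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    return problems


def missing_redirect_uris(registered: list[str], required: list[str]) -> list[str]:
    """Identity providers match redirect URIs exactly, so compare the URIs
    vCenter Server shows against the registered ones byte for byte, with no
    trailing-slash or case normalisation."""
    registered_set = set(registered)
    return [uri for uri in required if uri not in registered_set]


if __name__ == "__main__":
    print(check_metadata(SAMPLE_METADATA, "00000000-0000-0000-0000-000000000000"))
    # Placeholder URIs; use the ones copied from the vCenter Server identity provider page.
    print(missing_redirect_uris(
        ["https://vcenter.example.test/redirect-uri-from-vcenter"],
        ["https://vcenter.example.test/redirect-uri-from-vcenter",
         "https://vcenter.example.test/redirect-uri-from-vcenter/"]))
```

Run it against the real metadata document by replacing SAMPLE_METADATA with the JSON fetched from the copied URL and the placeholder tenant ID with your own; any non-empty list means a value should be corrected in the portal before continuing.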
Please refer to the attachments section at the bottom of this KB for the step-by-step procedure to configure Entra Identity Federation with the Provisioning Agent and Application Proxy on vCenter Server 8.0 U2.
Go to Microsoft Entra ID > Manage > Enterprise Applications > New Application.
In the Browse Entra Gallery section, search for VMware Identity Service.
Enter an appropriate name for the Enterprise Application, such as vCenter Server SCIM 2.0 app.
Click Create.
Provisioning
Go to Microsoft Entra ID > Manage > Enterprise Applications.
Select the previously created SCIM 2.0 App.
From the left side menu, select Provisioning > Manage.
Provide the publicly accessible vCenter Server URL.
Provide the Secret Token. To generate a token, click Generate under User Provisioning on the vCenter Server identity provider page.
Set the Provisioning Status to On.
Click Test Connection.
When the connection test succeeds, the details are visible under Mappings.
See the Mappings section as shown below:
Click Provision Microsoft Entra ID Users.
Update the attribute mappings so that the username part and the domain part are sent separately.
To send the domain, add the following new mapping attributes:
These are the items copied earlier from the vCenter Server Identity Provider page. vCenter Server calls the SCIM 2.0 Base URL the "Tenant URL," and the OAuth Bearer Token the "Secret Token."
Note: If the network is not publicly available, create a network tunnel between the vCenter Server system and the Entra ID server, then use the appropriate publicly accessible URL as the Base URI.
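The mapping step above is the one most often got wrong: if the username and domain are not sent as separate parts, or a user's UPN domain is not the federated AD domain, the account lands in vCenter Server in a form that cannot log in. The following Python script is an added example, not part of this KB; it models locally what the mapping must produce and lets you check a list of UPNs before provisioning starts. Entra ID's own mapping expressions are configured in the portal and are not reproduced here. The UPNs, domain, bearer token and the "domain" attribute name are constructed placeholders.

```python
"""Local model of the SCIM 2.0 provisioning payload described in the KB
(added example; not VMware or Microsoft code).

Splits each UPN into username and domain parts, rejects values that would
provision unusable accounts, and builds the SCIM core User payload plus the
bearer-token headers the provisioning client sends to the Tenant URL.
"""
import re

# One user@domain, no whitespace, domain with at least one dot.
UPN_RE = re.compile(r"^(?P<user>[^@\s]+)@(?P<domain>[^@\s]+\.[^@\s]+)$")


def split_upn(upn: str) -> tuple[str, str]:
    """Return (username, domain). Raise ValueError on anything that is not a
    single user@domain so a malformed value is fixed in Entra ID instead of
    being pushed to vCenter Server."""
    m = UPN_RE.match(upn)
    if not m:
        raise ValueError(f"not a user@domain value: {upn!r}")
    return m.group("user"), m.group("domain").lower()


def build_scim_user(upn: str, display_name: str, expected_domain: str) -> dict:
    """Build the SCIM 2.0 core User payload with the name and domain parts
    carried separately. Users whose UPN domain is not the federated AD domain
    are rejected rather than provisioned under the wrong domain."""
    user, domain = split_upn(upn)
    if domain != expected_domain.lower():
        raise ValueError(f"{upn}: domain {domain} is not {expected_domain}")
    return {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": user,
        "displayName": display_name,
        "active": True,
        # The target attribute for the domain is set by the mapping added in the
        # portal; "domain" is a placeholder name, not a vCenter Server schema name.
        "domain": domain,
    }


def scim_headers(bearer_token: str) -> dict:
    """Headers for a SCIM call to the Tenant URL: the Secret Token generated on
    the vCenter Server identity provider page travels as an OAuth bearer token,
    which is why that URL must be HTTPS."""
    return {
        "Authorization": f"Bearer {bearer_token}",
        "Content-Type": "application/scim+json",
    }


def provision_batch(upns: list[str], expected_domain: str) -> tuple[list[dict], list[str]]:
    """Split a list of UPNs into payloads ready to send and values to fix first."""
    ok, rejected = [], []
    for upn in upns:
        try:
            ok.append(build_scim_user(upn, upn.split("@")[0], expected_domain))
        except ValueError as exc:
            rejected.append(str(exc))
    return ok, rejected


# Constructed sample input: two valid users, one value with no domain,
# and one user from a domain that is not federated.
SAMPLE_UPNS = [
    "alice@corp.example.test",
    "bob@CORP.example.test",
    "svc-account",
    "eve@other.example.test",
]

if __name__ == "__main__":
    payloads, problems = provision_batch(SAMPLE_UPNS, "corp.example.test")
    for p in payloads:
        print("send:", p["userName"], p["domain"])
    for msg in problems:
        print("fix first:", msg)
    print(scim_headers("<secret-token-placeholder>"))
```

Feed the script the UPNs of the users and groups you intend to assign in the next section; anything in the rejected list should be corrected in Entra ID before Start Provisioning is clicked.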
Assign Users and Groups
Go to the SCIM App > Users and Groups > Add user/group.
Click on the selected users and groups.
Click Start Provisioning.
Take a backup of the provisioned users and groups.
Backup and Restore Users and Groups from WS1Broker.
Authorize Entra ID Users
To authorize Entra ID users to log into vCenter Server, return to Configure vCenter Server Identity Provider Federation for Entra ID (vmware.com) Step 5 and complete setting up the Entra ID identity provider by assigning group membership. Then assign permissions (inventory-level and global) to the Entra ID users.
Please see the attachment for the step-by-step procedure to configure Azure AD federation on vCenter Server.