Configuring Microsoft Entra ID for vCenter Server

Article ID: 322179

Products

VMware vCenter Server
VMware vCenter Server 8.0

Issue/Introduction

To establish a relying party trust between vCenter Server and Microsoft Entra ID (formerly called Azure AD), it is required to configure identifying information and a shared secret between them.

Create an OpenID Connect application in Microsoft Entra ID. This application defines the redirect URLs used by vCenter Server during authorization code flows, along with the client identifier and shared secret that vCenter Server uses to communicate with Microsoft Entra ID.

To enable synchronization of Active Directory users and groups from Microsoft Entra ID to vCenter Server, which allows identity and access management for vCenter objects, you must create a SCIM 2.0 application in Microsoft Entra ID.

Environment

VMware vCenter Server 8.0 Update 2 and later

Resolution

Note: If you use VMware Cloud Foundation (VCF) 9.x, refer here instead.

Follow these steps to configure Microsoft Entra ID for vCenter Server.

Refer to this KB article in conjunction with Configure vCenter Server Identity Provider Federation for Azure AD.

Integrate Active Directory with Microsoft Entra ID

  • If you have already integrated Active Directory with Microsoft Entra ID, or you intend to use the users and groups provided directly by Microsoft Entra ID, skip this step and go to the next step: Create an OpenID Connect application in Microsoft Entra ID and assign groups and users to the OpenID Connect application.
  • To integrate Active Directory with Microsoft Entra ID, refer to the Microsoft Entra ID documentation.

Create an OpenID Connect application

Log in to the Azure Admin console and follow the documentation to create an OpenID Connect application. When you create the OpenID Connect application in the Create a new app integration wizard:

  1. Select Home > App Registrations > New Registration.
  2. Enter an appropriate name for the OpenID Connect application. For example: AzureAD-vCenter-app.
  3. Leave Supported account types at the default, or select the option that fits your requirements. Set the Redirect URI platform to Web. You do not need to enter a redirect URI at this point; you fill it in later, after the identity provider has been created in vCenter Server.

After you create the OpenID Connect application:

  1. Select Certificates and Secrets > New Client Secret.
  2. Enter a description for this client secret and select its validity period in the Expires drop-down menu.
  3. Click Add.
  4. Once the system generates the secret, copy the content under Value. The value is shown only once; if you navigate away without copying it, create a new client secret.

Once you have generated the Client Secret:

  • To get the client ID, click Overview in the left-hand menu and copy the value of Application (client) ID.
  • You can also use the copy-to-clipboard icon next to the value.

OIDC Discovery Endpoint

  1. In the Overview page of the OpenID Connect application you created, select Endpoints.
  2. Copy the value under OpenID Connect metadata document.
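Before entering the copied metadata document URL into vCenter Server, it is worth confirming that the document it points to actually advertises what the authorization code flow with a client secret needs. The following is an added example (not part of this KB or of any VMware or Microsoft tool) that sanity-checks such a document offline. The embedded document is a constructed sample shaped like a Microsoft Entra ID v2.0 discovery document; `<tenant-id>` is a placeholder for the real tenant GUID, and the assumption that the tenant identifier appears in the URL path is specific to Entra ID.

```python
"""Sanity-check an OpenID Connect discovery document before using its values.

Added example; the discovery document below is a constructed sample, not a
live response from Microsoft Entra ID.
"""

import json
from urllib.parse import urlparse

# Fields that the authorization code flow used by vCenter Server relies on
# (all defined by OpenID Connect Discovery 1.0).
REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed sample; <tenant-id> stands in for the real tenant GUID.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://login.microsoftonline.com/<tenant-id>/v2.0",
    "authorization_endpoint": "https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token",
    "jwks_uri": "https://login.microsoftonline.com/<tenant-id>/discovery/v2.0/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic"],
})


def check_discovery(document: str, expected_tenant: str) -> list:
    """Return a list of problems found; an empty list means the document is usable."""
    problems = []
    try:
        doc = json.loads(document)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]

    for field in REQUIRED_FIELDS:
        value = doc.get(field)
        if not isinstance(value, str):
            problems.append(f"missing field: {field}")
            continue
        parsed = urlparse(value)
        # Every endpoint must be served over TLS.
        if parsed.scheme != "https":
            problems.append(f"{field} is not https: {value}")
        # Entra ID-specific assumption: the tenant id is part of the URL path,
        # so a document for a different tenant is caught here.
        if expected_tenant not in parsed.path:
            problems.append(f"{field} does not belong to tenant {expected_tenant}: {value}")

    # All endpoints should live on the same host as the issuer.
    issuer_host = urlparse(doc.get("issuer", "")).netloc
    for field in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if isinstance(doc.get(field), str) and urlparse(doc[field]).netloc != issuer_host:
            problems.append(f"{field} host differs from issuer host")

    # vCenter Server uses the authorization code flow with a client secret.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow (response_type=code) not advertised")
    auth_methods = set(doc.get("token_endpoint_auth_methods_supported", []))
    if not auth_methods & {"client_secret_post", "client_secret_basic"}:
        problems.append("no client-secret token endpoint authentication method advertised")
    return problems


if __name__ == "__main__":
    for problem in check_discovery(SAMPLE_DISCOVERY, "<tenant-id>") or ["document looks usable"]:
        print(problem)
```

In practice you would fetch the document from the copied URL (for example with `curl`) and pass its body to `check_discovery` together with your tenant ID; any non-empty result means the values should not be entered into vCenter Server until the cause is understood.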

Password Grant Enablement

  • Go to App > Manage > Authentication and enable the toggle for App collects plaintext password (Resource Owner Password Credential Flow).
  • Select Grant Admin Consent for <the_tenant_name>.

Note: This step is optional. Performing this step confirms that the application is verified by Azure AD.

Configuring vCenter

  • Use the client ID, client secret, openid-configuration URL, and AD domain details collected above to configure Microsoft Entra ID as the identity provider inside vCenter Server.

vCenter Server Entra ID Identity Provider Creation

  • To add the identity provider in vCenter Server for Microsoft Entra ID, go to Configure vCenter Server Identity Provider Federation for Azure AD and start with Step 2.
  • After you add the Microsoft Entra ID identity provider in vCenter Server, return to this KB article and continue with the next step: Update the Entra ID Redirect URI.

Update the Entra ID Redirect URI

  • After you create the Microsoft Entra ID identity provider configuration on vCenter Server, update the Microsoft Entra ID OpenID Connect application with the Redirect URI shown on the Microsoft Entra ID Identity Provider Configuration page in vCenter Server.
  • In the Azure Admin console:
  1. In the App Registrations screen for the OpenID Connect application you created, click Authentication.
  2. Select Add a platform and then select Web.
  3. In the Redirect URIs text box, paste the Redirect URI copied from vCenter Server.
  4. Click Save.

Create the SCIM 2.0 Application and Push Users and Groups to vCenter Server (Required)

  • Configure SCIM 2.0 user and group provisioning with Microsoft Entra ID. Microsoft Entra ID provides several options for the SCIM 2.0 push. Which one applies depends on whether vCenter Server can accept the inbound provisioning traffic from Microsoft Entra ID, since the push is initiated from the Microsoft side.
    1. If vCenter Server accepts inbound traffic, follow the guide for the VMware Identity Service app. See "Step by Step Guide with VMware Identity Service Application" below.
    2. If vCenter Server does not accept inbound traffic, Microsoft Entra ID provides two options: Provisioning Agent and Application Proxy. See the Microsoft Entra ID documentation: Application and HR provisioning documentation and Microsoft Entra application proxy documentation.

Refer to the attachments section at the bottom of this KB for the Step-by-step procedure to configure Microsoft Entra Identity Federation with Provisioning Agent and Application Proxy on vCenter Server 8.0 U2.

Step by Step Guide with VMware Identity Service Application

  1. Go to Microsoft Entra ID > Manage > Enterprise Applications > New Application.
  2. Under Browse Entra Gallery, search for On-premises SCIM App 2.0.
  3. Enter an appropriate name for the Enterprise Application, such as vCenter Server SCIM 2.0 app.
  4. Click Create.

Provisioning

  1. Go to Microsoft Entra ID > Manage > Enterprise Applications.
  2. Select the previously created SCIM 2.0 App.
  3. From the left side menu, select Provisioning > Manage.
  4. Provide the Tenant URL (the publicly accessible vCenter Server URL).
  5. Provide the Secret Token. Generate it with the Generate button under User Provisioning on the vCenter Server identity provider page.
  6. Set the Provisioning Status to On.
  7. Click Test Connection.

Once the connection is successful, details are visible under Mappings.

  1. Open the Mappings section.
  2. Click Provision Microsoft Entra ID Users.
  3. Update the attributes so that the username part and the domain part of the user principal name are sent separately.

     In the default scenario, the attribute mapping uses the following settings:
     • Mapping type: Expression
     • Value: Item(Split([userPrincipalName], "@"), 1)
     This configuration is suitable when different users exist across separate domains, because it splits the userPrincipalName into username and domain parts. In scenarios where the same username exists in multiple domains, this default mapping causes authentication issues.

     Corrected mapping:
     • Mapping type: Direct
     • Value: userPrincipalName
     With this adjustment, users belonging to multiple domains authenticate successfully.
  4. To send the domain part, add the required new mapping attributes.
  5. Review the final list of mappings.

Use the items previously copied from the vCenter Server Identity Provider page. vCenter Server calls the SCIM 2.0 Base URL the "Tenant URL" and the OAuth bearer token the "Secret Token."

Note: If vCenter Server is not publicly accessible, create a secure network tunnel between the vCenter Server system and Microsoft Entra ID, then use the resulting publicly accessible URL as the Base URL.
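The attribute-mapping step above is easy to get wrong silently: the default `Item(Split([userPrincipalName], "@"), 1)` expression strips the domain, so two accounts that share a username in different domains are provisioned under one identity. The following added example (not part of this KB and not Microsoft or VMware code) emulates the two mappings in Python and reports which source accounts would collide under each. The `Item`/`Split` emulation follows the documented 1-based indexing of the Entra ID expression language; the sample UPNs are constructed.

```python
"""Show why the default UPN mapping collides across domains and the Direct mapping does not.

Added example; the user principal names below are constructed samples.
"""

from collections import defaultdict


def entra_item_split(value: str, separator: str, index: int) -> str:
    """Emulate Item(Split([attr], separator), index) from the Entra ID
    provisioning expression language (index is 1-based, as in the expression)."""
    parts = value.split(separator)
    if index < 1 or index > len(parts):
        raise ValueError(f"index {index} out of range for {value!r}")
    return parts[index - 1]


def default_mapping(upn: str) -> str:
    """Default (Expression) mapping: Item(Split([userPrincipalName], "@"), 1).
    Only the username part of the UPN is sent to vCenter Server."""
    return entra_item_split(upn, "@", 1)


def direct_mapping(upn: str) -> str:
    """Corrected (Direct) mapping: the full userPrincipalName is sent."""
    return upn


def find_collisions(upns, mapping) -> dict:
    """Return {provisioned value: [source UPNs]} for every value that more than
    one source account would be provisioned under, i.e. the accounts that would
    be merged or fail to authenticate under that mapping."""
    seen = defaultdict(list)
    for upn in upns:
        seen[mapping(upn)].append(upn)
    return {value: sources for value, sources in seen.items() if len(sources) > 1}


# Constructed sample: 'jdoe' exists in two Active Directory domains.
SAMPLE_UPNS = [
    "jdoe@corp.example.com",
    "jdoe@sub.example.com",
    "asmith@corp.example.com",
]

if __name__ == "__main__":
    print("collisions with default mapping:", find_collisions(SAMPLE_UPNS, default_mapping))
    print("collisions with direct mapping: ", find_collisions(SAMPLE_UPNS, direct_mapping))
```

Running `find_collisions` over an export of the UPNs you intend to provision (before clicking Start Provisioning) tells you whether the default mapping is safe for your directory or whether the Direct mapping described above is needed.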

Assign Users and Groups

  1. Go to the SCIM App > Users and Groups > Add user/group.
  2. Choose the users and groups to provision.
  3. Click Start Provisioning.
  4. Take a backup of the provisioned users and groups.
  5. Backup and Restore Users and Groups from WS1Broker.

Note:
  • Perform similar steps to assign users and groups to the OIDC application.
  • "Azure AD" is now referred to as "Microsoft Entra ID".

Authorize Microsoft Entra ID Users

To authorize Microsoft Entra ID users to log in to vCenter Server, return to Configure vCenter Server Identity Provider Federation for Entra ID, Step 5, and complete the Microsoft Entra ID identity provider setup by assigning group membership. Then assign permissions (inventory-level and global) to the Microsoft Entra ID users.

Additional Information

Refer to the attachment for the step-by-step procedure to configure Azure AD Federation on vCenter Server.

Note

  • Environments with mismatched UPN and domain name are not a supported configuration for Microsoft Entra ID.
  • The permissions set on vCenter Server, including both global and inventory-level permissions, are preserved when migrating from a legacy IDP to any federated IDP (such as Okta, Entra ID, or PingFederate). During the configuration change, a precheck phase runs to identify any permissions that may fail to transfer properly.

Attachments

Step-by-step-procedure-to-configure-Azure-AD-Federation-on-vCenter-Server_v3