How to Enable Entra ID for vCenter Server

Article ID: 322179
Products

VMware vCenter Server, VMware vCenter Server 8.0

Issue/Introduction

To establish a relying party trust between vCenter Server and an Entra ID server, establish identifying information and a shared secret between them. Create an OpenID Connect application in Entra ID. The OpenID Connect application specifies the vCenter Server redirect URIs that must be invoked during authorization code flows, and a client identifier and shared secret that vCenter Server uses to communicate with the Entra ID server. To push the Active Directory users and groups in the Entra ID domain to the vCenter Server that manages vCenter Server objects, also create a SCIM 2.0 application.

Resolution

Follow the steps below to:

  1. Integrate Active Directory with Entra ID.
  2. Create an OIDC application in Entra ID and assign groups and users to that application.
  3. Create a SCIM 2.0 application in Entra ID.
  4. Push Entra ID users and groups to vCenter Server.

Use this KB article together with the VMware documentation topic Configure vCenter Server Identity Provider Federation for Azure AD (vmware.com).

Integrate Active Directory with Entra ID

  • If Active Directory and Entra ID were integrated previously, or if you intend to use the users and groups that Entra ID itself provides, skip this step and go to the next step, Create the OpenID Connect Application.
  • To integrate the Active Directory with Entra ID, please refer to Entra ID documentation.

Create the OpenID Connect Application

Log in to the Azure Admin console and follow the documentation to create an OpenID Connect application. When creating the OpenID Connect application in the Create a new app integration wizard:

  1. Select Home > App Registration > New Registration.

  2. Enter an appropriate name for the OpenID Connect application. For example: AzureAD-vCenter-app

  3. Leave Supported account types as default or select per requirement. Set Redirect URI as Web. No need to enter a redirect URI as this can be filled in later.

After creating the OpenID Connect application:

  1. Select Certificates & secrets > New client secret.

  2. Enter a description for this client secret and select the validity period in the Expiry drop-down menu.

  3. Click Add.

  4. Once the secret is generated, copy the content under Value. The value is displayed only once; if it is lost, generate a new secret.

The Client Secret is generated.

  • To get the client ID, click Overview in the left-side menu and copy the value of Application (client) ID.

  • The Copy to clipboard icon next to the value works as well.

OIDC Discovery Endpoint

  1. In the Overview of the application, select Endpoints.

  2. Copy the value under OpenID Connect metadata document.

Password Grant Enablement

  • Go to App > Manage > Authentication and enable the toggle for App collects plaintext password (Resource Owner Password Credential Flow).
  • Grant admin consent for <the_tenant_name>.

  • Note: This step is optional. Performing this step confirms that the application is verified by Azure AD.

Configuring vCenter

  • Use the client_id, secret, openid-configuration URL and AD domain details to configure Entra ID as the identity provider inside vCenter Server.
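Before the client ID, secret and metadata URL are entered in vCenter Server, it is worth checking that the discovery document actually describes the tenant the application was registered in and advertises the authorization code flow that vCenter Server uses, and that the redirect URI registered in Entra ID is byte-for-byte the one vCenter Server shows. The following Python is an added example, not part of this KB or of any VMware or Microsoft tooling; the discovery document, tenant ID and redirect URI path in it are constructed placeholders, and a real document would be fetched from the OpenID Connect metadata document URL copied above.

```python
import json
from urllib.parse import urlparse

# Constructed sample of an openid-configuration document, shaped like the one served at the
# "OpenID Connect metadata document" URL. The tenant ID is a placeholder, not a real tenant.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
BASE = f"https://login.microsoftonline.com/{TENANT_ID}"
SAMPLE_DISCOVERY_JSON = json.dumps({
    "issuer": f"{BASE}/v2.0",
    "authorization_endpoint": f"{BASE}/oauth2/v2.0/authorize",
    "token_endpoint": f"{BASE}/oauth2/v2.0/token",
    "jwks_uri": f"{BASE}/discovery/v2.0/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def check_discovery_document(raw_json, expected_tenant_id):
    """Return a list of problems with a discovery document; an empty list means it is usable."""
    try:
        doc = json.loads(raw_json)
    except ValueError as exc:
        return [f"metadata is not valid JSON: {exc}"]
    problems = [f"missing required field: {key}" for key in REQUIRED_KEYS if key not in doc]
    if problems:
        return problems
    # The client secret is sent to token_endpoint and signing keys are fetched from jwks_uri,
    # so every endpoint must be served over TLS.
    for key in REQUIRED_KEYS:
        if urlparse(doc[key]).scheme != "https":
            problems.append(f"{key} is not served over https: {doc[key]}")
    # ID tokens are validated against this issuer; it must name the tenant the app lives in.
    if expected_tenant_id not in doc["issuer"]:
        problems.append(f"issuer {doc['issuer']} does not belong to tenant {expected_tenant_id}")
    # vCenter Server uses the authorization code flow; the provider must advertise it.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("provider does not advertise response_type=code")
    # grant_types_supported is optional in OIDC Discovery; its default includes authorization_code.
    grants = doc.get("grant_types_supported", ["authorization_code", "implicit"])
    if "authorization_code" not in grants:
        problems.append("provider does not advertise the authorization_code grant")
    return problems


def redirect_uri_matches(registered, presented):
    """Redirect URIs are compared as exact strings: a trailing slash or http:// means no match."""
    r, p = urlparse(registered), urlparse(presented)
    if r.scheme != "https" or p.scheme != "https":
        return False
    if r.fragment or p.fragment:  # fragments are not allowed in a redirect URI
        return False
    return registered == presented


if __name__ == "__main__":
    # The redirect URI path below is constructed; use the one shown by vCenter Server.
    print(check_discovery_document(SAMPLE_DISCOVERY_JSON, TENANT_ID))
    print(redirect_uri_matches("https://vc.example.com/ui/login/oauth2/authcode",
                               "https://vc.example.com/ui/login/oauth2/authcode"))
```

The redirect URI check is deliberately strict because Entra ID performs an exact-string comparison during the authorization code flow: copy the value from the vCenter Server identity provider page rather than retyping it.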

vCenter Server Entra ID Identity Provider Creation

Update the Entra ID Redirect URI

  • After creating the Entra ID identity provider configuration on vCenter Server, update the Entra ID OpenID Connect application with the Redirect URI from the Entra ID Identity Provider Configuration page in vCenter Server.
  • In the Azure Admin console:
    1. In the App Registrations screen for the OpenID Connect application created, click Authentication.

    2. Select Add a platform and then select Web.

    3. In the Redirect URIs text box, paste the copied Redirect URI from vCenter Server.

    4. Click Save.

Create the SCIM 2.0 Application and Push Users and Groups to vCenter Server.

  • Options to configure SCIM 2.0 user and group provisioning:
    • Entra ID provides a few options to configure SCIM 2.0 push. The main difference between them is whether vCenter Server is exposed to external traffic, that is, whether inbound connections from Entra ID are allowed.
    • If vCenter Server accepts inbound traffic, follow the guide for the VMware Identity Service app (below).
    • If vCenter Server does not accept inbound traffic, Entra ID provides two options: Provisioning Agent and Application Proxy. Read more about them in the Entra ID documentation (Application and HR provisioning documentation and Microsoft Entra application proxy documentation).

Refer to the Attachments section at the bottom of this KB for the step-by-step procedure to configure Entra Identity Federation with Provisioning Agent and Application Proxy on vCenter Server 8.0 U2.

Step by Step Guide with VMware Identity Service Application:

  1. Go to Microsoft Entra ID > Manage > Enterprise Applications > New Application.

  2. Under the Browse Entra Gallery, search for VMware Identity Service.

  3. Enter an appropriate name for the Enterprise Application, such as vCenter Server SCIM 2.0 app.

  4. Click Create.

Provisioning

  1. Go to Microsoft Entra ID > Manage > Enterprise Applications.

  2. Select the previously created SCIM 2.0 App.

  3. From the left side menu, select Provisioning > Manage.

  4. Provide the vCenter Server URL (publicly accessible vCenter Server URL).

  5. Provide the Secret Token. Generate the token in vCenter Server by clicking Generate on the identity provider view page under User Provisioning.

  6. Set the Provisioning Status to On.

  7. Click Test Connection.

If the connection test succeeds, details are visible under Mappings.

  1. See the Mappings section:

  2. Click on Provision Microsoft Entra ID Users.

  3. Update the Attributes so that we send the username part and domain part separately.

  4. For sending the domain part, add the new mapping attributes.

  5. The final list will look like this:

The Tenant URL and Secret Token are the items copied earlier from the vCenter Server Identity Provider page: vCenter Server calls the SCIM 2.0 Base URL the "Tenant URL," and the OAuth Bearer Token the "Secret Token."

Note: If the network is not publicly available, create a network tunnel between the vCenter Server system and the Entra ID server, then use the appropriate publicly accessible URL as the Base URI.
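The mapping steps above send the username part and the domain part of each Entra ID user as separate attributes, and every push carries the Secret Token as an OAuth bearer token against the Tenant URL. The following Python is an added example that is not part of this KB or of the VMware Identity Service app: it shows the shape of a SCIM 2.0 User resource with the two parts split, the push request that carries the token, and the receiving-side token check a defender would expect. The domain extension schema URN, the Tenant URL and the object ID are constructed placeholders; the real attribute names come from the Mappings page.

```python
import hmac
import json
import secrets

# Constructed names. The real SCIM schema URN and attribute for the domain part come from the
# Mappings page of the VMware Identity Service app, not from this example.
DOMAIN_SCHEMA = "urn:example:params:scim:schemas:extension:vcenter:2.0:User"
CORE_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"


def split_upn(upn):
    """Split 'user@domain' into (user, domain). A UPN carries exactly one '@'."""
    user, sep, domain = upn.partition("@")
    if not sep or not user or not domain or "@" in domain:
        raise ValueError(f"not a valid UPN: {upn!r}")
    return user, domain.lower()


def is_valid_upn(upn):
    """True when split_upn() accepts the value; used to reject malformed entries before a push."""
    try:
        split_upn(upn)
        return True
    except ValueError:
        return False


def build_scim_user(upn, display_name, external_id):
    """Build the SCIM 2.0 User resource a push would send, with user and domain parts separated."""
    user, domain = split_upn(upn)
    return {
        "schemas": [CORE_USER_SCHEMA, DOMAIN_SCHEMA],
        "externalId": external_id,          # Entra ID object ID of the user (constructed here)
        "userName": user,                   # username part only
        "displayName": display_name,
        "active": True,
        DOMAIN_SCHEMA: {"domain": domain},  # domain part sent as a separate attribute
    }


def build_push_request(tenant_url, secret_token, resource):
    """Return (method, url, headers, body) for the provisioning POST to the Tenant URL."""
    if not tenant_url.startswith("https://"):
        raise ValueError("Tenant URL must be https: the Secret Token travels in the Authorization header")
    return (
        "POST",
        tenant_url.rstrip("/") + "/Users",
        {"Authorization": f"Bearer {secret_token}", "Content-Type": "application/scim+json"},
        json.dumps(resource),
    )


def generate_secret_token():
    """What the Generate button produces conceptually: a random, unguessable bearer token."""
    return secrets.token_urlsafe(32)


def authorize_scim_request(headers, expected_token):
    """Receiving-side check of the Secret Token: Bearer scheme only, constant-time compare, fail closed."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return False
    return hmac.compare_digest(token.encode(), expected_token.encode())


if __name__ == "__main__":
    token = generate_secret_token()
    user = build_scim_user("jdoe@corp.example.com", "Jane Doe", "constructed-object-id")
    method, url, headers, body = build_push_request("https://vc.example.com/scim/v2/", token, user)
    print(method, url)
    print(body)
    print("authorized:", authorize_scim_request(headers, token))
```

Because the Secret Token is a long-lived bearer credential that grants write access to the user and group store, the receiving side compares it in constant time and rejects anything that is not a Bearer header, and the push is refused over plain http so the token is never sent in the clear.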

Assign Users and Groups

  1. Go to the SCIM App > Users and Groups > Add user/group.

  2. Select the required users and groups.

  3. Click Start Provisioning.

  4. Take a backup of Provisioned users and Groups.

  5. Backup and Restore Users and Groups from WS1Broker.

Note:

  • Perform similar steps to assign users and groups to the OIDC application.
  • "Azure AD" is now referred to as "Entra ID".

Authorize Entra ID Users
To authorize Entra ID users to log into vCenter Server, return to Configure vCenter Server Identity Provider Federation for Entra ID (vmware.com) Step 5 and complete setting up the Entra ID identity provider by assigning group membership. Then assign permissions (inventory-level and global) to the Entra ID users.

Additional Information

See the attachment for the step-by-step procedure to configure Azure AD Federation on vCenter Server.

Attachments

Step-by-step-procedure-to-configure-Azure-AD-Federation-on-vCenter-Server_v3