Configuring Microsoft Entra ID for vCenter Server

Article ID: 322179

Products

VMware vCenter Server, VMware vCenter Server 8.0

Issue/Introduction

To establish a relying party trust between vCenter Server and Microsoft Entra ID, configure identifying information and a shared secret between them.

Create an OpenID Connect application in Microsoft Entra ID. This application defines the redirect URIs used by vCenter Server during authorization code flows, along with the client identifier and shared secret that vCenter Server uses to communicate with Microsoft Entra ID.

To enable synchronization of Active Directory users and groups from Microsoft Entra ID to vCenter Server—allowing identity and access management for vCenter objects—also create a SCIM 2.0 application in Microsoft Entra ID.

Environment

VMware vCenter Server 8.0 Update 2 and later

Resolution

Use this KB article in conjunction with the Configure vCenter Server Identity Provider Federation for Azure AD documentation.

Integrate Active Directory with Microsoft Entra ID

  • If Active Directory and Microsoft Entra ID are already integrated, or if you intend to use the users and groups provided by Microsoft Entra ID directly, skip this step and go to the next step, Create an OpenID Connect application in Microsoft Entra ID, and assign groups and users to the OpenID Connect application.
  • To integrate Active Directory with Microsoft Entra ID, refer to the Microsoft Entra ID documentation.

Create an OpenID Connect application

Log in to the Azure Admin console and follow the documentation to create an OpenID Connect application. When creating the OpenID Connect application in the Create a new app integration wizard:

  1. Select Home > App Registration > New Registration.

  2. Enter an appropriate name for the OpenID Connect application. For example: AzureAD-vCenter-app

  3. Leave Supported account types at the default or select it per requirement. Set the Redirect URI platform to Web. The redirect URI itself can be left empty at this point, as it is filled in later.

After creating the OpenID Connect application:

  1. Select Certificates and Secrets > New Client Secret.

  2. Enter a description for this client secret and select the validity period in the Expiry drop-down menu.

  3. Click Add.

  4. Once a secret is generated, copy the content under Value.

The Client Secret is generated.

  • To get the client ID, click Overview in the left-hand menu and copy the value from Application (client) ID.

  • The Copy to clipboard icon works as well.

OIDC Discovery Endpoint

  1. In the Overview of the application (here, the Test App), select Endpoints.

  2. Copy the value under OpenID Connect metadata document.
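Before pasting the metadata URL into vCenter Server, it is worth checking that the document it serves carries the fields an authorization code flow relying party depends on. The following is an added example, not code from the KB or from VMware: it validates a constructed openid-configuration document (issuer, endpoints, JWKS URI and advertised response types); `<TENANT_ID>` is a placeholder for the real directory (tenant) ID.

```python
import json
from urllib.parse import urlparse

# Fields a relying party using the authorization code flow needs from the
# metadata document (assumption: vCenter Server relies on the same set).
REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def check_oidc_metadata(doc: dict) -> list[str]:
    """Return the problems found in an openid-configuration document (empty list if it looks usable)."""
    problems = [f"missing {field}" for field in REQUIRED_FIELDS if not doc.get(field)]
    if problems:
        return problems
    issuer = urlparse(doc["issuer"])
    if issuer.scheme != "https":
        problems.append("issuer is not https")
    # Endpoints should live on the issuer's host; a mismatch usually means the wrong URL was copied.
    for field in REQUIRED_FIELDS[1:]:
        host = urlparse(doc[field]).hostname
        if host != issuer.hostname:
            problems.append(f"{field} host {host} differs from issuer host {issuer.hostname}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow (response_type=code) not advertised")
    return problems


# Constructed sample document; <TENANT_ID> is a placeholder, not a real tenant.
SAMPLE_METADATA = json.loads("""{
  "issuer": "https://login.microsoftonline.com/<TENANT_ID>/v2.0",
  "authorization_endpoint": "https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/authorize",
  "token_endpoint": "https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/token",
  "jwks_uri": "https://login.microsoftonline.com/<TENANT_ID>/discovery/v2.0/keys",
  "response_types_supported": ["code", "id_token", "code id_token"]
}""")

if __name__ == "__main__":
    print(check_oidc_metadata(SAMPLE_METADATA) or "metadata document looks usable for vCenter Server")
```

To run it against a live tenant, replace SAMPLE_METADATA with the JSON fetched from the copied metadata URL.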

Password Grant Enablement

  • Go to App > Manage > Authentication and enable the slider for App collects plaintext password (Resource Owner Password Credential Flow).
  • Grant Admin Consent for <the_tenant_name>.
  • Note: This step is optional. Performing it confirms that the application is verified by Azure AD.

Configuring vCenter

  • Use the client ID, client secret, openid-configuration URL and AD domain details to configure Microsoft Entra ID as the identity provider inside vCenter Server.

vCenter Server Entra ID Identity Provider Creation

  • To add the identity provider in vCenter Server for Microsoft Entra ID, go to Configure vCenter Server Identity Provider Federation for Azure AD and start with Step 2.
  • After adding the Microsoft Entra ID identity provider in vCenter Server, return to this KB article and continue with the next step, Update the Entra ID Redirect URI.

Update the Entra ID Redirect URI

  • After creating the Microsoft Entra ID identity provider configuration on vCenter Server, update the Microsoft Entra ID OpenID Connect application with the Redirect URI from the Microsoft Entra ID Identity Provider Configuration page in vCenter Server.
  • In the Azure Admin console:
    1. In the App Registrations screen for the OpenID Connect application created, click Authentication.

    2. Select Add a platform and then select Web.

    3. In the Redirect URIs text box, paste the copied Redirect URI from vCenter Server.

    4. Click Save.

Create the SCIM 2.0 Application and Push Users and Groups to vCenter Server

  • Options to configure SCIM 2.0 user and group provisioning:
    • Microsoft Entra ID provides a few options to configure SCIM 2.0 push. The main difference between them is whether vCenter Server accepts inbound traffic from Microsoft Entra ID or not.
    • If vCenter Server accepts inbound traffic, follow the guide for the VMware Identity Service app below.
    • If vCenter Server does not accept inbound traffic, Microsoft Entra ID provides two options: Provisioning Agent and Application Proxy. To read more about them, see the Microsoft Entra ID documentation (Application and HR provisioning documentation and Microsoft Entra application proxy documentation).

Refer to the Attachments section at the bottom of this KB for the step-by-step procedure to configure Microsoft Entra Identity Federation with Provisioning Agent and Application Proxy on vCenter Server 8.0 U2.

Step by Step Guide with VMware Identity Service Application:

  1. Go to Microsoft Entra ID > Manage > Enterprise Applications > New Application.

  2. Under the Browse Entra Gallery, search for VMware Identity Service.

  3. Enter an appropriate name for the Enterprise Application, such as vCenter Server SCIM 2.0 app.

  4. Click Create.

Provisioning

  1. Go to Microsoft Entra ID > Manage > Enterprise Applications.

  2. Select the previously created SCIM 2.0 app.

  3. From the left side menu, select Provisioning > Manage.

  4. Provide the vCenter Server URL (publicly accessible vCenter Server URL).

  5. Provide the Secret Token. Generate the token by clicking Generate under User Provisioning on the vCenter Server identity provider page.

  6. Set the Provisioning Status to On.

  7. Click Test Connection.

When the connection test is successful, the details are visible under Mappings.

  1. Open the Mappings section.

  2. Click Provision Microsoft Entra ID Users.

  3. Update the attributes so that the username part and the domain part are sent separately.

  4. For sending the domain, add the following new mapping attributes.

  5. Review the final list of mappings.

The Tenant URL and Secret Token are the items copied earlier from the vCenter Server Identity Provider page: vCenter Server calls the SCIM 2.0 Base URL the "Tenant URL," and the OAuth bearer token the "Secret Token."

Note: If the network is not publicly accessible, create a secure network tunnel between the vCenter Server system and Microsoft Entra ID. Then, use the appropriate publicly accessible URL as the Base URL.

Assign Users and Groups

  1. Go to the SCIM App > Users and Groups > Add user/group.

  2. Click on the selected Users and Groups.

  3. Click Start Provisioning.

  4. Take a backup of the provisioned users and groups.

  5. Back up and restore users and groups from WS1Broker.

Note:

  • Perform similar steps to assign users and groups to the OIDC application.
  • "Azure AD" is now referred to as "Microsoft Entra ID".

Authorize Microsoft Entra ID Users:

To authorize Microsoft Entra ID users to log into vCenter Server, return to Configure vCenter Server Identity Provider Federation for Entra ID Step 5 and complete setting up the Microsoft Entra ID identity provider by assigning group membership. Then assign permissions (inventory-level and global) to the Microsoft Entra ID users.

Additional Information

Refer to the attachment for the step-by-step procedure to configure Azure AD Federation on vCenter Server.

Note:

  • Environments with a mismatched UPN and Domain Name are not a supported configuration for Microsoft Entra ID.
  • The permissions set on the vCenter Server, including both Global and inventory-level permissions, are preserved when migrating from a legacy IDP to any federated IDP (such as Okta, Entra ID, or PingFederate). During the configuration change, a precheck phase runs to identify any permissions that may fail to transfer properly.
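Because the SCIM mapping sends the username part and domain part separately, and a UPN suffix that differs from the AD domain is unsupported, a quick pre-check over the users about to be provisioned can surface problem accounts before the first push. The following is an added example, not code from the KB or from VMware; the user list and the AD domain corp.example.com are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass
class SplitName:
    """The two values the SCIM attribute mapping sends separately."""
    username: str   # local part of the UPN
    domain: str     # domain suffix of the UPN, lower-cased for comparison


def split_upn(upn: str) -> SplitName:
    """Split a UPN such as jdoe@corp.example.com into username and domain parts."""
    if upn.count("@") != 1:
        raise ValueError(f"not a well-formed UPN: {upn!r}")
    user, domain = upn.split("@")
    return SplitName(user, domain.lower())


def find_mismatched_upns(upns: list[str], ad_domain: str) -> list[str]:
    """Return the UPNs whose suffix differs from the AD domain configured in vCenter Server.

    Such accounts fall under the unsupported 'mismatched UPN and Domain Name' case.
    """
    return [u for u in upns if split_upn(u).domain != ad_domain.lower()]


# Constructed sample users; corp.example.com stands in for the configured AD domain.
SAMPLE_UPNS = [
    "jdoe@corp.example.com",
    "asmith@CORP.example.com",          # case differs only, still the same domain
    "contractor@partner.example.net",   # different suffix: unsupported
]

if __name__ == "__main__":
    for upn in find_mismatched_upns(SAMPLE_UPNS, "corp.example.com"):
        parts = split_upn(upn)
        print(f"unsupported: {upn} (username={parts.username}, domain={parts.domain})")
```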

Attachments

Step-by-step-procedure-to-configure-Azure-AD-Federation-on-vCenter-Server_v3