"Could not create indirect identity provider: Identity provider with ID <Provider ID> and name Azure AD already exists for tenant CUSTOMER
Article ID: 370574
Updated On: 05-26-2025
Products
Issue/Introduction
- Configuring External Identity Provider on vCenter Server fails with error "
already exists for tenant CUSTOMER". - vSphere Client will show below error message:
Could not create indirect identity provider: Identity provider with ID ##-##-##-##-## and name <Identity Provider Type Name> already exists for tenant <tenant name>Failed to delete usergroup directory with ID ##-##-##-##-## for tenant customer on host <vCenter FQDN> - This issue is observed due to stale identity provider configuration on vCenter Server can generally happen while recreating the Identity Provider after switching back from External Identity Provider to Embedded SSO.
- This KB can be followed to to clean-up stale Identity Provider Configuration such as "Okta", "Azure AD", "PingFederate" on vCenter Server.
Resolution
To resolve this issue, delete the stale identity provider configurations by following the below steps:
- Login to vCenter Server using SSH (eg. Putty)
- Login to RestAPI to get a VC Session ID
curl -k --request POST --url https://vCenter_FQDN/rest/com/vmware/cis/session -u 'administrator@vsphere.local:<Admin Password>'
Note: Update the username and password based on the environment. - List the Authbroker IDPs and note down the UUID
curl -k --location --request GET 'https://vCenter_FQDN/api/vcenter/identity/authbrokeridp' --header 'vmware-api-session-id: <SESSION ID>'
Note: Replace
<SESSION ID>with the id from Step 2Sample Response:
{"summary_list": [{"idp": "#####-####-####-####-#######", --------------> IDP UUID"name": "Azure AD","tenant_type": "CUSTOMER","activation_state": "PRIMARY_ACTIVE","primary_broker_discovery_endpoint": "https://<fqdn>:443/acs/t/customer/.well-known/openid-configuration"}]} - Delete the each Identity Provider object returned by Step 3:
curl -k --request DELETE 'https://vCenter_FQDN/api/vcenter/identity/authbrokeridp/<IDP UUID>' --header 'vmware-api-session-id: <SESSION ID>'
Note: Replace<IDP UUID>with the ID from Step 3 and<SESSION ID>with the session id from Step 2. - List the Authbroker IDPs again to verify all the objects are cleaned-up
curl -k --location --request GET 'https://vCenter_FQDN/api/vcenter/identity/authbrokeridp' --header 'vmware-api-session-id: <SESSION ID>'
Note: Replace
<SESSION ID>with the id from Step 2 - Doing above steps will clean-up everything including the VIDB objects. Perform below steps to clean-up the relevant objects in SSO, if it exists.
- List the VC Identity Providers
curl -k --request GET 'https://vCenter_FQDN/rest/vcenter/identity/providers' --header 'vmware-api-session-id: <SESSION ID>' - If the response is not empty, call DELETE on each of the provider objects returned using below command :
Note: Replacecurl -k --request DELETE 'https://vCenter_FQDN/rest/vcenter/identity/providers/<Provider ID>' --header 'vmware-api-session-id: <SESSION ID>'<Provider ID>with the Provider ID returned by Step 7 - Do a Identity Provider LIST again and verify all objects are deleted.
curl -k --request GET 'https://vCenter_FQDN/rest/vcenter/identity/providers' --header 'vmware-api-session-id: <SESSION ID>' - To clean-up the VIDB objects, get an access token by calling below API:
curl -k --location --request GET 'https://vCenter_FQDN/api/vcenter/identity/broker/tenants/CUSTOMER/admin-client' --header 'vmware-api-session-id: <SESSION ID>' - Perform VIDB Directories LIST
curl -kv --request GET 'https://vCenter_FQDN/usergroup/t/CUSTOMER/broker/directories' \
Note: Replace--header 'Authorization: Bearer <ACCESS TOKEN>' | jq<ACCESS TOKEN>using the token from Step 10.
Sample Response:
{"items": [{"_links": {},"id": "<Directory ID>","name": "azure_dir","domains": ["<domain name>"],"source": "AZURE","type": "PROVISIONED","delete_in_progress": false}],"_links": {}} - Perform DELETE on each of the returned directories.
curl -kv --request DELETE 'https://vCenter_FQDN/usergroup/t/CUSTOMER/broker/directories/<Directory ID from Step 11>' \--header 'Authorization: Bearer <ACCESS TOKEN>' - List the directories again and verify all objects are deleted
Note: Replacecurl -kv --request GET 'https://vCenter_FQDN/usergroup/t/CUSTOMER/broker/directories' \--header 'Authorization: Bearer <ACCESS TOKEN>' | jq<ACCESS TOKEN>using the token from Step 10. - Perform VIDB Identity Provider list
curl -kv --location --request GET 'https://vCenter_FQDN/federation/t/CUSTOMER/broker/identity-providers' \ --header 'Authorization: Bearer <Access Token>' | jqSample Response :
{"items": [{"_links": {},"id": "<Identity Provider ID>","idp_name": "Azure","idp_type": "OIDC","directory_ids": []}],"_links": {}} - Perform DELETE on each of the returned directories
curl -kv --location --request DELETE 'https://vCenter_FQDN/federation/t/CUSTOMER/broker/identity-providers/<Identity Provider ID from Step 14>' \ --header 'Authorization: Bearer <ACCESS TOKEN>' - List the VIDB Identity Providers again and verify all objects are deleted
curl -kv --location --request GET 'https://vCenter_FQDN/federation/t/CUSTOMER/broker/identity-providers' \ --header 'Authorization: Bearer <Access Token>' | jq
Additional Information
In certain circumstances, the outputs above may not return anything so you cannot remove the required values
In cases like this, the stale entries can be removed by connecting to the vCenter with a tool like JXplorer
How to Connect to a vCenter with JXplorer
Once connected, you can delete the stale entry manually
It is be located at: Services -> IdentityManager -> Tenants -> vsphere.local -> IdentityProviders
Then restart the vCenter services and try to configure EntraID once more
Feedback
