Could not create indirect identity provider: Identity provider with ID <Provider ID> and name Microsoft Entra ID already exists for tenant
Article ID: 370574

Products

VMware vCenter Server 8.0

Issue/Introduction

  • Configuring External Identity Provider on vCenter Server fails with error "already exists for tenant <tenant_name>".

  • The vSphere Client shows the following error messages:

    Could not create indirect identity provider: Identity provider with ID ##-##-##-##-## and name <Identity Provider Type Name> already exists for tenant <tenant name>

    Failed to delete usergroup directory with ID ##-##-##-##-## for tenant customer on host <vCenter_FQDN>

  • This issue is caused by a stale identity provider configuration on vCenter Server. It typically occurs when the Identity Provider is recreated after switching back from an External Identity Provider to Embedded SSO.

  • Follow this KB to clean up a stale Identity Provider configuration (for example "Okta", "Microsoft Entra ID" or "PingFederate") on vCenter Server.

Resolution

To resolve this issue, delete the stale identity provider configuration by following the steps below:

Important: Before troubleshooting, take a backup of the vCenter appliance. If the vCenter Servers are in linked mode, take an offline snapshot of all vCenter Servers in the linked mode group. Refer: Enhanced Linked Mode pre-changes snapshot best practice

  1. Log in to vCenter Server using SSH (e.g. PuTTY).

  2. Log in to the REST API to obtain a vCenter session ID:

    curl -k --request POST --url https://<vCenter_FQDN>/rest/com/vmware/cis/session -u '[email protected]:<Admin Password>'

    Note: Replace the username <[email protected]> and password <Admin Password> with the values for your environment.

  3. List the Authbroker IDPs and note down the UUID of each:

    curl -k --location --request GET 'https://<vCenter_FQDN>/api/vcenter/identity/authbrokeridp' --header 'vmware-api-session-id: <SESSION ID>'

    Note: Replace <SESSION ID> with the session ID from Step 2.

    Sample Response:

    {
      "summary_list": [
        {
          "idp": "#####-####-####-####-#######",   <-- IDP UUID
          "name": "Azure AD",
          "tenant_type": "CUSTOMER",
          "activation_state": "PRIMARY_ACTIVE",
          "primary_broker_discovery_endpoint": "https://<fqdn>:443/acs/t/customer/.well-known/openid-configuration"
        }
      ]
    }

  4. Delete each Identity Provider object returned by Step 3:

    curl -k --request DELETE 'https://<vCenter_FQDN>/api/vcenter/identity/authbrokeridp/<IDP UUID>' --header 'vmware-api-session-id: <SESSION ID>'

    Note: Replace <IDP UUID> with the ID from Step 3 and <SESSION ID> with the session ID from Step 2.

  5. List the Authbroker IDPs again to verify that all objects have been removed:

    curl -k --location --request GET 'https://<vCenter_FQDN>/api/vcenter/identity/authbrokeridp' --header 'vmware-api-session-id: <SESSION ID>'

    Note: Replace <SESSION ID> with the session ID from Step 2.

  6. The steps above normally clean up everything, including the VIDB objects. Perform the steps below to clean up the related objects in SSO and VIDB, if any remain.

  7. List the VC Identity Providers:

    curl -k --request GET 'https://<vCenter_FQDN>/rest/vcenter/identity/providers' --header 'vmware-api-session-id: <SESSION ID>'

  8. If the response is not empty, call DELETE on each of the returned provider objects using the command below:

    curl -k --request DELETE 'https://<vCenter_FQDN>/rest/vcenter/identity/providers/<Provider ID>' --header 'vmware-api-session-id: <SESSION ID>'

    Note: Replace <Provider ID> with the Provider ID returned by Step 7.

  9. List the Identity Providers again and verify that all objects are deleted:

    curl -k --request GET 'https://<vCenter_FQDN>/rest/vcenter/identity/providers' --header 'vmware-api-session-id: <SESSION ID>'

  10. To clean up the VIDB objects, obtain an access token by calling the API below:

    curl -k --location --request GET 'https://<vCenter_FQDN>/api/vcenter/identity/broker/tenants/CUSTOMER/admin-client' --header 'vmware-api-session-id: <SESSION ID>'

  11. List the VIDB Directories to obtain the Directory ID:

    curl -kv --request GET 'https://<vCenter_FQDN>/usergroup/t/CUSTOMER/broker/directories' --header 'Authorization: Bearer <ACCESS TOKEN>' | jq

    Note: Replace <ACCESS TOKEN> with the token from Step 10.

    Sample Response:

    {
      "items": [
        {
          "_links": {},
          "id": "<Directory ID>",
          "name": "azure_dir",
          "domains": [
            "<domain name>"
          ],
          "source": "AZURE",
          "type": "PROVISIONED",
          "delete_in_progress": false
        }
      ],
      "_links": {}
    }

  12. Perform DELETE on each of the returned directories:

    curl -kv --request DELETE 'https://<vCenter_FQDN>/usergroup/t/CUSTOMER/broker/directories/<Directory ID from Step 11>' --header 'Authorization: Bearer <ACCESS TOKEN>'

  13. List the directories again and verify that all objects are deleted:

    curl -kv --request GET 'https://<vCenter_FQDN>/usergroup/t/CUSTOMER/broker/directories' --header 'Authorization: Bearer <ACCESS TOKEN>' | jq

    Note: Replace <ACCESS TOKEN> with the token from Step 10.

  14. List the VIDB Identity Providers to obtain the Identity Provider ID:

    curl -kv --location --request GET 'https://<vCenter_FQDN>/federation/t/CUSTOMER/broker/identity-providers' --header 'Authorization: Bearer <ACCESS TOKEN>' | jq

    Sample Response:

    {
      "items": [
        {
          "_links": {},
          "id": "<Identity Provider ID>",
          "idp_name": "Azure",
          "idp_type": "OIDC",
          "directory_ids": []
        }
      ],
      "_links": {}
    }

  15. Perform DELETE on each of the returned identity providers:

    curl -kv --location --request DELETE 'https://<vCenter_FQDN>/federation/t/CUSTOMER/broker/identity-providers/<Identity Provider ID from Step 14>' --header 'Authorization: Bearer <ACCESS TOKEN>'

  16. List the VIDB Identity Providers again and verify that all objects are deleted:

    curl -kv --location --request GET 'https://<vCenter_FQDN>/federation/t/CUSTOMER/broker/identity-providers' --header 'Authorization: Bearer <ACCESS TOKEN>' | jq
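Steps 3 to 16 are one procedure repeated for four object classes: list, delete each returned ID, then list again to verify. The Python script below, added here as an example and not part of this KB or of VMware's tooling, automates that sequence in the KB's order with a dry run as the default, treats an empty list as "nothing to delete" (Step 8), and fails if any object is still present after the DELETE calls. It assumes the operator supplies the session ID from Step 2 and the VIDB access token from Step 10; the response shape of `/rest/vcenter/identity/providers` (`{"value": [{"provider": ...}]}`), the host name `vc.example.invalid`, the placeholder IDs and the `constructed_fake_transport` stand-in are assumptions made so the script runs offline. Unlike the KB's `curl -k`, the real transport verifies the vCenter certificate against a CA bundle.

```python
"""Stale identity-provider cleanup for vCenter Server 8.0, automating Steps 3-16
of the KB in the KB's order. Added example, not VMware tooling. Response shapes
for the /api and broker endpoints follow the KB's sample responses; the /rest
list shape is an assumption (marked below)."""
import json
import ssl
import urllib.request

TENANT = "CUSTOMER"  # tenant name used in the KB's broker URLs


def urllib_transport(ca_bundle):
    """HTTPS transport: send(method, url, headers, body) -> parsed JSON or None.
    Verifies the vCenter certificate against ca_bundle instead of skipping
    verification as the KB's 'curl -k' does."""
    ctx = ssl.create_default_context(cafile=ca_bundle)

    def send(method, url, headers, body=None):
        req = urllib.request.Request(url, data=body, headers=headers, method=method)
        with urllib.request.urlopen(req, context=ctx) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else None
    return send


def authbroker_idp_ids(resp):
    """Step 3 response: {"summary_list": [{"idp": "<uuid>", ...}]}."""
    return [e["idp"] for e in resp.get("summary_list", [])]


def rest_provider_ids(resp):
    """Step 7. Assumption: the legacy /rest API wraps the list as
    {"value": [{"provider": "<id>", ...}]}."""
    return [e["provider"] for e in resp.get("value", [])]


def vidb_item_ids(resp):
    """Steps 11 and 14 responses: {"items": [{"id": "<id>", ...}]}."""
    return [e["id"] for e in resp.get("items", [])]


def cleanup_stale_idp(fqdn, session_id, access_token, send, dry_run=True):
    """List, delete and re-list each object class in the KB's order. Returns the
    IDs found per stage; with dry_run=True nothing is deleted."""
    vc = {"vmware-api-session-id": session_id}            # Step 2 session: /api and /rest
    broker = {"Authorization": f"Bearer {access_token}"}  # Step 10 token: VIDB endpoints
    base = f"https://{fqdn}"
    stages = [
        ("authbroker_idp", f"{base}/api/vcenter/identity/authbrokeridp", vc, authbroker_idp_ids),
        ("sso_providers", f"{base}/rest/vcenter/identity/providers", vc, rest_provider_ids),
        ("vidb_directories", f"{base}/usergroup/t/{TENANT}/broker/directories", broker, vidb_item_ids),
        ("vidb_identity_providers", f"{base}/federation/t/{TENANT}/broker/identity-providers",
         broker, vidb_item_ids),
    ]
    found = {}
    for name, list_url, headers, extract in stages:
        ids = extract(send("GET", list_url, headers) or {})  # empty response: nothing to delete
        found[name] = ids
        if dry_run:
            continue
        for obj_id in ids:
            send("DELETE", f"{list_url}/{obj_id}", headers)
        left = extract(send("GET", list_url, headers) or {})  # verify, as in Steps 5/9/13/16
        if left:
            raise RuntimeError(f"{name}: {left} still present after DELETE")
    return found


def constructed_fake_transport():
    """Offline stand-in for vCenter, constructed for this example: one stale object
    per endpoint (placeholder IDs, not real values). It honours DELETE and rejects
    requests that carry the wrong kind of credential for the endpoint."""
    state = {
        "/api/vcenter/identity/authbrokeridp": ("summary_list", "idp", ["idp-uuid-placeholder"]),
        "/rest/vcenter/identity/providers": ("value", "provider", ["provider-id-placeholder"]),
        f"/usergroup/t/{TENANT}/broker/directories": ("items", "id", ["dir-id-placeholder"]),
        f"/federation/t/{TENANT}/broker/identity-providers": ("items", "id", ["fed-idp-placeholder"]),
    }

    def send(method, url, headers, body=None):
        path = "/" + url.split("/", 3)[3]
        wants_bearer = path.startswith(("/usergroup/", "/federation/"))
        if ("Authorization" if wants_bearer else "vmware-api-session-id") not in headers:
            raise PermissionError(f"wrong credential for {path}")
        if method == "DELETE":
            endpoint, obj_id = path.rsplit("/", 1)
            state[endpoint][2].remove(obj_id)
            return None
        wrapper, key, ids = state[path]
        return {wrapper: [{key: i} for i in ids]}
    return send


if __name__ == "__main__":
    # Offline dry run; replace the fake with urllib_transport("/path/to/ca.pem") for a real vCenter.
    print(json.dumps(cleanup_stale_idp("vc.example.invalid", "<SESSION ID>", "<ACCESS TOKEN>",
                                       constructed_fake_transport()), indent=2))
```

Run it once with the default dry run and compare the printed IDs against what the vSphere Client reports before calling it again with `dry_run=False`; the two header dictionaries mirror the KB's split between the `vmware-api-session-id` session (Steps 3 to 9) and the `Bearer` token from the admin-client call (Steps 11 to 16), and the fake transport rejects a request that mixes them up, which is the most common way the manual curl sequence fails.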

Additional Information

In certain circumstances, the curl commands in the resolution steps may not provide any results/values for the stale identity provider configuration. In such cases, the stale entries can be removed from the vSphere SSO domain using JXplorer.

To connect to a vCenter with JXplorer, refer: How to Connect to a vCenter with JXplorer

Once connected to the SSO domain, delete the stale entry manually under the following location: Services -> IdentityManager -> Tenants -> vsphere.local -> IdentityProviders

Next, restart the vCenter services using the command "service-control --stop --all && service-control --start --all" and try to configure Entra ID again.