•  Every logon attempt fails with "Your Single Sign-on attempt failed." message from Cloud Director Tenant Portal.
• The following error is shown in the Cloud Director debug logs: "OAuthFilter | Could not obtain user details from token ... org.springframework.security.authentication.BadCredentialsException: Audience does not match clientId"

VMware Cloud Director 10.5.1.1

This error appears to suggest that VCD could not get the User's details from the token that came back from the IDP (MS Entra).
The error given is that the Client IDs are not matching as expected.

To help solving the issue you will need to verify the Client ID within the VCD Tenant > OIDC Settings which should match the Client ID on Microsoft Entra ID side.

After that you will need to make sure that the user is part of the correct Group and configured correctly from the Microsoft Entra ID side.

This can be done by:

1) On the side of Entra ID > App registration > Token configuration > add groups claim (based on “Object ID” or “sAMAccountName”

2) On the side of VCD Tenant > Identity Providers > OIDC > turn off the slider at Configuration Disccovery

3) Take care that the “Prefer ID Token” is turned on as per following article: OIDC Group logins failing when using Microsoft Entra ID as the identity provider

4) Map the additional claim “Groups name” with the name from Entra ID

5) When not using the “Configuration Discovery” you can enter the claim names manually (not forced a dropdown list)

6) After that the users within Entra ID groups, will be able to login in Cloud Director.

Document used to Configure Your System to Use an OpenID Connect Identity Provider Using Your VMware Cloud Director Tenant Portal