Microsoft Entra ID Authentication Fails with "oauth2.request.invalid.redirecturl" Error in vCenter Server After DNS or SSL Certificate Changes

Article ID: 384285

Products

VMware vCenter Server

Issue/Introduction

After changing from IP-based access to a DNS hostname or updating SSL certificates in vCenter Server, users may receive an "oauth2.request.invalid.redirecturl" error when attempting to authenticate using Microsoft Entra ID (formerly Azure AD). The error appears immediately upon selecting the SSO option, before the Entra ID login page is reached. SCIM provisioning may continue to work normally despite the authentication failure.

Environment

- vSphere 8.0 or later
- Microsoft Entra ID configured for vCenter authentication
- Environment using Microsoft Entra Application Proxy
- Recent changes to DNS configuration or SSL certificates

Cause

Changes to DNS settings or SSL certificates can cause corruption in the stored identity provider configuration. The standard UI does not provide a direct method to remove the corrupted configuration, requiring a specific workflow to reset and rebuild the identity provider settings.

Resolution

  1. Log in to the vSphere Client using the local administrator account ([email protected])
  2. Navigate to Administration > Single Sign On > Configuration
  3. Click the "CHANGE PROVIDER" control
  4. Select "Other Providers"
  5. Select "Embedded" (This step effectively removes the existing provider configuration)
  6. Re-add the Microsoft Entra ID provider with the following information:
    1. Microsoft identifier from the Azure portal
    2. Shared secret from Azure
    3. OpenID configuration URL
  7. If using SCIM provisioning, generate a new SCIM token
  8. Test the connection by:
    1. Opening an incognito/private browser window
    2. Accessing vCenter
    3. Selecting SSO authentication
    4. Verifying successful redirection to Entra ID

Additional Information