Microsoft Entra ID Authentication Fails with "Access denied. Unable to authenticate the user."

Article ID: 385106

Products

VMware vCenter Server

Issue/Introduction

After configuring Microsoft Entra ID authentication, users may receive an "Access denied. Unable to authenticate the user." error when attempting to authenticate using Microsoft Entra ID (formerly Azure AD). You may still be able to configure permissions on vCenter for the affected users despite the login failure.

Symptoms:

You find entries similar to the following in federation-service.log:

/var/log/vmware/vc-ws1a-broker/federation-service.log

2024-12-30T19:38:58,545 INFO  vcenter.yourdomain.com:federation (federation-business-pool-0) [CUSTOMER;-;IP.XX.XX.XX;XXXXXXXX-TASK-UUID-XXXXXXXXXXXX;-;XXXXXXXX-USER-LOGIN-UUID-XXXXXXXXXXXX] com.vmware.vidm.federation.utils.MetricsPublisherUtil - OIDC authentication successful
2024-12-30T19:38:58,560 INFO  vcenter.yourdomain.com:federation (federation-business-pool-0) [CUSTOMER;-;IP.XX.XX.XX;XXXXXXXX-TASK-UUID-XXXXXXXXXXXX;-;XXXXXXXX-USER-LOGIN-UUID-XXXXXXXXXXXX] com.vmware.vidm.federation.login.processor.AuthResponseUserResolver - Fetching user for jit login context: XXXXXXXX-USER-LOGIN-UUID-XXXXXXXXXXXX on attribute ExternalId=XXXXXXXX-EXTERNALID-XXXX-XXXXXXXXXXXX, domains: [yourdomain.com]
2024-12-30T19:38:58,602 WARN  vcenter.yourdomain.com:federation (ForkJoinPool-2-worker-145) [CUSTOMER;-;IP.XX.XX.XX;XXXXXXXX-TASK-UUID-XXXXXXXXXXXX;-;XXXXXXXX-USER-LOGIN-UUID-XXXXXXXXXXXX] com.vmware.vidm.federation.login.processor.AuthResponseUserResolver - User fetching exception with nameId XXXXXXXX-EXTERNALID-XXXX-XXXXXXXXXXXX, nameIdFormat ExternalId, and domains [yourdomain.com], user not found
2024-12-30T19:38:58,603 INFO  vcenter.yourdomain.com:federation (federation-business-pool-0) [CUSTOMER;-;IP.XX.XX.XX;XXXXXXXX-TASK-UUID-XXXXXXXXXXXX;-;XXXXXXXX-USER-LOGIN-UUID-XXXXXXXXXXXX] com.vmware.vidm.federation.login.LoginEventServiceAspect - Failing login. contextUuid: XXXXXXXX-USER-LOGIN-UUID-XXXXXXXXXXXX, exception: com.vmware.vidm.federation.login.AccessDeniedException: Access denied with reason code: USER_NOT_FOUND, isAuthenticationForced: false
2024-12-30T19:38:58,603 INFO  vcenter.yourdomain.com:federation (federation-business-pool-0) [CUSTOMER;-;IP.XX.XX.XX;XXXXXXXX-TASK-UUID-XXXXXXXXXXXX;-;XXXXXXXX-USER-LOGIN-UUID-XXXXXXXXXXXX] com.vmware.vidm.federation.utils.MetricsPublisherUtil - Login failed due to reason: USER_NOT_FOUND
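As an added example (not part of this article or of VMware's code), the following Python script parses lines in the federation-service.log layout shown above, groups them by the login-context UUID in the bracketed field, and flags logins where Entra ID returned a valid token ("OIDC authentication successful") but the just-in-time user lookup failed with USER_NOT_FOUND. The line layout and the positions of the task and login UUIDs inside the brackets are assumed from the excerpt; the sample lines are constructed with placeholder values.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the excerpt above; UUIDs and IP are placeholders.
SAMPLE_LOG = """\
2024-12-30T19:38:58,545 INFO  vcenter.yourdomain.com:federation (federation-business-pool-0) [CUSTOMER;-;IP.XX.XX.XX;TASK-1;-;LOGIN-1] com.vmware.vidm.federation.utils.MetricsPublisherUtil - OIDC authentication successful
2024-12-30T19:38:58,560 INFO  vcenter.yourdomain.com:federation (federation-business-pool-0) [CUSTOMER;-;IP.XX.XX.XX;TASK-1;-;LOGIN-1] com.vmware.vidm.federation.login.processor.AuthResponseUserResolver - Fetching user for jit login context: LOGIN-1 on attribute ExternalId=EXT-1, domains: [yourdomain.com]
2024-12-30T19:38:58,602 WARN  vcenter.yourdomain.com:federation (ForkJoinPool-2-worker-145) [CUSTOMER;-;IP.XX.XX.XX;TASK-1;-;LOGIN-1] com.vmware.vidm.federation.login.processor.AuthResponseUserResolver - User fetching exception with nameId EXT-1, nameIdFormat ExternalId, and domains [yourdomain.com], user not found
2024-12-30T19:38:58,603 INFO  vcenter.yourdomain.com:federation (federation-business-pool-0) [CUSTOMER;-;IP.XX.XX.XX;TASK-1;-;LOGIN-1] com.vmware.vidm.federation.utils.MetricsPublisherUtil - Login failed due to reason: USER_NOT_FOUND
2024-12-30T19:40:01,100 INFO  vcenter.yourdomain.com:federation (federation-business-pool-1) [CUSTOMER;-;IP.XX.XX.XX;TASK-2;-;LOGIN-2] com.vmware.vidm.federation.utils.MetricsPublisherUtil - OIDC authentication successful
"""

# Assumed layout: timestamp level host:component (thread) [ctx;...] logger - message
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>[A-Z]+)\s+\S+\s+\((?P<thread>[^)]+)\)\s+"
    r"\[(?P<ctx>[^\]]*)\]\s+(?P<logger>\S+)\s+-\s+(?P<msg>.*)$"
)

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    fields = rec["ctx"].split(";")          # 4th field: task UUID, 6th: login UUID (assumed)
    rec["task_uuid"] = fields[3] if len(fields) > 3 else ""
    rec["login_uuid"] = fields[5] if len(fields) > 5 else ""
    return rec

def summarize_logins(text):
    """Group records by login-context UUID and collect the JIT lookup details."""
    per_login = defaultdict(lambda: {"oidc_ok": False, "attribute": None,
                                     "external_id": None, "domains": None, "reason": None})
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        s = per_login[rec["login_uuid"]]
        msg = rec["msg"]
        if msg == "OIDC authentication successful":
            s["oidc_ok"] = True                 # IdP accepted the user; token was valid
        m = re.search(r"attribute (\w+)=(\S+), domains: \[([^\]]*)\]", msg)
        if m:                                   # which local attribute the JIT lookup keyed on
            s["attribute"], s["external_id"], s["domains"] = m.groups()
        m = re.search(r"Login failed due to reason: (\w+)", msg)
        if m:
            s["reason"] = m.group(1)
    return dict(per_login)

def failed_jit_lookups(text):
    """Logins where Entra ID authenticated the user but vCenter could not resolve it."""
    return {k: v for k, v in summarize_logins(text).items()
            if v["oidc_ok"] and v["reason"] == "USER_NOT_FOUND"}
```

A non-empty result from `failed_jit_lookups` points at the provisioning or attribute-mapping side (the token was accepted) rather than at the user's credentials or the Entra ID app registration.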


Environment

  • vSphere 8.0 or later
  • Microsoft Entra ID configured for vCenter authentication
  • Environment using Microsoft Entra Application Proxy
  • Configuring a New Microsoft Entra ID for vCenter authentication

Cause

When enabling Entra ID for vCenter Server, the SCIM user attributes may be synced before they have been mapped correctly. The synced users are therefore visible when assigning permissions, while the login-time lookup on the ExternalId attribute fails with USER_NOT_FOUND.

Resolution

Clear the Entra ID configuration and re-add it so that the users can authenticate.

  1. Log into the vSphere Client using the local administrator account ([email protected])
  2. Navigate to Administration > Single Sign On > Configuration
  3. Click the "CHANGE PROVIDER" control
  4. Select "Other Providers"
  5. Select "Embedded" (This step effectively removes the existing provider configuration)
  6. Re-add the Microsoft Entra ID provider with the following information:
    1. Microsoft identifier from the Azure portal
    2. Shared secret from Azure
    3. OpenID configuration URL
  7. If using SCIM provisioning, generate a new SCIM token
  8. Test the connection by:
    1. Opening an incognito/private browser window
    2. Accessing vCenter
    3. Selecting SSO authentication
    4. Verifying successful redirection to Entra ID

Additional Information