Unable to log in to vCenter with Entra ID credentials

Article ID: 390375

Products

VMware vCenter Server 8.0

Issue/Introduction

  • Microsoft Entra ID users attempting to log in to vCenter fail with an "Access Denied" error.
  • In vCenter, /var/log/vmware/vc-ws1a-broker/federation-service.log contains entries similar to the following (the AADSTS7000222 code in the first line identifies the cause):

[YYYY-MM-DDTHH:MM:SS] ERROR vCenter.domain.com:federation (vert.x-eventloop-thread-12) [-;-;-;-;-;-] com.vmware.vidm.federation.authenticator.oidc.OidcAuthenticationService - Token endpoint failed io.vertx.core.impl.NoStackTraceThrowable: invalid_client: AADSTS7000222: The provided client secret keys for app 'yyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy' are expired. Visit the Azure portal to create new keys for your app: https://aka.ms/NewClientSecret, or consider using certificate credentials for added security: https://aka.ms/certCreds. Trace ID: xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx Correlation ID: xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxxx Timestamp: [YYYY-MM-DDTHH:MM:SS]
[YYYY-MM-DDTHH:MM:SS] WARN  vCenter.domain.com:federation (federation-business-pool-0) [CUSTOMER;-;xx.xx.xx.xx;xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx;-;xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx] com.vmware.vidm.federation.authenticator.oidc.OidcAuthenticator - Exception occurred while retrieving oidc tokens com.vmware.vidm.federation.authenticator.oidc.OidcAuthenticationException: Unable to get ID token and access token  at com.vmware.vidm.federation.authenticator.oidc.OidcAuthenticationService.lambda$redeemOidcTokensWithAuthorizationCode$1(OidcAuthenticationService.java:129)
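Because the same "Access Denied" message is shown to the user for several different federation failures, it is worth confirming from the log that the token endpoint actually returned AADSTS7000222 before rotating anything. The script below is an added example, not VMware or Microsoft code: it parses lines in the format shown above, extracts the AADSTS code and the app ID that Entra ID quotes, and reports which app registration has an expired client secret. The log line format, the sample lines and the app ID are constructed here for illustration; run it on the appliance with the real log path to check your own log.

```python
import re
import sys

# Log the article refers to on the vCenter Server 8.0 appliance.
FEDERATION_LOG = "/var/log/vmware/vc-ws1a-broker/federation-service.log"

# Entra ID error code for an expired client secret (quoted in the log excerpt above).
EXPIRED_SECRET_CODE = "7000222"

# Constructed sample lines in the shape of the excerpt above; not real log data.
SAMPLE_LOG = """\
2024-05-01T10:15:22.101Z INFO  vc.example.com:federation (vert.x-eventloop-thread-3) [-;-;-;-;-;-] com.vmware.vidm.federation.authenticator.oidc.OidcAuthenticationService - Redeeming authorization code
2024-05-01T10:15:23.417Z ERROR vc.example.com:federation (vert.x-eventloop-thread-12) [-;-;-;-;-;-] com.vmware.vidm.federation.authenticator.oidc.OidcAuthenticationService - Token endpoint failed io.vertx.core.impl.NoStackTraceThrowable: invalid_client: AADSTS7000222: The provided client secret keys for app '11111111-2222-3333-4444-555555555555' are expired. Visit the Azure portal to create new keys for your app: https://aka.ms/NewClientSecret Trace ID: aaaaaaaa-0000-0000-0000-000000000001 Correlation ID: bbbbbbbb-0000-0000-0000-000000000002 Timestamp: 2024-05-01T10:15:23Z
2024-05-01T10:15:23.420Z WARN  vc.example.com:federation (federation-business-pool-0) [CUSTOMER;-;10.0.0.5;cccccccc-0000-0000-0000-000000000003;-;dddddddd-0000-0000-0000-000000000004] com.vmware.vidm.federation.authenticator.oidc.OidcAuthenticator - Exception occurred while retrieving oidc tokens com.vmware.vidm.federation.authenticator.oidc.OidcAuthenticationException: Unable to get ID token and access token
"""

# "<timestamp> <LEVEL> <host>:federation (<thread>) [<context>] <logger> - <message>";
# the timestamp may or may not be wrapped in square brackets.
LINE_RE = re.compile(
    r"^\[?(?P<ts>[^\]\s]+)\]?\s+(?P<level>ERROR|WARN|INFO|DEBUG)\s+(?P<host>\S+?):federation\s+"
    r"\((?P<thread>[^)]*)\)\s+\[(?P<ctx>[^\]]*)\]\s+(?P<logger>\S+)\s+-\s+(?P<msg>.*)$"
)
# Error code and human-readable text, stopping before the Trace ID that Entra ID appends.
AADSTS_RE = re.compile(r"AADSTS(?P<code>\d+):\s*(?P<text>.*?)(?=\s+Trace ID:|$)")
# Application (client) ID of the app registration named in the error text.
APP_ID_RE = re.compile(r"app '(?P<app>[^']+)'")


def parse_line(line):
    """Split one federation-service.log line into its fields, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_aadsts_errors(text):
    """Return one record per log line that carries an AADSTS error code."""
    found = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        code = AADSTS_RE.search(rec["msg"])
        if code is None:
            continue
        app = APP_ID_RE.search(rec["msg"])
        found.append({
            "timestamp": rec["ts"],
            "level": rec["level"],
            "code": code.group("code"),
            "app_id": app.group("app") if app else None,
            "text": code.group("text"),
        })
    return found


def expired_secret_apps(text):
    """App registration IDs for which Entra ID reported an expired client secret."""
    return {
        e["app_id"]
        for e in find_aadsts_errors(text)
        if e["code"] == EXPIRED_SECRET_CODE and e["app_id"]
    }


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else FEDERATION_LOG
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError as exc:
        print(f"cannot read {path}: {exc}; using the constructed sample", file=sys.stderr)
        text = SAMPLE_LOG
    for e in find_aadsts_errors(text):
        print(f"{e['timestamp']} {e['level']} AADSTS{e['code']} app={e['app_id']} {e['text']}")
    apps = expired_secret_apps(text)
    if apps:
        print("expired client secret for app registration(s): " + ", ".join(sorted(apps)))
```

Any other AADSTS code printed by the script (for example a wrong client ID or redirect URI) points to a different cause, and the client secret steps below will not help; the app ID it prints is the Application (client) ID to look for in the Azure portal.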


Cause

The client secret of the Microsoft Entra ID app registration that vCenter uses for OIDC federation has expired. Entra ID rejects the token request with AADSTS7000222 (invalid_client), so vCenter cannot redeem the authorization code for ID and access tokens and denies the login.

Resolution

To resolve the issue, create a new client secret for the app registration and update vCenter with it:


1. Log in to the Azure portal (https://portal.azure.com) with an account that can manage the app registration.


2. Locate the app registration:

  • In the left-hand menu, select "Microsoft Entra ID" (labelled "Azure Active Directory" in older versions of the portal).
  • Under "Manage," select "App registrations."
  • Find and select the app registration whose Application (client) ID matches the app ID quoted in the log error ('yyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy' in the excerpt above).


3. Add a new client secret:

  • Under "Manage," select "Certificates & secrets."
  • In the "Client secrets" section, click "New client secret."
  • Add a description for the new client secret (e.g., "vCenter federation") and choose an expiry period that matches your rotation policy. Record the expiry date: vCenter logins will fail again with the same error when this secret lapses.
  • Click "Add."


4. Update vCenter with the new client secret:

  • Immediately after creating the secret, copy the "Value" column (not the "Secret ID"). The value is displayed only once and cannot be retrieved later; if it is lost, create another secret.
  • In the vSphere Client, edit the Microsoft Entra ID identity provider configuration (Administration > Single Sign On > Configuration > Identity Provider) and replace the client secret with the new value.
  • Verify by logging in with an Entra ID account and confirming that no new AADSTS7000222 entries appear in federation-service.log. Once logins succeed, the expired secret can be deleted from the app registration.
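The secret created in step 3 will expire in turn, and Entra ID gives no grace period, so the practical follow-up is to check the app registration's secrets before they lapse rather than after users are locked out. The script below is an added example, not VMware or Microsoft code. It evaluates the JSON that `az ad app credential list --id <Application (client) ID>` returns for the app registration and classifies each secret as expired, expiring within a rotation window, or valid; the field names assume the Microsoft Graph passwordCredential shape, and the sample credentials, key IDs and fixed "now" are constructed for illustration. Note that this listing never includes secret values; Entra ID shows a value only once, at creation, which is why step 4 must follow step 3 immediately.

```python
import json
import sys
from datetime import datetime, timezone

# Rotate when fewer than this many days remain (assumed policy; adjust to your own).
WARN_DAYS = 30

# Fixed "now" so the constructed sample gives a reproducible result.
SAMPLE_NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)

# Constructed sample in the shape of `az ad app credential list --id <appId>` output.
# Field names follow the Microsoft Graph passwordCredential resource (assumption);
# the names, key IDs and dates are made up. No "secretText" is present: the portal and
# the API never return the value of an existing secret.
SAMPLE_CREDENTIALS = json.dumps([
    {"displayName": "vcenter-federation-2023", "keyId": "0f5a1f7e-0000-4000-8000-000000000001",
     "startDateTime": "2023-04-01T00:00:00Z", "endDateTime": "2024-04-01T00:00:00Z", "hint": "Ab1"},
    {"displayName": "vcenter-federation-temp", "keyId": "0f5a1f7e-0000-4000-8000-000000000002",
     "startDateTime": "2024-04-20T00:00:00Z", "endDateTime": "2024-05-15T00:00:00Z", "hint": "Cd2"},
    {"displayName": "vcenter-federation-2024", "keyId": "0f5a1f7e-0000-4000-8000-000000000003",
     "startDateTime": "2024-04-20T00:00:00Z", "endDateTime": "2025-04-20T00:00:00Z", "hint": "Ef3"},
])


def parse_graph_time(value):
    """Graph returns ISO-8601 UTC timestamps ending in 'Z', which older Pythons cannot parse."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify_secrets(credentials_json, now, warn_days=WARN_DAYS):
    """Return (name, status, days_left) per client secret; status is expired, expiring or valid."""
    rows = []
    for cred in json.loads(credentials_json):
        end = parse_graph_time(cred["endDateTime"])
        days_left = (end - now).days
        if end <= now:
            status = "expired"        # Entra ID answers AADSTS7000222 for this one
        elif days_left <= warn_days:
            status = "expiring"       # still works, but rotate now
        else:
            status = "valid"
        rows.append((cred.get("displayName") or cred["keyId"], status, days_left))
    return rows


def has_usable_secret(credentials_json, now, warn_days=WARN_DAYS):
    """True when at least one secret is valid and outside the rotation window."""
    return any(status == "valid" for _, status, _ in classify_secrets(credentials_json, now, warn_days))


if __name__ == "__main__":
    # Pipe real output in: az ad app credential list --id <appId> | python3 check_secrets.py
    if sys.stdin.isatty():
        data, now = SAMPLE_CREDENTIALS, SAMPLE_NOW
    else:
        data, now = sys.stdin.read(), datetime.now(timezone.utc)
    for name, status, days in classify_secrets(data, now):
        print(f"{name:32} {status:9} {days:+d} days")
    # Non-zero exit lets a scheduled job raise an alert before vCenter logins start failing.
    sys.exit(0 if has_usable_secret(data, now) else 1)
```

Running the script from cron or a monitoring job with a non-zero exit as the alert condition turns this article's outage into a scheduled rotation; the "expired" rows are also the secrets that can safely be deleted from the app registration once vCenter has been switched to the new one.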


Additional Information

Refer to the attached document for the step-by-step procedure to reconfigure vCenter with the new client secret. See page 14, step 27 for detailed instructions.

For additional information, refer to How to Enable Entra ID for vCenter Server.

Attachments

Step-by-step-procedure-to-configure-azure-ad-federation-on-vcenter-server_v3.pdf