vCenter "Access Denied" Error After Entra ID (Azure AD) OIDC Authentication

Article ID: 416480

Products

VMware vCenter Server

Issue/Introduction

  • When attempting to log in to vCenter Server using Entra ID (formerly Azure AD) credentials via OIDC, the user is redirected to Microsoft for authentication.
  • After successful authentication with Microsoft, the user is redirected back to vCenter.
  • vCenter displays an "Access Denied" error message.
  • Reviewing the /var/log/vmware/vc-ws1a-broker/usergroup-service.log on the vCenter Server appliance (VCSA) reveals log entries similar to:
    2025-10-03T22:27:23,976 INFO  vcenter.example.com:usergroup (usergroup-business-pool-0) [CUSTOMER;uuiduuid-uuid-uuid-uuid-uuiduuiduui4;##.##.##.##;uuiduuid-uuid-uuid-uuid-uuiduuiduui5;-] com.vmware.vidm.usergroup.model.business.User - User with Id uuiduuid-uuid-uuid-uuid-uuiduuiduui6 has an update for externalId which will be ignored
  • Reviewing the /var/log/vmware/vc-ws1a-broker/federation-service.log shows an error message similar to:
    2025-10-03T22:20:45,961 WARN  vcenter.example.com:federation (ForkJoinPool-2-worker-125) [CUSTOMER;-;##.##.##.##;uuiduuid-uuid-uuid-uuid-uuiduuiduui1;-;uuiduuid-uuid-uuid-uuid-uuiduuiduui2] com.vmware.vidm.federation.login.processor.AuthResponseUserResolver - User fetching exception with nameId uuiduuid-uuid-uuid-uuid-uuiduuiduui3, nameIdFormat ExternalId, and domains [domain.example.com], user not found
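The two log signatures above can be correlated with a short script. The following Python is an added example written for this article, not part of the KB or of VMware's tooling; the embedded log lines are constructed to match the format shown above, with placeholder identifiers, and the regular expressions assume the message text stays exactly as quoted.

```python
import re

# Constructed sample lines (placeholder identifiers) in the format of
# /var/log/vmware/vc-ws1a-broker/usergroup-service.log on the VCSA.
USERGROUP_LOG = """\
2025-10-03T22:27:23,976 INFO  vcenter.example.com:usergroup (usergroup-business-pool-0) [CUSTOMER;uuiduuid-uuid-uuid-uuid-uuiduuiduui4;##.##.##.##;uuiduuid-uuid-uuid-uuid-uuiduuiduui5;-] com.vmware.vidm.usergroup.model.business.User - User with Id uuiduuid-uuid-uuid-uuid-uuiduuiduui6 has an update for externalId which will be ignored
2025-10-03T22:27:24,010 INFO  vcenter.example.com:usergroup (usergroup-business-pool-0) [CUSTOMER;-;##.##.##.##;-;-] com.vmware.vidm.usergroup.model.business.User - unrelated message
"""

# Constructed sample line in the format of federation-service.log.
FEDERATION_LOG = """\
2025-10-03T22:20:45,961 WARN  vcenter.example.com:federation (ForkJoinPool-2-worker-125) [CUSTOMER;-;##.##.##.##;uuiduuid-uuid-uuid-uuid-uuiduuiduui1;-;uuiduuid-uuid-uuid-uuid-uuiduuiduui2] com.vmware.vidm.federation.login.processor.AuthResponseUserResolver - User fetching exception with nameId uuiduuid-uuid-uuid-uuid-uuiduuiduui3, nameIdFormat ExternalId, and domains [domain.example.com], user not found
"""

# Signature 1: the broker drops an update to the user's externalId.
IGNORED_RE = re.compile(
    r"^(?P<ts>\S+) .*User with Id (?P<user_id>\S+) has an update for externalId which will be ignored"
)
# Signature 2: the nameId sent by the IdP cannot be matched to any local user.
NOT_FOUND_RE = re.compile(
    r"^(?P<ts>\S+) .*User fetching exception with nameId (?P<name_id>[^,]+), "
    r"nameIdFormat (?P<fmt>\S+), and domains \[(?P<domains>[^\]]*)\], user not found"
)


def find_externalid_mismatch(usergroup_log: str, federation_log: str) -> dict:
    """Scan both logs and report the users whose externalId update was dropped,
    the incoming nameIds that could not be resolved, and whether the pair of
    symptoms described in this article is present."""
    ignored = [m.group("user_id") for line in usergroup_log.splitlines()
               if (m := IGNORED_RE.match(line))]
    unresolved = [{"name_id": m.group("name_id"), "format": m.group("fmt"),
                   "domains": [d.strip() for d in m.group("domains").split(",") if d.strip()]}
                  for line in federation_log.splitlines() if (m := NOT_FOUND_RE.match(line))]
    # Both signatures together point at the externalId claim mapping (see Cause).
    likely = bool(ignored) and any(u["format"] == "ExternalId" for u in unresolved)
    return {"ignored_externalid_updates": ignored,
            "unresolved_name_ids": unresolved,
            "likely_claim_mapping_issue": likely}


if __name__ == "__main__":
    # On a real appliance, read the two files named above instead of the samples.
    for key, value in find_externalid_mismatch(USERGROUP_LOG, FEDERATION_LOG).items():
        print(f"{key}: {value}")
```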

Environment

vCenter 8.x
Microsoft Entra ID

Cause

This issue is caused by an incorrect attribute mapping in the Entra ID Enterprise Application configuration for the vCenter OIDC provider.

When vCenter Server attempts to map the incoming claims from Entra ID, the user's externalId is being ignored. This typically happens if the "Unique User Identifier" (Name ID) claim, which vCenter expects to map to externalId, is not configured correctly. The vCenter OIDC provider requires a unique, immutable identifier from the token.

In some configurations the user's objectId is mapped, following Configuring Microsoft Entra ID for vCenter Server (KB 322179), but the attribute that must be mapped to externalId for persistent, unique identification is the oid (Object ID) claim.

Resolution

To resolve this issue, modify the token configuration claims in the Entra ID Enterprise Application so that the user's oid claim, rather than the objectId advised in KB 322179, is mapped to the externalId attribute that vCenter expects.

If updating the externalId mapping does not resolve the issue, verify that the entire configuration matches the PDF document attached to KB 322179 (see the PDF at the bottom of that KB).