Steps to configure Multi-Factor Authentication (MFA) for vCenter Server using Microsoft Entra ID



Article ID: 429082


Products

VMware vCenter Server

Issue/Introduction

When vCenter Server is integrated with Microsoft Entra ID (formerly Azure AD) for Identity Federation, administrators may need to enforce Multi-Factor Authentication (MFA) for vCenter logins.

Because vCenter Server offloads authentication to the external Identity Provider via OpenID Connect (OIDC), the vSphere Client only redirects the browser to Entra ID and consumes the resulting token; it never sees or evaluates the user's second factor. MFA therefore cannot be enabled within the vSphere Client. It must be configured at the Identity Provider using an Entra ID Conditional Access policy scoped to the vCenter application.

Environment

  • VMware vCenter Server 8.0 Update 2 or later

Cause

vCenter Server relies on the external Identity Provider (Entra ID) to validate the user's identity. If no Conditional Access policy requires MFA for the vCenter application, Entra ID completes the OIDC sign-in with a single factor and users are never prompted for MFA, even though vCenter is federated.

Resolution

MFA is enforced by creating a Conditional Access policy within the Microsoft Entra admin center for the vCenter App Registration.

vCenter Server must already be successfully integrated with Microsoft Entra ID (see KB 322179) before performing the steps below.

  1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
  2. Navigate to Entra ID > Conditional Access > Overview.
  3. Select "Create new policy".
  4. Name the policy with a descriptive name (for example, MFA-Enforcement-vCenter).
  5. Under "Assignments", select the current value shown under "Users or workload identities".
  6. Under "What does this policy apply to?", verify that "Users and groups" is selected.
  7. Under "Include", choose "Select users and groups" and check the "Users and groups" box.
  8. Browse for and select the specific users or groups that require MFA.
  9. Under "Target resources", choose "Select apps" and search for the vCenter application name (the App Registration created during the vCenter OIDC setup).
  10. Under Access controls > Grant, select "Grant access" and check "Require multifactor authentication".
  11. Set "Enable policy" to On. To review the impact before enforcing, set it to Report-only first and check the sign-in logs.
  12. Click "Create".

Notes for validation:

  • The policy only applies to the users or groups included in step 8 and only to the vCenter application selected in step 9. Accounts in the local vCenter SSO domain (for example administrator@vsphere.local) and in Active Directory/LDAP identity sources do not authenticate through Entra ID and are not affected.
  • Follow Microsoft's guidance to exclude emergency-access (break-glass) accounts from the policy so that an MFA outage does not lock administrators out of Entra ID itself.
  • Verify the result by signing in to the vSphere Client with an in-scope federated account in a fresh browser session, or by running the policy through the Conditional Access "What If" tool for that user and application.
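The same policy can be created and verified from the command line with the Microsoft Graph PowerShell SDK instead of the admin center. The script below is an added example and is not part of this KB article or a VMware/Broadcom tool; the app registration name "vCenter-OIDC", the group names "vCenter-Admins" and "BreakGlass-Accounts" and the policy name are assumptions to be replaced with your own values. It starts the policy in report-only mode so the sign-in logs can be reviewed before enforcement.

```powershell
# Added example (not from the KB): create the vCenter MFA Conditional Access
# policy with the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
# Assumed (hypothetical) names, replace with your own:
$vcAppName   = "vCenter-OIDC"         # App Registration used for vCenter OIDC
$targetGroup = "vCenter-Admins"       # users who must use MFA for vCenter
$excludeGrp  = "BreakGlass-Accounts"  # emergency-access accounts to exclude
$policyName  = "MFA-Enforcement-vCenter"

# Policy.ReadWrite.ConditionalAccess creates the policy; the read scopes
# are needed to resolve the app and group identifiers.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Application.Read.All","Group.Read.All"

# Conditional Access targets applications by client ID (AppId), not object ID.
$app = Get-MgApplication -Filter "displayName eq '$vcAppName'" | Select-Object -First 1
if (-not $app) { throw "App registration '$vcAppName' not found" }

$group = Get-MgGroup -Filter "displayName eq '$targetGroup'" | Select-Object -First 1
if (-not $group) { throw "Group '$targetGroup' not found" }

# Exclusion is optional; an empty array is valid if the group does not exist.
$exclude = Get-MgGroup -Filter "displayName eq '$excludeGrp'" | Select-Object -First 1
$excludeIds = @()
if ($exclude) { $excludeIds = @($exclude.Id) }

$policy = @{
    displayName = $policyName
    # Report-only: evaluated and logged, not enforced. Switch to "enabled"
    # after reviewing the sign-in logs.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @($group.Id)
            excludeGroups = $excludeIds
        }
        applications = @{
            includeApplications = @($app.AppId)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")   # equivalent to "Require multifactor authentication"
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy {0} ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State

# Read the policy back and confirm scope and grant control.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State,
        @{n='Apps';   e={ $_.Conditions.Applications.IncludeApplications -join ',' }},
        @{n='Groups'; e={ $_.Conditions.Users.IncludeGroups -join ',' }},
        @{n='Grant';  e={ $_.GrantControls.BuiltInControls -join ',' }}

# Enforce once the report-only results are acceptable:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

The verification step at the end should show the vCenter client ID under Apps, the admin group's object ID under Groups and "mfa" under Grant; if Apps is empty the policy was created but does not target vCenter and will never prompt for MFA.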

Additional Information

See the following Microsoft documentation for more information on configuring MFA with Conditional Access:

Secure user sign-in events with Microsoft Entra multifactor authentication