Configuring Multi-Factor Authentication (MFA) for vCenter Server 8.0 using External Identity Provider Federation

Article ID: 436096

Updated On:

Products

VMware vCenter Server

Issue/Introduction

Customers require Multi-Factor Authentication (MFA) to secure access to the vSphere Client on vCenter Server 8.0. Currently, vCenter Server does not provide a native, local MFA toggle for users. This article explains the support model for Multi-Factor Authentication (MFA) in vCenter Server 8.0 and provides guidance on how to configure an external Identity Provider (IdP) to achieve Multi-Factor login.

To implement MFA, vCenter must be integrated with a supported external Identity Provider (IdP).

Environment

VMware vCenter Server

Cause

vCenter Server 8.0 offloads MFA responsibilities to external Identity Providers (IdP) via OIDC/OAuth2 protocols. Native MFA for local SSO users is not a supported architecture in this version.

Resolution

Supported External Identity Providers (IdP): To implement MFA, you must configure vCenter federation with one of the following supported services:

  • Microsoft Entra ID (formerly Azure AD)
  • Active Directory Federation Services (AD FS)
  • Okta
  • PingFederate

Configuration Steps

To configure MFA for vCenter login:

  1. Log in to vCenter with an administrator account (e.g., [email protected]).
  2. Navigate to Administration > Single Sign On > Configuration.
  3. On the Identity Sources tab, click CHANGE PROVIDER.
  4. Select a supported MFA-enabled IdP that is deployed in your environment (e.g., Microsoft Entra ID or AD FS).
  5. Follow the wizard to complete the integration with the external IdP.
    • Note: Specific MFA policies (e.g., verification method, timeout) must be configured in the external IdP console.

Additional Information

For detailed step-by-step MOPs, refer to:

Reference KB: