VCF 9.0 login failure with vim.fault.NoPermission using Entra ID and JIT provisioning
Article ID: 433339

Products

VCF Operations

Issue/Introduction

In a VMware Cloud Foundation (VCF) 9.0 environment, users experience a login failure when authenticating via Entra ID (OIDC) through the VMware Identity Broker (VIDB).


Symptoms:

  • Users receive a vim.fault.NoPermission error during the vCenter Server login process.

  • In tokenservice.log, the groupNames and groupIds arrays are empty ([]) during Just-In-Time (JIT) user creation.

  • The vpxd.log records a vim.fault.NoPermission error immediately after token validation.

Environment

VMware Cloud Foundation (VCF) 9.0

Cause

The issue is caused by a mismatch in the provisioning lifecycle: User Provisioning is set to JIT while Group Provisioning is set to Manual/Pre-provisioning, so the identity broker ignores the group claims in the Entra ID token. The JIT-created user therefore has no group memberships, no vCenter permissions apply to it, and the login fails with vim.fault.NoPermission.

Resolution

To resolve this issue, align both User and Group provisioning to Just-In-Time (JIT) within the Identity Provider settings:

  1. Log into the SDDC Manager UI or vCenter (VCF SSO) administration interface.

  2. Navigate to Inventory > Administration > Identity Provider.

  3. Edit the Entra ID (OIDC) configuration.

  4. Locate the Provisioning Section.

  5. Set User Provisioning to JIT.

  6. Set Group Provisioning to JIT.

  7. Verify that the Groups Claim name (e.g., groups) exactly matches the attribute name sent by Entra ID.

  8. Save the configuration and perform a new login attempt.
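As an added example, not from the KB article or the product: a Python diagnostic for step 7 that decodes an Entra ID token's payload (without verifying the signature) and reports whether the claim name configured in VIDB actually appears in the token as a non-empty array. The token, claim values and function names are constructed for this example.

```python
import base64
import json

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)

def decode_jwt_payload(id_token: str) -> dict:
    """Return the claims in an ID token's payload. Diagnostic decode only: the
    signature is NOT verified here; the identity broker does that itself."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def check_groups_claim(claims: dict, configured_claim: str) -> dict:
    """Compare the groups claim name configured in VIDB with what the token
    carries. An absent or empty claim is what leaves groupNames/groupIds empty."""
    present = configured_claim in claims
    value = claims.get(configured_claim)
    groups = value if isinstance(value, list) else ([] if value is None else [value])
    # Other array-valued claims are listed so a spelling/case mismatch is obvious.
    others = [k for k, v in claims.items() if isinstance(v, list) and k != configured_claim]
    return {
        "configured_claim": configured_claim,
        "claim_present": present,
        "group_count": len(groups),
        "ok": present and len(groups) > 0,
        "other_array_claims": others,
    }

def make_unsigned_token(claims: dict) -> str:
    # Constructed sample only: unsigned token with a dummy signature segment,
    # used to exercise the checker offline.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

# Constructed claims; tenant id and group id are placeholders.
SAMPLE_CLAIMS = {
    "iss": "https://login.microsoftonline.com/<tenant-id>/v2.0",
    "preferred_username": "alice@example.com",
    "groups": ["00000000-0000-0000-0000-000000000001"],
}

if __name__ == "__main__":
    claims = decode_jwt_payload(make_unsigned_token(SAMPLE_CLAIMS))
    print(check_groups_claim(claims, "groups"))   # claim matches: ok
    print(check_groups_claim(claims, "Groups"))   # name mismatch: no groups
```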

Additional Information

VCF 9.0 login using Entra ID and JIT provisioning fails with vim.fault.NoPermission (Japanese title of this article)