You must configure dual authentication in order to perform certain tasks, such as updating or rotating passwords and configuring NSX Manager backups.

You will use the vSphere Client to create a new SSO group (Sddc_Secured_Access), add a user to the group, and assign a password to that user. The user is called the privileged user and will be required, along with its password, to perform certain tasks from the SDDC Manager UI or the VMware Cloud Foundation API.

You can create a new SSO user as the privileged user, or use an existing SSO user. If you plan to invoke operations requiring the privileged user as part of an automation solution, you should create a separate SSO user for this purpose. The SSO users used by automation should also be assigned the No Access role.

Note: The administrator@vsphere.local user cannot be the privileged user.


To perform this operation, you need to log in to the management vCenter Server as the administrator@vsphere.local user or another user who has the administrator role.


  1. Log in to the management vCenter Server using the vSphere Client.
  2. Navigate to Administration > Single Sign On > Users and Groups.
  3. Click the Users tab and select the domain from the drop-down list.
  4. To create a new user in the selected domain, click Add User, enter the required information, and click Add.
  5. Click the Groups tab and click Add Group.
  6. Create a group named Sddc_Secured_Access, add the new or existing user to the group, and click Add.