Using Microsoft Entra ID as the identity provider for the management domain vCenter Server allows for identity federation across SDDC Manager, vCenter Server, and NSX Manager.

Configuring identity federation with Microsoft Entra ID involves performing tasks in the Microsoft Entra Admin Console and the SDDC Manager UI. After the users and groups are synced, you can assign permissions in SDDC Manager, vCenter Server, and NSX Manager.
  1. Create an OpenID Connect application for VMware Cloud Foundation in Microsoft Entra ID.
  2. Configure Microsoft Entra ID as the Identity Provider in the SDDC Manager UI.
  3. Update the Microsoft Entra ID OpenID Connect application with the Redirect URI from SDDC Manager.
  4. Create a SCIM 2.0 Application for VMware Cloud Foundation.
  5. Assign Permissions for Microsoft Entra ID Users and Groups in SDDC Manager, vCenter Server, and NSX Manager.
Note: If you created isolated VI workload domains that use different SSO domains, you must use the vSphere Client to configure Microsoft Entra ID as the identity provider for those SSO domains. When you configure Microsoft Entra ID as the identity provider for an isolated workload domain in the vSphere Client, NSX Manager is automatically registered as a relying party. This means that once a Microsoft Entra ID user with the necessary permissions has logged in to the isolated VI workload domain vCenter Server, they can directly access the VI workload domain's NSX Manager from the SDDC Manager UI without having to log in again.

Prerequisites

Integrate Active Directory (AD) with Microsoft Entra ID. See the Microsoft documentation for more information.
Note: This is not required if you do not want to integrate with AD or have previously integrated AD and Microsoft Entra ID.

Create an OpenID Connect application for VMware Cloud Foundation in Microsoft Entra ID

Before you can use Microsoft Entra ID as the identity provider in VMware Cloud Foundation, you need to create an OpenID Connect application in Microsoft Entra ID and assign users and groups to the OpenID Connect application.

Procedure

  1. Log in to the Microsoft Entra Admin console and follow the Microsoft documentation to create an OpenID Connect application.
    When creating the OpenID Connect application in the Create a new app integration wizard:
    • Select Home > Azure AD Directory > App Registration > New Registration.
    • Enter an appropriate name for the OpenID Connect application, for example, EntraID-vCenter-app.
    • Leave Supported account types as default or select per requirement.
    • Set Redirect URI as Web. There is no need to enter a redirect URI at this point; it is filled in later with the value from SDDC Manager.
  2. After the OpenID Connect application is created, generate the Client Secret.
    1. Click Certificates & secrets > Client secrets > New client secret.
    2. Enter a description for the client secret and select the validity in Expiry drop-down menu.
    3. Click Add.
    4. Once a secret is generated, copy the content under Value and save it for use in creating the Microsoft Entra ID identity provider in SDDC Manager.
      Note: SDDC Manager uses the term Shared Secret for the Client Secret.
  3. Retrieve the Client ID.
    1. Click Overview.
    2. Copy the value from Application (client) ID.
      Note: SDDC Manager uses the term Client Identifier for the Client ID.
  4. Click Overview > Endpoints and copy the value for the OpenID Connect metadata document.
  5. Click Manage > Authentication, scroll to the Advanced settings section, slide the toggle to Yes for Enable the following mobile and desktop flows and click Save.
    Advanced settings screen, showing the option to enable mobile and desktop flows.
  6. Click Manage > API permissions and click Grant admin consent for <tenant_organization_name>. For example, Grant admin consent for vcenter auth services.
    Screen that shows the Grant admin consent for vcenter auth services option. vcenter auth services is an example tenant organization name.

What to do next

Configure Microsoft Entra ID as the identity provider in the SDDC Manager UI using the Client Secret, Client ID, and OpenID Connect information you copied.

Configure Microsoft Entra ID as the Identity Provider in the SDDC Manager UI

You can configure VMware Cloud Foundation to use Microsoft Entra ID as an external identity provider, instead of using vCenter Single Sign-On. In this configuration, the external identity provider interacts with the identity source on behalf of vCenter Server.

You can only add one external identity provider to VMware Cloud Foundation.

This procedure configures Microsoft Entra ID as the identity provider for the management domain vCenter Server. The VMware Identity Services information endpoint is replicated to all other vCenter Server nodes that are part of the management domain vCenter Server enhanced linked mode (ELM) group. This means that when a user logs into and is authorized by the management domain vCenter Server, the user is also authorized on any VI workload domain vCenter Server that is part of the same ELM group. If the user logs in to a VI workload domain vCenter Server first, the same holds true.
Note: The Microsoft Entra ID configuration information and user/group information is not replicated between vCenter Server nodes in enhanced linked mode. Do not use the vSphere Client to configure Microsoft Entra ID as the identity provider for any VI workload domain vCenter Server that is part of the ELM group.

Prerequisites

Microsoft Entra ID requirements:
  • You are a customer of Microsoft Entra ID and have an Azure AD account.
  • To perform OIDC logins and manage user and group permissions, you must create the following Microsoft Entra ID applications.
    • A Microsoft Entra ID native application with OpenID Connect as the sign-on method. The native application must include the grant types of authorization code, refresh token, and resource owner password.
    • A System for Cross-domain Identity Management (SCIM) 2.0 application with an OAuth 2.0 Bearer Token to perform user and group synchronization between the Microsoft Entra ID server and the vCenter Server.
Networking requirements:
  • If your network is not publicly available, you must create a network tunnel between your vCenter Server system and your Microsoft Entra ID server, then use the appropriate publicly accessible URL as the SCIM 2.0 Tenant URL.
vSphere and NSX requirements:
  • vSphere 8.0 Update 2 or later.
  • NSX 4.1.2 or later.
Note: If you added vCenter group memberships for any remote AD/LDAP users or groups, vCenter Server attempts to prepare these memberships so that they are compatible with the new identity provider configuration. This preparation process happens automatically at service startup, but it must complete before you can continue with the Microsoft Entra ID configuration. Click Run Prechecks to check the status of this process before proceeding.

Procedure

  1. Log in to the SDDC Manager UI as a user with the ADMIN role.
  2. In the navigation pane, click Administration > Single Sign On.
  3. Click Identity Provider.
  4. Click Change Identity Provider and select Microsoft Entra ID.
    External Providers menu, showing Microsoft Entra ID.
  5. Click Next.
  6. In the Prerequisites panel, review and confirm the prerequisites.
  7. Click Run Prechecks to ensure that the system is ready to change identity providers.
    If the precheck finds errors, click View Details and take steps to resolve the errors as indicated.
  8. In the Directory Info panel, enter the following information.
    Directory information section of the Connect Identity Provider wizard.
    • Directory Name: Name of the local directory to create on vCenter Server that stores the users and groups pushed from Microsoft Entra ID. For example, vcenter-entra-directory.
    • Domain Name(s): Enter the domain names that contain the Microsoft Entra ID users and groups you want to synchronize with vCenter Server.

      After you enter a domain name, click the Plus icon (+) to add it. If you enter multiple domain names, specify the default domain.

  9. Click Next.
  10. In the OpenID Connect Configuration panel, enter the following information.
    OpenID Connection Configuration section of the Connect Identity Provider wizard.
    • Redirect URIs: Filled in automatically. You give the redirect URI to your Microsoft Entra ID administrator for use in creating the OpenID Connect application.
    • Identity Provider Name: Filled in automatically as Entra.
    • Client Identifier: Obtained when you created the OpenID Connect application in Microsoft Entra ID. (Microsoft Entra ID refers to Client Identifier as the Client ID.)
    • Shared Secret: Obtained when you created the OpenID Connect application in Microsoft Entra ID. (Microsoft Entra ID refers to Shared Secret as the Client Secret.)
    • OpenID Address: Obtained when you created the OpenID Connect application in Microsoft Entra ID. (Microsoft Entra ID refers to OpenID Address as the OpenID Connect metadata document).
  11. Click Next.
  12. Review the information and click Finish.

Update the Microsoft Entra ID OpenID Connect application with the Redirect URI from SDDC Manager

After you create the Microsoft Entra ID identity provider configuration in the SDDC Manager UI, update the Microsoft Entra ID OpenID Connect application with the Redirect URI from SDDC Manager.

Prerequisites

Copy the Redirect URI from the SDDC Manager UI.
  1. Log in to the SDDC Manager UI.
  2. In the navigation pane, click Administration > Single Sign On.
  3. Click Identity Provider.
  4. In the OpenID Connect section, copy and save the Redirect URI.
    OpenID Connect section for a Microsoft Entra ID identity provider, showing the redirect URI.

Procedure

  1. Log in to the Microsoft Entra Admin Console.
  2. In the App Registrations screen for your OpenID Connect application, click Authentication.
  3. Select Add a platform and then select Web.
  4. In the Redirect URIs text box, paste the copied Redirect URI from SDDC Manager.
  5. Click Configure.

Create a SCIM 2.0 Application for Using Microsoft Entra ID with VMware Cloud Foundation

Creating a SCIM 2.0 application for Microsoft Entra ID enables you to specify which Active Directory users and groups to push to vCenter Server.

If your vCenter Server accepts inbound traffic, follow the procedure below to create a SCIM 2.0 application. If your vCenter Server does not accept inbound traffic, see the Microsoft Entra ID documentation for alternative methods:
  • Microsoft Entra Connect Provisioning Agent
  • Microsoft Entra Application Proxy Agent

Prerequisites

Copy the Tenant URL and Secret Token from the SDDC Manager UI.
  1. Log in to the SDDC Manager UI.
  2. In the navigation pane, click Administration > Single Sign On.
  3. Click Identity Provider.
  4. In the User Provisioning section, click Generate and then copy and save the Secret Token and Tenant URL.
    User Provisioning section for a Microsoft Entra ID identity provider, showing the tenant URL and secret token.

You will use this information to configure the Provisioning settings below.

Procedure

  1. Log in to the Microsoft Entra Admin Console.
  2. Navigate to Applications > Enterprise Applications and click New application.
  3. Search for "VMware Identity Service" and select it in the search results.
  4. Enter an appropriate name for the SCIM 2.0 application, for example, VCF SCIM 2.0 app.
  5. Click Create.
  6. After the SCIM 2.0 application is created, click Manage > Provisioning and specify the Provisioning settings.
    1. Select Automatic as the Provisioning Mode.
    2. Enter the Tenant URL and Secret Token that you copied from the SDDC Manager UI and click Test Connection.
      Note: If you have a network tunnel between the vCenter Server system and the Microsoft Entra ID server, then use the appropriate publicly accessible URL as the Tenant URL.
    3. Click Save.
    4. Expand the Mappings section and click Provision Azure Active Directory Users.
    5. On the Attribute Mapping screen, click userPrincipalName.
    6. On the Edit Attribute screen, update the settings and then click OK.

      Mapping type: Select Expression.
      Expression: Enter the following text:
      Item(Split([userPrincipalName], "@"), 1)
    7. Click Add New Mapping.
    8. On the Edit Attribute screen, update the settings and then click OK.

      Mapping type: Select Expression.
      Expression: Enter the following text:
      Item(Split([userPrincipalName], "@"), 2)
      Target attribute: Select urn:ietf:params:scim:schemas:extension:ws1b:2.0:User:domain.
    9. Click Save.
    10. Set the Provisioning Status to On.
  7. Provision users.
    1. Click Manage > Users and groups.
    2. Click Add user/group.
    3. Search for users and groups and click Select.
    4. Click Assign.
    5. Click Manage > Provisioning.
    6. Click Start provisioning.
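The two attribute-mapping expressions above split the userPrincipalName at "@" into a user name and a domain; the domain must be one of the Domain Name(s) entered in the SDDC Manager Directory Info panel, because those are the domains under which SDDC Manager lists the synced users. The following Python emulation is an added example, not part of the VMware documentation or the VMware Identity Service; it assumes the first expression targets the SCIM core userName attribute, uses the core schema URN from RFC 7643, and assumes an out-of-range Item() index yields an empty value.

```python
import json

# Constructed sample: the Domain Name(s) entered in the SDDC Manager Directory Info panel
CONFIGURED_DOMAINS = ["corp.example.com", "labs.example.com"]

# Constructed sample UPNs as they would appear in Microsoft Entra ID
SAMPLE_UPNS = [
    "alice@corp.example.com",
    "bob@labs.example.com",
    "svc-backup@other.example.net",   # suffix not configured in SDDC Manager
    "legacyuser",                      # no "@": Split() yields a single item
]

WS1B_USER_EXT = "urn:ietf:params:scim:schemas:extension:ws1b:2.0:User"


def item_split(value: str, sep: str, index: int) -> str:
    """Emulate the Entra provisioning expression Item(Split([attr], sep), index).
    Item() is 1-based. Assumption: an out-of-range index yields an empty string."""
    parts = value.split(sep)
    return parts[index - 1] if 1 <= index <= len(parts) else ""


def scim_user_from_upn(upn: str) -> dict:
    """Build the SCIM 2.0 user that the two mappings on the page produce:
    userName            <- Item(Split([userPrincipalName], "@"), 1)   (target assumed)
    ws1b extension domain <- Item(Split([userPrincipalName], "@"), 2) (target from the page)"""
    return {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", WS1B_USER_EXT],
        "userName": item_split(upn, "@", 1),
        WS1B_USER_EXT: {"domain": item_split(upn, "@", 2)},
    }


def check_domain(user: dict, configured: list) -> str:
    """Return 'ok', 'unconfigured-domain' (suffix not in Domain Name(s)) or
    'missing-domain' (UPN had no '@', so the domain mapping is empty)."""
    domain = user[WS1B_USER_EXT]["domain"]
    if not domain:
        return "missing-domain"
    known = {d.lower() for d in configured}
    return "ok" if domain.lower() in known else "unconfigured-domain"


if __name__ == "__main__":
    for upn in SAMPLE_UPNS:
        user = scim_user_from_upn(upn)
        print(f"{upn:32} -> {check_domain(user, CONFIGURED_DOMAINS):20} {json.dumps(user)}")
```

Run it against an export of your own UPNs before clicking Start provisioning to spot accounts whose suffix will not fall under a configured domain.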

Assign Microsoft Entra ID Users and Groups as Administrators in SDDC Manager, vCenter Server, and NSX Manager

After you have successfully configured Microsoft Entra ID and synced its users and groups, you can add users and groups as administrators in SDDC Manager, vCenter Server, and NSX Manager. This enables admin users to sign in to one product UI (for example, SDDC Manager) and not be prompted for credentials again when signing in to another product UI (for example, NSX Manager).

Procedure

  1. Add Microsoft Entra ID users/groups as administrators in SDDC Manager.
    1. In the SDDC Manager UI, click Administration > Single Sign On.
    2. Click Users and Groups and then click + User or Group.
      An image showing the add user or group button.
    3. Select one or more users or groups by clicking the check box next to each user or group.
      You can either search for a user or group by name, or filter by user type or domain.
      Note: Microsoft Entra ID users and groups appear in the domain(s) that you specified when you configured Microsoft Entra ID as the identity provider in the SDDC Manager UI.
    4. Select the ADMIN role for each user and group.
      The Choose Role drop-down menu.
    5. Scroll down to the bottom of the page and click Add.
  2. Add Microsoft Entra ID users/groups as administrators in vCenter Server.
    1. Log in to the vSphere Client as a local administrator.
    2. Select Administration and click Global Permissions in the Access Control area.
      The Global Permissions menu.
    3. Click Add.
    4. From the Domain drop-down menu, select the domain for the user or group.
    5. Enter a name in the Search box.
      The system searches user names and group names.
    6. Select a user or group.
    7. Select Administrator from the Role drop-down menu.
    8. Select the Propagate to children check box.
      The Add Permission dialog box.
    9. Click OK.
  3. Verify logging in to SDDC Manager with a Microsoft Entra ID user.
    1. Log out of the SDDC Manager UI.
    2. Click Sign in with SSO.
      The Sign In With SSO button.
    3. Enter a username and password and click Sign In.
  4. Verify logging in to vCenter Server with a Microsoft Entra ID user.
    1. Log out of the vSphere Client.
    2. Click Sign in with SSO.
      The Sign In With SSO button.
  5. Add Microsoft Entra ID users/groups as administrators in NSX Manager.
    1. Log in to NSX Manager.
    2. Navigate to System > User Management.
      The User Management menu.
    3. On the User Role Assignment tab, click Add Role for OpenID Connect User.
      User Role Assignment for User Management.
    4. Select vcenter-idp-federation from the drop-down menu and then enter text to search for and select a Microsoft Entra ID user or group.
    5. Click Set in the Roles column.
    6. Click Add Role.
    7. Select Enterprise Admin from the drop-down menu and click Add.
      The Set Roles/Scope dialog box.
    8. Click Apply.
    9. Click Save.
  6. Verify logging in to NSX Manager with a Microsoft Entra ID user.
    1. Log out of NSX Manager.
    2. Click Sign in with vCenter-IDP-Federation.
      The Sign In With vCenter-IDP-Federation button.