After installing or upgrading to vSphere 8.0 Update 2, you can configure vCenter Server Identity Provider Federation for Azure AD as an external identity provider.
vCenter Server supports only one configured external identity provider (one source), and the vsphere.local identity source (local source). You cannot use multiple external identity providers. vCenter Server Identity Provider Federation uses OpenID Connect (OIDC) for user login to vCenter Server.
You can configure privileges using Azure AD groups and users through global or object permissions in vCenter Server. See the vSphere Security documentation for details about adding permissions.
For a walk-through of the configuration process, see the following video:
- You are a customer of Microsoft and have an Azure AD account.
- You have created an enterprise (non-gallery) application with OpenID Connect as the sign-on method.
- Add authorization code, refresh token, and resource owner password as grant types in the created application.
- For user and group sync, you need to configure VMware Identity Services Gallery Application for SCIM 2.0 provisioning in Azure AD with OAuth 2.0 Bearer Token.
- vSphere 8.0 Update 2 or later, with the VMware Identity Services activated (they are activated by default).
- On the vCenter Server where you want to create the Azure AD identity source, verify that the VMware Identity Services are activated.
- The users and groups from the identity provider are provisioned in your vCenter Server.
- You must have the VcIdentityProviders.Manage privilege to create, update, or delete a vCenter Server Identity Provider that is required for federated authentication. To limit a user to view the Identity Provider configuration information only, assign the VcIdentityProviders.Read privilege.
- You can configure vCenter Server Identity Provider Federation for Azure AD in an Enhanced Linked Mode configuration. When you configure Azure AD in an Enhanced Linked Mode configuration, you configure the Azure AD identity provider to use VMware Identity Services on a single vCenter Server system. For example, if your Enhanced Linked Mode configuration consists of two vCenter Server systems, only one vCenter Server and its instance of VMware Identity Services is used to communicate with the Azure AD server. If this vCenter Server system becomes unavailable, you can configure VMware Identity Services on another vCenter Server system in the ELM configuration to interact with your Azure AD server. For more information, see Activation Process for Okta and Azure AD in Enhanced Linked Mode Configurations.
- When configuring Azure AD as an external identity provider, all the vCenter Server systems in an Enhanced Linked Mode configuration must run at least vSphere 8.0 Update 2.
- If your network is not publicly available, you must create a network tunnel between your vCenter Server system and your Azure AD server, then use the appropriate publicly accessible URL as the Base Uri.
- Create an OpenID Connect application in Azure AD and assign groups and users to the OpenID Connect application.
To create the OpenID Connect application and assign groups and users, see the VMware knowledge base article at https://kb.vmware.com/s/article/94182. Follow the steps in the section titled "Create the OpenID Connect Application." After you create the Azure AD OpenID Connect application, copy the following information from the Azure AD OpenID Connect application to a file for use when configuring the vCenter Server identity provider in the next step.
- Client Identifier
- Client secret (shown as Shared secret in the vSphere Client).
- Active Directory domain information, or Azure AD domain information if you are not running Active Directory.
- To create the identity provider on vCenter Server:
- Use the vSphere Client to log in as an administrator to vCenter Server.
- Navigate to .
- Click Change Provider and select Azure AD.
The Configure Main Identity Provider wizard opens.
- In the Prerequisites panel, review the Azure AD and the vCenter Server requirements.
- Click Run Prechecks.
If the precheck finds errors, click View Details and take steps to resolve the errors as indicated.
- When the Precheck passes, click the confirmation check box then click Next.
- In the Directory Information panel, enter the following information.
- Directory Name: Name of the local directory to create on vCenter Server that stores the users and groups pushed from Azure AD. For example, vcenter-azuread-directory.
- Domain Names: Enter the Azure AD domain names that contain the Azure AD users and groups you want to synchronize with vCenter Server.
After you enter your Azure AD domain name, click the Plus icon (+) to add it. If you enter multiple domain names, specify the default domain.
- Click Next.
- In the User Provisioning panel, select the duration of the token lifespan and click Next.
The Azure AD SCIM 2.0 application uses the token to synchronize the Azure AD users and groups into VMware Identity Services.
- In the OpenID Connect panel, enter the following information.
- Redirect URI: Filled in automatically. You give the Redirect URI to your Azure AD administrator for use in creating the OpenID Connect application.
- Identity Provider Name: Filled in automatically as Azure AD.
- Client Identifier: Obtained when you created the OpenID Connect application in Azure AD in step 1. (Azure AD refers to Client Identifier as the Client ID.)
- Shared Secret: Obtained when you created the OpenID Connect application in Azure AD in step 1. (Azure AD refers to Shared Secret as the Client Secret.)
- OpenID Address: Takes the form https://Azure AD domain space/oauth2/default/.well-known/openid-configuration.
For example, if your Azure AD domain space is example.AzureAD.com, then the OpenID Address is:
- Click Next.
- Review the information and click Finish.
vCenter Server creates the Azure AD identity provider and displays the configuration information.
- If necessary, scroll down and click the Copy icon for the Redirect URI and save it to a file.
You use the Redirect URI in the Azure AD OpenID Connection application.
- Click the Copy icon for the Tenant URL and save it to a file.
Note: If your network is not publicly available, you must create a network tunnel between your vCenter Server system and your Azure AD server. After creating the network tunnel, use the appropriate publicly accessible URL as the Base Uri.
- Click Generate Token, then click the Copy icon to copy the token and save it to a file.
You use the Tenant URL and the token in the Azure AD SCIM 2.0 application. This information is necessary to push Azure AD users and groups from Azure AD to vCenter Server.
- Return to the VMware knowledge base article at https://kb.vmware.com/s/article/94182 to update the Azure AD Redirect URI.
Follow the steps in the section titled "Update the Azure AD Redirect URI."
- To create the SCIM 2.0 application, remain in the VMware knowledge base article at https://kb.vmware.com/s/article/94182.
Follow the steps in the section titled "Create the SCIM 2.0 Application and Push Users and Groups to vCenter Server." When done creating the SCIM 2.0 application as described in the knowledge base article, continue with the next step.
- Configure the group membership in vCenter Server for Azure AD Authorization.
You must configure group membership before Azure AD users can log in to vCenter Server.
- In the vSphere Client, while logged in as a local administrator, go to .
- Click the Groups tab.
- Click the Administrators group and click Add Members.
- Select the domain name of the Azure AD group that you want to add from the drop-down menu.
- In the text box below the drop-down menu, enter the first few characters of the Azure AD group that you want to add, then wait for the drop-down selection to appear.
- Select the Azure AD group and add it to the Administrators group.
- Click Save.
- Verify logging in to vCenter Server with an Azure AD user.
- To assign inventory-level and global permissions to Azure AD users, see the topic about managing permissions for vCenter Server components in the vSphere Security documentation.
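The OpenID Address entered in the OpenID Connect panel is the one value in this procedure that vCenter Server must reach over the network, and a mistyped or wrong-tenant address fails only at login time. The following added example (not VMware or Microsoft code) checks the address format offline and then checks a copy of the discovery document it points to for the endpoints and grant types the prerequisites above call for. `SAMPLE_ADDRESS` and `SAMPLE_DISCOVERY` are constructed placeholders, not a real tenant's metadata; to check your own tenant, download the document with a browser or `curl` and pass its text to `validate_discovery_document`.

```python
"""Offline sanity checks for the OpenID Address used in vCenter Server
Identity Provider Federation.

Added example, not VMware or Microsoft code. SAMPLE_ADDRESS and
SAMPLE_DISCOVERY are constructed stand-ins for a tenant's real values.
"""
import json
from urllib.parse import urlparse

DISCOVERY_SUFFIX = "/.well-known/openid-configuration"
# Endpoints vCenter Server needs for an OIDC authorization-code login and
# for validating the ID token signature (jwks_uri).
REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
# Grant types from the prerequisites that providers commonly advertise in
# discovery metadata. The field is optional in OIDC discovery, so it is only
# checked when present; the resource owner password grant is configured on
# the application and is not checked here.
EXPECTED_GRANT_TYPES = {"authorization_code", "refresh_token"}

# Constructed sample; the host is a placeholder, not a real tenant.
SAMPLE_ADDRESS = "https://example.AzureAD.com/oauth2/default/.well-known/openid-configuration"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://example.AzureAD.com/oauth2/default",
    "authorization_endpoint": "https://example.AzureAD.com/oauth2/default/v1/authorize",
    "token_endpoint": "https://example.AzureAD.com/oauth2/default/v1/token",
    "jwks_uri": "https://example.AzureAD.com/oauth2/default/v1/keys",
    "response_types_supported": ["code"],
    "grant_types_supported": ["authorization_code", "refresh_token", "password"],
})


def validate_openid_address(address: str) -> list[str]:
    """Return the problems found with an OpenID Address; an empty list means it looks usable."""
    problems = []
    parsed = urlparse(address)
    if parsed.scheme != "https":
        problems.append("OpenID Address must use https")
    if not parsed.netloc:
        problems.append("OpenID Address has no host")
    if not parsed.path.endswith(DISCOVERY_SUFFIX):
        problems.append(f"OpenID Address should end with {DISCOVERY_SUFFIX}")
    return problems


def validate_discovery_document(address: str, raw_json: str) -> list[str]:
    """Check that the metadata served at the OpenID Address supports what vCenter Server needs."""
    try:
        doc = json.loads(raw_json)
    except json.JSONDecodeError:
        return ["document is not valid JSON"]
    if not isinstance(doc, dict):
        return ["document is not a JSON object"]

    problems = []
    for field in REQUIRED_FIELDS:
        value = doc.get(field)
        if not isinstance(value, str) or not value:
            problems.append(f"missing {field}")
        elif urlparse(value).scheme != "https":
            problems.append(f"{field} is not https")

    # Per OIDC Discovery, the document lives at issuer + DISCOVERY_SUFFIX.
    # A mismatch usually means the address points at a different tenant or
    # authorization server than the one the application was created in.
    issuer = doc.get("issuer")
    if isinstance(issuer, str) and issuer.rstrip("/") + DISCOVERY_SUFFIX != address:
        problems.append("issuer does not match the OpenID Address")

    if "code" not in doc.get("response_types_supported", []):
        problems.append("response_type 'code' not supported")

    advertised = doc.get("grant_types_supported")
    if advertised is not None:
        missing = EXPECTED_GRANT_TYPES - set(advertised)
        if missing:
            problems.append("grant types not advertised: " + ", ".join(sorted(missing)))
    return problems


if __name__ == "__main__":
    for check in (validate_openid_address(SAMPLE_ADDRESS),
                  validate_discovery_document(SAMPLE_ADDRESS, SAMPLE_DISCOVERY)):
        print("OK" if not check else "; ".join(check))
```

Run it once against the constructed sample to see both checks pass, then replace `SAMPLE_ADDRESS` and `SAMPLE_DISCOVERY` with your tenant's address and downloaded metadata before entering the value in the wizard. The Run Prechecks step in the wizard still runs; this only catches the cases that would otherwise surface as a failed first login.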