After installing or upgrading to vSphere 8.0 Update 2 or later, you can configure vCenter Server Identity Provider Federation for Microsoft Entra ID (formerly called Azure AD) as an external identity provider.

vCenter Server supports only one configured external identity provider (one source), and the vsphere.local identity source (local source). You cannot use multiple external identity providers. vCenter Server Identity Provider Federation uses OpenID Connect (OIDC) for user login to vCenter Server.

You can configure privileges using Microsoft Entra ID groups and users through global or object permissions in vCenter Server. See the vSphere Security documentation for details about adding permissions.

For a walk-through of the configuration process, see the following video:

vCenter Authentication: AzureAD/Entra ID integration | vSphere 8 Update 2

Prerequisites

Microsoft Entra ID requirements:
  • You are a customer of Microsoft and have a Microsoft Entra ID account.
Microsoft Entra ID Connectivity requirements:
  • You have created an enterprise (non-gallery) application with OpenID Connect as a sign-on method.
  • You have added authorization code, refresh token, and resource owner password as grant types to the created application.
  • For user and group sync, you need to configure VMware Identity Services Gallery Application for SCIM 2.0 provisioning in Microsoft Entra ID with OAuth 2.0 Bearer Token.
vCenter Server requirements:
  • vSphere 8.0 Update 2 or later, with the VMware Identity Services activated (they are activated by default).
  • On the vCenter Server where you want to create the Microsoft Entra ID identity source, verify that the VMware Identity services are activated.
  • The users and groups from the identity provider are provisioned in your vCenter Server.
vSphere privileges requirements:
  • You must have the VcIdentityProviders.Manage privilege to create, update, or delete a vCenter Server Identity Provider that is required for federated authentication. To limit a user to view the Identity Provider configuration information only, assign the VcIdentityProviders.Read privilege.
Enhanced Linked Mode requirements:
  • You can configure vCenter Server Identity Provider Federation for Microsoft Entra ID in an Enhanced Linked Mode configuration. When you configure Microsoft Entra ID in an Enhanced Linked Mode configuration, you configure the Microsoft Entra ID identity provider to use VMware Identity Services on a single vCenter Server system. For example, if your Enhanced Linked Mode configuration consists of two vCenter Server systems, only one vCenter Server and its instance of VMware Identity Services is used to communicate with the Microsoft Entra ID server. If this vCenter Server system becomes unavailable, you can configure VMware Identity Services on other vCenter Server systems in the ELM configuration to interact with your Microsoft Entra ID server. For more information, see Activation Process for External Identity Providers in Enhanced Linked Mode Configurations.
  • When configuring Microsoft Entra ID as an external identity provider, all the vCenter Server systems in an Enhanced Linked Mode configuration must run at least vSphere 8.0 Update 2.
Networking requirements:
  • If your network is not publicly available, you must create a network tunnel between your vCenter Server system and your Microsoft Entra ID server, then use the appropriate publicly accessible URL as the Base Uri.

Procedure

  1. Create an OpenID Connect application in Microsoft Entra ID and assign groups and users to the OpenID Connect application.
    To create the OpenID Connect application and assign groups and users, see the VMware knowledge base article at https://kb.vmware.com/s/article/94182. Follow the steps in the section titled "Create the OpenID Connect Application." After you create the OpenID Connect application, copy the following information from the Microsoft Entra ID OpenID Connect application to a file for use when configuring the vCenter Server identity provider in the next step.
    • Client Identifier
    • Client secret (shown as Shared secret in the vSphere Client).
    • Active Directory domain information, or Microsoft Entra ID domain information if you are not running Active Directory.
  2. To create the identity provider on vCenter Server:
    1. Use the vSphere Client to log in as an administrator to vCenter Server.
    2. Navigate to Home > Administration > Single Sign On > Configuration.
    3. Click Change Provider and select Microsoft Entra ID.
      The Configure Main Identity Provider wizard opens.
    4. In the Prerequisites panel, review the Microsoft Entra ID and the vCenter Server requirements.
    5. Click Run Prechecks.
      If the precheck finds errors, click View Details and take steps to resolve the errors as indicated.
    6. When the Precheck passes, click the confirmation check box then click Next.
    7. In the Directory Information panel, enter the following information.
      • Directory Name: Name of the local directory to create on vCenter Server that stores the users and groups pushed from Microsoft Entra ID. For example, vcenter-entraid-directory.
      • Domain Names: Enter the Microsoft Entra ID domain names that contain the Microsoft Entra ID users and groups you want to synchronize with vCenter Server.

        After you enter your Microsoft Entra ID domain name, click the Plus icon (+) to add it. If you enter multiple domain names, specify the default domain.

    8. Click Next.
    9. In the OpenID Connect panel, enter the following information.
      • Redirect URI: Filled in automatically. You give the Redirect URI to your Microsoft Entra ID administrator for use in creating the OpenID Connect application.
      • Identity Provider Name: Filled in automatically as Microsoft Entra ID.
      • Client Identifier: Obtained when you created the OpenID Connect application in Microsoft Entra ID in step 1. (Microsoft Entra ID refers to Client Identifier as the Client ID.)
      • Shared Secret: Obtained when you created the OpenID Connect application in Microsoft Entra ID in step 1. (Microsoft Entra ID refers to Shared Secret as the Client Secret.)
      • OpenID Address: Takes the form https://<Microsoft Entra ID domain space>/oauth2/default/.well-known/openid-configuration.

        For example, if your Microsoft Entra ID domain space is example.EntraID.com, then the OpenID Address is: https://example.EntraID.com/oauth2/default/.well-known/openid-configuration

    10. Click Next.
    11. Review the information and click Finish.
      vCenter Server creates the Microsoft Entra ID identity provider and displays the configuration information.
    12. If necessary, scroll down and click the Copy icon for the Redirect URI and save it to a file.
      You use the Redirect URI in the Microsoft Entra ID OpenID Connect application.
    13. Click the Copy icon for the Tenant URL and save it to a file.
      Note: If your network is not publicly available, you must create a network tunnel between your vCenter Server system and your Microsoft Entra ID server. After creating the network tunnel, use the appropriate publicly accessible URL as the Base Uri.
    14. Under User Provisioning, click Generate to create the secret token, select the token lifespan from the drop-down, then click Copy to Clipboard. Save the token to a secure location.
      You use the Tenant URL and the token in the Microsoft Entra ID SCIM 2.0 application. The Microsoft Entra ID SCIM 2.0 application uses the token to synchronize the Microsoft Entra ID users and groups into VMware Identity Services. This information is necessary to push Microsoft Entra ID users and groups from Microsoft Entra ID to vCenter Server.
  3. Return to the VMware knowledge base article at https://kb.vmware.com/s/article/94182 to update the Microsoft Entra ID Redirect URI.
    Follow the steps in the section titled "Update the Azure AD Redirect URI."
  4. To create the SCIM 2.0 application, remain in the VMware knowledge base article at https://kb.vmware.com/s/article/94182.
    Follow the steps in the section titled "Create the SCIM 2.0 Application and Push Users and Groups to vCenter Server."
    When done creating the SCIM 2.0 application as described in the knowledge base article, continue with the next step.
  5. Configure the group membership in vCenter Server for Microsoft Entra ID Authorization.
    You must configure group membership before Microsoft Entra ID users can log in to vCenter Server.
    1. In the vSphere Client, while logged in as a local administrator, go to Administration > Single Sign On > Users and Groups.
    2. Click the Groups tab.
    3. Click the Administrators group and click Add Members.
    4. Select the domain name of the Microsoft Entra ID group that you want to add from the drop-down menu.
    5. In the text box below the drop-down menu, enter the first few characters of the Microsoft Entra ID group that you want to add, then wait for the drop-down selection to appear.
    6. Select the Microsoft Entra ID group and add it to the Administrators group.
    7. Click Save.
  6. Verify logging in to vCenter Server with a Microsoft Entra ID user.
  7. To assign inventory-level and global permissions to Microsoft Entra ID users, see the topic about managing permissions for vCenter Server components in the vSphere Security documentation.
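A small precheck you can run before step 9 of the procedure, added here as an example and not part of the VMware documentation or product: it builds the OpenID Address from the Microsoft Entra ID domain space in the form the page gives, and verifies that the OIDC discovery document at that address uses HTTPS, has a matching issuer, and advertises the three grant types required in the Prerequisites. The discovery document in the block is constructed sample data; fetch_discovery() retrieves a real one when the address is reachable.

```python
# Added example (not VMware's code): builds the OpenID Address exactly as the
# page describes and checks that the OIDC discovery document advertises the
# grant types listed in the Prerequisites. SAMPLE_DOC is constructed data.
import json
import urllib.request

# Grant types the Prerequisites section says the application must offer.
REQUIRED_GRANT_TYPES = {"authorization_code", "refresh_token", "password"}


def openid_address(domain_space: str) -> str:
    """https://<domain space>/oauth2/default/.well-known/openid-configuration"""
    host = domain_space.strip().strip("/")
    if not host or "/" in host or ":" in host:
        raise ValueError("domain space must be a bare host name")
    return f"https://{host}/oauth2/default/.well-known/openid-configuration"


def fetch_discovery(address: str, timeout: float = 10.0) -> dict:
    """Download and parse a real discovery document (needs network access)."""
    with urllib.request.urlopen(address, timeout=timeout) as resp:
        return json.load(resp)


def check_discovery(doc: dict, address: str) -> list:
    """Return a list of problems; an empty list means the document passes."""
    problems = []
    # The issuer must be HTTPS and match where the document was served from.
    expected_issuer = address.rsplit("/.well-known/", 1)[0]
    issuer = str(doc.get("issuer", "")).rstrip("/")
    if not issuer.startswith("https://"):
        problems.append("issuer is not an https URL")
    elif issuer != expected_issuer:
        problems.append(f"issuer {issuer} does not match {expected_issuer}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(doc.get(key, "")).startswith("https://"):
            problems.append(f"{key} missing or not https")
    missing = REQUIRED_GRANT_TYPES - set(doc.get("grant_types_supported", []))
    if missing:
        problems.append("grant types not advertised: " + ", ".join(sorted(missing)))
    return problems


# Constructed sample for the page's domain space; it deliberately omits the
# resource owner password grant so the check reports it.
SAMPLE_ADDRESS = openid_address("example.EntraID.com")
SAMPLE_DOC = {
    "issuer": "https://example.EntraID.com/oauth2/default",
    "authorization_endpoint": "https://example.EntraID.com/oauth2/default/v1/authorize",
    "token_endpoint": "https://example.EntraID.com/oauth2/default/v1/token",
    "jwks_uri": "https://example.EntraID.com/oauth2/default/v1/keys",
    "grant_types_supported": ["authorization_code", "refresh_token"],
}
```

Against a live tenant, call check_discovery(fetch_discovery(openid_address(domain)), openid_address(domain)) and treat any returned problem as a reason to stop before clicking Finish.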