How to Enable Azure AD for vCenter Server
Article ID: 322179

Products

VMware vCenter Server

Issue/Introduction

To establish a relying party trust between vCenter Server and Azure AD, exchange identifying information and a shared secret between them. Create an OpenID Connect application in Azure AD. The OpenID Connect application specifies the vCenter Server redirect URIs that are invoked during authorization code flows, and the client identifier and shared secret that vCenter Server uses to communicate with Azure AD. To push the Active Directory users and groups in the Azure AD domain to the vCenter Server that manages vCenter Server objects, also create a SCIM 2.0 application.


Environment

VMware vCenter Server 8.0.2

Resolution

Follow the steps below to:

  1. Integrate your Active Directory with Azure AD.

  2. Create an OIDC application in Azure AD and assign groups and users to that application.

  3. Create a SCIM 2.0 application in Azure AD.

  4. Push Azure AD users and groups to vCenter Server.

Use this KB article in conjunction with Configure vCenter Server Identity Provider Federation for Azure AD (vmware.com).

Integrate your Active Directory with Azure AD

If Active Directory and Azure AD were integrated previously, or if you only want to use the users and groups provided by Azure AD, skip this step and go to Create the OpenID Connect Application.

To integrate the Active Directory with Azure AD, please refer to Azure AD documentation.

Create the OpenID Connect Application

Log in to the Azure AD Admin console and follow the Azure AD documentation to create an OpenID Connect application. When creating the OpenID Connect application in the Create a new app integration wizard:

  1. Select Home > Azure AD Directory > App Registration > New Registration.

  2. Enter an appropriate name for the OpenID Connect application, for example, AzureAD-vCenter-app.

  3. Leave Supported account types at the default, or select per your requirement. Set the Redirect URI type to Web; you do not need to enter a redirect URI yet, as it is filled in later.

After creating the OpenID Connect application:

  1. Select Certificates & secrets > New client secret.

  2. Enter a description for this client secret and select the validity period in the Expiry drop-down menu.

  3. Click Add.

  4. Once a secret is generated, copy the content under Value.

The Client Secret is generated.

  • To get the client ID, click Overview in the left-side menu and copy the value of Application (client) ID.

You can use the Copy to clipboard icon.

OIDC Discovery Endpoint

  1. Select Overview of the app > Endpoints.

  2. Copy the value under OpenID Connect metadata document.
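Before pasting the metadata URL into vCenter Server, it is worth confirming that the document behind it is the one you expect. The following is an added example, not part of the VMware KB article: it checks a downloaded OpenID Connect metadata document for the fields vCenter Server depends on (https issuer and endpoints on the issuer's host, the expected tenant, authorization code flow, RS256 signing). The sample document and the all-zero tenant ID are constructed placeholders so the check runs offline.

```python
"""Sanity-check an OpenID Connect metadata document before using it in vCenter Server.
Added example (not from the KB article). Assumes the metadata JSON has already been
downloaded; a constructed sample document stands in for the real one."""
import json
from urllib.parse import urlparse

# Constructed sample resembling an Azure AD v2.0 metadata document.
# "00000000-0000-0000-0000-000000000000" is a placeholder tenant ID.
TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_METADATA = json.dumps({
    "issuer": f"https://login.microsoftonline.com/{TENANT}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT}/discovery/v2.0/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

def check_metadata(doc_text: str, expected_tenant: str) -> list:
    """Return a list of problems; an empty list means the document looks usable."""
    try:
        doc = json.loads(doc_text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    problems = [f"missing {key}" for key in REQUIRED if key not in doc]
    if problems:
        return problems
    issuer = urlparse(doc["issuer"])
    # The issuer must be https and belong to the tenant vCenter Server will trust;
    # a document for another tenant means the wrong URL was copied.
    if issuer.scheme != "https":
        problems.append("issuer is not https")
    if expected_tenant not in issuer.path:
        problems.append("issuer does not belong to the expected tenant")
    # Every endpoint vCenter Server will call must be https on the issuer's host.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        u = urlparse(doc[key])
        if u.scheme != "https" or u.netloc != issuer.netloc:
            problems.append(f"{key} is not https on the issuer host")
    # vCenter Server uses the authorization code flow described in the introduction.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not supported")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 id_token signing not offered")
    return problems

if __name__ == "__main__":
    print(check_metadata(SAMPLE_METADATA, TENANT))  # prints [] for the sample
```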

Password Grant Enablement

Go to App > Manage > Authentication and enable the toggle for App collects plaintext password (Resource Owner Password Credential Flow).

  • Grant Admin Consent for <your tenant_name>

Note: This step is optional. Performing this step confirms that the application is verified by Azure AD.

Configuring vCenter

  • Use the client_id, secret, openid-configuration URL and AD domain details to configure Azure AD as the identity provider inside vCenter Server.

vCenter Server Azure AD Identity Provider Creation

To add the identity provider in vCenter Server for Azure AD, go to Configure vCenter Server Identity Provider Federation for Azure AD (vmware.com) and start with Step 2.

When you are done adding the Azure AD identity provider in vCenter Server, return to this KB article and continue with Update the Azure Redirect URI.

Update the Azure AD Redirect URI

After you create the Azure AD identity provider configuration on vCenter Server, you update the Azure AD OpenID Connect application with the Redirect URI that you copy from the Azure AD Identity Provider Configuration page in vCenter Server.

In the Azure AD Admin console:

  1. In the App Registrations screen for the OpenID Connect application created, click Authentication.

  2. Select Add a platform and then select Web.

  3. In the Redirect URIs text box, paste the copied Redirect URI from vCenter Server.

  4. Click Save.

Create the SCIM 2.0 Application and Push Users and Groups to vCenter Server

Options to configure SCIM 2.0 users and groups provisioning:

Azure AD provides a few options to configure SCIM 2.0 push. The main difference is whether vCenter Server is exposed to external traffic; if inbound traffic to vCenter Server is not allowed, use the Provisioning Agent and Application Proxy procedure referenced below.

Please refer to Step by step procedure to configure Azure AD Identity Federation with Provisioning Agent and Application Proxy on vCenter Server 8.0 U2.

Step by Step Guide with VMware Identity Service Application:

  1. Go to Azure AD Directory > Enterprise Applications > New Application.

  2. Under the Browse Azure AD Gallery, search for VMware Identity Service.

  3. Enter an appropriate name for the Enterprise Application, such as vCenter Server SCIM 2.0 app.

  4. Click Create.

Provisioning

  1. Go to Azure AD Directory > Enterprise Applications.

  2. Select the SCIM 2.0 App you created.

  3. From the left side menu, select Provisioning > Manage.

  4. Provide the vCenter Server URL (publicly accessible vCenter Server URL).

  5. Provide the Secret Token: generate a token by clicking Generate on the vCenter Server identity provider page, under User Provisioning.

  6. Set the Provisioning Status to On.

  7. Click Test Connection.

When the connection test succeeds, the details appear under Mappings.

  1. Review the Mappings section.

  2. Click Provision Azure Active Directory Users.

  3. Configure the mappings for vCenter Server so that the username part and the domain part are sent separately.

  4. To send the domain part:

  5. Add the new mapping attributes.

You previously copied items from the vCenter Server Identity Provider page. vCenter Server calls the SCIM 2.0 Base Url the "Tenant URL," and the OAuth Bearer Token the "Secret Token."

Note: If the network is not publicly available, create a network tunnel between the vCenter Server system and the Azure AD server, then use the appropriate publicly accessible URL as the Base URL.
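The mapping steps above send the username part and domain part of each user separately, and every push must carry the Secret Token as an OAuth bearer token. The following is an added example, not vCenter Server's code, showing how a SCIM 2.0 endpoint would validate such a push: the attribute names, the token value and the request body are constructed for the demonstration.

```python
"""Validate a SCIM 2.0 user push: check the Secret Token (OAuth bearer token) and
split userName into user part and domain part. Added example, not vCenter Server
code; attribute names and sample values are constructed placeholders."""
import hmac
import json
from typing import Optional, Tuple

# Placeholder for the Secret Token generated on the vCenter Server IdP page.
SECRET_TOKEN = "placeholder-secret-token"

# Constructed SCIM 2.0 POST /Users body as an Azure AD provisioning job would send it.
SAMPLE_BODY = json.dumps({
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "externalId": "f0e1d2c3-0000-0000-0000-000000000000",  # placeholder object ID
    "userName": "jdoe@corp.example",
    "active": True,
    "name": {"givenName": "Jane", "familyName": "Doe"},
})

def bearer_token_ok(headers: dict, expected: str) -> bool:
    """Constant-time comparison of the Authorization header against the Secret Token."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    return scheme == "Bearer" and hmac.compare_digest(token, expected)

def split_user_name(user_name: str) -> Optional[Tuple[str, str]]:
    """Return (user part, domain part), or None when the value is not user@domain."""
    user, sep, domain = user_name.rpartition("@")
    if not sep or not user or not domain or "@" in user:
        return None
    return user, domain.lower()

def accept_user_push(headers: dict, body: str, expected_token: str = SECRET_TOKEN) -> dict:
    """Reject unauthenticated or malformed pushes; otherwise return the split attributes."""
    if not bearer_token_ok(headers, expected_token):
        return {"status": 401, "error": "invalid or missing bearer token"}
    user = json.loads(body)
    parts = split_user_name(user.get("userName", ""))
    if parts is None:
        return {"status": 400, "error": "userName must be user@domain"}
    name, domain = parts
    return {"status": 201, "username": name, "domain": domain,
            "externalId": user.get("externalId"), "active": user.get("active", False)}

if __name__ == "__main__":
    hdrs = {"Authorization": f"Bearer {SECRET_TOKEN}", "Content-Type": "application/scim+json"}
    print(accept_user_push(hdrs, SAMPLE_BODY))
```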

Assign Users and Groups 

  1. Go to the SCIM App > Users and Groups > Add user/group.

  2. Click on the selected Users and Groups.

  3. Click Start Provisioning.

  4. Take a backup of the provisioned users and groups.

  5. Back up and restore users and groups from WS1Broker.

Note:

  • Perform similar steps to assign users and groups to the OIDC application.
  • "Azure AD" is now referred to as "Entra ID".

Authorize Azure AD Users

To authorize Azure AD users to log in to vCenter Server, return to Configure vCenter Server Identity Provider Federation for Azure AD (vmware.com) Step 5 and complete setting up the Azure AD identity provider by assigning group membership. You can then assign permissions (inventory-level and global) to the Azure AD users.

Attachments

Step-by-step-procedure-to-configure-Azure-AD-Federation-on-vCenter-Server_v3