Enhance vSphere Security with Microsoft Entra ID Integration

With vSphere 8.0 Update 2, VMware introduced the ability to configure Microsoft Entra ID (formerly Azure Active Directory) as an external identity provider for vCenter Server. This integration centralises authentication for your vSphere environment, letting you use existing Entra ID accounts to manage access securely and efficiently. It also lets you apply advanced security features such as Multi-Factor Authentication (MFA) with Microsoft Authenticator to further strengthen login security.

I decided to test this new feature in my lab and documented the steps, which I have included in this guide. Hopefully, this guide will help you get started if you would like to try this in your vSphere environment.

Prerequisites

  1. vSphere and vCenter Server
    • Ensure you are running vSphere 8.0 Update 2 or later with a fully configured vCenter Server instance.
    • Verify that DNS resolution is properly set up to ensure smooth communication within your environment.
    • A valid SSL/TLS certificate must be installed and configured on vCenter Server to secure communication.
  2. Azure Entra ID Tenant
    • Ensure you have an active Azure Entra ID tenant (formerly Azure Active Directory).
    • Administrative access is required to create App Registrations, configure API permissions, and assign user roles.
  3. Network Requirements
    • Outbound: vCenter Server must have internet access to communicate with Azure Entra ID endpoints via HTTPS (port 443).
    • Inbound: Ensure HTTPS (port 443) is open to allow incoming traffic from Azure Entra ID endpoints for identity provider communication to vCenter.

Step 1: Access the vSphere Single Sign-On Configuration

  1. Log in to the vSphere Client using an administrator account with sufficient privileges.
  2. Navigate to Administration in the main menu.
  3. Under Single Sign-On, select Configuration from the options.
  4. Click the Change Provider button.
  5. Choose Microsoft Entra ID as the new identity provider.

Step 2: Configure Microsoft Entra ID as the Identity Provider

  1. Run the Pre-checks to ensure your vCenter Server meets the requirements for integrating with Microsoft Entra ID.
  2. Once the pre-checks pass, click Next to proceed.
  3. Enter a Directory Name for the identity provider configuration (e.g., “Azure Entra ID”).
  4. Provide your Azure Domain Name (e.g., yourdomain.onmicrosoft.com) to establish the connection.

Step 3: Configure OpenID Authentication Information

To complete this step, you first need to head over to the Azure Portal and create an App Registration.

  1. Navigate to the Azure Portal.
  2. Create a new App Registration for your application.
  3. Take note of the Redirect URI shown by vCenter here, as you will need it when registering the app in Azure.

This configuration is essential for enabling OpenID authentication and integrating Azure Entra ID with vCenter Server.

Step 4: Create a New App Registration in Azure

  1. On the Azure Portal, navigate to App Registrations and select “New registration”.
  2. Provide a friendly name for the app, e.g., vCenter-OIDC.
  3. Select your Directory Type based on your setup.
  4. Under Redirect URI:
    • Choose “Web” from the dropdown menu.
    • Paste the URI you noted in the previous step.
  5. Click Register to complete the process.

Step 5: Create a New Client Secret

Once the app is registered, follow these steps to create a new client secret:

  1. In the Azure Portal, navigate to the Manage section of your App Registration and select “Certificates & Secrets”.
  2. Click on “New Client Secret”.
  3. Provide a friendly name for the secret and select an expiration period that suits your requirements.
  4. Click Add to generate the secret.

Important: Make sure to note down the secret value immediately, as it will no longer be visible once you navigate away from this page. You will need this secret in a later step.

Step 6: Complete the vCenter OpenID Connect Authentication Configuration

  1. Navigate to the Overview page of your OpenID Connect (OIDC) App Registration in the Azure Portal.
  2. Select Endpoints and copy the OpenID Connect metadata document URL.
  3. Copy the Application (client) ID from the app registration.

You will need these values along with the secret you noted in Step 5 to complete the vCenter OpenID Connect Authentication configuration.
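Before pasting the metadata URL into vCenter it is worth checking what the document behind it actually says. The checker below is an added example, not part of this guide's steps or of any VMware or Microsoft tool; it runs over a constructed sample discovery document with a placeholder tenant ID, and the policy it applies (HTTPS-only endpoints, tenant-specific issuer rather than a multi-tenant one, RS256 offered) is the checker's own, not a documented vCenter requirement.

```python
import json
from urllib.parse import urlparse

# Constructed sample of the document served at the "OpenID Connect metadata
# document" URL from Step 6, trimmed to the fields that matter for vCenter.
# The tenant ID is a placeholder, not a real tenant.
TENANT_ID = "TENANT-ID-PLACEHOLDER"
SAMPLE_METADATA = json.dumps({
    "issuer": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT_ID}/discovery/v2.0/keys",
    "id_token_signing_alg_values_supported": ["RS256"],
})

REQUIRED_ENDPOINTS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

def check_metadata(doc_text: str, tenant_id: str) -> list[str]:
    """Return a list of problems with an OIDC discovery document; empty means OK.
    The policy encoded here is this checker's own, not a vCenter requirement."""
    try:
        doc = json.loads(doc_text)
    except json.JSONDecodeError as exc:
        return [f"document is not valid JSON: {exc}"]
    problems = []
    for key in REQUIRED_ENDPOINTS:
        value = doc.get(key)
        if not isinstance(value, str):
            problems.append(f"missing {key}")
            continue
        if urlparse(value).scheme != "https":
            problems.append(f"{key} is not served over HTTPS: {value}")
        if tenant_id not in value:
            # A 'common' or 'organizations' URL would accept sign-ins from
            # any tenant instead of only yours.
            problems.append(f"{key} does not belong to tenant {tenant_id}")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 ID-token signing is not offered")
    return problems

if __name__ == "__main__":
    for line in check_metadata(SAMPLE_METADATA, TENANT_ID) or ["metadata looks sane"]:
        print(line)
```

To check a live tenant, fetch the URL copied from the Endpoints page with any HTTPS client and pass the response body and your tenant ID to check_metadata.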

Steps in vCenter:
  1. Head back to your vCenter Server and paste the following values into their respective fields:
    • Application (client) ID: Paste this value into the “Client Identifier” field.
    • Client Secret (from Step 5): Paste this value into the “Shared Secret” field.
    • OpenID Connect Metadata Document: Paste this URL into the “OpenID Address” field.
  2. Click Next, review the configuration, and click Finish to complete the setup.

If successful, vCenter is now configured with Microsoft Entra ID as the identity provider. Take note of the Tenant URL, as you will need this in the next step when creating the Azure Enterprise SCIM application.

Note: In the next step, you will also be required to enter a secret that you generate here on this page.

Step 7: Create an Azure Enterprise Application for SCIM

  1. In the Azure Portal, navigate to Enterprise Applications.
  2. In the search bar, look for “VMware Identity Service” and select it from the gallery.
  3. Provide a friendly name for the application, e.g., vCenter-SCIM.
  4. Click Create to complete the setup.

This step prepares the Azure Enterprise Application for SCIM provisioning to integrate with vCenter Server.

Configure Provisioning:
  1. After creating the SCIM Enterprise Application, navigate to Manage > Provisioning on the left-hand menu.
  2. Change the Provisioning Mode to “Automatic”.
  3. Paste the Tenant URL (noted from the Identity page of your vCenter Server) into the Tenant URL field.
  4. Generate a token on the vCenter Server (via the Identity page) and paste it into the Secret Token field in the SCIM Enterprise Application.
  5. Click Test Connection to ensure the SCIM Enterprise Application is correctly configured and can communicate with vCenter Server.

This step links Azure and vCenter Server for automatic user provisioning through SCIM.

Step 8: Assign Users to the SCIM Enterprise Application

  1. In the Azure Entra ID portal, navigate to the Enterprise Applications section.
  2. Select the SCIM application you created for vCenter Server.
  3. Go to the Users and Groups tab.
  4. Click Add User/Group.
  5. Search for and assign the desired users or groups that you want to provision to vCenter Server.
  6. Ensure that at least one user or group is assigned to the SCIM application before proceeding, as this is required for successful synchronization.
  7. Click Assign to complete the process.

Step 9: Configure User Attribute Mappings

What Are Attribute Mappings and Why Are They Required?

Attribute mappings define how user properties in Azure Entra ID are synchronized to the target system—in this case, vCenter Server. They ensure that essential user information is properly transformed and transferred during the provisioning process.

For example:

  • Item(Split([userPrincipalName], "@"), 1) extracts the username (the part before the @ in an email address) from the userPrincipalName attribute.
  • Item(Split([userPrincipalName], "@"), 2) extracts the domain name (the part after the @ in an email address).

These mappings are crucial because vCenter Server uses these specific components to associate users with roles and permissions correctly. Without these mappings, user provisioning would fail or result in incorrect configurations.

  1. Navigate to Provisioning in the Azure Entra ID Enterprise Application and, under Mappings, click Provision Azure Entra ID Users.
  2. Modify an Existing Attribute Mapping:
    • Locate the attribute userPrincipalName in the list of attribute mappings.
    • Click Edit to modify this attribute.
    • Change the Mapping Type to Expression.
    • In the Expression field, enter the following:
      Item(Split([userPrincipalName], "@"), 1)
    • Click OK to save the changes.
  3. Create a New Attribute Mapping:
    • Scroll to the bottom of the mapping list and click Add New Mapping.
    • For Mapping Type, select Expression.
    • In the Expression field, enter the following:
      Item(Split([userPrincipalName], "@"), 2)
    • For the Target Attribute, select:
      urn:ietf:params:scim:schemas:extension:ws1b:2.0:User.domain
    • Click OK to save the new mapping.
  4. Click Save to update the attribute mappings.
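To see exactly what the two expressions above produce for a given account before a sync runs, the script below re-implements Split() and the 1-based Item() locally and applies both mappings to constructed sample UPNs. It is an added example, not code from this guide, from Entra ID or from VMware; how it treats a UPN without exactly one "@" is the simulator's own choice, not a claim about the Entra provisioning engine.

```python
import json

# Re-implementation of the two Entra ID provisioning expression functions used
# by this guide's mappings, so the transform can be checked offline. Split()
# breaks a string on a delimiter; Item() takes a 1-based index, as in the
# Entra expression language.
def split(value: str, delimiter: str) -> list[str]:
    return value.split(delimiter)

def item(parts: list[str], index: int) -> str:
    # Out-of-range indexes yield "" here; that is this simulator's choice and
    # not a statement about what the Entra provisioning engine does.
    return parts[index - 1] if 1 <= index <= len(parts) else ""

WS1B_EXT = "urn:ietf:params:scim:schemas:extension:ws1b:2.0:User"

def map_user(upn: str) -> dict:
    """Apply the guide's two mappings to one userPrincipalName and return the
    SCIM attributes that VMware Identity Service / vCenter would receive."""
    parts = split(upn, "@")
    user_name = item(parts, 1)   # Item(Split([userPrincipalName], "@"), 1)
    domain = item(parts, 2)      # Item(Split([userPrincipalName], "@"), 2)
    if len(parts) != 2 or not user_name or not domain:
        # Anything other than exactly user@domain would provision an account
        # with an empty or wrong domain that vCenter cannot place in the
        # Entra ID directory, so fail loudly instead of syncing it.
        raise ValueError(f"userPrincipalName is not user@domain: {upn!r}")
    return {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", WS1B_EXT],
        "userName": user_name,
        WS1B_EXT: {"domain": domain},
    }

def map_batch(upns: list[str]) -> tuple[list[dict], list[str]]:
    """Map many UPNs; return (mapped users, UPNs that were rejected)."""
    mapped, rejected = [], []
    for upn in upns:
        try:
            mapped.append(map_user(upn))
        except ValueError:
            rejected.append(upn)
    return mapped, rejected

# Constructed sample UPNs (not from any real tenant); the last one is
# deliberately malformed to exercise the rejection path.
SAMPLE_UPNS = ["demo.user@yourdomain.onmicrosoft.com", "svc-backup@corp.example", "nobody"]

if __name__ == "__main__":
    users, bad = map_batch(SAMPLE_UPNS)
    print(json.dumps(users, indent=2))
    print("rejected:", bad)
```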

Step 10: Provision Users to Sync with vCenter Server

Provisioning in Azure Entra ID synchronises user and group information from your directory to the SCIM application (in this case, vCenter Server). This ensures that user accounts and access rights are created or updated as needed.

Azure Entra ID offers two provisioning methods:

  1. Start Provisioning: Automatically synchronises assigned users and groups to the SCIM application on a scheduled cycle, ensuring ongoing updates to user information.
  2. Provision on Demand: Manually provisions specific users or groups immediately without waiting for the next scheduled cycle.

For this example, we will use the Provision on Demand method to quickly sync a user or group to vCenter Server.

Steps to Use Provision on Demand:

  1. Navigate to the Overview section of the SCIM Enterprise Application.
  2. Click Provision on Demand.
  3. In the dialog that appears:
    • Search for the user or group you want to provision.
    • Select the desired user or group from the search results.
  4. Click Provision to immediately synchronise the selected user or group to vCenter Server.

Step 11: Add vCenter Permissions for Synced Users

After synchronising users or groups from Azure Entra ID to vCenter Server, you need to assign permissions to allow them access to the vSphere environment.

  1. Log in to the vSphere Client and navigate to Administration.
  2. Under Single Sign-On, select Users and Groups.
  3. In the Domain dropdown menu, switch to the domain corresponding to your Azure Entra ID directory.
  4. You should now see the users and/or groups that were provisioned via the Azure SCIM Enterprise Application.

For this example, we will add a permission to the vCenter Server object for the demo user provisioned in the previous step and assign them the Administrator role with propagation.

Steps to Add Permissions:

  1. Navigate to the Menu and select Host and Clusters.
  2. Right-click on the vCenter Server object and select Add Permissions.
  3. In the Assign Permissions dialog:
    • Click Add and search for the demo user you provisioned.
    • Select the user from the results.
    • Choose the Administrator role from the dropdown.
    • Check Propagate to Child Objects to apply the permissions to all sub-objects.
  4. Click OK to save the permissions.

This example demonstrates assigning full administrative access to a synced user. Adjust the role and scope based on your specific use case.

Step 12: Sign In to vCenter Using SSO

The final step is to test the configuration by signing into vCenter using Single Sign-On (SSO).

  1. Log out of the vSphere Client and close the browser.
  2. Reopen the vSphere Client URL.
  3. You should now see the Sign in with SSO option on the login page.
    • At the bottom of the page, the option to log in with your local vCenter SSO account is still available as a fallback.
  4. Select Sign in with SSO and log in using the Azure Entra ID account you provisioned and assigned permissions to in the previous steps.

And that’s it! You’ve successfully configured Microsoft Entra ID as an identity provider for your vSphere environment.

Conclusion

I hope this guide has been informative and helped you successfully configure Microsoft Entra ID as an identity provider for your vSphere environment. By integrating Azure Entra ID, you’ve not only enhanced security but also simplified user management with centralised authentication.

If you found this post helpful, feel free to share it with others who might benefit. I’d also love to hear your thoughts: whether you have questions, suggestions, or insights from your own implementation, drop a comment below.