VMware vSphere

Hello

We need expert advice in setting up the EntraID (AzureAD) authentication provider on the vCenter server 8.0 U2, which has Internet access only through a proxy.

We have already configured all the points specified in the instructions:
- the AzureAD authentication provider is selected In the vCenter server

- Created Enterprise applications for OID and SCIM on AzureAD side

- With the help of AzureAD proxy application and AzureAD Enterprise application for SCIM, we can provision users from AzureAD to vCenter

But when we try to log in using AzureAD, you always see the error “Access Denied. Unable to authenticate the user.”

Upon closer analysis, we discovered that when we trying to log in through AzureAD from the vCenter server, traffic was sent to Microsoft IP addresses past the configured proxy.
Accordingly, the AzureAD authentication service ignores all proxy settings specified in the system.

Has anyone encountered the same issues?
I would be grateful for any advice that might help.

I hope this helps you. I ran into this today and my issue was I had to remove vcenter from local AD first. My local AD domain and Entra ID domain are the same so I imagine this caused some issue in vcenter on the backend. I used the two links combined to complete the setup. One response from reddit post has more detailed info on the attributes needed. Good Luck!

https://kb.vmware.com/s/article/94182

https://www.reddit.com/r/vmware/comments/16z5j7s/sso_in_vcenter_and_azure_ad_without_scim/

We have encountered the same issue where the auth service ignores the vCenter proxy settings and is therefore blocked. The 'workaround' to "allow outbound vCenter traffic with Azure Entra" isn't acceptable in our environment.  We're waiting for Broadcom to fix this issue, as well.

Reference KB Article ID: 371955
Unable to authenticate to vCenter with Azure AD users. Access fails with error "Access denied. Unable to authenticate the user"