![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(60.8, 6%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETM%3C/text%3E%3C/svg%3E)
Microsoft Security | Microsoft Entra | Microsoft Entra ID
A cloud-based identity and access management service for securing user authentication and resource access
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(220.8, 92%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(163.2, 93%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMJ%3C/text%3E%3C/svg%3E)
For Azure VMware Solution vCenter, SSO with an external identity source (Microsoft Entra ID or Windows Server AD/LDAP) depends on a few AVS‑specific pieces that must be correct on each vCenter. Even if two vCenters look “the same”, a small difference in identity source configuration or permissions can cause Access Denied.
Use the following checks on the failing vCenter and compare directly with the working one:
- Confirm the external identity source is actually registered and resolvable
- In AVS, external identity sources (Windows Server AD via LDAPS or Entra ID) are added through Run command packages, not directly with native vCenter admin rights.
- On the failing vCenter’s private cloud in the Azure portal, go to Run command → Packages → Microsoft.AVS.Identity and:
- Verify the identity source was created successfully (for LDAPS, via
New-LDAPSIdentitySource). - Use the command that lists all existing external identity sources and confirm the domain/identity provider entry matches the working vCenter (same
DomainName,DomainAlias, URLs, etc.).
- Verify the identity source was created successfully (for LDAPS, via
- Ensure DNS resolution from AVS to the identity source works (NSX/DNS forwarder configured and pointing to the correct AD DNS servers), as required in the identity source setup.
- If using Windows Server AD via LDAPS, validate all
New‑LDAPSIdentitySourceparameters On the failing vCenter, re‑open Microsoft.AVS.Identity → New‑LDAPSIdentitySource and compare each parameter to the working vCenter:
-
PrimaryUrl/SecondaryUrl: Correctldaps://hostnames and port (636) and reachable from AVS. -
DomainName: Correct AD FQDN. -
DomainAlias: Correct NetBIOS name (e.g.,DOMAIN), used in logon formatDOMAIN\user. -
BaseDNUsers/BaseDNGroups: Correct DNs that actually contain the users/groups being used. -
Credential: A valid domain account that can query the directory. -
SSLCertificatesSasUrl: If used, points to the correct LDAPS certificate(s); otherwise, ensure the certificate that vCenter downloads automatically is valid. Any mismatch here can cause successful SCIM sync but failed interactive sign‑in.
- If using Microsoft Entra ID as identity source, confirm vCenter privileges were granted via Run Command
For Entra ID federation (vSphere 8.0 U2+), AVS CloudAdmin does not natively have the
VcIdentityProviders.Manageprivilege. AVS provides a Run Command to grant this:
- Ensure
Add‑VCenterCloudAdminRoleVcIdentityProvidersManagePrivilegewas run on the failing vCenter before configuring the Entra ID identity provider. - If the identity provider was created without this step, remove and re‑add it using the documented Run Commands so that vCenter trusts Entra ID correctly.
- Verify group membership and role assignment in vCenter Even with a valid identity source, Access Denied occurs if the user’s group/role mapping differs:
- Sign in to vCenter on the failing instance as
CloudAdmin. - Navigate to an inventory object (for example, the vCenter root or a datacenter), then Actions → Add Permission.
- In Domain, select the external identity source (AD or Entra ID) and search for the same user/group that works on the other vCenter.
- Confirm:
- The user is a member of the group configured in
GroupName(for LDAPS) or the equivalent Entra group. - The group is assigned the expected role (for example, CloudAdmin or another vCenter role) and Propagate to children is set as needed.
- The user is a member of the group configured in
- Compare the Permissions tab on both vCenters to ensure identical domain, group, and role assignments.
- Check that the CloudAdmin emergency account is not being used for integration
- The built‑in
CloudAdminaccount is intended only for break‑glass access. - Ensure the external identity integration (LDAPS or Entra ID) is configured using directory accounts/groups, not by trying to extend or reuse
CloudAdminbeyond its supported scope.
- Re‑run the identity source Run Commands in order If any doubt remains about the configuration sequence on the failing vCenter:
- Follow the documented order of Run Commands for identity source setup (certificate export/upload if used, DNS,
New‑LDAPSIdentitySourceor Entra ID provider commands, then role assignment). - Run them one at a time and confirm each completes successfully.
If, after these checks, SCIM provisioning still works but interactive SSO fails only on one vCenter, focus on:
- Differences in
DomainAliasandBaseDNUsers/BaseDNGroupsbetween the two vCenters. - Missing or different vCenter role assignments for the same groups.
- Entra ID provider not created/managed via the AVS Run Commands on the failing instance.
References: