As IT infrastructure evolves to support hybrid and cloud-native environments, integrating identity providers becomes increasingly important. In this blog post, we’ll walk through how to integrate VMware vSphere 7 Single Sign-On (SSO) with Microsoft Entra ID (formerly Azure Active Directory) using Microsoft Entra Domain Services (LDAP).
This guide is tailored for VMware administrators, cloud architects, and security professionals aiming to enhance access control and authentication within their vSphere environment by leveraging Entra ID.
VMware vSphere 7 comes with a built-in SSO feature that simplifies access across vSphere components. While it traditionally supports Active Directory and other local identity sources, vSphere 7 also introduces support for OpenID Connect (OIDC), paving the way for integration with modern identity providers like Microsoft Entra ID.
Microsoft Entra ID, Microsoft’s cloud-based IAM platform, enables secure and seamless access to a wide range of services. It supports protocols such as OIDC and OAuth 2.0, making it an ideal choice for federated authentication.
However, direct integration between vSphere 7 and Entra ID isn’t natively supported—you’ll need to bridge the gap using either AD FS or Microsoft Entra Domain Services.
Here’s what vSphere 7 supports out of the box:
vSphere Version | Supported Identity Providers |
---|---|
7.0 and later | AD FS, AD over LDAP, OpenLDAP |
8.0 Update 1 | Adds support for Okta |
8.0 Update 2 | Adds Microsoft Entra ID support natively |
8.0 Update 3 | Adds PingFederate |
Active Directory Federation Services (AD FS)
Use this if you’re running a hybrid environment (on-prem AD + Entra ID). AD FS acts as a SAML IdP and can federate with Entra ID. It’s more complex to configure but offers features like MFA and claims-based access.
Active Directory over LDAP (using Microsoft Entra Domain Services)
Best suited for cloud-first setups with no on-prem infrastructure. It allows vSphere to authenticate via LDAPS to Entra-hosted AD DS.
OpenLDAP
Recommended for open-source or Linux-heavy environments. Not natively integrated with Entra ID and requires manual management.
We’re working with a cloud-only Microsoft Entra ID setup—no on-prem AD. That makes Microsoft Entra Domain Services (LDAP) the best fit for us.
By enabling Microsoft Entra Domain Services, we expose Azure-hosted directory services over LDAP/LDAPS, allowing vCenter to authenticate users without an on-prem AD.
Note: Microsoft Entra Domain Services provides a managed domain with support for Kerberos, NTLM, and LDAP/LDAPS without requiring domain controller VMs.
Before diving into setup, ensure the following:
vCenter Server 7.0 is up and running.
A Microsoft Entra ID (Azure AD) tenant exists.
Microsoft Entra Domain Services is provisioned.
LDAPS is enabled.
Port TCP 636 (LDAPS) is open between vCenter and Entra DS.
In the Azure portal:
Search for “Microsoft Entra Domain Services”.
Click Create, and fill in:
DNS domain name (e.g., litmusds.local)
Region, subscription, resource group, and SKU tier
Choose a Virtual Network vCenter can reach
Provisioning typically takes 60–90 minutes.
💡 Pricing Snapshot (Central US):
Tier | Auth Load | Object Limit | Cost (Monthly) |
---|---|---|---|
Standard | 0–3K | 25K | ~$109.50 |
Enterprise | 3–10K | 100K | ~$292.00 |
Premium | 10–70K | 500K | ~$1,168.00 |
From the Azure portal:
Go to your Entra Domain Service.
Click Secure LDAP under settings.
Toggle Enable Secure LDAP.
Upload a .PFX certificate.
(Optional) Enable internet access if vCenter is outside Azure.
Option 1 – Self-signed certificate (Quick & Free):
```bash
openssl req -x509 -newkey rsa:2048 -keyout ldap.key -out ldap.crt -days 365 -nodes -subj "/CN=yourdomain.com"
openssl pkcs12 -export -out ldap.pfx -inkey ldap.key -in ldap.crt -passout pass:YourStrongPassword
```
Option 2 – Let’s Encrypt (Wildcard certificate):
Use certbot, generate a DNS-challenge wildcard cert, and convert it to .pfx using:
```bash
openssl pkcs12 -export \
-out ldap-cert.pfx \
-inkey privkey.pem \
-in fullchain.pem \
-password pass:YourStrongPassword
```
To allow vCenter access over LDAPS:
Open the NSG tied to Entra DS’s subnet.
Add an inbound rule:
Port: 636
Protocol: TCP
Source: vCenter IP/Subnet
Action: Allow
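Before touching vCenter it is worth confirming, from a host on the vCenter side of the NSG, that TCP 636 answers and that the certificate Entra DS serves is the one you uploaded, covers the endpoint name vCenter will use, and is not close to expiry. The script below is an added example (not code from the original post, VMware or Microsoft) that does this with the Python standard library only; the endpoint host and managed domain are placeholders, and the CA file you pass is ldap.crt itself for the self-signed Option 1 or nothing (system store) for a Let’s Encrypt chain.

```python
"""Pre-flight check of an Entra Domain Services LDAPS endpoint.

Added example, not code from the original post, VMware or Microsoft. It
confirms that TCP 636 answers, that the certificate chain validates against
the CA file given (ldap.crt for the self-signed Option 1, the system store
for Let's Encrypt), that the served certificate covers the endpoint name
vCenter will use and carries the *.<managed domain> wildcard name Microsoft's
Secure LDAP setup asks for, and how many days it has left.
Host and domain below are placeholders.
"""
import socket
import ssl
from datetime import datetime, timezone

LDAPS_HOST = "ldaps.yourdomain.com"  # placeholder: Entra DS secure LDAP endpoint
LDAPS_PORT = 636
MANAGED_DOMAIN = "yourdomain.com"    # placeholder: managed domain DNS name


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact, or a single left-most wildcard label.
    '*.yourdomain.com' matches 'ldaps.yourdomain.com' but neither
    'yourdomain.com' nor 'a.b.yourdomain.com'."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), hostname.split(".")
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return False


def cert_names(cert: dict) -> list:
    """DNS names a certificate asserts: SAN dNSName entries plus the subject CN.
    `cert` is the dict form returned by ssl.SSLSocket.getpeercert()."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def days_until_expiry(cert: dict, now: float = None) -> int:
    """Whole days until notAfter, measured from `now` (epoch seconds; default: current time)."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now is None:
        now = datetime.now(timezone.utc).timestamp()
    return int((not_after - now) // 86400)


def evaluate(cert: dict, endpoint: str, domain: str, now: float = None) -> dict:
    """Pure evaluation of a certificate dict; no network involved."""
    names = cert_names(cert)
    return {
        "names": names,
        "covers_endpoint": any(name_matches(n, endpoint) for n in names),
        "wildcard_for_domain": f"*.{domain.lower()}" in [n.lower() for n in names],
        "days_left": days_until_expiry(cert, now),
    }


def probe(host: str = LDAPS_HOST, port: int = LDAPS_PORT,
          domain: str = MANAGED_DOMAIN, ca_file: str = None) -> dict:
    """Connect over TLS, validate the chain against ca_file (or the system
    store when None) and evaluate the served certificate. Name checking is
    left to evaluate() so a mismatch is reported rather than raised."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False            # reported by evaluate() instead
    ctx.verify_mode = ssl.CERT_REQUIRED   # the chain must still validate
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return evaluate(cert, host, domain)


# Constructed certificate dict in getpeercert() format, for an offline dry run.
SAMPLE_CERT = {
    "subject": ((("commonName", "*.yourdomain.com"),),),
    "subjectAltName": (("DNS", "*.yourdomain.com"),),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}

if __name__ == "__main__":
    print(evaluate(SAMPLE_CERT, LDAPS_HOST, MANAGED_DOMAIN))
    # Against the real endpoint, self-signed Option 1:
    # print(probe(ca_file="ldap.crt"))
```

A `covers_endpoint` of False with a bare `CN=yourdomain.com` certificate is expected when the Primary Server URL points at a host name or IP under that domain; the wildcard certificate of Option 2 avoids that mismatch.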
In vSphere Client:
Go to: Menu > Administration > Single Sign-On > Configuration
Under Identity Sources, click Add
Choose: LDAP over SSL (LDAPS)
🔧 Sample configuration:
Field | Value |
---|---|
Base DN for Users | DC=yourdomain,DC=com |
Domain Name | yourdomain.com |
Bind Username | ldapbind@yourdomain.com |
Primary Server URL | ldaps://<entra-ip>:636 |
Certificate | Upload fullchain.pem (if needed) |
✅ Click Test Connection and then OK to save.
Now, assign roles so users can access vSphere:
Go to: Menu > Administration > Access Control > Global Permissions
Click Add
Select your LDAP domain
Search for a user/group
Assign a role (e.g., Administrator)
Enable “Propagate to children”
💡 Tip: Assign permissions to groups instead of individuals to simplify management.
Try logging in to vCenter using a user from Entra Domain Services:
Format: user@yourdomain.com
If authentication works and permissions apply correctly—success! 🎉
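When the login or the earlier Test Connection fails, it helps to take vCenter out of the picture and bind to Entra DS directly with the same bind account. The script below is an added example (not code from the original post, VMware or Microsoft) that hand-encodes an LDAP v3 simple BindRequest per RFC 4511 and decodes the BindResponse, so it needs nothing beyond the Python standard library; the endpoint, bind user and password are placeholders, and the CA file is ldap.crt for the self-signed Option 1.

```python
"""Minimal LDAPS simple-bind probe for the vCenter bind account.

Added example, not code from the original post, VMware or Microsoft. It
BER-encodes an LDAP v3 BindRequest (RFC 4511) and decodes the BindResponse
with the standard library only, so the bind user and password from the
identity-source table can be checked against Entra Domain Services without
vCenter, separating a TLS problem from a wrong bind name or password.
Host, user and password below are placeholders.
"""
import socket
import ssl

LDAPS_HOST = "ldaps.yourdomain.com"     # placeholder: Entra DS LDAPS endpoint
LDAPS_PORT = 636
BIND_USER = "ldapbind@yourdomain.com"   # UPN form, as in the vCenter table
BIND_PASSWORD = "change-me"             # placeholder; take from a secret store in practice

RESULT_CODES = {0: "success", 8: "strongerAuthRequired", 13: "confidentialityRequired",
                32: "noSuchObject", 49: "invalidCredentials", 53: "unwillingToPerform"}


def ber_len(n: int) -> bytes:
    """BER definite length: one byte below 128, else 0x80|count followed by the count bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value


def bind_request(message_id: int, name: str, password: str) -> bytes:
    """LDAPMessage { messageID, [APPLICATION 0] BindRequest { version 3, name, simple } }.
    message_id must be below 128 so it stays a one-byte INTEGER."""
    bind = tlv(0x60,
               tlv(0x02, b"\x03")                      # version INTEGER 3
               + tlv(0x04, name.encode("utf-8"))       # name LDAPDN (OCTET STRING)
               + tlv(0x80, password.encode("utf-8")))  # authentication CHOICE [0] simple
    return tlv(0x30, tlv(0x02, bytes([message_id])) + bind)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(buf: bytes) -> dict:
    """Decode messageID, resultCode and diagnosticMessage from a BindResponse."""
    tag, msg, _ = read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(msg, 0)
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x61:                      # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse")
    _, code, pos = read_tlv(op, 0)       # ENUMERATED resultCode
    _, _matched_dn, pos = read_tlv(op, pos)
    _, diag, _ = read_tlv(op, pos)
    rc = int.from_bytes(code, "big")
    return {"message_id": int.from_bytes(mid, "big"), "result_code": rc,
            "result": RESULT_CODES.get(rc, "other"),
            "diagnostic": diag.decode("utf-8", errors="replace")}


def probe_bind(host: str = LDAPS_HOST, port: int = LDAPS_PORT, user: str = BIND_USER,
               password: str = BIND_PASSWORD, ca_file: str = None) -> dict:
    """Bind over a verified TLS session (the password must never cross plain 389).
    ca_file is ldap.crt for the self-signed Option 1, None for a public CA chain."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(bind_request(1, user, password))
            reply = tls.recv(4096)       # a BindResponse fits in one read
    return parse_bind_response(reply)


# Constructed BindResponse bytes for an offline dry run.
SAMPLE_SUCCESS = bytes.fromhex("300c02010161070a010004000400")        # messageID 1, resultCode 0
SAMPLE_INVALID = bytes.fromhex("300f020102610a0a013104000403626164")  # messageID 2, resultCode 49, "bad"

if __name__ == "__main__":
    print(parse_bind_response(SAMPLE_SUCCESS))
    # Against the real endpoint, self-signed Option 1:
    # print(probe_bind(ca_file="ldap.crt"))
```

A result of 49 (invalidCredentials) with a working TLS handshake points at the bind account or password in the vCenter table; a TLS error from `probe_bind` points at the certificate or the NSG rule instead.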
vpxd or sso logs).
Integrating VMware vSphere 7 SSO with Microsoft Entra ID via Entra Domain Services (LDAP) provides a secure and scalable solution for centralized access control—especially in cloud-only or hybrid environments.
While native support improves in vSphere 8.x, this guide ensures you can still achieve smooth federation in vSphere 7 with confidence.