{"id":2258,"date":"2025-04-30T20:42:44","date_gmt":"2025-05-01T00:42:44","guid":{"rendered":"https:\/\/enterpriseadmins.org\/blog\/?p=2258"},"modified":"2025-04-30T20:42:44","modified_gmt":"2025-05-01T00:42:44","slug":"how-to-use-powercli-with-entra-id-federated-vcenter-logins","status":"publish","type":"post","link":"https:\/\/enterpriseadmins.org\/blog\/scripting\/how-to-use-powercli-with-entra-id-federated-vcenter-logins\/","title":{"rendered":"How to Use PowerCLI with Entra ID Federated vCenter Logins"},"content":{"rendered":"\n

vCenter Server 8.0 allows administrators to federate identity with Entra ID (formerly Azure AD), enabling seamless SSO and MFA. However, integrating this setup with automation tools like PowerCLI introduces a few challenges. This guide walks through enabling and using PowerCLI with federated logins.<\/p>\n\n\n\n

After enabling this federated identity feature, a few additional considerations are required when connecting using PowerCLI. In most Entra ID environments multifactor authentication is enforced, for example via conditional access policy. As such, attempting to login with just a username and password will fail. Here is a sample error response:<\/p>\n\n\n\n

> Connect-VIServer vc3.example.com -User h163-user2@lab.enterpriseadmins.org -Password VMware1!\n\nConnect-VIServer : 4\/29\/2025 6:29:26 PM Connect-VIServer                Cannot complete login due to an incorrect user name or password.\nAt line:1 char:1\n+ Connect-VIServer vc3.example.com -User h163-user2@lab.enterpriseadmin ...\n+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n    + CategoryInfo          : NotSpecified: (:) [Connect-VIServer], InvalidLogin\n    + FullyQualifiedErrorId : Client20_ConnectivityServiceImpl_Reconnect_SoapException,VMware.VimAutomation.ViCore.Cmdlets.Command\n   s.ConnectVIServer<\/code><\/pre>\n\n\n\n
The good news is we can still allow clients\/end users to login via their federated identities with a little setup.<\/p>\n\n\n\n
Administrator \/ Grant access to PowerCLI User<\/h2>\n\n\n\n
As an administrator, we’ll create a new OAuth2 client. We will share this client details with the client who wishes to use PowerCLI.  In the codeblock below we’ll use splatting to make the code a bit more readable.  <\/p>\n\n\n\n
$newOAuthArguments = @{\n  ClientID     = 'h366-powercli-native-Brian'\n  Name         = 'h366-PowerCLI Client2'\n  Scope        = @(\"openid\", \"user\", \"group\")\n  GrantTypes   = @(\"authorization_code\", \"refresh_token\")\n  RedirectUris = @(\"http:\/\/localhost:8844\/authcode\")\n  PkceEnforced = $true\n  AccessTokenTimeToLiveMinutes      = 30\n  RefreshTokenTimeToLiveMinutes     = 43200\n  RefreshTokenIdleTimeToLiveMinutes = 28800\n}\n$newClient = New-VIOAuth2Client @newOAuthArguments<\/code><\/pre>\n\n\n\n
In the above example, we assigned the output of New-VIOAuth2Client<\/code> to a variable and did not specify a Secret<\/code> parameter.  With this configuration, a secret will be automatically generated, but that value is not returned in the default output of the cmdlet. We’ll use $newClient.secret<\/code>  to view the new secret of: s1A9RxZ0FbBEGoMplD0HcbQITBODtX85<\/code>.  We’ll need to share the ClientID and Secret value with the person wishing to authenticate.<\/p>\n\n\n\n
Client \/ PowerCLI User<\/h2>\n\n\n\n
In the step above, our administrator created a New-VIOAuth2Client<\/code> for us and shared the following details:<\/p>\n\n\n\n