{"id":2398,"date":"2026-05-18T15:34:52","date_gmt":"2026-05-18T19:34:52","guid":{"rendered":"https:\/\/enterpriseadmins.org\/blog\/?p=2398"},"modified":"2026-05-18T15:34:52","modified_gmt":"2026-05-18T19:34:52","slug":"using-powercli-with-federated-vcf-9-1-authentication","status":"publish","type":"post","link":"https:\/\/enterpriseadmins.org\/blog\/scripting\/using-powercli-with-federated-vcf-9-1-authentication\/","title":{"rendered":"Using PowerCLI with Federated VCF 9.1 Authentication"},"content":{"rendered":"\n

The VCF PowerCLI 9.1 release notes call out an interesting change to the Connect-VIServer<\/code> cmdlet (https:\/\/techdocs.broadcom.com\/us\/en\/vmware-cis\/vcf\/vcf-9-0-and-later\/9-1\/release-notes\/vmware-cloud-foundation-9-1-0-0-release-notes\/what-s-new\/whats-new-vcf-cli-api-sdk\/vcf-powercli-changelog\/vmware-vimautomation-core.html<\/a>)<\/p>\n\n\n\n

\n

Connect-VIServer
– <\/strong>Added parameter ‘VcfApiToken’
– Added parameter ‘VcfOAuthSecurityContext’<\/p>\n<\/blockquote>\n\n\n\n

This change introduces native support for API token authentication in federated VCF environments, making non-interactive automation significantly easier than previous SAML-based approaches.<\/p>\n\n\n\n

In a prior post (https:\/\/enterpriseadmins.org\/blog\/scripting\/how-to-use-powercli-with-federated-vcenter-logins\/<\/a>), I wrote about using a -SamlSecurityContext<\/code> parameter to login to a vCenter that had been configured with federated identity. That approach required additional setup using a non-federated user in PowerCLI and only supported interactive browser-based authentication.<\/p>\n\n\n\n

This post will focus on using the latest Connect-VIServer<\/code> cmdlet to connect to a VCF 9.1 vSphere instance. In this environment, an Identity Broker has already been configured using generic OIDC and the VCF Instance is configured to use the SSO provider. Here is a screenshot of the overview page confirming this configuration:<\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

Creating an API Client and Token<\/h2>\n\n\n\n

In the screenshot above, we can see an ‘API Access’ tab. From here we can create API Clients and API Tokens. We’ll start by selecting create on the ‘API CLIENTS’ sub tab.<\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

For Client Name, I’ll enter VCF_PowerCLI_Admin<\/code> and then select ‘CREATE API CLIENT’. In Roles, I’ll set the scope to be Components with vcf479-vidb-01<\/code> and for role will select VCF Administrator<\/code>. I’ll finally select SAVE on this page.<\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

With the API Client created, I’ll select the vertical ellipsis and then ‘Generate API Token’.<\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

For the ‘API Token Name’ I’ll provide Brian-PowerCLI-Admin<\/code> and click ‘Generate API Token’.<\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

This will provide a summary of the token generated. I will not be able to continue until I’ve copied the token value.<\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

Connecting with PowerCLI<\/h2>\n\n\n\n

The release notes called out two options for authentication. Here is where I believe each of these options would be appropriate.<\/p>\n\n\n\n

Method<\/strong><\/td>Use Case<\/strong><\/td><\/tr>
-VcfApiToken<\/code><\/td>Simple direct login to vCenter<\/td><\/tr>
-VcfOAuthSecurityContext<\/code><\/td>Reusing authentication across multiple VMware products<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

We will demo both of these options below.<\/p>\n\n\n\n

VcfApiToken parameter<\/h2>\n\n\n\n

This is a very straightforward option. When you pass the token, VCF PowerCLI automatically discovers the associated VCF SSO instance in the background and completes the login process. After connecting to vCenter, I’ll retrieve a list of VMs to confirm that the connection is working.<\/p>\n\n\n\n

PS C:\\> Connect-VIServer vcf479-vc-01.lab.enterpriseadmins.org -VcfApiToken 'vidb_MjkxYzNlZTctOWNhZS00MGZjLWE4ZDg<redacted>'\n\nName                           Port  User\n----                           ----  ----\nvcf479-vc-01.lab.enterprise... 443   CUSTOMER\\73c160a0-adcc-4259...\n\n\nPS C:\\> Get-VM\n\nName                 PowerState Num CPUs MemoryGB\n----                 ---------- -------- --------\nvcf479-license-01    PoweredOn  2        4.000\nvcf479-opscol-01     PoweredOn  4        16.000\nvcf479-ops-01        PoweredOn  4        16.000\nvcf479-nsx-01        PoweredOn  6        24.000\nvcf479-sddcm-01      PoweredOn  4        16.000\nvcf479-vsp-01-c8bmk  PoweredOn  12       24.000\nvcf479-vsp-01-rnn58  PoweredOn  12       24.000\nvcf479-vsp-01-7zdvf  PoweredOn  12       24.000\nvcf479-vsp-01-2dcws  PoweredOn  4        10.000\nvcf479-vc-01         PoweredOn  4        21.000<\/code><\/pre>\n\n\n\n
VcfOAuthSecurityContext parameter<\/h2>\n\n\n\n
When using the VcfOAuthSecurityContext<\/code> parameter, the IdentityBrokerHostname<\/code> is also required.  <\/p>\n\n\n\n
PS C:\\> $vcfOauthSec = New-VcfOAuthSecurityContext -IdentityBrokerHostname 'vcf479-vidb-01.lab.enterpriseadmins.org' -ApiToken 'vidb_MjkxYzNlZTctOWNhZS00MGZjLWE4ZDg<redacted>'\nPS C:\\>\nPS C:\\> Connect-VIServer vcf479-vc-01.lab.enterpriseadmins.org -VcfOAuthSecurityContext $vcfOauthSec\n\nName                           Port  User\n----                           ----  ----\nvcf479-vc-01.lab.enterprise... 443   CUSTOMER\\73c160a0-adcc-4259...\n\n\nPS C:\\> Get-VM\n\nName                 PowerState Num CPUs MemoryGB\n----                 ---------- -------- --------\nvcf479-license-01    PoweredOn  2        4.000\nvcf479-opscol-01     PoweredOn  4        16.000\nvcf479-ops-01        PoweredOn  4        16.000\nvcf479-nsx-01        PoweredOn  6        24.000\nvcf479-sddcm-01      PoweredOn  4        16.000\nvcf479-vsp-01-c8bmk  PoweredOn  12       24.000\nvcf479-vsp-01-rnn58  PoweredOn  12       24.000\nvcf479-vsp-01-7zdvf  PoweredOn  12       24.000\nvcf479-vsp-01-2dcws  PoweredOn  4        10.000\nvcf479-vc-01         PoweredOn  4        21.000<\/code><\/pre>\n\n\n\n
We can use this authenticated security context to connect to other products, such as VCF Operations, which do not provide direct VcfApiToken<\/code> properties.  For example, using the $vcfOauthSec<\/code> variable created above, I can also connect to the operations instance:<\/p>\n\n\n\n
Connect-VcfOpsServer vcf479-ops-01.lab.enterpriseadmins.org -VcfOAuthSecurityContext $vcfOauthSec<\/code><\/pre>\n\n\n\n
Conclusion<\/h2>\n\n\n\n
PowerCLI 9.1 significantly simplifies authentication to federated VCF 9.1 environments.<\/p>\n\n\n\n
Compared to previous SAML security context workflows, the new API token and OAuth security context capabilities reduce setup complexity while enabling fully non-interactive authentication. This makes PowerCLI automation easier to integrate with scheduled tasks, orchestration platforms, and CI\/CD pipelines.<\/p>\n\n\n\n
For simple vCenter connections, -VcfApiToken<\/code> provides the most straightforward experience. For broader multi-product workflows, -VcfOAuthSecurityContext<\/code> enables authentication reuse across the environment.<\/p>\n","protected":false},"excerpt":{"rendered":"
The VCF PowerCLI 9.1 release notes call out an interesting change to the Connect-VIServer cmdlet (https:\/\/techdocs.broadcom.com\/us\/en\/vmware-cis\/vcf\/vcf-9-0-and-later\/9-1\/release-notes\/vmware-cloud-foundation-9-1-0-0-release-notes\/what-s-new\/whats-new-vcf-cli-api-sdk\/vcf-powercli-changelog\/vmware-vimautomation-core.html) Connect-VIServer– Added parameter ‘VcfApiToken’– Added parameter ‘VcfOAuthSecurityContext’ This change introduces native support for API token authentication in federated VCF environments, making non-interactive automation significantly … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":6,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[9,3,4],"tags":[],"class_list":["post-2398","post","type-post","status-publish","format-standard","hentry","category-lab-infrastructure","category-scripting","category-virtualization"],"_links":{"self":[{"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/posts\/2398","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/comments?post=2398"}],"version-history":[{"count":6,"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/posts\/2398\/revisions"}],"predecessor-version":[{"id":2410,"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/posts\/2398\/revisions\/2410"}],"wp:attachment":[{"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/media?parent=2398"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/categories?post=2398"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/tags?post=2398"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}