Configuring Multi-Org Tenancy in vRA 8.x - Part 5: Configuring Directories



vRealize Automation vRA Multi-Tenancy

Published on 1 October 2020 by Christopher Lewis. Words: 1067. Reading Time: 6 mins.

In this series of posts, we will be taking a look at how to configure a Multi-Organization Tenancy (aka Multi-Tenancy) in vRealize Automation (vRA) 8.x. In this post, I will tackle the management of User Directories in a vRA 8.x Multi-Organizational Tenancy deployment. Specifically, we will look at:

  1. Migrating a User Directory from the Provider Tenant into the Customer Tenant.
  2. Adding a new User Directory to the Customer Tenant using VMware Identity Manager.
  3. Deleting a User Directory from the Customer Tenant using VMware Identity Manager.

For more information on the rest of the posts in this series, see the series index.

Adding User Directories to an Organization/Tenant

We’re going to be adding new User Directories to the MedTech Organization we created previously. Part of this can be done from vRSLCM, but vRSLCM can only hand a Customer Tenant a directory that already exists in the Provider Tenant. In practice that means your Provider Tenant needs to have the relevant customer Active Directories configured first (how many depends on your requirements).

Migrating a User Directory from the Provider Tenant into the Customer Tenant

One thing to note before we start is that, whilst I have classed this as a migration, the User Directory is also still left in the Master/Provider Tenant after this procedure. Because the directory (and its bind credentials) therefore remains visible to Provider Tenant administrators, use a dedicated, read-only bind account for each customer directory rather than a privileged one.


  1. Navigate to the vRSLCM homepage, https://vrslcm.fqdn.
  2. Enter the user credentials for an Admin user and click LOGIN.

Note: I’m using the admin@local account, but you could also use any account with the appropriate privileges.

  3. At the My Services screen, click Identity and Tenant Management.
  4. Click Tenant Management.
  5. At the Tenants screen, click the MEDTECH Tenant.
  6. At the MEDTECH screen, click Directories.
  7. At the MEDTECH screen, click ADD DIRECTORIES.
  8. At the Add Directories to Tenant screen, click the checkbox next to the target Directory Name.
  9. At the Add Directories to Tenant screen, enter the Bind Password into the textbox and click VALIDATE.
  10. At the Add Directories to Tenant screen, click ADD DIRECTORIES.
  11. The directory has now been added to the Tenant!

Note: If you want to REMOVE a directory, you will need to go into VMware Identity Manager to do this - but that is covered later!

Adding a New User Directory to the Customer Tenant using VMware Identity Manager


  1. Navigate to the vIDM Administrator portal for the tenant, https://tenant.idm.fqdn/admin.
  2. At the login screen, select the System Domain value from the Select your domain dropdown.
  3. At the login screen, untick the Remember this setting checkbox and click Next.
  4. Enter the Tenant Administrator credentials for an Admin user and click LOGIN.
  5. At the Identity Manager screen, click Identity & Access Management.
  6. At the Directories screen, click Add Directory.
  7. Select Add Active Directory over LDAP/IWA.
  8. At the Add Directory screen, enter the name of the new directory into the Directory Name textbox.
  9. At the Add Directory screen, select the Active Directory over LDAP option.
  10. At the Add Directory screen, under Directory Sync and Authentication, leave the default settings.
  11. At the Add Directory screen, under Server Location, ensure that the This Directory supports DNS Service Location checkbox is checked.

Note: If your Active Directory Domain does not support this, uncheck the checkbox and provide the Server Host and Server Port for an AD Domain Controller. Optionally you can check the This Directory has a Global Catalog checkbox. If you do that, you also need to change the Directory Search Attribute to userPrincipalName.

  12. At the Add Directory screen, under Certificates, leave the default settings.

Note: If your Active Directory Domain requires STARTTLS, check the This Directory requires all connections to use STARTTLS checkbox. Without STARTTLS (or LDAPS) the Bind User Password and every subsequent sync travel to the Domain Controller in cleartext, so enable it whenever your Domain Controllers support it.

  13. At the Add Directory screen, under Bind User Details, enter the Base DN, Bind DN and Bind User Password and click Test Connection.
  14. At the Add Directory screen, click Save & Next.
  15. At the Select the Domains screen, click Save & Next.
  16. At the Map User Attributes screen, leave all the defaults and click Next.
  17. At the Select the groups (users) you want to sync screen, click +.
  18. At the Select the groups (users) you want to sync screen, enter the group DN (such as ou=groups,dc=domain,dc=local) into the textbox and click Find Groups.
  19. At the Select the groups (users) you want to sync screen, click Select.
  20. At the Select the groups (users) you want to sync screen, locate each group that needs to be synchronized, check the checkbox next to its name and then click Save.
  21. At the Select the groups (users) you want to sync screen, click Next.
  22. At the Select the Users you would like to sync screen, click Next.
  23. At the Review screen, click Sync Directory.

Let the Directory sync begin!

Again, we can switch back to vRSLCM and see the new User Directory in the MedTech Tenant.
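Before typing a Bind DN and Bind User Password into the wizard above, it is worth confirming from any host that the Domain Controller actually negotiates STARTTLS and that the bind account works. The following script is an added example written for this post; it is not part of the original walkthrough and not VMware code. It uses only the Python standard library, hand-encoding the two LDAP messages involved (the StartTLS extended request and a simple bind). The host name dc01.medtech.local, the Bind DN and the password at the bottom are assumptions for illustration; replace them with the values you intend to enter in vIDM.

```python
"""Preflight for the vIDM 'Add Directory' bind settings (added example).

Connects to a Domain Controller on the plain LDAP port, upgrades the
connection with STARTTLS, verifies the DC certificate, then performs a
simple bind with the Bind DN / password you plan to give vIDM.  The
LDAP messages are hand-encoded BER (RFC 4511); no third-party modules.
"""
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # StartTLS extended operation
RESULT_SUCCESS = 0
RESULT_INVALID_CREDENTIALS = 49            # what a wrong Bind User Password returns


def ber_len(n: int) -> bytes:
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content


def ldap_message(msg_id: int, protocol_op: bytes) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp }"""
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + protocol_op)


def starttls_request(msg_id: int = 1) -> bytes:
    """ExtendedRequest [APPLICATION 23] carrying the StartTLS OID."""
    return ldap_message(msg_id, tlv(0x77, tlv(0x80, STARTTLS_OID)))


def simple_bind_request(msg_id: int, bind_dn: str, password: str) -> bytes:
    """BindRequest [APPLICATION 0]: version 3, name, simple [0] password.

    The password is a plain OCTET STRING, so without STARTTLS (or LDAPS)
    it crosses the wire in cleartext: that is why the wizard's STARTTLS
    checkbox matters.
    """
    body = tlv(0x02, b"\x03") + tlv(0x04, bind_dn.encode()) + tlv(0x80, password.encode())
    return ldap_message(msg_id, tlv(0x60, body))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content_start, content_end) for the TLV at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    return tag, pos + hdr, pos + hdr + length


def parse_result(msg: bytes):
    """Return (messageID, resultCode) from a BindResponse or ExtendedResponse."""
    tag, start, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, id_start, id_end = _read_tlv(msg, start)
    msg_id = int.from_bytes(msg[id_start:id_end], "big")
    op_tag, op_start, _ = _read_tlv(msg, id_end)
    if op_tag not in (0x61, 0x78):          # BindResponse, ExtendedResponse
        raise ValueError(f"unexpected protocolOp tag {op_tag:#x}")
    code_tag, c_start, c_end = _read_tlv(msg, op_start)
    if code_tag != 0x0A:                    # resultCode is ENUMERATED
        raise ValueError("missing resultCode")
    return msg_id, int.from_bytes(msg[c_start:c_end], "big")


def _recv_exact(sock, n: int) -> bytes:
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("connection closed by directory server")
        data += chunk
    return data


def _recv_message(sock) -> bytes:
    """Read exactly one BER-framed LDAPMessage (handles long-form lengths)."""
    head = _recv_exact(sock, 2)
    if head[1] < 0x80:
        length = head[1]
    else:
        extra = _recv_exact(sock, head[1] & 0x7F)
        head, length = head + extra, int.from_bytes(extra, "big")
    return head + _recv_exact(sock, length)


def preflight_bind(host: str, bind_dn: str, password: str, port: int = 389, cafile=None) -> int:
    """STARTTLS, verify the DC certificate chain and hostname, then bind.

    Returns the bind resultCode (0 = success, 49 = bad DN or password).
    Raises if the DC refuses STARTTLS or its certificate does not verify.
    """
    ctx = ssl.create_default_context(cafile=cafile)   # your internal CA bundle
    with socket.create_connection((host, port), timeout=10) as raw:
        raw.sendall(starttls_request(1))
        msg_id, code = parse_result(_recv_message(raw))
        if (msg_id, code) != (1, RESULT_SUCCESS):
            raise RuntimeError(f"STARTTLS refused by {host}, resultCode={code}")
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(simple_bind_request(2, bind_dn, password))
            _, code = parse_result(_recv_message(tls))
            return code


if __name__ == "__main__":
    # Assumed values for illustration; substitute your own before running.
    code = preflight_bind("dc01.medtech.local",
                          "cn=svc-vidm-bind,ou=service accounts,dc=medtech,dc=local",
                          "Bind User Password", cafile="medtech-ca.pem")
    print("bind OK" if code == RESULT_SUCCESS else f"bind failed, resultCode={code}")
```

A resultCode of 49 means the DC is reachable and speaks TLS but rejected the Bind DN or password, which is worth knowing before the wizard's Test Connection button gives a less specific error. A certificate verification failure here is the same failure vIDM will hit, and the fix is to import the issuing CA under the wizard's Certificates section rather than to turn STARTTLS off.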

Removing a User Directory from the Customer Tenant using VMware Identity Manager


  1. Navigate to the vIDM Administrator portal for the tenant, https://tenant.idm.fqdn/admin.
  2. At the login screen, select the System Domain value from the Select your domain dropdown.
  3. At the login screen, untick the Remember this setting checkbox and click Next.
  4. Enter the Tenant Administrator credentials for an Admin user and click LOGIN.
  5. At the Identity Manager screen, click Identity & Access Management.
  6. At the Directories screen, click the name of the directory to be removed.
  7. At the MEDTECH Directory screen, click Delete Directory.
  8. At the Delete Directory warning dialog, click Delete.
  9. Wait patiently for the Directory to be deleted!

You can check back into vRSLCM and see that the directory has been removed from the Tenant.

Bringing it all together!

In this post we have walked through the (hopefully successful) steps required to add new User Directories to, and remove existing ones from, an Organization/Tenant when Multi-Organizational Tenancy is enabled. Hopefully you have noticed that this Day 2 action is relatively straightforward. Hopefully you also noticed that it is subtly different from adding User Directories in a deployment where Multi-Organizational Tenancy is not enabled.

Once you have configured one or more new Directories, remember to complete any necessary Role Based Access Control configuration at the Identity & Access Management screen within the tenant!

When I started to write this post, I was surprised to discover that you could not delete a User Directory from, or add a Directory directly to, a Customer Tenant from within vRSLCM. I believe this is a massive oversight and it is something I will be bringing up internally to see if there is a specific reason for this or whether we just didn’t enable the feature.

Hopefully you have found the walk through useful!
