How to Configure vRA's Embedded vRO to Allow Domain Account Login

Two years ago, I wrote a similar article around vCAC’s embedded vCO but a lot has changed since then so those older steps no longer apply. This brief article will quickly walk you through the steps required to allow vRealize Automation 7.0/7.1/7.2’s embedded vRealize Orchestrator to allow Active Directory Domain accounts login to the vRO Client.


This article assumes the following:

  • vRealize Automation 7.0-7.2 is installed and configured (NOTE: This has not been tested with 7.3!)
  • vRealize Orchestrator (embedded) is configured to use vRealize Automation as Authentication source
  • At least one Active Directory domain has been configured in vRA (Administration -> Directories Management -> Directories)

Custom Group

Although the vRA vIDM instance already contains a vcoadmins group by default with the administrator@vsphere.local account as a member, there is not an obvious way (that I’ve found) to modify the group membership. As a result of this, we must first create a new group that we can manage. This can be done as follows:

  • Log in to vRA as a Tenant Admin (in this instances, we are using the cloudadmin account)
  • Go to Administration -> Users & Groups -> Custom Groups; Click on + New to create a New Group (not shown)
  • Give the group a name (here, we are using adminsvro) and optionally a Description
  • Click Next

Custom Group - Members

On the Members tab,

  1. Use the Search box to search for and select the desired group members. In this case, I want:
  2. Group Members
  • vcoadmins@vsphere.local
  • Domain Admins@corp.local
  1. Click Finish when done

Update vRO Configuration

  • Now, go to your vRO Control Center (NOTE: You may need to start the vco-configurator service on your vRA appliance if it is not already running)
  • Log in using root and the root password of your vRA appliance.
  • Click on the Configure Authentication Provider button
  • Set vsphere.local\adminsvro as the Admin group (or the Custom Group you created in the earlier step)
  • Click Save Changes
  • Now restart your vRO Server Service

vRO Client Log In

Launch the vRO Client and log in as a member of the group specified. In this case, I am using administrator@corp.local


As you can see, I am now able to log in to the vRO Client with a Domain Account rather than only the administrator@vsphere.local account !!

Thanks to @SteveSchofield for prompting me to look into this!