Configuring Multi-Org Tenancy in vRA 8.x - Part 8: Integrating the Embedded Orchestrator

vRealize Automation vRealize Orchestrator vRA vRO Multi-Tenancy

Published on 4 November 2020 by Christopher Lewis. Words: 352. Reading Time: 2 mins.

In this post, we will walk through how to configure the integration for the embedded (shared) vRealize Orchestrator into the additional customer tenants.

In this series of posts, we will be taking a look at how to configure a Multi-Organization Tenancy (aka Multi-Tenancy) in vRealize Automation (vRA) 8.x.

For more information on the rest of the posts in this series, click here.

The “Problem”

Unfortunately, once vRA Multi-Tenancy has been enabled and a new tenant has been configured, the embedded vRO gets decoupled due to the changes to the platform (including the creation of a new vIDM tenant for each additional vRA tenant).

If you try to access the shared Orchestrator service from within any of the additional tenants, you should get the following error:

Don’t worry, there is an easy fix for this. We just need to configure a new vRO Integration endpoint for each of the vRA tenants (or at least each tenant where we want to do something with vRO). So let’s go ahead and do that.


  1. Navigate to https://tenant.vra.fqdn and click GO TO LOGIN PAGE.
  2. Enter the Username and Password for a Cloud Assembly Administrator and then click Sign in.
  3. Click Cloud Assembly.
  4. Click Infrastructure.
  5. Click Integrations.
  6. Click vRealize Orchestrator.
  7. At the Name field, type a friendly name for this integration.
  8. At the vRealize Orchestrator URL field, type https://tenant.vra.fqdn:443 and click VALIDATE.
  9. If prompted with an Untrusted Certificate Found dialog, click ACCEPT.
  10. Click ADD.
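
The Untrusted Certificate Found step accepts a certificate that the platform cannot validate, so it is worth confirming that the certificate served at the tenant URL is the appliance's own before clicking ACCEPT. The Python below is an added example, not part of the original post or of any VMware tooling. It assumes you have recorded the SHA-256 fingerprint of the vRA certificate out of band, and `tenant.vra.fqdn` is the post's placeholder hostname.

```python
"""Check a server certificate against a recorded SHA-256 fingerprint."""
import hashlib
import hmac
import socket
import ssl
import sys


def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 of the DER certificate as colon-separated upper-case hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fingerprint: str) -> str:
    """Drop colons/whitespace and lower-case; reject anything but 64 hex chars."""
    compact = "".join(fingerprint.replace(":", "").split()).lower()
    if len(compact) != 64 or any(c not in "0123456789abcdef" for c in compact):
        raise ValueError("expected a SHA-256 fingerprint (64 hex characters)")
    return compact


def fetch_leaf_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Return the leaf certificate the server presents, without chain validation."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # the trust decision is the fingerprint check
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def safe_to_accept(der: bytes, expected_fingerprint: str) -> bool:
    """True only if the presented certificate matches the recorded fingerprint."""
    presented = normalize(sha256_fingerprint(der))
    return hmac.compare_digest(presented, normalize(expected_fingerprint))


# Constructed bytes standing in for a DER certificate, so the demo runs offline.
SAMPLE_DER = b"constructed placeholder, not a real certificate"

if __name__ == "__main__":
    if len(sys.argv) == 3:  # args: tenant.vra.fqdn <recorded fingerprint>
        der, expected = fetch_leaf_der(sys.argv[1]), sys.argv[2]
    else:
        der, expected = SAMPLE_DER, sha256_fingerprint(SAMPLE_DER)
    print(sha256_fingerprint(der))
    sys.exit(0 if safe_to_accept(der, expected) else 1)
```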

Now when we try to access the Orchestrator Service from within a tenant (assuming we have been given access through RBAC), we will be able to access it just as we did before.


In this post we have covered how to configure the embedded vRO instance on a per-tenant basis. If we take a step back from the detail, we can see that the configuration of the integration for an external vRO is not any different. That is, assuming you have deployed the external vRO instance and configured vRO to use vRA as an authentication source (rather than vCenter Server). It is just a URL change after all.
