you must create a group in AD and in the vcenter you give the right of access to the group, instead of in the whole AD.
users who are part of this group in AD, log into the vCenter.
Did you understand what I meant?
I want to prevent anyone from logging in.
Here is what I mean:
Thats not possible and was a design flaw from the early days of SSO and changed later. But i dont see the problem because without vCenter permissions the user which logged into doesnt see anything.
Solution is quite simple and you should just update your vcenter.