Fortinet white logo
Fortinet white logo

EMS Administration Guide

Adding an Azure AD server

Adding an Azure AD server

You can integrate Azure Active Directory (AD) with on-premise EMS and FortiClient Cloud.

To create an enterprise application for FortiClient:
  1. In the Azure portal, go to Azure Active Directory > Enterprise applications > New application.
  2. Click Create your own application.
  3. In the What's the name of your app? field, enter the desired name.
  4. Under What are you looking to do with your application?, select Register an application to integrate with Azure AD (App you're developing).
  5. Click Create.
To add Microsoft Graph API application permissions required for searching user groups:
  1. In the left menu, click App registrations, then click the All applications tab.
  2. Click your FortiClient enterprise application.
  3. In the left menu, click API permissions, and click Add a permission.
  4. In the Request API permissions slide-in, click Microsoft Graph.
  5. Select Application permissions.
  6. In the Select permissions section, search for and select the following permissions:
    • Application Access API
      • Application.ReadWrite.OwnedBy
      • Directory.ReadWrite.All
      • Domain.ReadWrite.All
      • Group.ReadWrite.All
      • User.ReadWrite.All
    • Delegate Access API
      • Directory.ReadWrite.All
      • User.ReadWrite.All
      • User.Read
      • Directory.AccessAsUser.All
    • Other API Permission
      • Application
        • AdministrativeUnit.ReadWrite.All
        • DelegatedPermissionGrant.ReadWrite.All
        • Device.ReadWrite.All
        • User.ManageIdentities.All
      • Delegate
        • User.ReadBasic.All
  7. Click Add permissions.
  8. In the API permissions page, click Grant admin consent for Default Directory. If this option is grayed out, you must log into an Azure admin account to perform this step.
To add a client secret string and determine its value:
  1. In the left menu, click App registrations, then click the All applications tab.
  2. Click your FortiClient enterprise application.
  3. In the left menu, click Certificates & secrets, and click New client secret.
  4. In the Add a Client Secret slide-in, add a Description and select the desired Expires option. Click Add.
  5. Observe that a new client secret has been created. Immediately after creation, copy the Value of the client secret string, which EMS uses as the Azure Client Secret. This value is not visible after this initial creation step and moving to another page.
To configure an Azure AD server in EMS:
  1. Configure the Azure AD server as an authentication server in EMS:
    1. In the Azure management console, collect your AD tenant ID, client ID, and client secret.
    2. Go to Administration > Authentication Servers.
    3. Click Add > Azure.
    4. In the Tenant ID and Client ID fields, enter the IDs that you collected from the Azure management console.
    5. For Authorization Type, select Client Secret.
    6. In the Client Secret field, enter the client secret that you collected from the Azure management console.
    7. Configure other fields as desired.
    8. Click Test.

    9. After the test succeeds, click Save.
  2. Go to Endpoints > Manage Domains.
  3. Click Add, then Azure.
  4. From the Azure Server dropdown list, select the desired server.
  5. In the Sync every field, enter the number of minutes after which EMS syncs with the Azure server.
  6. For Group Selection Behaviour, select Import Entire Azure Domain or Import Selected Azure Groups.
  7. Enable Import as Base Group for the desired groups, then click Save.

    Endpoints > Domains lists the Azure AD server domain groups and subgroups. It lists subgroups as a flat list and does not preserve the hierarchy from the AD server.

When using user management, Azure AD users can register their FortiClient to EMS using an invitation code or with SAML.

To configure the Azure tenant app for initiating passthrough (domain):

This is necessary for registering an Azure AD endpoint to EMS using an invitation code. This only applies for Azure AD-joined endpoints.

  1. Configure the redirect URL:
    1. In the Azure portal, go to App registration. Copy the application/client ID of the application used to connect with EMS.
    2. Click the application, then click the Redirect URIs link.
    3. Click Add a Platform > Select Mobile and Desktop applications.
    4. Add the following URL: ms-appx-web://microsoft.aad.brokerplugin/<application client ID>.
    5. Under Allow public client flows, toggle to Yes for Enable the following mobile and desktop flows.
    6. Save the configuration.
  2. Go to Roles and administrators.
  3. Search for and select Directory Readers.
  4. Click Add assignments.
  5. Select the application used to connect with EMS.
  6. Add desired users to the application in Azure AD:
    1. Go to Enterprise applications, and select the application used to connect with EMS.
    2. Go to Users and groups.
    3. Click Add user/group, and select the users that you will invite to EMS using an invitation code.
To register an Azure AD user's endpoint to EMS using an invitation code:
  1. In the EMS top banner, click Invitations.
  2. Click Add.
  3. For Verification Type, select Domain.
  4. From the LDAP Domain dropdown list, select the Azure AD server.
  5. Configure other settings as desired, then click Save.
  6. On the endpoint, go to Settings > Accounts.
  7. Under Access work or school, click Connect.
  8. Log in as an Azure AD user.

  9. In FortiClient, on the Zero Trust Telemetry tab, enter the invitation code to register to EMS. FortiClient register to EMS as the logged in Azure AD user without additional prompts.
To register an Azure AD user's endpoint to EMS using SAML:

You must copy some values from the Azure portal to EMS and other values from EMS to the Azure portal to complete the configuration.

  1. In EMS, create a SAML configuration:
    1. In EMS, go to User Management > SAML Configuration.
    2. Click Add.
    3. For Authorization Type, select LDAP.
    4. From the Domain dropdown list, select the Azure AD server.
    5. In this configuration, EMS acts as the service provider, while the Azure AD server is the identity provider. In the SP Address field, enter the EMS IP address or FQDN. You can also use the Use Current URL button to populate the field.
  2. In Azure, add and configure the Azure AD SAML Toolkit:
    1. Go to Enterprise applications, then click New application.
    2. Search for and select Azure AD SAML Toolkit.
    3. Configure a name for the toolkit as desired, then click Create.
    1. Click into the toolkit, select Single sign-on, then SAML.
    2. Under Basic SAML Configuration, click Edit.
    3. Copy the values from EMS in User Management > SAML Configuration > Service Provider Settings to the Azure portal. This table maps the EMS SAML fields that you must copy from EMS and configure in Azure AD. Configure as the table summarizes, then click Save.

      EMS SAML field

      Azure AD Basic SAML Configuration field

      SP Entity ID

      Identifier (Entity ID)

      SP ACS (login) URL

      Reply URL (Assertion Consumer Service URL)

      SP Address

      Sign on URL

    4. Under Attributes & Claims, click Edit.
    5. Click Unique User Identifier.
    6. From the Source attribute dropdown list, select user.localuserpricipalname. Click Save.
  3. In Azure, add a new claim:
    1. Click Add new claim.
    2. In the Name field, enter the domain identification value from EMS. You can find this value on EMS in User Management > SAML Configuration > Assertion Attributes > Domain Identification. This field is only visible when LDAP is selected as the Authorization Type and the Domain field is populated in SAML Configuration.
    3. Ensure that Namespace is empty.
    4. From the Source attribute field, select user.localprincipalname. Click Save.
    5. Under SAML Certificates, download the Certificate (Base64) file.
  4. Copy the URLs under Set up Tutorial SAML Toolkit to EMS:
    1. Copy the Azure AD Identifier value to the IdP Entity ID field in EMS.
    2. Copy the Login URL value to the IdP single sign-on URL field in EMS.
    3. In the IdP certificate field, upload the certificate that you downloaded in step 3. Save the SAML configuration in EMS.

  5. In Azure, go to Users and groups. Add users to the list as desired. Azure authorizes any user added to this list to connect to EMS.
  6. Configure the invitation in EMS:
    1. In the top banner, click Invitations.
    2. Click Add.
    3. For Verification Type, select SAML.
    4. From the SAML Config dropdown list, select the SAML configuration.
    5. Configure other settings as desired, then click Save.
  7. You can authenticate the endpoint using Azure AD by doing one of the following:
    1. To join the device to the Azure AD server, do the following:
      1. On the endpoint, go to Settings > Accounts.
      2. Under Access work or school, click Connect.
      3. Log in as an Azure AD user.

      4. In FortiClient, on the Zero Trust Telemetry tab, enter the invitation code to register to EMS. FortiClient register to EMS as the logged in Azure AD user without additional prompts.
    2. For a workgroup endpoint or an endpoint joined to an on-premise domain, in FortiClient, on the Zero Trust Telemetry tab, enter the invitation code to register to EMS. A Microsoft single sign on prompt displays. Enter the Azure AD user credentials to authenticate and connect FortiClient to EMS.

The EMS administrator can configure endpoint policies and deployment configurations for specific endpoint groups from an Azure AD server.

Adding an Azure AD server

Adding an Azure AD server

You can integrate Azure Active Directory (AD) with on-premise EMS and FortiClient Cloud.

To create an enterprise application for FortiClient:
  1. In the Azure portal, go to Azure Active Directory > Enterprise applications > New application.
  2. Click Create your own application.
  3. In the What's the name of your app? field, enter the desired name.
  4. Under What are you looking to do with your application?, select Register an application to integrate with Azure AD (App you're developing).
  5. Click Create.
To add Microsoft Graph API application permissions required for searching user groups:
  1. In the left menu, click App registrations, then click the All applications tab.
  2. Click your FortiClient enterprise application.
  3. In the left menu, click API permissions, and click Add a permission.
  4. In the Request API permissions slide-in, click Microsoft Graph.
  5. Select Application permissions.
  6. In the Select permissions section, search for and select the following permissions:
    • Application Access API
      • Application.ReadWrite.OwnedBy
      • Directory.ReadWrite.All
      • Domain.ReadWrite.All
      • Group.ReadWrite.All
      • User.ReadWrite.All
    • Delegate Access API
      • Directory.ReadWrite.All
      • User.ReadWrite.All
      • User.Read
      • Directory.AccessAsUser.All
    • Other API Permission
      • Application
        • AdministrativeUnit.ReadWrite.All
        • DelegatedPermissionGrant.ReadWrite.All
        • Device.ReadWrite.All
        • User.ManageIdentities.All
      • Delegate
        • User.ReadBasic.All
  7. Click Add permissions.
  8. In the API permissions page, click Grant admin consent for Default Directory. If this option is grayed out, you must log into an Azure admin account to perform this step.
To add a client secret string and determine its value:
  1. In the left menu, click App registrations, then click the All applications tab.
  2. Click your FortiClient enterprise application.
  3. In the left menu, click Certificates & secrets, and click New client secret.
  4. In the Add a Client Secret slide-in, add a Description and select the desired Expires option. Click Add.
  5. Observe that a new client secret has been created. Immediately after creation, copy the Value of the client secret string, which EMS uses as the Azure Client Secret. This value is not visible after this initial creation step and moving to another page.
To configure an Azure AD server in EMS:
  1. Configure the Azure AD server as an authentication server in EMS:
    1. In the Azure management console, collect your AD tenant ID, client ID, and client secret.
    2. Go to Administration > Authentication Servers.
    3. Click Add > Azure.
    4. In the Tenant ID and Client ID fields, enter the IDs that you collected from the Azure management console.
    5. For Authorization Type, select Client Secret.
    6. In the Client Secret field, enter the client secret that you collected from the Azure management console.
    7. Configure other fields as desired.
    8. Click Test.

    9. After the test succeeds, click Save.
  2. Go to Endpoints > Manage Domains.
  3. Click Add, then Azure.
  4. From the Azure Server dropdown list, select the desired server.
  5. In the Sync every field, enter the number of minutes after which EMS syncs with the Azure server.
  6. For Group Selection Behaviour, select Import Entire Azure Domain or Import Selected Azure Groups.
  7. Enable Import as Base Group for the desired groups, then click Save.

    Endpoints > Domains lists the Azure AD server domain groups and subgroups. It lists subgroups as a flat list and does not preserve the hierarchy from the AD server.

When using user management, Azure AD users can register their FortiClient to EMS using an invitation code or with SAML.

To configure the Azure tenant app for initiating passthrough (domain):

This is necessary for registering an Azure AD endpoint to EMS using an invitation code. This only applies for Azure AD-joined endpoints.

  1. Configure the redirect URL:
    1. In the Azure portal, go to App registration. Copy the application/client ID of the application used to connect with EMS.
    2. Click the application, then click the Redirect URIs link.
    3. Click Add a Platform > Select Mobile and Desktop applications.
    4. Add the following URL: ms-appx-web://microsoft.aad.brokerplugin/<application client ID>.
    5. Under Allow public client flows, toggle to Yes for Enable the following mobile and desktop flows.
    6. Save the configuration.
  2. Go to Roles and administrators.
  3. Search for and select Directory Readers.
  4. Click Add assignments.
  5. Select the application used to connect with EMS.
  6. Add desired users to the application in Azure AD:
    1. Go to Enterprise applications, and select the application used to connect with EMS.
    2. Go to Users and groups.
    3. Click Add user/group, and select the users that you will invite to EMS using an invitation code.
To register an Azure AD user's endpoint to EMS using an invitation code:
  1. In the EMS top banner, click Invitations.
  2. Click Add.
  3. For Verification Type, select Domain.
  4. From the LDAP Domain dropdown list, select the Azure AD server.
  5. Configure other settings as desired, then click Save.
  6. On the endpoint, go to Settings > Accounts.
  7. Under Access work or school, click Connect.
  8. Log in as an Azure AD user.

  9. In FortiClient, on the Zero Trust Telemetry tab, enter the invitation code to register to EMS. FortiClient register to EMS as the logged in Azure AD user without additional prompts.
To register an Azure AD user's endpoint to EMS using SAML:

You must copy some values from the Azure portal to EMS and other values from EMS to the Azure portal to complete the configuration.

  1. In EMS, create a SAML configuration:
    1. In EMS, go to User Management > SAML Configuration.
    2. Click Add.
    3. For Authorization Type, select LDAP.
    4. From the Domain dropdown list, select the Azure AD server.
    5. In this configuration, EMS acts as the service provider, while the Azure AD server is the identity provider. In the SP Address field, enter the EMS IP address or FQDN. You can also use the Use Current URL button to populate the field.
  2. In Azure, add and configure the Azure AD SAML Toolkit:
    1. Go to Enterprise applications, then click New application.
    2. Search for and select Azure AD SAML Toolkit.
    3. Configure a name for the toolkit as desired, then click Create.
    1. Click into the toolkit, select Single sign-on, then SAML.
    2. Under Basic SAML Configuration, click Edit.
    3. Copy the values from EMS in User Management > SAML Configuration > Service Provider Settings to the Azure portal. This table maps the EMS SAML fields that you must copy from EMS and configure in Azure AD. Configure as the table summarizes, then click Save.

      EMS SAML field

      Azure AD Basic SAML Configuration field

      SP Entity ID

      Identifier (Entity ID)

      SP ACS (login) URL

      Reply URL (Assertion Consumer Service URL)

      SP Address

      Sign on URL

    4. Under Attributes & Claims, click Edit.
    5. Click Unique User Identifier.
    6. From the Source attribute dropdown list, select user.localuserpricipalname. Click Save.
  3. In Azure, add a new claim:
    1. Click Add new claim.
    2. In the Name field, enter the domain identification value from EMS. You can find this value on EMS in User Management > SAML Configuration > Assertion Attributes > Domain Identification. This field is only visible when LDAP is selected as the Authorization Type and the Domain field is populated in SAML Configuration.
    3. Ensure that Namespace is empty.
    4. From the Source attribute field, select user.localprincipalname. Click Save.
    5. Under SAML Certificates, download the Certificate (Base64) file.
  4. Copy the URLs under Set up Tutorial SAML Toolkit to EMS:
    1. Copy the Azure AD Identifier value to the IdP Entity ID field in EMS.
    2. Copy the Login URL value to the IdP single sign-on URL field in EMS.
    3. In the IdP certificate field, upload the certificate that you downloaded in step 3. Save the SAML configuration in EMS.

  5. In Azure, go to Users and groups. Add users to the list as desired. Azure authorizes any user added to this list to connect to EMS.
  6. Configure the invitation in EMS:
    1. In the top banner, click Invitations.
    2. Click Add.
    3. For Verification Type, select SAML.
    4. From the SAML Config dropdown list, select the SAML configuration.
    5. Configure other settings as desired, then click Save.
  7. You can authenticate the endpoint using Azure AD by doing one of the following:
    1. To join the device to the Azure AD server, do the following:
      1. On the endpoint, go to Settings > Accounts.
      2. Under Access work or school, click Connect.
      3. Log in as an Azure AD user.

      4. In FortiClient, on the Zero Trust Telemetry tab, enter the invitation code to register to EMS. FortiClient register to EMS as the logged in Azure AD user without additional prompts.
    2. For a workgroup endpoint or an endpoint joined to an on-premise domain, in FortiClient, on the Zero Trust Telemetry tab, enter the invitation code to register to EMS. A Microsoft single sign on prompt displays. Enter the Azure AD user credentials to authenticate and connect FortiClient to EMS.

The EMS administrator can configure endpoint policies and deployment configurations for specific endpoint groups from an Azure AD server.