Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY 26.1.b
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    Administration Guide

    Home FortiEndpoint Administration Guide

    ZTNA automatic login using Microsoft Entra ID

    ZTNA automatic login using Microsoft Entra ID

    When a user is logged in to an Entra ID domain on an endpoint then attempts to access zero trust network access (ZTNA) TCP-forwarding traffic, FortiClient automatically authenticates with the FortiGate using the Entra ID credentials. This simplifies the user experience by eliminating the need for manual authenticate.

    This feature requires FortiOS 7.6.1 or a later version.

    The following instructions assume that you have configured a FortiClient enterprise application in the Entra ID portal.

    In this example, the application has the following values which you configure in the FortiClient ZTNA Destinations profile:

    Entra ID portal field

    Corresponding FortiClient XML profile element

    Value

    Application (client) ID

    <client_id>

    b87f1f1b...

    Directory (tenant) ID

    <tenant_name>

    f1a72219...
    To configure ZTNA automatic login using Entra ID:
    1. In FortiOS, run the following commands to configure support for this feature. Lines bolded in the CLI sample highlight key commands to support this feature:
      config user external-identity-provider
    edit "eip1"
        set type ms-graph
        set version v1.0
    next
end
config user group
    edit "Autologon"
        set member "eip1"
    next
end
config authentication scheme
    edit "Autologon"
        set method entra-sso
        set external-idp "eip1"
    next
end
config authentication rule
    edit "Auth"
        set srcintf "port1"
        set srcaddr "all"
        set ip-based disable
        set sso-auth-method "Autologon"
        set web-auth-cookie enable
    next
end
    2. In EMS, configure support for this feature:
      1. Go to Endpoint Profiles > ZTNA Destinations.
      2. Create a new profile or edit an existing one.
      3. Enable Enable Azure Auto Login and specify the tenant name and client ID of the application used to connect with EMS that you collected from the Azure management console.
      4. Configure other options as needed. See ZTNA Destinations for more details.
    3. Connect the endpoint to the Entra ID domain:
      1. Go to Settings > Access work or school > Join this device to Microsoft Entra ID.
      2. Log in with your Entra ID credentials.
      3. Confirm that the endpoint connected successfully.

    4. Log out, then log in to Windows using the Entra ID credentials.

    5. Connect FortiClient to EMS.
    6. Click the avatar. In the Domain field, confirm that the endpoint is joined to Entra ID (previously known as Azure Active Directory).
    7. Go to the ZTNA Destination tab to confirm that FortiClient received the desired ZTNA Destinations profile from EMS.
    8. Attempt to access a ZTNA destination. In this example, the user attempts to access an SSH TCP forwarding destination. The user can access the protected resource without authentication since FortiClient automatically authenticated with the FortiGate using the provided Entra ID credentials.

    Previous
    Next

    ZTNA automatic login using Microsoft Entra ID

    ZTNA automatic login using Microsoft Entra ID

    When a user is logged in to an Entra ID domain on an endpoint then attempts to access zero trust network access (ZTNA) TCP-forwarding traffic, FortiClient automatically authenticates with the FortiGate using the Entra ID credentials. This simplifies the user experience by eliminating the need for manual authenticate.

    This feature requires FortiOS 7.6.1 or a later version.

    The following instructions assume that you have configured a FortiClient enterprise application in the Entra ID portal.

    In this example, the application has the following values which you configure in the FortiClient ZTNA Destinations profile:

    Entra ID portal field

    Corresponding FortiClient XML profile element

    Value

    Application (client) ID

    <client_id>

    b87f1f1b...

    Directory (tenant) ID

    <tenant_name>

    f1a72219...
    To configure ZTNA automatic login using Entra ID:
    1. In FortiOS, run the following commands to configure support for this feature. Lines bolded in the CLI sample highlight key commands to support this feature:
      config user external-identity-provider
    edit "eip1"
        set type ms-graph
        set version v1.0
    next
end
config user group
    edit "Autologon"
        set member "eip1"
    next
end
config authentication scheme
    edit "Autologon"
        set method entra-sso
        set external-idp "eip1"
    next
end
config authentication rule
    edit "Auth"
        set srcintf "port1"
        set srcaddr "all"
        set ip-based disable
        set sso-auth-method "Autologon"
        set web-auth-cookie enable
    next
end
    2. In EMS, configure support for this feature:
      1. Go to Endpoint Profiles > ZTNA Destinations.
      2. Create a new profile or edit an existing one.
      3. Enable Enable Azure Auto Login and specify the tenant name and client ID of the application used to connect with EMS that you collected from the Azure management console.
      4. Configure other options as needed. See ZTNA Destinations for more details.
    3. Connect the endpoint to the Entra ID domain:
      1. Go to Settings > Access work or school > Join this device to Microsoft Entra ID.
      2. Log in with your Entra ID credentials.
      3. Confirm that the endpoint connected successfully.

    4. Log out, then log in to Windows using the Entra ID credentials.

    5. Connect FortiClient to EMS.
    6. Click the avatar. In the Domain field, confirm that the endpoint is joined to Entra ID (previously known as Azure Active Directory).
    7. Go to the ZTNA Destination tab to confirm that FortiClient received the desired ZTNA Destinations profile from EMS.
    8. Attempt to access a ZTNA destination. In this example, the user attempts to access an SSH TCP forwarding destination. The user can access the protected resource without authentication since FortiClient automatically authenticated with the FortiGate using the provided Entra ID credentials.

    Previous
    Next