Admin Guide

Configuring FIC as Microsoft Entra external authentication service provider

In May 2024, Microsoft introduced the Entra ID external authentication method (EAM) feature. A third-party identity provider can register with an Entra ID tenant as an EAM provider, and a successful authentication at that provider satisfies the second-factor requirement of Entra multifactor authentication (MFA).

An EAM must be implemented on top of OpenID Connect (OIDC). Entra calls the provider over the public Internet, so the implementation requires at least three public-facing endpoints:

  • An OIDC discovery endpoint (the well-known openid-configuration document)

  • A valid OIDC authorization endpoint, to which Entra redirects the user for the second factor

  • The public signing certificates of the EAM provider (the JWKS referenced by the discovery document's jwks_uri), which Entra uses to validate the ID tokens the provider returns
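To confirm that a provider meets these three requirements before touching the Entra admin center, here is an added example (not code from the FIC guide or from Fortinet) that validates a discovery document and its JWKS offline. The sample documents and the host fic.example.com are constructed, and the x5c expectation is our assumption; the response_type, response_mode and signing-algorithm checks reflect how Entra calls an EAM provider (response_type=id_token, response_mode=form_post, RS256-signed id_token).

```python
"""Check an EAM provider's OIDC discovery document and JWKS for what Entra needs.

Added example for this page, not Fortinet's or Microsoft's code. The sample
documents and the host fic.example.com are constructed; pass real JSON text to
load_checks() to run it against a live provider.
"""
import json
from urllib.parse import urlparse

REQUIRED_URLS = ("issuer", "authorization_endpoint", "jwks_uri")


def _is_https(url):
    parsed = urlparse(str(url))
    return parsed.scheme == "https" and bool(parsed.netloc)


def check_discovery(doc):
    """Return findings for the discovery document; an empty list means it looks usable."""
    findings = []
    for field in REQUIRED_URLS:
        if field not in doc:
            findings.append(f"missing {field}")
        elif not _is_https(doc[field]):
            # Entra reaches these over the public Internet; plaintext http is unusable.
            findings.append(f"{field} is not an https URL: {doc[field]}")
    # Entra requests response_type=id_token with response_mode=form_post and expects RS256.
    if "id_token" not in doc.get("response_types_supported", []):
        findings.append("response_types_supported lacks id_token")
    if "form_post" not in doc.get("response_modes_supported", []):
        findings.append("response_modes_supported lacks form_post")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        findings.append("id_token_signing_alg_values_supported lacks RS256")
    if all(f in doc for f in ("issuer", "authorization_endpoint")):
        if urlparse(doc["issuer"]).netloc != urlparse(doc["authorization_endpoint"]).netloc:
            findings.append("authorization_endpoint is not under the issuer host")
    return findings


def check_jwks(jwks):
    """Return findings for the key set published at jwks_uri."""
    findings = []
    keys = jwks.get("keys", [])
    if not keys:
        return ["jwks has no keys"]
    seen = set()
    for key in keys:
        kid = key.get("kid")
        if not kid:
            findings.append("key without kid (Entra cannot match it to a token header)")
            continue
        if kid in seen:
            findings.append(f"duplicate kid {kid}")
        seen.add(kid)
        if key.get("kty") != "RSA":
            findings.append(f"key {kid}: kty {key.get('kty')!r} is not RSA")
        if key.get("use", "sig") != "sig":
            findings.append(f"key {kid}: use is {key['use']!r}, not sig")
        if "x5c" not in key:
            # Assumption: publish the certificate itself, since the page describes Entra
            # consuming the provider's public certificates rather than bare moduli.
            findings.append(f"key {kid}: no x5c certificate")
    return findings


def load_checks(discovery_json, jwks_json):
    """Run both checks on raw JSON text, as fetched from the two endpoints."""
    return check_discovery(json.loads(discovery_json)) + check_jwks(json.loads(jwks_json))


# Constructed samples: one usable pair, one with typical mistakes.
GOOD_DISCOVERY = {
    "issuer": "https://fic.example.com/oidc",
    "authorization_endpoint": "https://fic.example.com/oidc/authorize",
    "jwks_uri": "https://fic.example.com/oidc/jwks",
    "response_types_supported": ["id_token"],
    "response_modes_supported": ["form_post", "query"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "scopes_supported": ["openid"],
    "subject_types_supported": ["public"],
}
BAD_DISCOVERY = dict(GOOD_DISCOVERY,
                     authorization_endpoint="http://fic.example.com/oidc/authorize",
                     response_modes_supported=["query"],
                     id_token_signing_alg_values_supported=["HS256"])
GOOD_JWKS = {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "fic-2024-1",
                       "n": "placeholder-modulus", "e": "AQAB", "x5c": ["placeholder-cert"]}]}

if __name__ == "__main__":
    print("good:", check_discovery(GOOD_DISCOVERY) + check_jwks(GOOD_JWKS))
    print("bad:", check_discovery(BAD_DISCOVERY))
```

Run it against the real documents by fetching the discovery URL FIC shows after Step 2 and the jwks_uri inside it; any finding is something Entra will reject or silently fail on during the Step 4 registration or the first sign-in.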

The following diagram shows the network topology of the configuration:

Step 1: Adding FIC app in Entra admin center

  1. Log into Microsoft Entra admin center.

  2. Select Applications > App registrations, then click New registration.

  3. Enter a unique name for the app.

  4. For Redirect URI (optional), select None for now. (Note: The redirect URI is generated on the FIC portal in Step 2 and added to this app in Step 3.)

  5. Click Register.

    Note

    Upon successful registration, you will receive an Application (client) ID that Microsoft generated. Be sure to save the Application (client) ID as you will need it later in the configuration.

Step 2: Creating the Microsoft app on FIC portal

  1. Select Applications > SSO.

  2. Click Add SSO Application.

  3. Name the Microsoft app.

  4. For Realm, select the realm in which the end users of the Microsoft app reside.

  5. For Audience ID, enter the Application (client) ID that you have saved in Microsoft Entra admin center.

  6. For Redirect URI, enter the default Microsoft URI.

  7. Make the other entries and/or selections on the page.

  8. Click Next.

  9. Follow the prompts onscreen to complete the configuration.

Note
  • Once the Microsoft app has been created, FIC displays the FIC App ID, the discovery endpoint, and the authorization endpoint. Record all three; they are needed in Steps 3 and 4.

  • If no Signing Cert is provided, the application signs the ID tokens it returns to Entra with the FIC default certificate.

Step 3: Updating the FIC app in Entra admin center

  1. In Microsoft Entra admin center, select Applications > App registrations > All Applications.

  2. Locate the FIC app and open it. Two items need updating: its client credentials and its redirect URI.

  3. To add the client credential, go to Certificates & secrets > Certificates and upload the public certificate downloaded from the FIC portal.

  4. To add the redirect URI, go to Authentication, click Add a platform, choose Web (under Web applications), and enter the authorization endpoint generated on the FIC portal.

Step 4: Registering FIC as Entra MFA external method provider

  1. In Microsoft Entra admin center, select Protection > Authentication methods > Policies, then click Add external method (Preview).

  2. For Client ID, enter the FIC App ID generated on the FIC portal.

  3. For Discovery Endpoint, enter the discovery endpoint generated on the FIC portal.

  4. For App ID, enter the Application (client) ID of the app you registered in Microsoft Entra admin center in Step 1.

  5. Grant the admin consent that Entra requests for the FIC app, then turn on Enable and target and select the users or groups who may use the method.

Note
  • At this point, FIC is set up as an EAM. The method is enabled tenant-wide for the targeted users, so FIC is offered as an MFA method for every application in the tenant rather than being scoped to one application.

  • If you prefer other MFA methods than FIC for some of your Microsoft applications, use Microsoft's custom authentication strengths feature. For more information, visit https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-strength-advanced-options. Keep in mind that when you configure a custom authentication strength, "Password + Software OATH token" is the combination to pick, because that is the type of MFA Microsoft treats FIC as in this setup.

Step 5: Setting a Conditional Access policy to assign users to the EAM

  1. Select Protection > Conditional Access > Policies.

  2. Create a new policy, and assign users or groups to it. For Target resources, select All resources (formerly 'All cloud apps') or Selected resources. (Note: If you choose Selected resources, you must select at least one, for example Office 365.)

  3. For Access Controls, select Grant access > Require multifactor authentication.

  4. Set Enable policy to On.

Note

For each target user, create a user in the FIC realm whose username matches the preferred username (user principal name) shown for that user in Microsoft Entra admin center. Entra passes that name to FIC in the authentication request and FIC uses it to identify the user; without a matching FIC user, the MFA challenge cannot complete.
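To make the relationships between the IDs entered in Steps 2 and 4 and the username matching described in this note concrete, here is an added claim-level walk-through of the exchange (not code from the FIC guide, Fortinet or Microsoft). The tokens are HS256 with constructed secrets purely so the example runs on the Python standard library; in the real exchange Entra signs the id_token_hint with RS256 (validate it against Entra's published keys) and FIC signs its id_token with the certificate uploaded in Step 3. The GUIDs, hostnames and user directory are constructed, the Entra callback URL is the value we know as the default Microsoft URI from Step 2, and the acr value and the audience of the FIC id_token are our assumptions about Microsoft's EAM reference; confirm them there.

```python
"""Claim-level walk-through of the MFA exchange configured in Steps 1 to 5:
Entra redirects the user to the FIC authorization endpoint with an id_token_hint,
FIC identifies the user by preferred_username, runs the second factor and posts
an id_token back to Entra.

Added example for this page, not Fortinet's or Microsoft's code. HS256 with
constructed secrets stands in for the real RS256 signatures; all identifiers,
hosts and users are constructed. The acr value and the FIC id_token audience
are assumptions about Microsoft's EAM reference.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

ENTRA_APP_ID = "11111111-2222-3333-4444-555555555555"  # Application (client) ID from Step 1
FIC_APP_ID = "fic-app-0123456789abcdef"                 # FIC App ID from Step 2
TENANT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
ENTRA_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
ENTRA_REDIRECT = "https://login.microsoftonline.com/common/federation/externalauthprovider"
FIC_ISSUER = "https://fic.example.com/oidc"
ENTRA_KEY = b"constructed-entra-signing-secret"  # stands in for Entra's RS256 key
FIC_KEY = b"constructed-fic-signing-secret"      # stands in for the FIC signing cert
FIC_USERS = {"alice@contoso.com": {"id": "u-1001"}}  # users in the FIC realm (Step 5 note)

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jwt_sign(claims: dict, key: bytes) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def jwt_verify(token: str, key: bytes, issuer: str, audience: str) -> dict:
    """Check alg, signature, iss, aud and exp before trusting any claim."""
    header, payload, sig = token.split(".")
    if json.loads(_unb64url(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(payload))
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError(f"iss/aud mismatch: {claims.get('iss')} / {claims.get('aud')}")
    if claims.get("exp", 0) < time.time():
        raise ValueError("token expired")
    return claims

def entra_request(username: str, oid: str) -> dict:
    """Parameters Entra sends to the FIC authorization endpoint for this user."""
    now = int(time.time())
    hint = jwt_sign({"iss": ENTRA_ISSUER, "aud": ENTRA_APP_ID, "sub": oid, "oid": oid,
                     "tid": TENANT_ID, "preferred_username": username,
                     "iat": now, "exp": now + 300}, ENTRA_KEY)
    return {"client_id": FIC_APP_ID, "redirect_uri": ENTRA_REDIRECT, "scope": "openid",
            "response_type": "id_token", "response_mode": "form_post",
            "nonce": secrets.token_urlsafe(16), "state": secrets.token_urlsafe(16),
            "id_token_hint": hint}

def fic_authorize(req: dict) -> dict:
    """FIC side: validate the request, identify the user, run MFA, return the form_post body."""
    if req["client_id"] != FIC_APP_ID:
        raise ValueError("client_id does not match this FIC app")
    if req["redirect_uri"] != ENTRA_REDIRECT:
        raise ValueError("refusing to post a token anywhere but the Entra EAM endpoint")
    if (req["response_type"], req["response_mode"]) != ("id_token", "form_post"):
        raise ValueError("unsupported response_type/response_mode")
    # aud must equal the Audience ID entered in Step 2 (the Entra Application (client) ID).
    hint = jwt_verify(req["id_token_hint"], ENTRA_KEY, ENTRA_ISSUER, ENTRA_APP_ID)
    if hint["preferred_username"] not in FIC_USERS:
        raise LookupError(f"no FIC user {hint['preferred_username']!r} in the realm (Step 5 note)")
    # The second factor (for example a FortiToken push) runs here; success is assumed.
    now = int(time.time())
    id_token = jwt_sign({"iss": FIC_ISSUER, "aud": req["client_id"], "sub": hint["sub"],
                         "nonce": req["nonce"], "iat": now, "exp": now + 300,
                         "acr": "possessionorinherence"}, FIC_KEY)  # acr value: assumption
    return {"id_token": id_token, "state": req["state"]}

def entra_accept(resp: dict, req: dict, expected_sub: str) -> dict:
    """Entra side: bind the posted token back to the request it issued."""
    if not hmac.compare_digest(resp["state"], req["state"]):
        raise ValueError("state mismatch")
    claims = jwt_verify(resp["id_token"], FIC_KEY, FIC_ISSUER, FIC_APP_ID)
    if claims.get("nonce") != req["nonce"]:
        raise ValueError("nonce mismatch: replayed or foreign token")
    if claims.get("sub") != expected_sub:
        raise ValueError("token is for a different user than the one challenged")
    return claims

def run_flow(username: str, oid: str = "user-oid-0001") -> dict:
    req = entra_request(username, oid)
    resp = fic_authorize(req)
    claims = entra_accept(resp, req, expected_sub=oid)
    return {"mfa_satisfied": True, "sub": claims["sub"], "acr": claims["acr"]}

if __name__ == "__main__":
    print(run_flow("alice@contoso.com"))
```

The two failure modes worth noticing are the LookupError for a user missing from the FIC realm, which is exactly what the note above guards against, and the redirect_uri check on the FIC side: the token is only ever posted to the Entra callback, so a request that names any other destination is refused before the hint is even opened.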
