Groups & AD Users

To configure the Groups & AD Users tab:

  1. Create a new profile or edit an existing one:

    1. Go to Endpoint management > Endpoint profiles. By default, the Profiles tab is selected.

    2. Click Create or edit an existing profile.

    3. In the Name field, enter the desired name of the endpoint profile.

  2. On the Groups & AD Users tab, you can select Active Directory (AD) users, non-AD groups, or AD groups to assign the endpoint profile to.

  3. Click Add and select AD Users or Groups as per your requirements:

    • When selecting AD Users, a slide-in appears that shows the domains corresponding to the configured AD servers. Select the required AD users from the list.

    • When selecting Groups, do one of the following:

      Group type: AD groups
      Description: A slide-in appears that allows you to view the domains corresponding to configured AD servers and select AD groups. To select AD user groups, you can collapse the LDAP domain using the + button and select the required AD groups from a tree view of groups using the toggle.

      Group type: Non-AD groups
      Description: A slide-in appears that allows you to create nested non-AD user groups under Non-AD Groups and assign endpoints to the group. To configure a non-AD user group and add endpoints to the newly created non-AD group, do the following:

        1. Collapse Non-AD Groups using the + button.

        2. Select the group under which you want to create the sub-group and click Create sub-group.

        3. Enter the Name of the group as desired.

        4. Select the available non-AD endpoints to add to the group.

        5. Click Add selected. Click OK.

        6. Enable only the toggle of the specific group that you want to assign the profile to.

        7. Click OK.

  4. Click OK.

  5. Repeat step 3 to add more groups and AD users. If you add more groups to the list, the endpoint user must be a member of at least one of the listed groups for FortiSASE-Sovereign to assign the profile to the endpoint.

  6. Click OK to save the endpoint profile.

  7. To view the endpoints that are assigned to a profile, click the profile and select View Endpoints from the toolbar.

Prerequisites

Viewing users and groups from an AD server requires configuring an AD connection in Endpoint Management > Domain. See Domain.

Considerations

  • When the FortiSASE-Sovereign Endpoint Management Service uses AD servers with Groups & AD Users for endpoint profile assignments, the Server address configured in the AD connection must be a public IP address or a publicly accessible FQDN. This may require configuration or topology changes on the AD side.

  • FortiSASE-Sovereign only supports Create sub-group for non-AD groups and local AD groups. FortiSASE-Sovereign does not support this operation for Entra ID groups.

  • FortiSASE-Sovereign cannot retrieve a user's Entra ID group membership information if the user belongs to more than 150 groups. As a workaround, you can apply an additional group filter in Entra ID to only send relevant groups in the SAML assertion to FortiSASE-Sovereign. See Technical Tip: Understanding the limitation of 150 assertions from Microsoft Azure as SAML IdP that may cause group mismatch in FortiGate. Although this article refers to FortiOS, the workaround applies to FortiSASE-Sovereign as well.
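The two rules above (a profile applies when the user is in at least one assigned group, and Entra ID group membership cannot be retrieved past 150 groups) as an added example, not Fortinet code: a Python check that reads the group values out of a constructed SAML assertion and decides whether a profile assignment would apply. The Entra ID groups claim name is assumed here; the page does not state it.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Standard Entra ID SAML group claim name (assumption: not named on the page).
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
ENTRA_GROUP_LIMIT = 150  # limit stated on the page

# Constructed sample assertion with two group values; not a real capture.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}">
  <saml:AttributeStatement>
    <saml:Attribute Name="{GROUPS_CLAIM}">
      <saml:AttributeValue>sg-finance</saml:AttributeValue>
      <saml:AttributeValue>sg-vpn-users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def groups_from_assertion(xml_text):
    """Return the group values carried in the assertion's groups claim."""
    root = ET.fromstring(xml_text)
    groups = []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") == GROUPS_CLAIM:
            for value in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
                if value.text:
                    groups.append(value.text.strip())
    return groups


def assignment_status(user_groups, profile_groups):
    """Decide whether a profile assigned to profile_groups applies to the user.

    Mirrors the page's rules: membership in at least one assigned group is
    enough, and more than 150 Entra ID groups means membership cannot be
    retrieved, so a group filter in Entra ID is needed before evaluation.
    """
    if len(user_groups) > ENTRA_GROUP_LIMIT:
        return "over-limit"
    if set(user_groups) & set(profile_groups):
        return "assigned"
    return "not-assigned"


if __name__ == "__main__":
    groups = groups_from_assertion(SAMPLE_ASSERTION)
    print(groups, assignment_status(groups, {"sg-vpn-users"}))
```

Run it against an assertion captured from your own IdP test tenant to confirm the groups claim arrives filtered to the groups the profiles actually reference.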