EMS Administration Guide

Autoconnect on logging in as an Entra ID user

You can configure FortiClient to automatically connect to a specified VPN tunnel immediately after it installs and receives its configuration from EMS. In this example, FortiClient authenticates the connection using Microsoft Entra ID (formerly known as Azure Active Directory (AD)) credentials. When the user logs in to Windows using their Entra ID credentials, FortiClient silently and automatically connects to the specified VPN tunnel, without the user needing to reenter their credentials or open the FortiClient console.

The following instructions assume that you have already configured your Entra ID environment, that your FortiClient EMS and FortiGate are part of a Fortinet Security Fabric, and that the FortiGate has been configured in Azure as an enterprise application for SAML single sign on. See Tutorial: Azure AD SSO integration with FortiGate SSL VPN.

The following configuration requires FortiOS 7.2.1 or a later version.

The <use_gui_saml_auth> XML option affects how FortiClient presents SAML authentication in the GUI. See SSL VPN.

To create and configure app registration in Azure:
  1. In the Azure portal, go to Microsoft Entra ID > Enterprise applications.
  2. Select the FortiGate SSL VPN enterprise application.
  3. Note down the application ID and Azure domain.
  4. Go to Microsoft Entra ID > App registrations > All applications.
  5. Click the application that you selected in step 2.
  6. Go to Manage > Authentication > Add a platform > Mobile and desktop applications.
  7. In the Custom redirect URIs field, enter ms-appx-web://microsoft.aad.brokerplugin/, followed by the application ID that you noted. For example, if your application ID is 123456, enter ms-appx-web://microsoft.aad.brokerplugin/123456.
  8. Save the configuration.
To configure FortiOS:

config user saml
    edit "azure_saml"
        set auth-url "https://graph.microsoft.com/v1.0/me"
    next
end

To configure EMS:
  1. Go to Endpoint Profiles > Remote Access.
  2. Select the desired profile.
  3. In XML view, configure the following for the tunnel that FortiClient automatically connects to. This example configures an SSL VPN tunnel as the autoconnect tunnel; you can use an IPsec VPN tunnel instead if desired. The tenant domain name and application ID are the values that you noted down in To create and configure app registration in Azure:

    <vpn>
      <sslvpn>
        <connections>
          <connection>
            <name>SSL VPN HQ</name>
            <sso_enabled>1</sso_enabled>
            <azure_auto_login>
              <enabled>1</enabled>
              <azure_app>
                <tenant_name>Domain name obtained from the Azure portal</tenant_name>
                <client_id>Application ID obtained from the Azure portal</client_id>
              </azure_app>
            </azure_auto_login>
          </connection>
        </connections>
      </sslvpn>
    </vpn>

  4. In general VPN settings, specify the desired tunnel as the autoconnect tunnel:

    <vpn>
      <options>
        <autoconnect_tunnel>SSL VPN HQ</autoconnect_tunnel>
        <autoconnect_on_install>1</autoconnect_on_install>
      </options>
    </vpn>
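The Azure app registration steps and the EMS XML above have to agree on one value, the application (client) ID, and a mismatch is the usual reason the broker sign-in fails silently. The following is an added example, not code from the Fortinet guide: it uses the Microsoft Graph PowerShell SDK to register the broker redirect URI for a given client ID, then builds the EMS remote-access fragment from the same values and checks it before it is pasted into the XML view. The values of $appId, $tenantDomain and $tunnelName are placeholders (application IDs in Entra ID are GUIDs), and the file name written at the end is an assumption; running it requires an Entra ID administrator account.

```powershell
# Added example (not from the Fortinet guide). Requires the Microsoft.Graph.Applications
# module and an administrator account. Placeholders, replace with your own values:
#   $appId        - application (client) ID of the FortiGate SSL VPN app registration
#   $tenantDomain - the tenant's verified domain, used as <tenant_name> in EMS
#   $tunnelName   - the SSL VPN tunnel FortiClient autoconnects to
$appId        = "00000000-0000-0000-0000-000000000000"
$tenantDomain = "contoso.onmicrosoft.com"
$tunnelName   = "SSL VPN HQ"

Connect-MgGraph -Scopes "Application.ReadWrite.All" -NoWelcome

# 1. Find the app registration behind the enterprise application and make sure the
#    Windows broker redirect URI for this exact client ID is registered on the
#    "Mobile and desktop applications" platform (stored under PublicClient.RedirectUris).
$app = Get-MgApplication -Filter "appId eq '$appId'"
if (-not $app) { throw "No app registration found with appId $appId" }

$brokerUri = "ms-appx-web://microsoft.aad.brokerplugin/$appId"
$uris = @($app.PublicClient.RedirectUris)
if ($uris -notcontains $brokerUri) {
    Update-MgApplication -ApplicationId $app.Id -PublicClient @{ RedirectUris = ($uris + $brokerUri) }
    Write-Host "Added redirect URI $brokerUri"
}

# 2. Build the EMS remote-access XML from the same values. Both fragments shown in the
#    guide live under the profile's single <vpn> element, so they are combined here.
$emsXml = @"
<vpn>
  <sslvpn>
    <connections>
      <connection>
        <name>$tunnelName</name>
        <sso_enabled>1</sso_enabled>
        <azure_auto_login>
          <enabled>1</enabled>
          <azure_app>
            <tenant_name>$tenantDomain</tenant_name>
            <client_id>$appId</client_id>
          </azure_app>
        </azure_auto_login>
      </connection>
    </connections>
  </sslvpn>
  <options>
    <autoconnect_tunnel>$tunnelName</autoconnect_tunnel>
    <autoconnect_on_install>1</autoconnect_on_install>
  </options>
</vpn>
"@

# 3. Checks before pasting into the EMS XML view: the fragment must parse, the
#    autoconnect tunnel must name an existing connection, and the client_id that
#    FortiClient will use must be the one the broker redirect URI was registered for.
[xml]$doc = $emsXml
$names  = @($doc.SelectNodes("/vpn/sslvpn/connections/connection/name") | ForEach-Object { $_.InnerText })
$target = $doc.SelectSingleNode("/vpn/options/autoconnect_tunnel").InnerText
if ($names -notcontains $target) { throw "autoconnect_tunnel '$target' matches no <connection><name>" }

$emsClientId = $doc.SelectSingleNode(
    "/vpn/sslvpn/connections/connection[name='$target']/azure_auto_login/azure_app/client_id").InnerText
$registered = @((Get-MgApplication -ApplicationId $app.Id).PublicClient.RedirectUris)
if ($registered -notcontains "ms-appx-web://microsoft.aad.brokerplugin/$emsClientId") {
    throw "client_id '$emsClientId' in the EMS fragment has no broker redirect URI registered in Entra ID"
}

# Assumed output file name; paste its contents into the profile's XML view in EMS.
$emsXml | Set-Content -Path ".\remote-access-autoconnect.xml" -Encoding UTF8
Write-Host "EMS fragment for tunnel '$target' verified against app registration $appId"
```

The XPath lookups are used instead of dotted property access so that a child element named name is not confused with the .NET Name property of the XML node.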

To manage application permissions:
  1. As an end user, log in to an endpoint to which the profile configured in To configure EMS is applied.
  2. FortiClient automatically attempts to connect to the specified VPN tunnel. If this is the initial attempt to connect to this VPN tunnel, Windows displays a prompt to select the desired Entra ID account. Select the desired account.

    You should now configure one of the following permission options. These steps assume that you have already configured Azure SAML SSL/IPsec VPN autoconnect as this document describes and you are signed in as a global administrator of the same tenant.

  3. To have users see a Need admin approval prompt (consent is withheld until an administrator grants it), do the following:
    1. In the Azure portal, go to Enterprise applications > <Your VPN application> > (sidebar) Manage > Properties.
    2. Set Assignment required? to Yes.
    3. Add the desired users to Users and groups.
    4. Remove any API permissions from the app registration: go to Home > App registrations > <Your VPN application> > (sidebar) Manage > API permissions, right-click each configured permission, and remove it.
    5. Optionally, to also disallow user consent for all applications in the tenant, do the following:
      1. Go to Home > Enterprise applications > <Your VPN application> > (sidebar) Security > Consent and permissions > Manage > User consent settings.
      2. For User consent for applications, select Do not allow user consent.

  4. To have users consent to the permission request themselves, without admin approval, do the following:
    1. Go to Enterprise applications > <Your VPN application> > (sidebar) Manage > Properties.
    2. Set Assignment required? to No. This allows any valid user in this tenant to use the app, so you no longer need to add users under Users and groups. As Microsoft documentation states, when an application requires assignment, user consent for that application is not allowed, even if user consent would otherwise have been permitted for it.
    3. Remove any API permissions from the app registration: go to Home > App registrations > <Your VPN application> > (sidebar) Manage > API permissions, right-click each configured permission, and remove it.
    4. Allow users to consent:
      1. Go to Home > Enterprise applications > <Your VPN application> > (sidebar) Security > Consent and permissions > Manage > User consent settings.
      2. Under User consent for applications, select Allow user consent for apps from verified publishers, for selected permissions.
      3. Go to Manage > Permission classifications.
      4. Ensure the following are listed under Low-risk permissions > Microsoft Graph:
        • email
        • User.Read
        • offline_access
        • profile
        • openid

    The next time that the Entra ID user signs in and FortiClient Entra ID autoconnect is triggered, the user should see a popup requesting these permissions.

  5. To grant admin consent to the enterprise application so that users do not need to consent individually, do one of the following:
    1. To grant this consent through the standard permission prompt as a global administrator, do the following:
      1. Connect to the VPN. You are prompted as usual to grant permissions for your user account to the enterprise application.
      2. As a global administrator, you see an extra Consent on behalf of your organization checkbox. Select it to grant admin consent to the application. Other users then do not need to grant consent.
    2. To grant this consent in the Azure portal, do the following:
      1. Go to Enterprise applications > <Your VPN application> > (sidebar) Security > Permissions.
      2. Click app registration in the sentence To configure requested permissions for apps you own, use the app registration.
      3. Go to API permissions > Configured permissions > Add a permission > Request API permissions > Microsoft APIs > Microsoft Graph > Delegated permissions.
      4. Select the following:
        • OpenId permissions:
          • offline_access
          • openid
          • profile
          • email
        • User > User.Read
      5. Add the permissions.
      6. After the permissions are added, they appear in the table on the same screen. Click Grant admin consent for <Tenant name>.
      7. Return to the enterprise application's Permissions page by clicking Enterprise applications in the sentence To view and manage consented permissions for individual apps, as well as your tenant's consent settings, try Enterprise applications.
      8. The Grant admin consent for <Tenant name> button is now blue instead of grayed out. Click it. A popup opens that requires you to sign in as a global administrator and to allow the application permissions. The permissions that you configured in the app registration then appear in the table on this page.

    After you complete either option, users no longer need to consent and can autoconnect to the VPN without being prompted.
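Whichever portal route you take in step 5, the result is a tenant-wide delegated permission grant (consent type AllPrincipals) from the VPN app's service principal to Microsoft Graph. The following is an added example, not code from the Fortinet guide: it uses the Microsoft Graph PowerShell SDK to inspect that grant, create it with exactly the five scopes the guide lists if it is missing, and reset it if it carries scopes the VPN app does not need (a least-privilege check step 5 in the portal does not give you), then lists any per-user consents that were recorded before admin consent existed. The $appId value is a placeholder; the Microsoft Graph application ID is the well-known one. Running it requires a global administrator of the tenant.

```powershell
# Added example (not from the Fortinet guide). Requires the Microsoft.Graph.Applications
# and Microsoft.Graph.Identity.SignIns modules and a global administrator account.
$appId      = "00000000-0000-0000-0000-000000000000"   # placeholder: your VPN application (client) ID
$graphAppId = "00000003-0000-0000-c000-000000000000"   # well-known application ID of Microsoft Graph

# The delegated scopes the guide lists; Entra ID autoconnect needs nothing beyond these.
$required = @("openid", "profile", "email", "offline_access", "User.Read")

Connect-MgGraph -Scopes "Application.ReadWrite.All", "DelegatedPermissionGrant.ReadWrite.All" -NoWelcome

$sp      = Get-MgServicePrincipal -Filter "appId eq '$appId'"
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"
if (-not $sp -or -not $graphSp) { throw "Could not resolve the VPN app or Microsoft Graph service principal" }

# A grant with consentType AllPrincipals is what "Grant admin consent for <Tenant name>"
# creates; while it exists, users are never shown the consent popup.
$grant = Get-MgOauth2PermissionGrant -Filter ("clientId eq '{0}' and resourceId eq '{1}' and consentType eq 'AllPrincipals'" -f $sp.Id, $graphSp.Id)

if (-not $grant) {
    New-MgOauth2PermissionGrant -ClientId $sp.Id -ConsentType "AllPrincipals" `
        -ResourceId $graphSp.Id -Scope ($required -join " ") | Out-Null
    Write-Host "Granted tenant-wide consent for: $($required -join ', ')"
} else {
    $current = @($grant.Scope -split "\s+" | Where-Object { $_ })
    $extra   = @($current  | Where-Object { $_ -notin $required })
    $missing = @($required | Where-Object { $_ -notin $current })
    if ($extra) {
        # Least privilege: an admin-consented grant that carries more than the VPN app
        # needs hands every signed-in user's token those extra scopes as well.
        Write-Warning "Tenant-wide grant includes scopes autoconnect does not need: $($extra -join ', ')"
    }
    if ($extra -or $missing) {
        Update-MgOauth2PermissionGrant -OAuth2PermissionGrantId $grant.Id -Scope ($required -join " ")
        Write-Host "Scope set reset to: $($required -join ', ')"
    } else {
        Write-Host "Tenant-wide grant already holds exactly the required scopes"
    }
}

# Per-user grants (consentType Principal) are redundant once the tenant-wide grant exists,
# but they record who consented individually in the step 4 configuration.
Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)' and consentType eq 'Principal'" |
    ForEach-Object { "{0} consented individually to: {1}" -f $_.PrincipalId, $_.Scope }
```

If you chose the step 3 configuration (Need admin approval) instead, leave the AllPrincipals grant absent; the script's first branch would otherwise create it and remove the approval gate.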

Note

The prompt to grant permissions does not appear if the Azure domain or tenant administrator has already granted permission on behalf of the organization.
