
EMS Administration Guide

Configuring user verification with Entra ID authentication

The following provides an example of configuring user verification using a Microsoft Entra ID (formerly Azure Active Directory (AD)) server for authentication. This configuration consists of the following steps:

  1. The EMS administrator adds the Entra ID server to EMS.
  2. The EMS administrator configures an invitation code and sends it to the desired user.
  3. The end user receives the invitation email, and uses it to download FortiClient.
  4. The end user connects to EMS using their Entra ID credentials.
To configure the Azure tenant app for initiating passthrough (domain):

This is required to register an Entra ID endpoint to EMS using an invitation code, and applies only to Entra ID-joined endpoints.

  1. Configure the redirect URL:
    1. In the Azure portal, go to App registrations. Copy the application (client) ID of the application used to connect with EMS.
    2. Click the application, then click the Redirect URIs link.
    3. Click Add a Platform > Select Mobile and Desktop applications.
    4. Add the following URL: ms-appx-web://microsoft.aad.brokerplugin/<application client ID>.
    5. Under Allow public client flows, toggle to Yes for Enable the following mobile and desktop flows.
    6. Save the configuration.
  2. Go to Roles and administrators.
  3. Search for and select Directory Readers.
  4. Click Add assignments.
  5. Select the application used to connect with EMS.
  6. Add desired users to the application in Entra ID:
    1. Go to Enterprise applications, and select the application used to connect with EMS.
    2. Go to Users and groups.
    3. Click Add user/group, and select the users that you will invite to EMS using an invitation code.
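The portal steps above can also be scripted. The following Microsoft Graph PowerShell script is an added example, not part of the guide, that performs the same configuration: it adds the Windows broker redirect URI (the `ms-appx-web://microsoft.aad.brokerplugin/<client ID>` URI is the one the Web Account Manager broker uses on Entra ID-joined endpoints), enables public client flows, assigns Directory Readers to the application's service principal, and assigns the invited users. It assumes the app registration already exists; the client ID and user principal names are parameters you supply. The final loop is an added check: EMS stores a client secret for this app (next section), so it warns when any secret is within 30 days of expiry.

```powershell
#Requires -Modules Microsoft.Graph.Applications, Microsoft.Graph.Identity.Governance, Microsoft.Graph.Users
# Added example (not from the EMS guide): scripts the Entra ID portal steps with the
# Microsoft Graph PowerShell SDK. Assumes the app registration exists; $ClientId and
# $UserPrincipalNames are your own values.
param(
    [Parameter(Mandatory)] [string]   $ClientId,           # application (client) ID of the app EMS uses
    [Parameter(Mandatory)] [string[]] $UserPrincipalNames  # users you will invite to EMS
)

Connect-MgGraph -Scopes 'Application.ReadWrite.All',
                        'RoleManagement.ReadWrite.Directory',
                        'AppRoleAssignment.ReadWrite.All',
                        'User.Read.All' -NoWelcome

# Step 1: broker redirect URI and public client flows on the app registration.
$app = Get-MgApplication -Filter "appId eq '$ClientId'"
if (-not $app) { throw "No app registration with appId $ClientId" }

$brokerUri = "ms-appx-web://microsoft.aad.brokerplugin/$ClientId"
# Keep any redirect URIs already present; only append the broker URI.
$redirects = @(@($app.PublicClient.RedirectUris) + $brokerUri | Select-Object -Unique)
Update-MgApplication -ApplicationId $app.Id `
    -PublicClient @{ RedirectUris = $redirects } `
    -IsFallbackPublicClient:$true   # "Allow public client flows" = Yes

# Steps 2-5: assign the built-in Directory Readers role to the app's service principal.
# Directory Readers is read-only, which is all EMS needs to enumerate users and groups.
$sp   = Get-MgServicePrincipal -Filter "appId eq '$ClientId'"
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Directory Readers'"
$existing = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($sp.Id)'" |
            Where-Object RoleDefinitionId -eq $role.Id
if (-not $existing) {
    New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $sp.Id `
        -RoleDefinitionId $role.Id -DirectoryScopeId '/' | Out-Null
}

# Step 6: require assignment so only listed users can sign in, then assign the invitees
# to the enterprise application (the all-zero GUID is the default access app role).
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true
foreach ($upn in $UserPrincipalNames) {
    $user = Get-MgUser -UserId $upn
    New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id `
        -PrincipalId $user.Id -ResourceId $sp.Id `
        -AppRoleId '00000000-0000-0000-0000-000000000000' | Out-Null
}

# Added check: EMS holds a client secret for this app; warn before it lapses.
foreach ($cred in $app.PasswordCredentials) {
    if ($cred.EndDateTime -lt (Get-Date).AddDays(30)) {
        Write-Warning ("Client secret '{0}' expires {1:yyyy-MM-dd}; rotate it and update the EMS authentication server." -f
            $cred.DisplayName, $cred.EndDateTime)
    }
}
```

Run it as an Entra ID administrator with rights to manage applications and role assignments, for example `.\Configure-EmsEntraApp.ps1 -ClientId <client ID> -UserPrincipalNames user1@example.com,user2@example.com`. Because the script replaces the `PublicClient.RedirectUris` collection, it first reads the existing URIs and appends the broker URI rather than overwriting them.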
To configure an Entra ID server in EMS:
  1. Configure the Entra ID server as an authentication server in EMS:
    1. In the Azure management console, collect your tenant ID, client ID, and client secret.
    2. Go to Administration > Authentication Servers.
    3. Click Add > Azure.
    4. In the Tenant ID and Client ID fields, enter the IDs that you collected from the Azure management console.
    5. For Authorization Type, select Client Secret.
    6. In the Client Secret field, enter the client secret that you collected from the Azure management console.
    7. Configure other fields as desired.
    8. Click Test.
    9. After the test succeeds, click Save.
To add endpoints using an Entra ID server:
  1. Go to Endpoints > Manage Domains.
  2. Click Add, then Azure.
  3. From the Azure Server dropdown list, select the desired server.
  4. In the Sync every field, enter the number of minutes after which EMS syncs with the Azure server.
  5. For Group Selection Behaviour, select Import Entire Azure Domain or Import Selected Azure Groups.
  6. Enable Import as Base Group for the desired groups, then click Save.

    Endpoints > Domains lists the Entra ID server domain groups and subgroups. It lists subgroups as a flat list and does not preserve the hierarchy from the Entra ID server.

To create an invitation code:
  1. Go to User Management > Invitations.
  2. Click Add.
  3. Configure the invitation:
    1. In the Name field, enter the desired invitation name.
    2. For Type, select Individual.
    3. Enable Send Email Notifications.
    4. In the Email Recipients field, enter the desired user email address.
    5. In the Include FortiClient Installer field, add a FortiClient deployment package. The email that the user receives includes a link to download this deployment package.
    6. If desired, use the Expiring and Expiry Date fields to set an expiry date for this invitation.
    7. For Verification Type, select LDAP.
    8. From the LDAP Domain User dropdown list, select the desired domain user. This option is available when configuring an invitation to send to an individual. When configuring a bulk invitation, you select an LDAP domain instead of a domain user.
  4. Click Save.
To register an Entra ID user's endpoint to EMS using an invitation code:
  1. Add an invitation:
    1. In the EMS top banner, click Invitations.
    2. Click Add.
    3. For Verification Type, select Domain.
    4. From the LDAP Domain dropdown list, select the Entra ID server.
    5. Configure other settings as desired, then click Save.
  2. On the endpoint, go to Settings > Accounts.
  3. Click Join this device to Azure Active Directory.
  4. Under Access work or school, click Connect.
  5. Log in as an Entra ID user.
  6. In FortiClient, on the Zero Trust Telemetry tab, enter the invitation code to register to EMS. FortiClient registers to EMS as the logged-in Entra ID user without additional prompts.
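Because passthrough registration works only for Entra ID-joined endpoints, a quick pre-check on the endpoint saves a failed registration. The following PowerShell script is an added example, not part of the guide, that parses the output of the built-in `dsregcmd /status` tool and confirms that the device is Entra ID-joined, joined to the expected tenant (the tenant ID you entered on the EMS authentication server), and holds a Primary Refresh Token for the signed-in user, which is what lets FortiClient register without further prompts. The expected tenant ID is a parameter you supply.

```powershell
# Added example (not from the EMS guide): verify an endpoint is Entra ID-joined to the
# expected tenant before entering the invitation code in FortiClient.
# $ExpectedTenantId is your own tenant ID (the one configured in EMS).
param(
    [Parameter(Mandatory)] [string] $ExpectedTenantId
)

function Get-DsregStatus {
    # dsregcmd /status prints "Key : Value" lines; fold them into a hashtable.
    $status = @{}
    foreach ($line in (dsregcmd.exe /status)) {
        if ($line -match '^\s*([^:]+?)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

$s = Get-DsregStatus
$joined   = $s['AzureAdJoined'] -eq 'YES'
$tenantOk = $s['TenantId'] -eq $ExpectedTenantId
$hasPrt   = $s['AzureAdPrt']  -eq 'YES'   # PRT present: broker can sign in silently

"AzureAdJoined : {0}" -f $s['AzureAdJoined']
"TenantId      : {0} (expected {1})" -f $s['TenantId'], $ExpectedTenantId
"AzureAdPrt    : {0}" -f $s['AzureAdPrt']

if (-not $joined)   { Write-Warning 'Device is not Entra ID-joined; join it under Settings > Accounts before registering.' }
if (-not $tenantOk) { Write-Warning 'Device is joined to a different tenant than the EMS authentication server uses.' }
if (-not $hasPrt)   { Write-Warning 'No Primary Refresh Token; log in as an Entra ID user so FortiClient can register silently.' }

if ($joined -and $tenantOk -and $hasPrt) { 'Endpoint is ready for invitation-code registration.' }
```

Run it in the Entra ID user's own session, since the `AzureAdPrt` value reflects the currently signed-in user. A device that shows `AzureAdJoined : NO` or a mismatched `TenantId` will not complete passthrough registration, and FortiClient will prompt for credentials or reject the code.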
