
EMS Administration Guide

Adding an Entra ID server

Entra ID integration with EMS has the following limitations:

  • FortiClient (Linux) does not support Entra ID integration with EMS.

  • FortiClient (macOS) does not support native Entra ID integration with EMS. For the integration to work, macOS endpoints must be managed by Intune or JAMF and enrolled in the Company Portal using Entra ID.

  • Azure Government (e.g. GCC, GCC High, GCC DoD) is not supported. Only commercial subscriptions are supported.

To create an enterprise application for FortiClient:
  1. In the Azure portal, go to Microsoft Entra ID > Enterprise applications > New application.
  2. Click Create your own application.
  3. In the What's the name of your app? field, enter the desired name.
  4. Under What are you looking to do with your application?, select Register an application to integrate with Azure AD (App you're developing).
  5. Click Create.
To add Microsoft Graph API application permissions required for searching user groups:
  1. In the left menu, click App registrations, then click the All applications tab.
  2. Click your FortiClient enterprise application.
  3. In the left menu, click API permissions, and click Add a permission.
  4. In the Request API permissions slide-in, click Microsoft Graph.
  5. Select Application permissions.
  6. In the Select permissions section, search for and select the following permissions:
    • Device.Read.All
    • Domain.Read.All
    • Group.Read.All
    • GroupMember.Read.All
    • User.Read
    • User.Read.All
  7. Click Add permissions.

  8. In API permissions, click Grant admin consent for Default Directory. If this option is grayed out, you must log into an Azure admin account to perform this step.
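A quick way to confirm that admin consent actually took effect before running Test in EMS is to inspect an app-only Graph token issued to the FortiClient application: the application permissions the tenant granted appear in its roles claim. The following is an added example, not Fortinet code; it decodes a token without verifying it (inspection only) and reports which of the application permissions listed above are missing. User.Read is a delegated-only Graph permission and never appears in an app-only token, so it is left out of the check. The sample token is constructed and unsigned.

```python
import base64
import json

# Application permissions from the guide that must appear in the token's
# "roles" claim once admin consent has been granted. User.Read is delegated
# only, so it is not expected in an app-only token.
REQUIRED_APP_ROLES = {
    "Device.Read.All",
    "Domain.Read.All",
    "Group.Read.All",
    "GroupMember.Read.All",
    "User.Read.All",
}

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_claims(token: str) -> dict:
    """Return the payload of a compact JWT without checking its signature.
    This is an inspection aid for a token you obtained yourself; it is not
    token validation, which Graph and EMS perform on their side."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))

def missing_app_roles(token: str) -> set:
    """Permissions from the guide that are absent from the roles claim."""
    granted = set(decode_claims(token).get("roles", []))
    return REQUIRED_APP_ROLES - granted

def make_sample_token(roles) -> str:
    """Constructed, unsigned sample token for offline testing only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({
        "aud": "https://graph.microsoft.com",
        "tid": "00000000-0000-0000-0000-000000000000",  # placeholder tenant ID
        "roles": list(roles),
    }).encode())
    return f"{header}.{payload}."

if __name__ == "__main__":
    # Consent granted for only two of the five application permissions.
    partial = make_sample_token(["Group.Read.All", "User.Read.All"])
    print("missing:", sorted(missing_app_roles(partial)))
```

An empty result means every application permission in the list was granted; a non-empty one usually means the Grant admin consent step was skipped or a permission was added after consent.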
To add a client secret string and determine its value:

This only applies if you use client secret authentication.

  1. In the left menu, click App registrations, then click the All applications tab.
  2. Click your FortiClient enterprise application.
  3. In the left menu, click Certificates & secrets, and click New client secret.
  4. In the Add a Client Secret slide-in, add a Description and select the desired Expires option. Click Add.
  5. Observe that a new client secret has been created. Immediately after creation, copy the Value of the client secret string, which EMS uses as the Azure Client Secret. The value is not shown again once you leave this page.
To upload a CA-signed certificate to Azure:

This only applies if you use certificate authentication. The following assumes that you have a certificate authority (CA)-signed certificate.

  1. In the left menu, click App registrations, then click the All applications tab.
  2. Click your FortiClient enterprise application.
  3. In the left menu, click Certificates & secrets, and click Certificates.
  4. Click Upload certificate, and select the desired certificate.
To configure an Entra ID server in EMS:
  1. Configure the Entra ID server as an authentication server in EMS:
    1. Go to Administration > Authentication Servers.
    2. Click Add > Microsoft Entra.
    3. In the Tenant ID and Client ID fields, enter the tenant ID and client ID that you collected from the Azure management console.

    4. In Authorization Type, select Client Secret or Certificate as needed:
      • To use client secret authentication, select Client Secret and enter the client secret that you collected from the Azure management console in the Client Secret field.
      • To use certificate authentication, select Certificate and browse to select the CA-signed certificate that you uploaded to Azure, as described in To upload a CA-signed certificate to Azure.

    5. Configure other fields as desired.
    6. Click Test.
    7. After the test succeeds, click Save.
  2. Go to Endpoints > Manage Domains.
  3. Click Add, then Microsoft Entra.
  4. From the Microsoft Entra Server dropdown list, select the desired server.
  5. In the Sync every field, enter the number of minutes after which EMS syncs with the Microsoft Entra server.
  6. For Group Selection Behaviour, select Import Entire MS Entra Domain or Import Selected MS Entra Groups.

    Option                           Description
    Import Entire MS Entra Domain    All enabled devices, users, and groups from the Microsoft Entra server will be imported.
    Import Selected MS Entra Groups  Only the enabled devices, users, and groups from the selected Microsoft Entra groups will be imported.
  7. When Import Selected MS Entra Groups is selected, enable Import as Base Group for the desired groups as needed.

    Note that subgroups are listed flat without preserving the hierarchy from the Microsoft Entra server.

  8. Click Save. EMS then syncs all enabled devices, users, and groups from all or selected Microsoft Entra groups in the Microsoft Entra server. Disabled devices, users, and groups are excluded.

When using user management, Entra ID users can register their FortiClient to EMS using an invitation code or with SAML.

To configure the Azure tenant app for initiating passthrough (domain):

This is necessary for registering an Entra ID endpoint to EMS using an invitation code. This only applies for Entra ID-joined endpoints.

  1. Configure the redirect URL:
    1. In the Azure portal, go to App registration. Copy the application/client ID of the application used to connect with EMS.
    2. Click the application, then click the Redirect URIs link.
    3. Click Add a Platform > Select Mobile and Desktop applications.
    4. Add the following URL: ms-appx-web://microsoft.aad.brokerplugin/<application client ID>.
    5. Under Allow public client flows, toggle to Yes for Enable the following mobile and desktop flows.
    6. Save the configuration.
  2. Go to Roles and administrators.
  3. Search for and select Directory Readers.
  4. Click Add assignments.
  5. Select the application used to connect with EMS.
  6. Add desired users to the application in Entra ID:
    1. Go to Enterprise applications, and select the application used to connect with EMS.
    2. Go to Users and groups.
    3. Click Add user/group, and select the users that you will invite to EMS using an invitation code.
