
FortiDLP Administration Guide

Entra ID users

FortiDLP can integrate with Entra ID to sync users and generate directory labels based on their attributes.

FortiDLP provides one-way directory synchronization. No information from FortiDLP is imported into your Entra ID user directory. Syncs are performed on-demand from the FortiDLP Console's Admin settings.

Prior to connecting to an Entra ID tenant, you must organize your directory so that it contains the appropriate user groups. FortiDLP supports basic query capabilities using Entra ID's $filter parameter for identifying which users are synced; users that the filter does not select are not imported and receive no directory labels. Refer to the Microsoft Graph documentation for the $filter query parameter for the relevant syntax.

Before you configure an Entra ID integration, ensure you understand the following concepts:

  • field mappings
  • directory label mappings

Field mappings

Field mappings define how Entra ID attributes map to user fields that display in the FortiDLP Console or are used by FortiDLP for identification.

The following table describes the supported mappings, which do not require configuration.

Field mappings

Entra ID attribute   FortiDLP field   Description
displayName          Name             The user's first and last name.
mail                 Email            The user's email address.
photo                Image            The user's profile picture.
jobTitle             Title            The user's job title.
department           Department       The user's department.
manager.displayName  Manager          The user's line manager's first and last name.
mobilePhone          Mobile phone     The user's mobile phone number.
businessPhones       Office phone     The user's office phone number.
streetAddress        Home address     The user's home address.
officeLocation       Office address   The user's office address.
id                   Unique ID        The user's Entra ID object identifier.
Directory label mappings

Note: Prior to reading this section, it is recommended that you read Labels.

Directory label mappings define how Entra ID attributes map to labels, which FortiDLP uses to associate users with policy groups and Agent configuration groups.

Example

A directory label mapping could assign each user a label that identifies their department within your organization. This eases configuration: you can then select specific departments when enabling policies and Agent functionality instead of enumerating individual users.

FortiDLP can generate and assign directory labels for the following Entra ID attributes:

  • city
  • country
  • department
  • employeeHireDate
  • employeeType
  • jobTitle
  • officeLocation
  • memberOf

Resulting directory labels will display in the FortiDLP Console in the format Attribute | Value, such as Department | Sales.

For security purposes, directory label values can be replaced with pseudonyms in the FortiDLP Console for operators with the pseudonymization perspective (for more information about this feature, see Operator roles). Further, directory labels for the memberOf attribute can be "flagged" upon generation, highlighting associated users in the FortiDLP Console.
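The following is an added example for this guide, not FortiDLP's own code. It covers two points from this page: confirming in advance which users an Entra ID $filter selects (the Graph request is what you would paste into Graph Explorer), and previewing the "Attribute | Value" directory labels those users would produce. The guide specifies only the list of label-bearing attributes and the display format; the Graph URL construction, the sample user records, and the derivation rules (empty values yield no label, one label per group in memberOf, initial-capital attribute names) are this example's assumptions.

```python
"""Preview an Entra ID user filter and the directory labels it would feed.

Added example for this guide, not FortiDLP's own code. It builds the Microsoft
Graph request you would run (for example in Graph Explorer) to confirm which
users a $filter selects, then derives "Attribute | Value" labels from
constructed sample user records in Graph's JSON response shape.
"""
from collections import Counter
from urllib.parse import quote

GRAPH_USERS = "https://graph.microsoft.com/v1.0/users"

# Attributes the guide lists as sources of directory labels (memberOf is
# handled separately because it is a collection, not a scalar).
LABEL_ATTRIBUTES = ("city", "country", "department", "employeeHireDate",
                    "employeeType", "jobTitle", "officeLocation")

# Characters left unencoded so the OData expression stays readable.
SAFE = "$(),'="


def graph_users_url(odata_filter: str) -> str:
    """Return the Graph URL listing the users that odata_filter selects.

    $select restricts the response to id plus the label-bearing attributes;
    $expand pulls each user's memberOf objects with their displayName.
    Caveats: operators such as endsWith, ne and not are Graph "advanced
    queries" and also need the ConsistencyLevel: eventual header plus
    $count=true; and $expand on a collection returns at most 20 objects, so
    for users in many groups list /users/{id}/memberOf separately.
    """
    query = {
        "$filter": odata_filter,
        "$select": "id," + ",".join(LABEL_ATTRIBUTES),
        "$expand": "memberOf($select=displayName)",
    }
    encoded = "&".join(f"{k}={quote(v, safe=SAFE)}" for k, v in query.items())
    return f"{GRAPH_USERS}?{encoded}"


def directory_labels(user: dict) -> list[str]:
    """Derive "Attribute | Value" labels for one user record.

    The display format follows the guide (e.g. "Department | Sales"). The
    rules below are this example's assumptions, not FortiDLP's documented
    behaviour: null or empty values yield no label, attribute names are shown
    with an initial capital, and memberOf yields one label per group object
    (directory roles that also appear in memberOf are ignored).
    """
    labels = []
    for attr in LABEL_ATTRIBUTES:
        value = user.get(attr)
        if value:
            labels.append(f"{attr[:1].upper() + attr[1:]} | {value}")
    for obj in user.get("memberOf", []):
        if obj.get("@odata.type") == "#microsoft.graph.group" and obj.get("displayName"):
            labels.append(f"MemberOf | {obj['displayName']}")
    return labels


def label_summary(users: list[dict]) -> Counter:
    """Count how many users each label would apply to across a sync set.

    Run this over the filter's result before connecting to spot surprises:
    a group you did not intend to label from, or a department spelled two ways.
    """
    return Counter(label for u in users for label in directory_labels(u))


# Constructed sample records in Graph's response shape (not real tenant data).
SAMPLE_USERS = [
    {
        "id": "11111111-1111-1111-1111-111111111111",
        "city": "London", "country": None, "department": "Sales",
        "jobTitle": "Account Executive",
        "memberOf": [
            {"@odata.type": "#microsoft.graph.group", "displayName": "Sales-EMEA"},
            {"@odata.type": "#microsoft.graph.group", "displayName": "All Staff"},
        ],
    },
    {
        "id": "22222222-2222-2222-2222-222222222222",
        "city": "Berlin", "department": "", "employeeType": "Vendor",
        "jobTitle": "Contractor",
        "memberOf": [
            {"@odata.type": "#microsoft.graph.group", "displayName": "All Staff"},
            {"@odata.type": "#microsoft.graph.directoryRole",
             "displayName": "Global Reader"},
        ],
    },
]

if __name__ == "__main__":
    print(graph_users_url("department eq 'Sales' and accountEnabled eq true"))
    for user in SAMPLE_USERS:
        print(user["id"], directory_labels(user))
    for label, n in sorted(label_summary(SAMPLE_USERS).items()):
        print(f"{n:>3}  {label}")
```

Because memberOf produces one label per group, a filter that pulls in users with many group memberships can generate far more labels than the scalar attributes do; the summary is where you decide whether the directory is organized well enough to connect.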
