
FortiDLP Administration Guide

Microsoft credentials

FortiDLP can be integrated with Microsoft to:
  • sync Entra ID users
  • collect SharePoint and OneDrive events
  • sync Microsoft sensitivity labels

A single Entra ID app registration can be used to enable all or any of these features in FortiDLP, so we have provided one set of instructions and indicated where you can optionally grant access for a feature.

A summary of the setup steps is as follows.

Setup steps

Step 1: How to register an app in Entra ID and retrieve its credentials

First, you need to register an Entra ID application and configure it with integration permissions which correspond to the features you want to enable. This will allow FortiDLP to make authorized calls to Microsoft APIs.

Step 2: How to add Entra ID app credentials to FortiDLP

Next, you need to add the credentials to the Microsoft credentials modal, accessible from any Microsoft feature configuration section in the FortiDLP Console's Admin settings.

Note

Credentials can be shared across each feature, so you only need to add the credentials once.

Step 3: How to integrate Microsoft features with FortiDLP

Finally, depending on which integration permissions you have added to the app, you need to configure and enable each feature in the relevant section of the FortiDLP Console's Admin settings.

Multiple Entra ID tenants

If you have multiple Entra ID tenants, you can register an app with each tenant and then add each set of app credentials to FortiDLP.

Note

Microsoft only allows a single management API webhook to be configured per tenant, so if it is already being used by another third-party integration, FortiDLP will not be able to connect.

How to register an app in Entra ID and retrieve its credentials
  1. Log in to the Microsoft Azure Portal.
  2. In the portal side menu, select All services.
  3. In the Filter services search box, search for and select Microsoft Entra ID.
  4. In the page side menu, under Manage, click App registrations.
  5. Click New registration.
  6. In the Name field, type FortiDLP.
  7. Click Register.
  8. When the page refreshes, note the Application (client) ID and Directory (tenant) ID. You will need these values later.
  9. In the page side menu, under Manage, click API permissions.
  10. To allow FortiDLP to sync Entra ID users, do the following:
    1. Click Add a permission.
    2. In the Request API permissions panel, do the following:
      1. Under Microsoft APIs, select Microsoft Graph.
      2. Click Application permissions.
      3. Search for and select the checkboxes of all of the following permissions:
        • Group.Read.All
        • GroupMember.Read.All
        • User.Read.All
      4. Click Add permissions.
  11. To allow FortiDLP to collect SharePoint and OneDrive events, do the following:
    1. Click Add a permission.
    2. In the Request API permissions panel, do the following:
      1. Select APIs my organization uses.
      2. Search for and select Office 365 Management APIs.
      3. Click Application permissions.
      4. Search for and select the checkboxes of all of the following permissions:
        • ActivityFeed.Read
        • ServiceHealth.Read
      5. Click Add permissions.
  12. To allow FortiDLP to sync Microsoft sensitivity labels, do the following:
    1. Click Add a permission.
    2. In the Request API permissions panel, do the following:
      1. Under Microsoft APIs, select Microsoft Graph.
      2. Click Application permissions.
      3. Search for and select the check box of InformationProtectionPolicy.Read.All.
      4. Click Add permissions.
        Note

        Labels must be synced in order for label names to be reported in SharePoint and OneDrive events.

  13. Under Configured permissions, click Grant admin consent for <your directory>.
  14. In the confirmation dialog that displays at the top of the panel, click Yes.
  15. In the page side menu, under Manage, click Certificates & Secrets.
  16. Click New client secret.
  17. In the Description field, type FortiDLP secret.
  18. In the Expires section, select an expiry time frame.
  19. Click Add.
  20. In the Client secrets section, note the client secret that displays in the Value column. You will need this later.
    Caution

    The client secret will only display once. Ensure you save a copy of it for future reference.

How to add Entra ID app credentials to FortiDLP

The same Microsoft credentials modal is used across all Microsoft features, so credentials only need to be added once from any feature section.

  1. In the FortiDLP Console, on the left-hand side bar, click .
  2. Do one of the following:
    • To add the credentials to the Entra ID user directory section:
      1. Do one of the following:
        • Under Users, select Microsoft Entra ID.
        • Under Integrations > Microsoft, select Entra ID.
      2. On the top-right corner of the page, click Add new directory.
      3. Under Authentication settings, click Manage credentials.
    • To add the credentials to the sensitivity labels section:
      1. Under Integrations > Microsoft, select Sensitivity labels.
      2. Under Sensitivity labels, click Manage credentials.
    • To add the credentials to the Microsoft SharePoint and OneDrive Connector section:
      1. Under Integrations > Microsoft, select Connectors.
      2. On the top-right corner of the page, click Add new connector.
      3. Under Authentication, click Manage credentials.
  3. Click Create new.
  4. In the Name field, enter a name to identify the credentials, such as "Microsoft credentials".
  5. In the Microsoft Directory (tenant) ID field, paste the Directory (tenant) ID retrieved in How to register an app in Entra ID and retrieve its credentials.
  6. In the Microsoft Application (client) ID field, paste the Application (client) ID retrieved in How to register an app in Entra ID and retrieve its credentials.
  7. In the Microsoft Application (client) Secret field, paste the client secret retrieved in How to register an app in Entra ID and retrieve its credentials.
  8. Click Verify.
    FortiDLP will indicate whether the connection is successful and what feature permissions are granted.
  9. Click Save.
  10. Click Cancel to close the modal.
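What the Verify step (step 8) reports, as an added, self-contained illustration rather than FortiDLP's own code: the script performs the client-credentials exchange that the stored tenant ID, client ID and secret enable, then reads the roles claim of each access token to list, per feature, which of the application permissions from this guide are still missing. The tenant, client and secret values are placeholders you supply; the feature-to-permission mapping and the offline test token are constructed here.

```python
import base64
import json
import urllib.parse
import urllib.request

# Application permissions this guide has you add, grouped by the FortiDLP feature they
# enable and by the API resource whose access token carries them (assumed mapping).
GRAPH = "https://graph.microsoft.com"
O365_MGMT = "https://manage.office.com"
FEATURE_ROLES = {
    "Entra ID user sync": (GRAPH, {"Group.Read.All", "GroupMember.Read.All", "User.Read.All"}),
    "SharePoint/OneDrive events": (O365_MGMT, {"ActivityFeed.Read", "ServiceHealth.Read"}),
    "Sensitivity label sync": (GRAPH, {"InformationProtectionPolicy.Read.All"}),
}

def request_token(tenant_id, client_id, client_secret, resource):
    """Client-credentials grant for one resource; the exchange the stored secret enables (needs network)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{resource}/.default",
    }).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]

def token_roles(access_token):
    """Admin-consented app roles appear in the token's 'roles' claim; only the payload is read here,
    signature validation is the resource API's job, not this script's."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return set(json.loads(base64.urlsafe_b64decode(payload)).get("roles", []))

def missing_permissions(tokens_by_resource):
    """Per feature, the permissions not yet granted (empty set means the feature can be enabled);
    a non-empty set usually means the permission was not added or admin consent was skipped."""
    result = {}
    for feature, (resource, needed) in FEATURE_ROLES.items():
        token = tokens_by_resource.get(resource)
        granted = token_roles(token) if token else set()
        result[feature] = needed - granted
    return result

def make_unsigned_token(roles):
    """Constructed header.payload.signature string for offline checks; not a real Entra ID token."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'roles': sorted(roles)})}.sig"
```

For a live check, call request_token once per resource in FEATURE_ROLES and pass the results to missing_permissions keyed by resource.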
How to integrate Microsoft features with FortiDLP

Depending on which permissions you added to the app registration, do the following:
