
FortiDLP Administration Guide

Microsoft credentials

Microsoft credentials

FortiDLP can be integrated with Microsoft to:

A single Entra ID app registration can be used to enable all or any of these features in FortiDLP, so we have provided one set of instructions and indicated where you can optionally grant access for a feature.

A summary of the setup steps is as follows.

Setup steps

How to create and retrieve credentials for an Entra ID app registration

First, you need to register an Entra ID application and configure it with integration permissions which correspond to the features you want to enable. This will allow FortiDLP to make authorized calls to Microsoft APIs.

How to add the Entra ID app credentials to FortiDLP

Next, you need to add the credentials to the Microsoft credentials modal, accessible from any Microsoft feature configuration section in the FortiDLP Console's Admin settings.

Note

Credentials can be shared across each feature, so you only need to add the credentials once.

How to integrate Microsoft features with FortiDLP

Finally, depending on which integration permissions you have added to the app, you need to configure and enable each feature in the relevant section of the FortiDLP Console's Admin settings.

Multiple sets of app credentials

If you have multiple Microsoft Entra tenants, you can register an app with each tenant and then add each set of app credentials to FortiDLP. However, there are some limitations:

  • You can only sync sensitivity labels from one tenant, so if you have added multiple sets of app credentials, you must select which set you want to use for the configuration.
    Note

    Each time a label sync occurs, all of the labels previously synced are replaced. Therefore, you should ensure that all of the labels you need are associated with the app credentials you choose to sync with.

  • Microsoft only allows a single management API webhook to be configured per tenant, so if it is already being used by another third-party integration, FortiDLP will not be able to connect.

How to create and retrieve credentials for an Entra ID app registration
  1. Log in to the Microsoft Azure Portal.
  2. In the left-hand panel, click Microsoft Entra ID.
  3. Under Manage, click App registrations.
  4. Click New registration.
  5. In the Name field, type Fortinet.
  6. Click Register.
  7. When the page refreshes, note the Application (client) ID and Directory (tenant) ID. You will need these values later.
  8. Click API permissions.
  9. To grant permissions for syncing Entra ID users and/or sensitivity labels, do the following:
    1. Click Add a permission.
    2. In the Request API permissions panel, do the following:
      1. Click Microsoft Graph.
      2. Click Application permissions.
        Note

        Permissions must be configured as "application permissions" and not "delegated permissions", which is the default.

      3. Do at least one of the following:
        • To allow FortiDLP to sync Entra ID users, search for and select the checkboxes of all of the following permissions:
          • Group.Read.All
          • GroupMember.Read.All
          • User.Read.All.
        • To allow FortiDLP to sync sensitivity labels, search for and select the check box of the following permission:
          • InformationProtectionPolicy.Read.All
      4. Click Add permissions.
  10. To grant permissions for collecting SharePoint and OneDrive events, do the following:
    1. Click Add a permission.
    2. In the Request API permissions panel, do the following:
      1. Select APIs my organization uses.
      2. Search for and select Office 365 Management APIs.
      3. Click Application permissions.
        Note

        Permissions must be configured as "application permissions" and not "delegated permissions", which is the default.

      4. Search for and select the checkboxes of all of the following permissions:
        • ActivityFeed.Read
        • ServiceHealth.Read
      5. Click Add permissions.
  11. Under Configured permissions, click Grant admin consent for <your directory>.
  12. In the confirmation dialog that displays at the top of the panel, click Yes.
  13. In the second left-hand panel, click Certificates & Secrets.
  14. Click New client secret.
  15. In the Description field, type Reveal secret.
  16. In the Expiry section, click the Never check box.
  17. Click Add.

  18. In the Client secrets section, note the client secret that displays in the Value column. You will need this later.
    Caution

    The client secret will only display once. Ensure you save a copy of it for future reference.

How to add the Entra ID app credentials to FortiDLP

The same Microsoft credentials modal is used across all Microsoft features, so credentials only need to be added once from any feature section.

  1. In the FortiDLP Console, on the left-hand side bar, click .
  2. Do one of the following:
    • To add the credentials to the Entra ID user directory section:
      1. Do one of the following:
        • Under Users, select Microsoft Entra ID.
        • Under Integrations > Microsoft, select Entra ID.
      2. On the top-right corner of the page, click Add new directory.
      3. Under Authentication settings, click Manage credentials.
    • To add the credentials to the sensitivity labels section:
      1. Under Integrations > Microsoft, select Sensitivity labels.
      2. Under Sensitivity labels, click Manage credentials.
    • To add the credentials to the Microsoft SharePoint and OneDrive Connector section:
      1. Under Integrations > Microsoft, select Connectors.
      2. On the top-right corner of the page, click Add new connector.
      3. Under Authentication, click Manage credentials.
  3. Click Create new.
  4. In the Name field, enter a name to identify the credentials, such as "Microsoft credentials".
  5. In the Microsoft Directory (tenant) ID field, paste the Directory (tenant) ID retrieved in How to create and retrieve credentials for an Entra ID app registration.
  6. In the Microsoft Application (client) ID field, paste the Application (client) ID retrieved in How to create and retrieve credentials for an Entra ID app registration.
  7. In the Microsoft Application (client) Secret field, paste the client secret retrieved in How to create and retrieve credentials for an Entra ID app registration.
  8. Click Verify.
    FortiDLP will indicate whether the connection is successful and what feature permissions are granted.
  9. Click Save.
  10. Click Cancel to close the modal.
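As an added example (not from the FortiDLP guide or Fortinet's own code), the check below models what the Verify step reports: it decodes an application access token issued for the tenant ID and client ID from the app registration and maps the application permissions in its roles claim to the three feature permission sets listed in the app registration procedure. The token-building helper, the resource audience strings and the sample tenant and client IDs are assumptions for an offline demonstration.

```python
"""Offline model of the guide's Verify step (added example, not FortiDLP code):
inspect an application access token's claims and report which FortiDLP feature
permission sets are granted. Tokens here are constructed and unsigned."""
import base64
import json

# Application permissions named in the guide, keyed by the resource the token is
# issued for (its `aud` claim) and by the FortiDLP feature they enable.
REQUIRED = {
    "https://graph.microsoft.com": {
        "entra_id_user_sync": {"Group.Read.All", "GroupMember.Read.All", "User.Read.All"},
        "sensitivity_labels": {"InformationProtectionPolicy.Read.All"},
    },
    "https://manage.office.com": {
        "sharepoint_onedrive_events": {"ActivityFeed.Read", "ServiceHealth.Read"},
    },
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT for the demo (real tokens are signed by Entra ID)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def jwt_claims(token: str) -> dict:
    """Decode the payload segment of a compact JWT (claims only, no signature check)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload))

def verify_token(token: str, tenant_id: str, client_id: str) -> dict:
    """Return {feature: sorted missing roles} for the token's audience, after checking
    it was issued for the expected tenant and app registration ([] = fully granted)."""
    c = jwt_claims(token)
    if c.get("tid") != tenant_id or c.get("appid") != client_id:
        raise ValueError("token was issued for a different tenant or app registration")
    features = REQUIRED.get(c.get("aud"))
    if features is None:
        raise ValueError(f"unexpected audience {c.get('aud')!r}")
    # Application permissions arrive in `roles`; delegated ones sit in `scp` and do not count.
    roles = set(c.get("roles", []))
    return {feature: sorted(needed - roles) for feature, needed in features.items()}
# Constructed sample: a Graph token with the user-sync roles but not the label-sync role.
TENANT, CLIENT = "00000000-0000-0000-0000-000000000001", "00000000-0000-0000-0000-000000000002"
SAMPLE_GRAPH_TOKEN = make_unsigned_token({
    "aud": "https://graph.microsoft.com", "tid": TENANT, "appid": CLIENT,
    "roles": ["Group.Read.All", "GroupMember.Read.All", "User.Read.All"],
})
```

Because each token is scoped to one resource, a Graph token can only answer for the user-sync and sensitivity-label features; the SharePoint and OneDrive event permissions are checked from a token requested for the Office 365 Management API.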
How to integrate Microsoft features with FortiDLP

Depending on which permissions you added to the app registration, do the following:
