Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiMail 7.6.1 Administration Guide
    7.6.1
    7.6.1
    7.6.0
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.7
    6.2.0
    6.0.6
    6.0.4
    6.0.3
    6.0.1
    6.0.0

    Configuring accounts

    Configuring accounts

    Before you can scan email in Microsoft 365, Exchange, or Google Workspace mailboxes, you must connect to a respective server.

    • Adding a Microsoft 365 account in FortiMail requires your Tenant ID, Application ID, and Application Secret.
    • Adding a Microsoft Exchange account in FortiMail requires your service URL, service account and password.
    • Adding a Google Workspace account in FortiMail requires an email address designated for the administrator, and the account's JSON content.

    To create a Microsoft 365 account

    On the MS365 side:

    When acquiring the Tenant ID and Application ID from Microsoft 365, you must also grant consent permissions for the administrator.

    Add the following permissions for the administrator in Microsoft 365:

    • User.Read.All
    • Mail.ReadWrite
    • Mail.Send
    • Directory.Read.All

    By default, User.Read is added.

    On the FortiMail side:

    1. Go to View > Microsoft & Google API View.
    2. Go to .
    3. Click New.
    4. Leave Status enabled.
    5. Set Type to Microsoft 365.
    6. Enter the Tenant ID, Application ID, and the Application Secret. You receive log on credentials when you create the custom application on Microsoft Azure. For details, see the Azure documentation.
    7. Select a regional Service Endpoint appropriate to your geographical location.
    8. Enable Real-time Scan if you wish to conduct real-time scanning of emails that match certain criteria specified in a real-time scan policy. For more information, see Enabling and configuring real-time scanning.
    9. Optionally, click New under User Filter Setting to configure user filter settings. Enable Status, select the appropriate user Type, and specify additional options depending upon the filter type selected, then click Create.
      Note

      FortiMail supports the importation of Azure AD user group memberships, which can subsequently be applied to domain level recipient policies.

      To use this feature, select Azure AD Group from the Type dropdown when configuring User Filter Settings.

      This feature is currently only available when configuring Microsoft 365 accounts.

    To create a Microsoft Exchange account

    On the Microsoft Exchange Server side:

    1. Go to the Exchange management shell and run the following command:
      Get-WebServicesVirtualDirectory|Select name, *url*|fl
    2. Take note of the internal URL. You’ll need to enter it on the FortiMail side. And make sure the URL is reachable by FortiMail via HTTPs.
    3. Go to Exchange admin center > recipients > mailboxes, click “+” and create a new mailbox as the service account.
    4. Go to the Exchange management shell and enter the following command to set the “Application Impersonation” role for the service account:
      New-ManagementRoleAssignment -Name:FortiMailScan -Role:ApplicationImpersonation -User:service@domain

      Where “service@domain” is the service account mailbox created in the previous step.

    5. Go to Exchange admin center > permissions > admin roles, and edit “Discovery Management”. Add “Mailbox Search” to its roles and add the service account to its members.
    6. Go to the Exchange management shell, and run the following command:
      Get-GlobalAddressList|fl name,guid
    7. Take note of the default global address list (Guid). You’ll need to enter it on the FortiMail side.

    On the FortiMail side:

    1. Go to View > Microsoft & Google API View.
    2. Go to .
    3. Click New.
    4. Set Type to Microsoft Exchange.
    5. Enter the Exchange Server's service URL, service account, password and global address list from the previous steps.
    6. Enable Real-time Scan if you wish to conduct real-time scanning of emails that match certain criteria specified in a real-time scan policy. For more information, see Enabling and configuring real-time scanning.
    7. Optionally, click New under User Filter Setting to configure user filter settings. Enable Status, select the appropriate user Type, and specify additional options depending upon the filter type selected, then click Create.
    To create a Google Workspace account

    On the Google Cloud side:

    1. Log in to the Google Cloud console as the Workspace admin.
    2. From the Project dropdown list, click New Project. Enter a new project name, then switch to the new project.
    3. Go to APIs & Services.
    4. Click Enable APIs and Services, search and enable Admin SDK API, Gmail API, and Cloud Pub/Sub API.
    5. Go to APIs & Services > OAuth Consent, select Internal and then select Create. Enter the name and contact email. Save and continue.
    6. Add the following scopes, then save and continue:

      7. https://mail.google.com

      https://www.googleapis.com/auth/admin.directory.user.readonly

      https://www.googleapis.com/auth/admin.directory.domain.readonly

      https://www.googleapis.com/auth/pubsub

    7. Go to APIs & Services > Credentials. Click Create Credentials. Select Service Account, and enter the name. Click Create and Continue and then Done.
    8. Go to IAM & Admin > Service Accounts. Click on the default account in the list. Go to Keys tab. Click Add Key, Create New Key, JSON, and Create. Store the JSON file securely.
    9. Go to Details of the new account, and expand Advanced Settings. Copy the client ID.
    10. Click View Google Workspace Admin Console, and log in as super admin.
    11. Go to Security > Access and Data Control > API Controls. Click Manage Domain Wide Delegation, and then Add New. Enter the copied client ID and the above scopes.
    12. Click Authorize.

    On the FortiMail side:

    1. Go to View > Microsoft & Google API View.
    2. Go to .
    3. Click New.
    4. Leave Status enabled.
    5. Set Type to Google Workspace.
    6. Enter the Admin email and the JSON content. You receive JSON credentials when you create the custom application on Google Workspace. For details, see the Google documentation.
    7. Enable Real-time Scan if you wish to conduct real-time scanning of emails that match certain criteria specified in a real-time scan policy. For more information, see Enabling and configuring real-time scanning.
    8. Optionally, click New under User Filter Setting to configure user filter settings. Enable Status, select the appropriate user Type, and specify additional options depending upon the filter type selected, then click Create.
    9. When finished configuring the account, click Create. If successful, your account will appear in the account list, showing FortiMail connected to Microsoft 365/Exchange or Google Workspace.
    10. Click View User List to view the following email user information under the selected account:
      • Status: Displays whether the user is subscribed or not.
      • Email: User names of the email users on the Microsoft 365/Exchange or Google Workspace account.
      • Expiry Date: Subscription expiry date and time to notifications of the user's real-time email.
    Previous
    Next

    Configuring accounts

    Configuring accounts

    Before you can scan email in Microsoft 365, Exchange, or Google Workspace mailboxes, you must connect to a respective server.

    • Adding a Microsoft 365 account in FortiMail requires your Tenant ID, Application ID, and Application Secret.
    • Adding a Microsoft Exchange account in FortiMail requires your service URL, service account and password.
    • Adding a Google Workspace account in FortiMail requires an email address designated for the administrator, and the account's JSON content.

    To create a Microsoft 365 account

    On the MS365 side:

    When acquiring the Tenant ID and Application ID from Microsoft 365, you must also grant consent permissions for the administrator.

    Add the following permissions for the administrator in Microsoft 365:

    • User.Read.All
    • Mail.ReadWrite
    • Mail.Send
    • Directory.Read.All

    By default, User.Read is added.

    On the FortiMail side:

    1. Go to View > Microsoft & Google API View.
    2. Go to .
    3. Click New.
    4. Leave Status enabled.
    5. Set Type to Microsoft 365.
    6. Enter the Tenant ID, Application ID, and the Application Secret. You receive log on credentials when you create the custom application on Microsoft Azure. For details, see the Azure documentation.
    7. Select a regional Service Endpoint appropriate to your geographical location.
    8. Enable Real-time Scan if you wish to conduct real-time scanning of emails that match certain criteria specified in a real-time scan policy. For more information, see Enabling and configuring real-time scanning.
    9. Optionally, click New under User Filter Setting to configure user filter settings. Enable Status, select the appropriate user Type, and specify additional options depending upon the filter type selected, then click Create.
      Note

      FortiMail supports the importation of Azure AD user group memberships, which can subsequently be applied to domain level recipient policies.

      To use this feature, select Azure AD Group from the Type dropdown when configuring User Filter Settings.

      This feature is currently only available when configuring Microsoft 365 accounts.

    To create a Microsoft Exchange account

    On the Microsoft Exchange Server side:

    1. Go to the Exchange management shell and run the following command:
      Get-WebServicesVirtualDirectory|Select name, *url*|fl
    2. Take note of the internal URL. You’ll need to enter it on the FortiMail side. And make sure the URL is reachable by FortiMail via HTTPs.
    3. Go to Exchange admin center > recipients > mailboxes, click “+” and create a new mailbox as the service account.
    4. Go to the Exchange management shell and enter the following command to set the “Application Impersonation” role for the service account:
      New-ManagementRoleAssignment -Name:FortiMailScan -Role:ApplicationImpersonation -User:service@domain

      Where “service@domain” is the service account mailbox created in the previous step.

    5. Go to Exchange admin center > permissions > admin roles, and edit “Discovery Management”. Add “Mailbox Search” to its roles and add the service account to its members.
    6. Go to the Exchange management shell, and run the following command:
      Get-GlobalAddressList|fl name,guid
    7. Take note of the default global address list (Guid). You’ll need to enter it on the FortiMail side.

    On the FortiMail side:

    1. Go to View > Microsoft & Google API View.
    2. Go to .
    3. Click New.
    4. Set Type to Microsoft Exchange.
    5. Enter the Exchange Server's service URL, service account, password and global address list from the previous steps.
    6. Enable Real-time Scan if you wish to conduct real-time scanning of emails that match certain criteria specified in a real-time scan policy. For more information, see Enabling and configuring real-time scanning.
    7. Optionally, click New under User Filter Setting to configure user filter settings. Enable Status, select the appropriate user Type, and specify additional options depending upon the filter type selected, then click Create.
    To create a Google Workspace account

    On the Google Cloud side:

    1. Log in to the Google Cloud console as the Workspace admin.
    2. From the Project dropdown list, click New Project. Enter a new project name, then switch to the new project.
    3. Go to APIs & Services.
    4. Click Enable APIs and Services, search and enable Admin SDK API, Gmail API, and Cloud Pub/Sub API.
    5. Go to APIs & Services > OAuth Consent, select Internal and then select Create. Enter the name and contact email. Save and continue.
    6. Add the following scopes, then save and continue:

      7. https://mail.google.com

      https://www.googleapis.com/auth/admin.directory.user.readonly

      https://www.googleapis.com/auth/admin.directory.domain.readonly

      https://www.googleapis.com/auth/pubsub

    7. Go to APIs & Services > Credentials. Click Create Credentials. Select Service Account, and enter the name. Click Create and Continue and then Done.
    8. Go to IAM & Admin > Service Accounts. Click on the default account in the list. Go to Keys tab. Click Add Key, Create New Key, JSON, and Create. Store the JSON file securely.
    9. Go to Details of the new account, and expand Advanced Settings. Copy the client ID.
    10. Click View Google Workspace Admin Console, and log in as super admin.
    11. Go to Security > Access and Data Control > API Controls. Click Manage Domain Wide Delegation, and then Add New. Enter the copied client ID and the above scopes.
    12. Click Authorize.

    On the FortiMail side:

    1. Go to View > Microsoft & Google API View.
    2. Go to .
    3. Click New.
    4. Leave Status enabled.
    5. Set Type to Google Workspace.
    6. Enter the Admin email and the JSON content. You receive JSON credentials when you create the custom application on Google Workspace. For details, see the Google documentation.
    7. Enable Real-time Scan if you wish to conduct real-time scanning of emails that match certain criteria specified in a real-time scan policy. For more information, see Enabling and configuring real-time scanning.
    8. Optionally, click New under User Filter Setting to configure user filter settings. Enable Status, select the appropriate user Type, and specify additional options depending upon the filter type selected, then click Create.
    9. When finished configuring the account, click Create. If successful, your account will appear in the account list, showing FortiMail connected to Microsoft 365/Exchange or Google Workspace.
    10. Click View User List to view the following email user information under the selected account:
      • Status: Displays whether the user is subscribed or not.
      • Email: User names of the email users on the Microsoft 365/Exchange or Google Workspace account.
      • Expiry Date: Subscription expiry date and time to notifications of the user's real-time email.
    Previous
    Next