cloud-api account

cloud-api account

Use this command to connect to Microsoft 365 and Google Workspace to scan email in the user mailboxes.

Before scanning email in Microsoft 365, Microsoft Exchange, or Google Workspace mailboxes, FortiMail uses OAuth to authenticate with the service API. So for each tenant ID, you must create the service account that FortiMail will use to authenticate. Grant read permissions required to scan the email, but also for related actions such as moving email to quarantine and sending notifications.

Syntax

config cloud-api account

edit <profile_name>

[set description "<comment_str>"]

set status {enable | disable}

set type {exchange | ms365 | gmail}

set tenant <tenant_str>

set application-id <id_str>

set application-secret <password_str>

set service-endpoint {china | germany | global | us-dod | us-gov}

set service-url <service_url>

set service-email <service_email>

set service-password <password_str>

set global-address-list <id_str>

set admin-email <administrator_email>

set application-key <key_str>

set realtime-scan-status {enable | disable}

config user-filter

edit <user-filter_index>

set status {enable | disable}

set type {ad-group | email-group | imported-user | ldap-group | regex | wildcard}

set ad-group-attr {custom | displayname | mail}

set ad-group-attr-name <attribute-name_str>

set ad-group-attr-value <attribute-value_str>

set email-group <group_name>

set ldap-profile <profile_name>

set ldap-group <group_str>

set pattern <user-filter_pattern>

end

Variable	Description	Default
<profile_name>	Enter a unique name for the profile.
<user-filter_index>	Enter an index number to identify the user filter.
ad-group-attr-name <attribute-name_str>	Enter the custom Microsoft Azure Entra ID (formerly Active Directory) group attribute name. This setting is only available if `ad-group-attr {custom \| displayname \| mail}` is `custom`.
ad-group-attr-value <attribute-value_str>	Enter the Microsoft Azure Entra ID (formerly Active Directory) group attribute value. This setting is available only if `type {ad-group \| email-group \| imported-user \| ldap-group \| regex \| wildcard}` is `ad-group`.
ad-group-attr {custom \| displayname \| mail}	Select the type of group attribute name to use for a user filter with Microsoft Azure Entra ID (formerly Active Directory).Also configure `ad-group-attr-value <attribute-value_str>` and (if you select `custom` for a custom schema) `ad-group-attr-name <attribute-name_str>`. This setting is available only if `type {ad-group \| email-group \| imported-user \| ldap-group \| regex \| wildcard}` is `ad-group`.	displayname
admin-email <administrator_email>	Enter your organization's Google Workspace service account for FortiMail. This setting is available only if `type {exchange \| ms365 \| gmail}` is `gmail`.
application-id <id_str>	Enter your organization's Microsoft 365 application ID for FortiMail. This setting is available only if `type {exchange \| ms365 \| gmail}` is `ms365`.
application-key <key_str>	Enter your organization's Google Workspace administrator account JSON content that contains the application key. This setting is available only if `type {exchange \| ms365 \| gmail}` is `gmail`.
application-secret <password_str>	Enter your organization's Microsoft 365 application secret for FortiMail. This setting is available only if `type {exchange \| ms365 \| gmail}` is `ms365`.
description "<comment_str>"	Enter a description or comment.
email-group <group_name>	Select which email group to use for the user filter. This setting is available only if `type {ad-group \| email-group \| imported-user \| ldap-group \| regex \| wildcard}` is `email-group`.
global-address-list <id_str>	Enter the GUID of a global address list. To get the ID, start a Microsoft Exchange management shell and enter the command: Get-GlobalAddressList\|fl name,guid This setting is available only if `type {exchange \| ms365 \| gmail}` is `exchange`.
ldap-group <group_str>	Enter the group name to use for the user filter. This setting is available only if `type {ad-group \| email-group \| imported-user \| ldap-group \| regex \| wildcard}` is `ldap-group`.
ldap-profile <profile_name>	Select which LDAP profile to use for the user filter. Also configure `ldap-group <group_str>`. This setting is available only if `type {ad-group \| email-group \| imported-user \| ldap-group \| regex \| wildcard}` is `ldap-group`.
pattern <user-filter_pattern>	Select which pattern to use for the user filter. This setting is available only if `type {ad-group \| email-group \| imported-user \| ldap-group \| regex \| wildcard}` is `regex` or `wildcard`.
realtime-scan-status {enable \| disable}	Enable or disable real-time scans for the account. Also configure `realtime-scan-status {enable \| disable}` (global policy setting) and `push-notification-url-base <url_str>` (which URL will receive webhook notifications when an email is received).	enable
service-email <service_email>	Enter your organization's Microsoft Exchange service account for FortiMail This setting is available only if `type {exchange \| ms365 \| gmail}` is `exchange`.
service-endpoint {china \| germany \| global \| us-dod \| us-gov}	Select either `global` or a specific data center region for the service endpoint. This setting is available only if `type {exchange \| ms365 \| gmail}` is `ms365`.	global
service-password <password_str>	Enter your organization's Microsoft Exchange service account password. This setting is available only if `type {exchange \| ms365 \| gmail}` is `exchange`.
service-url <service_url>	Enter your organization's Microsoft Exchange service URL. This setting is available only if `type {exchange \| ms365 \| gmail}` is `exchange`.
status {enable \| disable}	Enable or disable the account used by the cloud API connector.	enable
status {enable \| disable}	Enable or disable this user filter.	disable
tenant <tenant_str>	Enter your organization's Microsoft 365 tenant ID. This setting is available only if `type {exchange \| ms365 \| gmail}` is `ms365`.
type {ad-group \| email-group \| imported-user \| ldap-group \| regex \| wildcard}	Select the user filter type, either: `ad-group`: Group attribute in Microsoft Azure Entra ID (formerly Active Directory). This option is available only for Microsoft 365. `email-group`: Email group. `imported-user`: Imported internal or external user. Also configure `config profile user-import`. `ldap-group`: Group attribute. `regex`: Regular expression. `wildcard`:Wild card.	wildcard
type {exchange \| ms365 \| gmail}	Select whether the cloud API account for FortiMail is on Microsoft Exchange EWS, Microsoft 365, or Google Workspace (Gmail). Also configure account settings that vary by this type, such as `tenant <tenant_str>` for Microsoft 365.	ms365

cloud-api account

Use this command to connect to Microsoft 365 and Google Workspace to scan email in the user mailboxes.

Syntax

config cloud-api account

edit <profile_name>

[set description "<comment_str>"]

set status {enable | disable}

set type {exchange | ms365 | gmail}

set tenant <tenant_str>

set application-id <id_str>

set application-secret <password_str>

set service-endpoint {china | germany | global | us-dod | us-gov}

set service-url <service_url>

set service-email <service_email>

set service-password <password_str>

set global-address-list <id_str>

set admin-email <administrator_email>

set application-key <key_str>

set realtime-scan-status {enable | disable}

config user-filter

edit <user-filter_index>

set status {enable | disable}

set type {ad-group | email-group | imported-user | ldap-group | regex | wildcard}

set ad-group-attr {custom | displayname | mail}

set ad-group-attr-name <attribute-name_str>

set ad-group-attr-value <attribute-value_str>

set email-group <group_name>

set ldap-profile <profile_name>

set ldap-group <group_str>

set pattern <user-filter_pattern>

end

Variable	Description	Default
<profile_name>	Enter a unique name for the profile.
<user-filter_index>	Enter an index number to identify the user filter.
ad-group-attr-name <attribute-name_str>	Enter the custom Microsoft Azure Entra ID (formerly Active Directory) group attribute name. This setting is only available if `ad-group-attr {custom \| displayname \| mail}` is `custom`.
ad-group-attr-value <attribute-value_str>	Enter the Microsoft Azure Entra ID (formerly Active Directory) group attribute value. This setting is available only if `type {ad-group \| email-group \| imported-user \| ldap-group \| regex \| wildcard}` is `ad-group`.
ad-group-attr {custom \| displayname \| mail}	Select the type of group attribute name to use for a user filter with Microsoft Azure Entra ID (formerly Active Directory).Also configure `ad-group-attr-value <attribute-value_str>` and (if you select `custom` for a custom schema) `ad-group-attr-name <attribute-name_str>`. This setting is available only if `type {ad-group \| email-group \| imported-user \| ldap-group \| regex \| wildcard}` is `ad-group`.	displayname
admin-email <administrator_email>	Enter your organization's Google Workspace service account for FortiMail. This setting is available only if `type {exchange \| ms365 \| gmail}` is `gmail`.
application-id <id_str>	Enter your organization's Microsoft 365 application ID for FortiMail. This setting is available only if `type {exchange \| ms365 \| gmail}` is `ms365`.
application-key <key_str>	Enter your organization's Google Workspace administrator account JSON content that contains the application key. This setting is available only if `type {exchange \| ms365 \| gmail}` is `gmail`.
application-secret <password_str>	Enter your organization's Microsoft 365 application secret for FortiMail. This setting is available only if `type {exchange \| ms365 \| gmail}` is `ms365`.
description "<comment_str>"	Enter a description or comment.
email-group <group_name>	Select which email group to use for the user filter. This setting is available only if `type {ad-group \| email-group \| imported-user \| ldap-group \| regex \| wildcard}` is `email-group`.
global-address-list <id_str>	Enter the GUID of a global address list. To get the ID, start a Microsoft Exchange management shell and enter the command: Get-GlobalAddressList\|fl name,guid This setting is available only if `type {exchange \| ms365 \| gmail}` is `exchange`.
ldap-group <group_str>	Enter the group name to use for the user filter. This setting is available only if `type {ad-group \| email-group \| imported-user \| ldap-group \| regex \| wildcard}` is `ldap-group`.
ldap-profile <profile_name>	Select which LDAP profile to use for the user filter. Also configure `ldap-group <group_str>`. This setting is available only if `type {ad-group \| email-group \| imported-user \| ldap-group \| regex \| wildcard}` is `ldap-group`.
pattern <user-filter_pattern>	Select which pattern to use for the user filter. This setting is available only if `type {ad-group \| email-group \| imported-user \| ldap-group \| regex \| wildcard}` is `regex` or `wildcard`.
realtime-scan-status {enable \| disable}	Enable or disable real-time scans for the account. Also configure `realtime-scan-status {enable \| disable}` (global policy setting) and `push-notification-url-base <url_str>` (which URL will receive webhook notifications when an email is received).	enable
service-email <service_email>	Enter your organization's Microsoft Exchange service account for FortiMail This setting is available only if `type {exchange \| ms365 \| gmail}` is `exchange`.
service-endpoint {china \| germany \| global \| us-dod \| us-gov}	Select either `global` or a specific data center region for the service endpoint. This setting is available only if `type {exchange \| ms365 \| gmail}` is `ms365`.	global
service-password <password_str>	Enter your organization's Microsoft Exchange service account password. This setting is available only if `type {exchange \| ms365 \| gmail}` is `exchange`.
service-url <service_url>	Enter your organization's Microsoft Exchange service URL. This setting is available only if `type {exchange \| ms365 \| gmail}` is `exchange`.
status {enable \| disable}	Enable or disable the account used by the cloud API connector.	enable
status {enable \| disable}	Enable or disable this user filter.	disable
tenant <tenant_str>	Enter your organization's Microsoft 365 tenant ID. This setting is available only if `type {exchange \| ms365 \| gmail}` is `ms365`.
type {ad-group \| email-group \| imported-user \| ldap-group \| regex \| wildcard}	Select the user filter type, either: `ad-group`: Group attribute in Microsoft Azure Entra ID (formerly Active Directory). This option is available only for Microsoft 365. `email-group`: Email group. `imported-user`: Imported internal or external user. Also configure `config profile user-import`. `ldap-group`: Group attribute. `regex`: Regular expression. `wildcard`:Wild card.	wildcard
type {exchange \| ms365 \| gmail}	Select whether the cloud API account for FortiMail is on Microsoft Exchange EWS, Microsoft 365, or Google Workspace (Gmail). Also configure account settings that vary by this type, such as `tenant <tenant_str>` for Microsoft 365.	ms365

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

Web Application / API Protection

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

All Products

CLI Reference