Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiSASE Administration Guide

    Configuring API permissions and determining Entra ID SSO credentials

    Configuring API permissions and determining Entra ID SSO credentials

    Before you can autoconnect to VPN using Microsoft Entra ID SSO and search user groups from Entra ID single sign on (SSO), you must configure API permissions for autoconnect and group searching, and then determine the SAML provider credentials from the Entra ID portal.

    To access the Entra ID portal:
    1. Log into the Azure portal. You should already have an enterprise application created in Entra ID. If this has not been created, see Creating an enterprise application using FortiSASE as a template from the gallery and collecting SAML IdP URL information.
    2. On the homepage, do one of the following:
      • Under Azure Services, click Microsoft Entra ID.
      • Click the navigation menu and under All Services, click Microsoft Entra ID.
    To add Microsoft Graph API application permissions required for autoconnect and searching user groups:
    1. In the left menu, click App registrations, then click the All applications tab.
    2. Look for the name of your FortiSASE enterprise application and click the hyperlinked name.
    3. In the left menu, click API permissions, and click Add a permission.

    4. In the Request API permissions slide-in, click Microsoft Graph.

    5. Add application permissions:
      1. Select Application permissions.
      2. In the Select permissions section, search for and select the following permissions by clicking the checkboxes next to these permissions required for group searching:
        • Group > Group.Read.All – Read all groups
        • GroupMember > GroupMember.Read.All – Read all group memberships\
      3. Click Add permissions.

    6. Add delegated permissions:

      1. Repeat steps 1-4 to add a permission.
      2. Select Delegated permissions.
      3. In the Select permissions section, search for and select the following permissions by clicking the checkboxes next to these permissions required for autoconnect:
        • Openid permissions > offline_access – Maintain access to data you have given it access
        • Openid permissions > openid – Sign users in
        • Openid permissions > profile – View users' basic profile
        • User > User.Read – Sign in and read user profile
    7. Click Add permissions.
    8. In the API permissions page, click Grant admin consent for <domain name>. If this option is grayed out, you must log into an Entra ID admin account to perform this step. Click Yes in the Grant admin consent confirmation prompt. Observe the Grant consent successful notification at the top-right.

      Also, observe the Status field shows Granted for <domain> for all the permissions added.

      This step is important since it ensures that the administrator grants permissions for the enterprise application from Entra ID instead of end users requiring the administrator to log in to each instance and provide permissions.

      Therefore, in summary, you should add the following Microsoft Graph permissions to support the following Entra ID features:

      FeatureAPI permission groupPermission nameType
      VPN autoconnectOpenId permissionsoffline_accessDelegated
      OpenId permissionsopenid
      OpenId permissionsprofile
      UserUser.read
      Group searchingGroupGroup.Read.AllApplication
      GroupMemberGroupMember.Read.All
    To add a client secret string and determine the value of the client secret string:
    1. In the left menu, click App registrations, then click the All applications tab.
    2. Look for the name of your FortiSASE enterprise application and click the hyperlinked name.
    3. In the left menu, click Certificates & secrets, and click New client secret.
    4. In the Add a Client Secret slide-in, add a Description and select the Expires option of your choice. Click Add.
    5. Observe that a new client secret has been created. Immediately after creation, ensure you copy the Value of the client secret string, which FortiSASE uses as the Client Secret. This value is not visible after this initial creation step and moving to another page.

    To determine the tenant and client IDs:
    1. In the left menu, click App registrations, then click All applications.
    2. Look for your FortiSASE enterprise application name and click the hyperlinked name.
    3. In the left menu, click Overview and note the following values:
      • Application (client) ID, which FortiSASE uses as the Client ID
      • Directory (tenant) ID, which FortiSASE uses as the Tenant ID
    Entra ID page within specific enterprise application Entra ID field FortiSASE field
    Overview Directory (tenant) ID Tenant ID
    Application (client) ID Client ID

    Certificates & Secrets

    Value

    Client Secret
    Previous
    Next

    Configuring API permissions and determining Entra ID SSO credentials

    Configuring API permissions and determining Entra ID SSO credentials

    Before you can autoconnect to VPN using Microsoft Entra ID SSO and search user groups from Entra ID single sign on (SSO), you must configure API permissions for autoconnect and group searching, and then determine the SAML provider credentials from the Entra ID portal.

    To access the Entra ID portal:
    1. Log into the Azure portal. You should already have an enterprise application created in Entra ID. If this has not been created, see Creating an enterprise application using FortiSASE as a template from the gallery and collecting SAML IdP URL information.
    2. On the homepage, do one of the following:
      • Under Azure Services, click Microsoft Entra ID.
      • Click the navigation menu and under All Services, click Microsoft Entra ID.
    To add Microsoft Graph API application permissions required for autoconnect and searching user groups:
    1. In the left menu, click App registrations, then click the All applications tab.
    2. Look for the name of your FortiSASE enterprise application and click the hyperlinked name.
    3. In the left menu, click API permissions, and click Add a permission.

    4. In the Request API permissions slide-in, click Microsoft Graph.

    5. Add application permissions:
      1. Select Application permissions.
      2. In the Select permissions section, search for and select the following permissions by clicking the checkboxes next to these permissions required for group searching:
        • Group > Group.Read.All – Read all groups
        • GroupMember > GroupMember.Read.All – Read all group memberships\
      3. Click Add permissions.

    6. Add delegated permissions:

      1. Repeat steps 1-4 to add a permission.
      2. Select Delegated permissions.
      3. In the Select permissions section, search for and select the following permissions by clicking the checkboxes next to these permissions required for autoconnect:
        • Openid permissions > offline_access – Maintain access to data you have given it access
        • Openid permissions > openid – Sign users in
        • Openid permissions > profile – View users' basic profile
        • User > User.Read – Sign in and read user profile
    7. Click Add permissions.
    8. In the API permissions page, click Grant admin consent for <domain name>. If this option is grayed out, you must log into an Entra ID admin account to perform this step. Click Yes in the Grant admin consent confirmation prompt. Observe the Grant consent successful notification at the top-right.

      Also, observe the Status field shows Granted for <domain> for all the permissions added.

      This step is important since it ensures that the administrator grants permissions for the enterprise application from Entra ID instead of end users requiring the administrator to log in to each instance and provide permissions.

      Therefore, in summary, you should add the following Microsoft Graph permissions to support the following Entra ID features:

      FeatureAPI permission groupPermission nameType
      VPN autoconnectOpenId permissionsoffline_accessDelegated
      OpenId permissionsopenid
      OpenId permissionsprofile
      UserUser.read
      Group searchingGroupGroup.Read.AllApplication
      GroupMemberGroupMember.Read.All
    To add a client secret string and determine the value of the client secret string:
    1. In the left menu, click App registrations, then click the All applications tab.
    2. Look for the name of your FortiSASE enterprise application and click the hyperlinked name.
    3. In the left menu, click Certificates & secrets, and click New client secret.
    4. In the Add a Client Secret slide-in, add a Description and select the Expires option of your choice. Click Add.
    5. Observe that a new client secret has been created. Immediately after creation, ensure you copy the Value of the client secret string, which FortiSASE uses as the Client Secret. This value is not visible after this initial creation step and moving to another page.

    To determine the tenant and client IDs:
    1. In the left menu, click App registrations, then click All applications.
    2. Look for your FortiSASE enterprise application name and click the hyperlinked name.
    3. In the left menu, click Overview and note the following values:
      • Application (client) ID, which FortiSASE uses as the Client ID
      • Directory (tenant) ID, which FortiSASE uses as the Tenant ID
    Entra ID page within specific enterprise application Entra ID field FortiSASE field
    Overview Directory (tenant) ID Tenant ID
    Application (client) ID Client ID

    Certificates & Secrets

    Value

    Client Secret
    Previous
    Next