FortiCloud Products
hwen
Staff
Article Id 301438
Description

 

This article describes the migration process for existing FortiWeb Cloud MSSP tenants to the new FortiCloud Organization (OU).

 

Scope

 

FortiWeb Cloud.

 

Solution

 

There are two options for migrating tenants to FortiCloud OU.

 

Option 1: New Member Account (Recommended):

  • Create an Organization and add new member accounts to the organization. Each account is a separate tenant.
  • Log in to the FortiCloud organization portal and create an organization. See Creating an organization for detailed instructions.

  • Select Services in the top navigation bar, and go to Organizations.

 


  • On the left-side navigation bar, choose the Organization/SubOU to create new member accounts, and select the New Member Account button located on the right side of the page.

 


  • In the New Member Account pop-up window, enter the necessary information to create new member accounts for the tenants. Use the email addresses linked to the tenants' FortiWeb Cloud accounts to create these new accounts.

 


If a tenant no longer has access to the email associated with their FortiWeb Cloud account, it is possible to create their FortiCloud account using a generated dummy email address by leaving the 'I want to use a real email' checkbox unchecked.

 

Note:

Member accounts created with dummy email addresses have reduced functionality compared to accounts created with real email addresses.

For example, accounts with real email addresses can set a password to log in to the FortiCloud organization portal via the Email Login option. Member accounts created with dummy email addresses can only be accessed via the IAM user that created them.

 

  1. Request tenants to confirm account creation via email: After a new member account has been successfully created, the tenant will receive an email notification about the newly created account. This email will contain a link that allows them to reset their password. Once they have reset their password, they will be able to log in to their account.

 

  1. Create IAM users for former admin users of each tenant: See Adding IAM users for detailed instructions.
    This step is only necessary if the tenant's root account has admin accounts associated with it. The FortiWeb Cloud team cannot automatically migrate the accounts because the admin accounts are now created in FortiCloud instead of FortiWeb Cloud. It would be necessary to log in to the FortiCloud accounts and then create IAM users with the appropriate permissions to access different parts of the FortiWeb Cloud user interface (as defined by the old Role Management page in FortiWeb Cloud).
    Note that this step does not necessarily have to be done at this point. It is possible to first finish all the other migration steps, and then log in to FortiCloud later to perform this step.

 

  1. Once member accounts have been created for all tenants, notify the contact person in the FortiWeb Cloud team. The records will be modified in the backend database, transferring all contracts and data, including applications, attack logs, and event logs, to the newly created accounts. This process is expected to take approximately 2-3 days.

 

Option 2: Invitation Tokens:

  • Request tenants to create FortiCloud accounts through the FortiCloud organization portal. It is recommended that tenants register to create a FortiCloud Account using the email address that is associated with their FortiWeb Cloud account. If the tenant no longer has access to the email associated with their FortiWeb Cloud account, it is possible to notify the contact person in the FortiWeb Cloud team to manually establish the connection between the two accounts.

 

As creating a FortiCloud account requires email address verification, it is not directly possible to assist tenants in creating accounts.

  1. Create an organization and generate Invitation Tokens.

 


 

  • It is possible to select the Organization the token provides membership to, customize the Token Expiry Date, and leave a Comment to help track the tokens. The comment will not be displayed to the tenant that receives the invitation. By default, one token is generated for the selected Organization. When the option to Generate a separate token for each SubOU is enabled, tokens are created for each SubOU under the selected Organization.

 


  • Manually send the tenants the generated token(s). Ask the tenants to follow the steps below to join your organization:
  1. Log in to their FortiCloud account (the account they created in step 1).
  2. Select Join Organization from the landing page.
  3. Enter the token you provided in the Invitation Token field, along with other relevant information on each page of the Join Organization procedure.
  4. For more information on joining Organizations, see Joining an Organization.

 

  • Approve tenants' join requests once they have entered the token(s) to join the organization. For more information, see Invitation Approval.
  1. Create IAM users for former admin users of each tenant. See Adding IAM users for detailed instructions.
    This step is only necessary if the tenant's root account has admin accounts associated with it. The FortiWeb Cloud team cannot automatically migrate the accounts because the admin accounts are now created in FortiCloud instead of FortiWeb Cloud. It would be necessary to log in to the FortiCloud accounts and then create IAM users with the appropriate permissions to access different parts of the FortiWeb Cloud user interface (as defined by the old Role Management page in FortiWeb Cloud).
    Note that this step does not necessarily have to be done at this point. It is possible to first finish all the other migration steps, and then log in to FortiCloud later to perform this step.

  2. Once all tenants have been approved, notify the contact person in the FortiWeb Cloud team. The records will be modified in the backend database, transferring all contracts and data, including applications, attack logs, and event logs, to the newly created accounts. This process is expected to take approximately 2-3 days.

 

After the migration: 

The Tenant Management and Contract Management features in FortiWeb Cloud's MSSP Portal will no longer be in use, as their functions will be integrated into FortiCloud's Organizations and Asset Management sections.
The tenants' contacts will be automatically migrated to FortiCloud.

 

IAM Login:

Following migration to the OU (Organizational Unit), administrators should log in as the OU admin, an IAM user with "organization" type and permissions. Admins of tenant accounts should also log in as an IAM user.

 


To manage a specific application, select the account of the application owner during login.

 


To learn more about OUs and what it is possible to do with them, see Organizational Units (OU). For help managing assets, such as registering and assigning contracts, see Asset Management.

 

Member account login:

There are two types of tenant (member) accounts: those created with a real email address, and those created using a generated dummy email.

 

Real email address:

When a tenant's member account is created with their real email address, they will receive an email from registration@fortinet.com containing a password reset link.

Once the tenant sets their password, they will be able to log in to the FortiCloud organization portal via the Email Login option.

 


Generated (dummy) email address:

Member accounts created with dummy email addresses can only be accessed via the IAM (OU Admin) user that created them.

To log in to such a member account, follow the steps for IAM Login and select the desired member account when prompted.

 
