Prerequisites:
- The Microsoft Entra ID (Azure AD) domain(s) to allow, for example <domain.com>. Sign-ins to any tenant not in this list will be blocked.
- The directory (tenant) ID of the tenant that owns the restriction. It can be fetched from the Azure portal or with the public tool 'whatismytenantid.com'.
Configuration:

Step 1: Create an FQDN address for login.live.com. The other Microsoft sign-in FQDNs, 'login.microsoftonline.com', 'login.microsoft.com', and 'login.windows.net', exist as address objects by default on the FortiGate.

    config firewall address
        edit "live"
            set type fqdn
            set fqdn "login.live.com"
        next
    end

Step 2: Create a deep inspection profile by cloning the default 'deep-inspection' profile, and remove the 'live.com' FQDN from the exempt list of the clone. If login.live.com stays exempt, the TLS session is not decrypted and the proxy cannot insert the header for personal accounts.

Step 3: Create a URL filter for the Microsoft sign-in sites.

    config webfilter urlfilter
        edit 1
            set name "Microsoft"
            config entries
                edit 1
                    set url "login.microsoftonline.com"
                    set action allow
                next
                edit 2
                    set url "login.microsoft.com"
                    set action allow
                next
                edit 3
                    set url "login.windows.net"
                    set action allow
                next
                edit 4
                    set url "login.live.com"
                    set action allow
                next
            end
        next
    end

Step 4: Create a web filter profile that uses the URL filter.

    config webfilter profile
        edit "Microsoft"
            set feature-set proxy
            config web
                set urlfilter-table 1
            end
        next
    end

Step 5: Create a web proxy profile that inserts the Microsoft tenant restriction headers. The header names must be exactly the ones Microsoft evaluates: 'Restrict-Access-To-Tenants' (comma-separated list of allowed tenant domains) and 'Restrict-Access-Context' (directory ID of the tenant that owns the policy) for the Entra ID sign-in hosts, and 'sec-Restrict-Tenant-Access-Policy: restrict-msa' for login.live.com to block consumer (personal) Microsoft accounts. These are the names that appear in the WAD debug output further below.
    config web-proxy profile
        edit "Microsoft-Restriction"
            set header-client-ip pass
            set header-via-request pass
            set header-via-response pass
            set header-x-forwarded-for pass
            set header-x-forwarded-client-cert pass
            set header-front-end-https pass
            set header-x-authenticated-user pass
            set header-x-authenticated-groups pass
            set strip-encoding disable
            set log-header-change disable
            config headers
                edit 1
                    set name "Restrict-Access-To-Tenants"
                    set dstaddr "login.microsoft.com" "login.microsoftonline.com" "login.windows.net"
                    set action add-to-request
                    set base64-encoding disable
                    set add-option new
                    set protocol https http
                    set content "<domain>"
                next
                edit 2
                    set name "Restrict-Access-Context"
                    set dstaddr "login.microsoftonline.com" "login.microsoft.com" "login.windows.net"
                    set action add-to-request
                    set base64-encoding disable
                    set add-option new
                    set protocol https http
                    set content "<directory_ID>"
                next
                edit 3
                    set name "sec-Restrict-Tenant-Access-Policy"
                    set dstaddr "live"
                    set action add-to-request
                    set base64-encoding disable
                    set add-option new
                    set protocol https http
                    set content "restrict-msa"
                next
            end
        next
    end

Note: If additional domains (tenants) need to be allowed, list them in a single 'set content' value separated by commas, and quote the value so that the CLI keeps it as one string. Microsoft applies the restriction to every domain in the list.
    config web-proxy profile
        edit "Microsoft-Restriction"
            set log-header-change disable
            config headers
                edit 1
                    set name "Restrict-Access-To-Tenants"
                    set content "<domain1>,<domain2>,<domain3>"
                next
                edit 2
                    set name "Restrict-Access-Context"
                    set content "<directory_ID1>,<directory_ID2>,<directory_ID3>"
                next
            end
        next
    end

Caveat: Microsoft documents 'Restrict-Access-Context' as a single directory ID, the tenant that sets the policy; in practice one value is sufficient there, while 'Restrict-Access-To-Tenants' is the header that takes the list of allowed tenant domains.

Step 6: Create a firewall policy. The policy must be in proxy inspection mode, and the SSL/SSH profile must be the clone created in Step 2 (use whatever name was chosen for it). The restriction only applies to traffic that traverses this policy: any path to the Microsoft sign-in hosts that bypasses the FortiGate, or that is not decrypted, is not restricted.

    config firewall policy
        edit 0
            set name "New"
            set srcintf "port1"
            set dstintf "port2"
            set action accept
            set srcaddr "LAN"
            set dstaddr "login.microsoft.com" "login.microsoftonline.com" "login.windows.net" "live"
            set service "HTTP" "HTTPS"
            set utm-status enable
            set inspection-mode proxy
            set webproxy-profile "Microsoft-Restriction"
            set ssl-ssh-profile "clone of Deep-inspection"
            set webfilter-profile "Microsoft"
            set logtraffic all
            set nat enable
            set schedule always
        next
    end

Initiate a test connection to login.microsoftonline.com using a personal Outlook account. Microsoft rejects the sign-in and shows an error page stating that access is blocked.
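To reason about what the profile above does per destination host, the following Python model is added here as an example; it is not FortiGate or Microsoft code. It reproduces the decision made by the 'Microsoft-Restriction' header rules (which hosts get which header, how a comma-separated list is built, what 'add-option new' does to a client-supplied value), so the expected headers can be predicted before a WAD capture is taken. The tenant domains and directory ID in the demo are constructed placeholders.

```python
"""Reference model of the header insertion configured in Steps 5 and 6.

Added example for this article; it is not FortiGate or Microsoft code.
It reproduces the decision the 'Microsoft-Restriction' web-proxy profile
makes for each destination host, so the headers a client should see can
be predicted and compared with a WAD dump. The tenant domains and the
directory ID used in the demo are constructed placeholders.
"""
from dataclasses import dataclass

# Hosts matched by 'dstaddr' of header rules 1 and 2 (Entra ID sign-in).
ENTRA_LOGIN_HOSTS = frozenset({
    "login.microsoftonline.com", "login.microsoft.com", "login.windows.net",
})
# Host behind the 'live' FQDN address of header rule 3 (consumer accounts).
MSA_LOGIN_HOSTS = frozenset({"login.live.com"})


def csv_value(values):
    """Build the comma-separated list Microsoft expects in the tenant headers.

    Whitespace around items is dropped, so 'a.com, b.com' and 'a.com,b.com'
    yield the same wire value; empty items are ignored.
    """
    items = [v.strip() for v in values if v and v.strip()]
    if not items:
        raise ValueError("a tenant restriction header needs at least one value")
    return ",".join(items)


@dataclass(frozen=True)
class TenantRestriction:
    allowed_domains: tuple   # 'set content' of the Restrict-Access-To-Tenants rule
    directory_ids: tuple     # 'set content' of the Restrict-Access-Context rule
    block_msa: bool = True   # whether rule 3 (restrict-msa) exists

    def headers_for(self, host):
        """Headers the proxy adds to a request whose Host header is `host`."""
        host = host.strip().lower().rsplit(":", 1)[0]   # drop an explicit port
        added = {}
        if host in ENTRA_LOGIN_HOSTS:
            added["Restrict-Access-To-Tenants"] = csv_value(self.allowed_domains)
            added["Restrict-Access-Context"] = csv_value(self.directory_ids)
        elif host in MSA_LOGIN_HOSTS and self.block_msa:
            added["sec-Restrict-Tenant-Access-Policy"] = "restrict-msa"
        return added   # any other host: nothing is inserted


def forward(policy, request_headers):
    """Header set the origin receives after 'add-to-request' / 'add-option new'.

    'new' always adds the header. This model keeps one value per name, so a
    value the client supplied itself is overwritten by the proxy's value.
    """
    out = dict(request_headers)
    host = next((v for k, v in out.items() if k.lower() == "host"), "")
    out.update(policy.headers_for(host))
    return out


if __name__ == "__main__":
    policy = TenantRestriction(("corp.example", "corp2.example"),
                               ("00000000-0000-0000-0000-000000000001",))
    for host in ("login.microsoftonline.com", "login.live.com", "outlook.office.com"):
        print(f"{host}: {policy.headers_for(host)}")
```

Run it as a script to print the headers per host; the point to notice is that a request to any host outside the four sign-in endpoints leaves the proxy untouched, which is why the firewall policy in Step 6 only needs those destinations.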
To verify the header insertion for corporate domains and personal accounts:

- On the FortiGate, start the WAD debugs. WAD debug logs can generate a large amount of output and can impact device performance; it is highly recommended to use as many filters as possible to narrow down the lines the WAD daemon generates (at a minimum, the client source IP).

    diagnose debug disable
    diagnose debug reset
    diagnose wad filter clear
    diagnose wad filter src x.x.x.x      <----- x.x.x.x is the client IP address.
    diagnose wad debug enable category http
    diagnose wad debug enable level verbose
    diagnose wad filter list
    diagnose wad debug show
    diagnose debug enable

  To stop the debugging:

    diagnose debug disable
    diagnose wad filter clear
    diagnose debug reset

- While logging in with a corporate Outlook email ID (such as one in the fortinet-us.com domain), the following WAD debug output containing the inserted domain name will appear:
    [I][p:234][s:2481][r:33] wad_dump_fwd_http_req :2567 hreq=0x7fc75f0cd468 Forward request to server:
    POST /common/GetCredentialType?mkt=en-US HTTP/1.1
    Host: login.microsoftonline.com
    Connection: keep-alive
    Content-Length: 1961
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="101", "Google Chrome";v="101"
    hpgrequestid: d7f706a8-1143-4cdd-ad52-1cc69dc7bb00
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
    client-request-id: 5c3d196d-5939-45cc-a45b-232b9ed13fce
    ........
    Restrict-Access-To-Tenants: fortinet-us.com
    Restrict-Access-Context: ********-****-452f-8535-************

    HTTP/1.1 200 OK
    ........
    referrer-policy: strict-origin-when-cross-origin
    content-security-policy-report-only: object-src 'none'; base-uri 'self'; script-src 'self' 'nonce-hsgkM-_lkmX6zKmHi0v8kw' 'unsafe-inline' 'unsafe-eval' https://*.msauth.net https://*.msftauth.net https://*.msftauthimages.net https://*.msauthimages.net https://*.msidentity.com https://*.microsoftonline-p.com https://*.microsoftazuread-sso.com https://*.azureedge.net https://*.outlook.com https://*.office.com https://*.office365.com https://*.microsoft.com https://*.bing.com 'report-sample'; report-uri https://csp.microsoft.com/report/ESTS-UX-All
    cross-origin-opener-policy-report-only: same-origin; report-to="coop-endpoint"
    reporting-endpoints: coop-endpoint="https://idux.azurewebsites.net/api/coopReport"
    x-xss-protection: 0

- When trying a personal Outlook account, the request forwarded to login.live.com carries the inserted 'sec-Restrict-Tenant-Access-Policy: restrict-msa' header; that inserted request header is the evidence that the restriction was applied. The login.live.com response in this capture also shows 'X-XSS-Protection: 1; mode=block' where login.microsoftonline.com returned 'x-xss-protection: 0', but that is a browser hardening header set by the Microsoft endpoint itself and does not indicate that the tenant restriction took effect.
    [I][p:234][s:2519][r:34] wad_dump_fwd_http_req :2567 hreq=0x7fc75f0ce6a8 Forward request to server:
    GET /oauth20_authorize.srf?client_id=4765445b-32c6-49b0-83e6-1d93765276ca&scope=openid+profile+https%3a%2f%2fwww.office.com%2fv2%2fOfficeHome.All&redirect_uri=https%3a%2f%2fwww.office.com%2flandingv2&response_type=code+id_token&state=7tAtndYhcA3132S--UOTyLVEtyIZs8FgndTpeYM9mJ1EeA-X5nfqrSalnnPH41cHxfHGug6N5cbliK676v6xZgszgH_JARVKrptZwBvjI2cbnZ4mttYNNdK1FTlbEtu5VBjgtBOX2u6v3F_9g7UikCpGTnBRGhvO2pyTndT3EEIyAHvhg9LsKRtY3kxce8dQkfk1iDjLcc3q-01r4rpxSx2xZSbwg_KkAN3kCRQ9uLfE0ziHAcpvunuKmzGBWKnBhC4sJJkXrMEfXwCg4nsOjg&response_mode=form_post&nonce=637877163655610380.MjNjZmM4NzQtOTU5My00OGZlLTk0NTItZTE5NDU2YjVlODdjNjViOTQwYmUtOTZlMS00M2Y5LTkyN2MtN2QyMjgwNjcxY2Uz&x-client-SKU=ID_NETSTANDARD2_0&x-client-Ver=6.12.1.0&uaid=5c3d196d593945cca45b232b9ed13fce&msproxy=1&issuer=mso&tenant=common&ui_locales=en-US&epct=AQABAAAAAAD--DLA3VO7QrddgJg7WevrfA6SLaDsJUcjb1Bg9OKonF3d_lfNJsdDAIH5hlJdUSGejEBIqsko-A7JX67PzaGdEJgOIGa37VhJzGTYBZ-KgATe9FHssnNmLjM_dojr0dAT83xDhiqQTN2-UcYdcP2s3vPainF7Nqes5ecXRaEoE9Vw9-sN7jfASOkPRWW03aI6buz0niABvA860YOWDb98vdJWPGkWEeuDr6n8_zI5iAA&jshs=0&username=****************%40outlook.com&login_hint=***************%40outlook.com HTTP/1.1
    Host: login.live.com
    Connection: keep-alive
    ..............
    Referer: https://login.microsoftonline.com/
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
    sec-Restrict-Tenant-Access-Policy: restrict-msa

    HTTP/1.1 200 OK
    ...............
    Referrer-Policy: strict-origin-when-cross-origin
    x-ms-route-info: C533_BAY
    x-ms-request-id: 8f76b817-5512-43f4-bcf9-6cf8b94d3883
    PPServer: PPV: 30 H: PH1PEPF00011E91 V: 0
    X-Content-Type-Options: nosniff
    Strict-Transport-Security: max-age=31536000
    X-XSS-Protection: 1; mode=block

Related document: Restricted SaaS access
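Reading the inserted headers out of a verbose WAD capture by eye is error-prone, so the following Python checker is added here as an example (it is not Fortinet code). It parses the 'Forward request to server:' dumps in the format shown above and reports, for each request to a Microsoft sign-in host, whether the header the Step 5 profile should have inserted is present with the expected value. SAMPLE_DEBUG is constructed for the example from the shape of the real output: one correct request to login.microsoftonline.com, one correct request to login.live.com, and one request to login.windows.net that the proxy left untouched; the tenant domain and directory ID in it are placeholders.

```python
"""Check a WAD HTTP debug capture for the tenant-restriction headers.

Added example for this article, not Fortinet code. It parses the
'Forward request to server:' dumps written by 'diagnose wad debug enable
category http' and reports, per Microsoft sign-in host, whether the header
the Step 5 profile should have inserted is present with the expected value.
SAMPLE_DEBUG is constructed for the example; tenant and directory ID values
in it are placeholders.
"""
import re

TENANT_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.windows.net"}
MSA_HOSTS = {"login.live.com"}

# A forwarded request runs from the marker to the blank line that ends the
# request headers, or to a response status line if truncation ate the blank.
_FWD_RE = re.compile(
    r"Forward request to server:\s*\n(?P<req>.*?)(?=\n\s*\n|\nHTTP/\d\.\d |\Z)",
    re.S,
)

# Constructed sample capture (three forwarded requests, hreq values dummy).
SAMPLE_DEBUG = """\
[I][p:234][s:2481][r:33] wad_dump_fwd_http_req :2567 hreq=0x0 Forward request to server:
POST /common/GetCredentialType?mkt=en-US HTTP/1.1
Host: login.microsoftonline.com
Connection: keep-alive
Restrict-Access-To-Tenants: corp.example
Restrict-Access-Context: 00000000-0000-0000-0000-000000000001

HTTP/1.1 200 OK
x-xss-protection: 0

[I][p:234][s:2519][r:34] wad_dump_fwd_http_req :2567 hreq=0x0 Forward request to server:
GET /oauth20_authorize.srf?tenant=common HTTP/1.1
Host: login.live.com
Referer: https://login.microsoftonline.com/
sec-Restrict-Tenant-Access-Policy: restrict-msa

HTTP/1.1 200 OK
X-XSS-Protection: 1; mode=block

[I][p:234][s:2530][r:35] wad_dump_fwd_http_req :2567 hreq=0x0 Forward request to server:
POST /common/oauth2/token HTTP/1.1
Host: login.windows.net
Connection: keep-alive

HTTP/1.1 200 OK
"""


def parse_forwarded_requests(debug_text):
    """Yield (request_line, headers) per forwarded request; names lower-cased."""
    for m in _FWD_RE.finditer(debug_text):
        lines = [l for l in m.group("req").splitlines() if l.strip()]
        if not lines:
            continue
        headers = {}
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if sep:   # lines without a colon (e.g. '........' truncation) are skipped
                headers[name.strip().lower()] = value.strip()
        yield lines[0].strip(), headers


def check_capture(debug_text, allowed_domains, directory_id):
    """Return (host, request_line, problems) for each Microsoft sign-in request.

    An empty problems list means the proxy inserted exactly what the profile
    in Step 5 should insert for that host.
    """
    allowed = {d.strip().lower() for d in allowed_domains}
    findings = []
    for request_line, h in parse_forwarded_requests(debug_text):
        host = h.get("host", "").lower().rsplit(":", 1)[0]
        problems = []
        if host in TENANT_HOSTS:
            sent = {t.strip().lower()
                    for t in h.get("restrict-access-to-tenants", "").split(",") if t.strip()}
            if not sent:
                problems.append("Restrict-Access-To-Tenants missing")
            else:
                if sent - allowed:
                    problems.append("Restrict-Access-To-Tenants has unexpected tenants: "
                                    + ",".join(sorted(sent - allowed)))
                if allowed - sent:
                    problems.append("Restrict-Access-To-Tenants lacks: "
                                    + ",".join(sorted(allowed - sent)))
            if h.get("restrict-access-context", "").lower() != directory_id.lower():
                problems.append("Restrict-Access-Context missing or wrong")
        elif host in MSA_HOSTS:
            if h.get("sec-restrict-tenant-access-policy", "").lower() != "restrict-msa":
                problems.append("sec-Restrict-Tenant-Access-Policy missing or not restrict-msa")
        else:
            continue   # not a sign-in endpoint; the policy inserts nothing there
        findings.append((host, request_line, problems))
    return findings


if __name__ == "__main__":
    for host, req, problems in check_capture(SAMPLE_DEBUG, ["corp.example"],
                                             "00000000-0000-0000-0000-000000000001"):
        print(host, "OK" if not problems else "; ".join(problems))
```

Feed it the text saved from 'diagnose wad debug' with your own tenant domain list and directory ID; a request to login.windows.net or login.microsoft.com with an empty problems list on login.microsoftonline.com but problems elsewhere usually means the firewall policy or the 'dstaddr' of a header rule does not cover all four sign-in hosts.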