Technical Tip: How to enable ZTNA resource access through a Microsoft Entra ID domain
| Description | This article describes how a Windows user can access a ZTNA resource through a Microsoft Entra ID domain by using the same LDP login. |
| Scope | FortiOS 7.6.3. |
| Solution | A user or FortiClient endpoint managed by the Windows domain can access ZTNA resources automatically through the new authentication scheme method entra-sso, which authenticates the ZTNA session against the user's existing Entra ID session. Use the following configuration to achieve this. |

Define the external identity provider that points at Microsoft Graph:

```
config user external-identity-provider
    edit "Test_EIP"
        set type ms-graph
        set version v1.0
    next
end
```

Create an authentication scheme that uses the entra-sso method and references the identity provider:

```
config authentication scheme
    edit "test123"
        set method entra-sso    <----- Select this option.
        set external-idp "Test_EIP"
    next
end
```

Create an authentication rule that applies the scheme as the SSO authentication method:

```
config authentication rule
    edit "1"
        set srcaddr "all"
        set dstaddr "all"
        set sso-auth-method "test123"
    next
end
```

Create a user group whose member is the identity provider:

```
config user group
    edit "Test_group"
        set member "Test_EIP"
    next
end
```

Finally, reference the group in a proxy policy for the access proxy:

```
config firewall proxy-policy    <----- Make sure it is a proxy policy, not a standard policy.
    edit 1
        set proxy access-proxy
        set access-proxy "abc"
        set srcintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set logtraffic all
        set groups "Test_group"
    next
end
```
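The five blocks above only work together when their cross-references line up: the rule must name a scheme whose method is entra-sso, that scheme must point at an ms-graph identity provider, and the proxy policy must reference a group that contains that same provider. The following is an added example, not part of the original article and not a Fortinet tool: a small parser for single-level FortiOS CLI blocks plus a consistency check of exactly that chain. The object names ("Test_EIP", "test123", "Test_group", "abc") are the ones used in the article, and SAMPLE_CONFIG is a copy of its listing; the parser assumes well-formed `config ... edit ... set ... next end` blocks and ignores the article's `<-----` annotations.

```python
"""Cross-reference check for the FortiOS entra-sso configuration shown above.
Added example (not from the article or Fortinet): parses single-level CLI blocks
and verifies rule -> scheme (entra-sso) -> ms-graph EIP and proxy-policy -> group
-> that same EIP. Object names are the article's; SAMPLE_CONFIG copies its listing.
"""
import shlex

SAMPLE_CONFIG = """
config user external-identity-provider
    edit "Test_EIP"
        set type ms-graph
        set version v1.0
    next
end
config authentication scheme
    edit "test123"
        set method entra-sso
        set external-idp "Test_EIP"
    next
end
config authentication rule
    edit "1"
        set srcaddr "all"
        set dstaddr "all"
        set sso-auth-method "test123"
    next
end
config user group
    edit "Test_group"
        set member "Test_EIP"
    next
end
config firewall proxy-policy
    edit 1
        set proxy access-proxy
        set access-proxy "abc"
        set srcintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set logtraffic all
        set groups "Test_group"
    next
end
"""


def parse_fortios(text):
    """Return {table: {entry: {key: [values]}}} for well-formed single-level blocks."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.split("<-----", 1)[0].strip()  # drop the article's arrow annotations
        if not line:
            continue
        tok = shlex.split(line)  # strips the quotes around names and values
        if tok[0] == "config":
            table = " ".join(tok[1:])
            tables.setdefault(table, {})
        elif tok[0] == "edit":
            entry = tables[table].setdefault(tok[1], {})
        elif tok[0] == "set":
            entry[tok[1]] = tok[2:]
        # 'next' and 'end' need no handling: the next 'edit'/'config' starts fresh
    return tables


def check_entra_sso(cfg):
    """Return a list of problems; an empty list means the references line up."""
    problems, t = [], lambda name: cfg.get(name, {})
    eips, schemes = t("user external-identity-provider"), t("authentication scheme")

    # Authentication path: rule -> scheme with method entra-sso -> ms-graph EIP.
    auth_eips = set()
    for name, rule in t("authentication rule").items():
        scheme = schemes.get(rule.get("sso-auth-method", [None])[0], {})
        if scheme.get("method") != ["entra-sso"]:
            problems.append(f"rule {name}: sso-auth-method is not an entra-sso scheme")
        idp = scheme.get("external-idp", [None])[0]
        if eips.get(idp, {}).get("type") == ["ms-graph"]:
            auth_eips.add(idp)
        else:
            problems.append(f"rule {name}: external-idp {idp!r} is not an ms-graph EIP")

    # Authorization path: proxy-policy -> user group -> member EIP from the path above.
    policies, groups = t("firewall proxy-policy"), t("user group")
    if not policies:
        problems.append("no firewall proxy-policy found (a standard firewall policy will not work)")
    for pid, pol in policies.items():
        if pol.get("proxy") != ["access-proxy"] or not pol.get("access-proxy"):
            problems.append(f"proxy-policy {pid}: needs 'set proxy access-proxy' and an access-proxy")
        members = {m for g in pol.get("groups", []) for m in groups.get(g, {}).get("member", [])}
        if not members & auth_eips:
            problems.append(f"proxy-policy {pid}: no group member matches the entra-sso EIP")
    return problems


print(check_entra_sso(parse_fortios(SAMPLE_CONFIG)) or "OK: references line up")
```

Paste a `show` dump of the five tables into SAMPLE_CONFIG (or read it from a file) and the check reports which link of the chain is broken, for example a scheme still set to a non-entra-sso method or a proxy policy whose group does not contain the identity provider.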
