The objective of this configuration example is to provide three Entra ID users three distinct EMS admin roles, with the Azure domain being fortitest.net:

The user test is a member of the RestrictedAdminGroup security group in the Entra ID and anyone who is part of this group will be able to login to EMS with the Restricted Administrator role in EMS:

1. First, perform the EMS configuration: EMS -> Administration -> SAML SSO -> Add -> enter the values according to the screenshots below. 

In this example, the Identity Provider Settings configurations will be completed later.

Fill in the Access Control section based on the table above, as demonstrated in the image below. Under the Rule column, enter the Entra ID users, but for the RestrictedAdminGroup security group, enter its object ID instead. Under the Role column, assign the corresponding user and group roles accordingly. 

2. Login to portal.azure.com -> Enterprise applications -> 'Create your own application' -> name it -> Create.

3. Navigate to Users and groups -> add users superadmin, readonlyadmin and the RestrictedAdminGroup security group.

4. Select Single sign-on -> SAML -> Basic SAML Configuration -> Edit -> select Add identifier under Identifier (Entity ID) -> copy EMS SP Entity ID value and paste it here -> select Add reply URL under 
   Reply URL (Assertion Consumer Service URL) -> copy EMS SP ACS (login) URL value and paste it here, as well as under Sign on URL (Optional) -> Save.

 

5. Under Single sign-on -> Attributes & Claims -> Edit -> delete all default Additional claims -> select Add new claim on top-left -> enter the value username as Name -> enter the value user.userprincipalname as Source attribute -> Save -> select Add a group claim on top -> select All groups -> expand the Advanced options -> check Customize the name of the group claim and enter the value group for Name (required) -> Save.

 

6. Under Single sign-on -> navigate to number 4 Set up EMS_SAMLSSO -> copy Microsoft Entra Identifier value and paste it in EMS IdP Entity ID -> copy Logout URL value and paste it in EMS IdP single sign-on URL -> navigate to number 3  SAML  Certificate ->  download Certificate (Base64) -> import it in EMS as IdP Certificate.

 

 

The image below shows overall configurations of EMS and its corresponding Entra ID at a glance:

  

 

Attempt to login to EMS with three different Entral ID users. First, enter superadmin@fortitest.net:

 

 

 

After successfully authenticating against Microsoft Azure, EMS login page will show up and since the user is a Super Administrator, can see the Backup and Restore options under System Information along with all menus:

 

 

Now, login with the user readonlyadmin, and since this user is Read-only Administrator, there are no Backup and Restore options under System Information, but all menus are still visible without letting the user change any configuration:

 

 

Finally, login with the user test, and since this user is a Restricted Administrator, only limited options are available for this user:

 

 

These administrators can be removed in FortiClient EMS by selecting the Delete option under Administration -> Admin Users, although the roles cannot be altered.