FortiClient
fatihseyligli
Article Id 372019
Description This article describes how to resolve the Microsoft Graph authentication errors that occur when integrating FortiClient EMS with Azure AD/Entra ID: an incorrectly entered client secret, and missing or misconfigured application permissions on the app registration.
Scope FortiClient EMS, FortiClient EMS Cloud.
Solution

When Microsoft Entra ID is configured in FortiClient EMS, EMS authenticates with the app registration's credentials and makes API calls against Microsoft Graph. Two errors are commonly seen at this point:

 

Authentication failed: invalid_client

[Screenshot 1.png: the invalid_client error]

This error is returned when the Client Secret Value was not entered correctly in EMS (typically the Client Secret ID was pasted instead of the Value).

 

Authentication failed. Application permissions are missing: error checking application permissions for endpoint https://graph.microsoft.com "Error: http.GET" Return status: 403 Forbidden

[Screenshot 2.png: the 403 Forbidden error]

This error indicates that the application permissions the app registration needs are missing, were granted as delegated rather than application permissions, or have not received admin consent.

 

Root Causes:

  • The invalid_client error was caused by entering the Client Secret ID instead of the Client Secret Value in the EMS configuration. The Secret Value must always be used. It is displayed only once, immediately after the secret is created, so it must be copied at that time; if it was not, a new client secret has to be created.
  • The 403 Forbidden error was caused by granting the Microsoft Graph permissions as delegated permissions instead of application permissions. EMS authenticates as the application itself, with no signed-in user, so only application permissions apply to its API calls.

 

Resolution:

Issue 1: Resolving the 'invalid_client' error.

  • Use the Client Secret Value (not the Client Secret ID) in the FortiClient EMS configuration.
  • To obtain the Client Secret Value from the app registration:
    • Go to Azure Active Directory (Microsoft Entra ID) -> App registrations.
    • Choose the app registration used for FortiClient EMS.
    • Select the Certificates & secrets tab and copy the Value column of the client secret (not the Secret ID column). If the Value is no longer displayed, select New client secret, create a new one, and copy its Value immediately.
    • Update the FortiClient EMS configuration with this value and save the settings.

 

Issue 2: Resolving the '403 Forbidden' error.

  1. Check the existing permissions:
  • Log in to the Azure Portal.
  • Select Azure Active Directory (Microsoft Entra ID) -> App registrations.
  • Find the app registration created for the integration with FortiClient EMS.
  • Open the API permissions tab.
  • Review the list of permissions. Every permission required by EMS must be of type Application, not Delegated, and its Status must show that admin consent has been granted.

  2. Assign the necessary application permissions:
  • In the API permissions tab, select Add a permission.
  • Select Microsoft Graph.
  • Select Application permissions.
  • Search for and add the following permissions:
    • User.Read.All.
    • Directory.Read.All (optional, if additional access to the directory is required).
    • Any other permission that the integration requires (refer to the FortiClient EMS documentation for the current list).
  • Select Add permissions.
  • After adding the permissions, select Grant admin consent for the tenant so the app can use them. If prompted, confirm the action.

 

Important Notes:

  • Entra ID subscription type: FortiClient EMS only supports commercial Entra ID tenants. Tenants of other types, such as GCC, GCC High, or EDU, are not supported.
  • Delegated vs. application permissions:
    • Delegated permissions require a signed-in user and act on behalf of that user; they cannot be used by a service such as EMS that authenticates with only a client ID and secret.
    • Application permissions allow the app to act as itself, independent of any user; this is the type EMS requires.
    • Always grant admin consent after adding or changing permissions. Application permissions are not effective until consent is granted, and the 403 error persists until then.
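The following script is an added example, not Fortinet's or Microsoft's code, that checks an app registration before it is entered into EMS. It runs the same OAuth2 client-credentials flow EMS uses and reproduces both failures from this article: a GUID pasted as the secret (the Secret ID rather than the Value) or an invalid_client response from the token endpoint, and a token whose 'roles' claim lacks the application permissions (delegated permissions would appear under 'scp', which a client-credentials token never carries). The tenant ID, client ID, secret and the environment-variable names are hypothetical; the required permission list is taken from the article (User.Read.All) and should be extended with whatever else the integration needs.

```python
"""Preflight check for the Entra ID app registration that FortiClient EMS uses.

Added example; not Fortinet's or Microsoft's code. Reproduces the two failures
from the article without EMS in the loop:
  invalid_client -> the client secret VALUE is wrong (e.g. the Secret ID was pasted)
  403 Forbidden  -> the token carries no application permissions ('roles' claim)
Assumptions (hypothetical): tenant id, client id and secret come from environment
variables; the required application permission is User.Read.All as in the article.
"""
import base64
import json
import os
import re
import sys
import urllib.error
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com"
REQUIRED_ROLES = ("User.Read.All",)  # from the article; extend as EMS requires
GUID_RE = re.compile(r"[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")


def secret_looks_like_id(secret):
    """A Secret ID is a GUID; a Secret Value is a random string (~40 chars)."""
    return GUID_RE.fullmatch(secret) is not None


def token_request(tenant_id, client_id, client_secret):
    """Build the client-credentials request (app-only, no signed-in user)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{GRAPH}/.default",  # .default = every consented app permission
    }).encode()
    return url, body


def jwt_claims(token):
    """Decode a JWT payload without verifying it; we only inspect the claims."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def make_unsigned_jwt(claims):
    """Constructed sample token (alg=none) for offline testing only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


def missing_roles(claims, required=REQUIRED_ROLES):
    """Application permissions show up in 'roles'; delegated ones in 'scp'.
    A client-credentials token never has 'scp', so an empty 'roles' means the
    registration only holds delegated permissions or consent was not granted."""
    return sorted(set(required) - set(claims.get("roles", [])))


def classify_error(status, body):
    """Map an HTTP failure onto the two EMS error messages from the article."""
    try:
        data = json.loads(body)
    except ValueError:
        data = {}
    if status in (400, 401) and data.get("error") == "invalid_client":
        return "invalid_client: wrong client secret Value (was the Secret ID pasted?)"
    if status == 403:  # Graph answers Authorization_RequestDenied
        return ("403 Forbidden: token lacks application permissions; grant them as "
                "Application (not Delegated) and grant admin consent")
    return f"unexpected HTTP {status}: {body[:200]}"


def preflight(tenant_id, client_id, client_secret):
    """Live check: obtain a token, inspect its roles, then call Graph once."""
    if secret_looks_like_id(client_secret):
        return "client secret is a GUID: that is the Secret ID, use the Value"
    url, body = token_request(tenant_id, client_id, client_secret)
    try:
        with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
            token = json.load(resp)["access_token"]
    except urllib.error.HTTPError as err:
        return classify_error(err.code, err.read().decode())
    missing = missing_roles(jwt_claims(token))
    if missing:
        return f"token has no application permission for {missing}: add them as Application permissions and grant admin consent"
    req = urllib.request.Request(f"{GRAPH}/v1.0/users?$top=1",
                                 headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req) as resp:
            return f"OK: Graph returned HTTP {resp.status}"
    except urllib.error.HTTPError as err:
        return classify_error(err.code, err.read().decode())


if __name__ == "__main__":
    cfg = [os.environ.get(k) for k in ("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET")]
    if not all(cfg):
        sys.exit("set TENANT_ID, CLIENT_ID and CLIENT_SECRET (hypothetical env vars)")
    print(preflight(*cfg))
```

Run it with the three environment variables set; a healthy registration prints "OK: Graph returned HTTP 200". If the token is issued but has an empty 'roles' claim, the registration has only delegated permissions or consent was never granted, which is exactly the state that produces the 403 in EMS. The secret-is-a-GUID check catches the invalid_client mistake before any network call is made.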

 

Related document:

Resolve Microsoft Graph authorization errors