wmichael, Staff
Article Id 351591
Description: This article describes how to configure auto-connect to IPsec VPN using Entra ID logon session information with multiple user groups applied in the firewall policies, instead of configuring a single group on the IPsec tunnel itself.
Scope: FortiGate v7.2.9, v7.4.4, and v7.6.0 with FortiClient EMS v7.2.3 or later.
Solution

Support for auto-connecting to IPsec VPN using Microsoft Entra ID was added in FortiOS v7.2.8 and v7.4.2, together with FortiClient EMS v7.2.3. See the corresponding release notes:

- FortiOS 7.2.8: Support for autoconnect to IPsec VPN using Microsoft Entra ID
- FortiOS 7.4.2: Support for autoconnect to IPsec VPN using Microsoft Entra ID
- FortiClient EMS 7.2.3: Support autoconnect to IPsec VPN using Entra ID logon session information

The ability to use multiple user groups in the firewall policies (rather than one group bound to the tunnel) was added in FortiOS v7.2.9, v7.4.4, and v7.6.0. On earlier builds the group must be set on the phase1 with 'authusrgrp', which limits the tunnel to a single group.

  1. Configure the Microsoft Graph external identity provider (named 'msgraph' in this example). It is referenced later as the member and match server of each user group:

    config user external-identity-provider
        edit "msgraph"
            set type ms-graph
            set version v1.0
        next
    end

  2. Configure the IPsec phase1 with 'azure-ad-autoconnect' enabled and without the 'authusrgrp' setting. When 'authusrgrp' is left unset, group enforcement moves from the tunnel to the firewall policies:

    config vpn ipsec phase1-interface
        edit "RemoteAccess"
            set type dynamic
            set interface "port1"
            set ike-version 2
            set peertype any
            set net-device disable
            set mode-cfg enable
            set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
            set dhgrp 21
            set childless-ike enable
            set azure-ad-autoconnect enable
            set ipv4-start-ip 192.168.100.1
            set ipv4-end-ip 192.168.100.255
            set dns-mode auto
            set save-password enable
            set client-auto-negotiate enable
            set client-keep-alive enable
            set psksecret <password>
        next
    end

 

If the tunnel has already been configured with the 'authusrgrp' setting, use 'unset' to remove the configured group; otherwise the tunnel-level group continues to gate every client before the policy groups are evaluated.

Example:

    config vpn ipsec phase1-interface
        edit "RemoteAccess"
            unset authusrgrp
        next
    end

  3. Configure two user groups, each matching a different group Object ID from Entra ID. Use the group's Object ID (the GUID shown in the Entra ID portal), not its display name:

    config user group
        edit "group1"
            set member "msgraph"
            config match
                edit 1
                    set server-name "msgraph"
                    set group-name "<Group Object id>"
                next
            end
        next
        edit "group2"
            set member "msgraph"
            config match
                edit 1
                    set server-name "msgraph"
                    set group-name "<Group Object id>"
                next
            end
        next
    end

  4. Configure firewall policies from the tunnel interface, each using one of the groups configured above. Because both policies use srcaddr 'all', service 'ALL' and dstaddr 'all', the group match is the only thing separating members of group1 (allowed to port9) from members of group2 (allowed to port10); tighten the address and service objects for production use:

    config firewall policy
        edit 1
            set srcintf "RemoteAccess"
            set dstintf "port9"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set groups "group1"
        next
        edit 2
            set srcintf "RemoteAccess"
            set dstintf "port10"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set groups "group2"
        next
    end
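To verify that a connected client is placed in the intended policy, check the tunnel state and the authenticated user list from the FortiGate CLI. This verification sequence is an added example and is not part of the original article; it assumes the phase1 name 'RemoteAccess' from the configuration above and a test user who is a member of only one of the two Entra ID groups.

```text
# Confirm the dynamic tunnel is up and the client received a mode-config
# address from the 192.168.100.0/24 pool
diagnose vpn ike gateway list name RemoteAccess

# List authenticated users; the VPN client's entry should show the user group
# (group1 or group2) that matched the Entra ID group Object ID
diagnose firewall auth list

# If the client connects but matches no policy, trace the group lookup in the
# authentication daemon (assumption: the ms-graph lookup is logged by fnbamd),
# reconnect the client, then stop the trace
diagnose debug application fnbamd -1
diagnose debug enable
# ... reconnect the client and observe the group match result ...
diagnose debug disable
diagnose debug reset
```

A user who is a member of both Entra ID groups will appear in both FortiGate groups and can match either policy; policy order (policy 1 before policy 2) then decides which destination interface the traffic is allowed to reach.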
