Prerequisites:
- The tenant domain that should remain allowed: <domain.com>
- The directory (tenant) ID of that domain. It can be read from the Azure portal, or looked up with the public tool 'whatismytenantid.com'.
Configuration:
Step 1: Create an FQDN address object for login.live.com. The other Microsoft login sites, 'login.microsoftonline.com', 'login.microsoft.com' and 'login.windows.net', are available as predefined address objects in FortiGate.
config firewall address
    edit "live"
        set type fqdn
        set fqdn "login.live.com"
    next
end
Step 2: Create a deep inspection profile by cloning the default 'deep-inspection' profile, then remove the 'live.com' FQDN from the exempt list of the clone. Without this, traffic to login.live.com is not decrypted and the header for personal accounts in Step 5 can never be inserted.
Step 3: Create a URL filter for Microsoft sites.
config webfilter urlfilter
    edit 1
        set name "Microsoft"
        config entries
            edit 1
                set url "login.microsoftonline.com"
                set action allow
            next
            edit 2
                set url "login.microsoft.com"
                set action allow
            next
            edit 3
                set url "login.windows.net"
                set action allow
            next
            edit 4
                set url "login.live.com"
                set action allow
            next
        end
    next
end
Step 4: Create a webfilter profile.
config webfilter profile
    edit "Microsoft"
        set feature-set proxy
        config web
            set urlfilter-table 1
        end
    next
end
Step 5: Create a web proxy profile that inserts the tenant restriction headers. The 'set name' value of each entry is the HTTP header name sent to Microsoft, so it must match exactly: 'Restrict-Access-To-Tenants' (the permitted tenant domain; several domains can be given as a comma-separated list) and 'Restrict-Access-Context' (the directory ID of one of those tenants) for the Azure AD login hosts, and 'sec-Restrict-Tenant-Access-Policy: restrict-msa' for login.live.com to block personal Microsoft accounts. These are the header names that appear in the WAD debug output in the verification section.
config web-proxy profile
    edit "Microsoft-Restriction"
        set header-client-ip pass
        set header-via-request pass
        set header-via-response pass
        set header-x-forwarded-for pass
        set header-x-forwarded-client-cert pass
        set header-front-end-https pass
        set header-x-authenticated-user pass
        set header-x-authenticated-groups pass
        set strip-encoding disable
        set log-header-change disable
        config headers
            edit 1
                set name "Restrict-Access-To-Tenants"
                set dstaddr "login.microsoft.com" "login.microsoftonline.com" "login.windows.net"
                set action add-to-request
                set base64-encoding disable
                set add-option new
                set protocol https http
                set content "<domain>"
            next
            edit 2
                set name "Restrict-Access-Context"
                set dstaddr "login.microsoftonline.com" "login.microsoft.com" "login.windows.net"
                set action add-to-request
                set base64-encoding disable
                set add-option new
                set protocol https http
                set content "<directory_ID>"
            next
            edit 3
                set name "sec-Restrict-Tenant-Access-Policy"
                set dstaddr "live"
                set action add-to-request
                set base64-encoding disable
                set add-option new
                set protocol https http
                set content "restrict-msa"
            next
        end
    next
end
Step 6: Create a firewall policy in proxy inspection mode that references the cloned deep inspection profile, the web filter profile and the web proxy profile. Header insertion only works in proxy mode, and the policy must be placed above any general internet-access policy that would otherwise match the Microsoft login traffic first.
config firewall policy
    edit 0
        set name "New"
        set srcintf "port1"
        set dstintf "port2"
        set action accept
        set srcaddr "LAN"
        set dstaddr "login.microsoft.com" "login.microsoftonline.com" "login.windows.net" "live"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set inspection-mode proxy
        set webproxy-profile "Microsoft-Restriction"
        set ssl-ssh-profile "clone of Deep-inspection"
        set webfilter-profile "Microsoft"
        set logtraffic all
        set nat enable
        set schedule always
    next
end
Initiate a test connection to login.microsoftonline.com using a personal Outlook account. The sign-in is blocked and Microsoft returns an error page (screenshot not reproduced here).
To verify the header insertion for corporate domains and personal accounts:
- On the FortiGate, start the WAD debugs:
diagnose wad debug enable category http
diagnose wad debug enable level info
diagnose debug enable
- While logging in with a corporate Outlook email ID (such as fortinet-us.com), the WAD debug output shows the request forwarded to login.microsoftonline.com with the tenant domain and directory ID inserted:
[I][p:234][s:2481][r:33] wad_dump_fwd_http_req :2567 hreq=0x7fc75f0cd468 Forward request to server:
POST /common/GetCredentialType?mkt=en-US HTTP/1.1
Host: login.microsoftonline.com
Connection: keep-alive
Content-Length: 1961
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="101", "Google Chrome";v="101"
hpgrequestid: d7f706a8-1143-4cdd-ad52-1cc69dc7bb00
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
client-request-id: 5c3d196d-5939-45cc-a45b-232b9ed13fce
........
Restrict-Access-To-Tenants: fortinet-us.com
Restrict-Access-Context: ********-****-452f-8535-************

HTTP/1.1 200 OK
........
referrer-policy: strict-origin-when-cross-origin
content-security-policy-report-only: object-src 'none'; base-uri 'self'; script-src 'self' 'nonce-hsgkM-_lkmX6zKmHi0v8kw' 'unsafe-inline' 'unsafe-eval' https://*.msauth.net https://*.msftauth.net https://*.msftauthimages.net https://*.msauthimages.net https://*.msidentity.com https://*.microsoftonline-p.com https://*.microsoftazuread-sso.com https://*.azureedge.net https://*.outlook.com https://*.office.com https://*.office365.com https://*.microsoft.com https://*.bing.com 'report-sample'; report-uri https://csp.microsoft.com/report/ESTS-UX-All
cross-origin-opener-policy-report-only: same-origin; report-to="coop-endpoint"
reporting-endpoints: coop-endpoint="https://idux.azurewebsites.net/api/coopReport"
x-xss-protection: 0
- When signing in with a personal Outlook account, the browser is redirected to login.live.com, and the forwarded request carries the inserted 'sec-Restrict-Tenant-Access-Policy: restrict-msa' header. This header is the evidence that the consumer-account restriction is applied. The response from login.live.com shows 'X-XSS-Protection: 1; mode=block' where login.microsoftonline.com returned 'x-xss-protection: 0'; that is simply how the two Microsoft servers differ and is not itself an indicator of the restriction.
[I][p:234][s:2519][r:34] wad_dump_fwd_http_req :2567 hreq=0x7fc75f0ce6a8 Forward request to server:
GET /oauth20_authorize.srf?client_id=4765445b-32c6-49b0-83e6-1d93765276ca&scope=openid+profile+https%3a%2f%2fwww.office.com%2fv2%2fOfficeHome.All&redirect_uri=https%3a%2f%2fwww.office.com%2flandingv2&response_type=code+id_token&state=7tAtndYhcA3132S--UOTyLVEtyIZs8FgndTpeYM9mJ1EeA-X5nfqrSalnnPH41cHxfHGug6N5cbliK676v6xZgszgH_JARVKrptZwBvjI2cbnZ4mttYNNdK1FTlbEtu5VBjgtBOX2u6v3F_9g7UikCpGTnBRGhvO2pyTndT3EEIyAHvhg9LsKRtY3kxce8dQkfk1iDjLcc3q-01r4rpxSx2xZSbwg_KkAN3kCRQ9uLfE0ziHAcpvunuKmzGBWKnBhC4sJJkXrMEfXwCg4nsOjg&response_mode=form_post&nonce=637877163655610380.MjNjZmM4NzQtOTU5My00OGZlLTk0NTItZTE5NDU2YjVlODdjNjViOTQwYmUtOTZlMS00M2Y5LTkyN2MtN2QyMjgwNjcxY2Uz&x-client-SKU=ID_NETSTANDARD2_0&x-client-Ver=6.12.1.0&uaid=5c3d196d593945cca45b232b9ed13fce&msproxy=1&issuer=mso&tenant=common&ui_locales=en-US&epct=AQABAAAAAAD--DLA3VO7QrddgJg7WevrfA6SLaDsJUcjb1Bg9OKonF3d_lfNJsdDAIH5hlJdUSGejEBIqsko-A7JX67PzaGdEJgOIGa37VhJzGTYBZ-KgATe9FHssnNmLjM_dojr0dAT83xDhiqQTN2-UcYdcP2s3vPainF7Nqes5ecXRaEoE9Vw9-sN7jfASOkPRWW03aI6buz0niABvA860YOWDb98vdJWPGkWEeuDr6n8_zI5iAA&jshs=0&username=****************%40outlook.com&login_hint=***************%40outlook.com HTTP/1.1
Host: login.live.com
Connection: keep-alive
..............
Referer: https://login.microsoftonline.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
sec-Restrict-Tenant-Access-Policy: restrict-msa

HTTP/1.1 200 OK
...............
Referrer-Policy: strict-origin-when-cross-origin
x-ms-route-info: C533_BAY
x-ms-request-id: 8f76b817-5512-43f4-bcf9-6cf8b94d3883
PPServer: PPV: 30 H: PH1PEPF00011E91 V: 0
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
X-XSS-Protection: 1; mode=block
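The following Python script is an added example and is not part of this article or of FortiOS. It models the header-insertion rules of the web proxy profile in Step 5 (which hosts get which headers) and checks raw request dumps of the kind shown in the WAD debug output above against those rules, so the verification step can be automated instead of read by eye. The host lists, the sample requests and the directory ID value are constructed for the example; the header names and values are the ones Microsoft expects and that appear in the debug output.

```python
"""Model and checker for Microsoft tenant-restriction header insertion.

Added example, not FortiGate code. Mirrors the three 'config headers'
entries of the Microsoft-Restriction web proxy profile and verifies that
a forwarded request (as dumped by 'diagnose wad debug') carries them.
"""
import re

# Hosts that receive the Azure AD tenant-restriction headers (entries 1 and 2).
AAD_LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.windows.net"}
# Host that receives the consumer-account (MSA) restriction header (entry 3).
MSA_LOGIN_HOST = "login.live.com"

# Directory IDs are GUIDs; HTTP header names are case-insensitive.
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def restriction_headers(host, tenants, directory_id, restrict_msa=True):
    """Headers the proxy adds to a request for `host`, per the profile rules.

    `tenants` is the list of permitted tenant domains; Microsoft accepts a
    comma-separated list in Restrict-Access-To-Tenants.
    """
    if host in AAD_LOGIN_HOSTS:
        return {
            "Restrict-Access-To-Tenants": ",".join(tenants),
            "Restrict-Access-Context": directory_id,
        }
    if host == MSA_LOGIN_HOST and restrict_msa:
        return {"sec-Restrict-Tenant-Access-Policy": "restrict-msa"}
    return {}


def parse_request_dump(dump):
    """Parse a raw HTTP request (request line followed by headers).

    Returns (host, headers) with header names lower-cased. Lines without a
    colon (the request line, '....' elisions) are skipped.
    """
    lines = dump.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers.get("host", ""), headers


def check_request(dump, tenants, directory_id, restrict_msa=True):
    """Return a list of problems found in the dump; an empty list means the
    restriction headers are present with the expected values."""
    host, headers = parse_request_dump(dump)
    problems = []
    expected = restriction_headers(host, tenants, directory_id, restrict_msa)
    if not expected:
        problems.append(f"unexpected host {host!r}: no restriction rule applies")
    for name, want in expected.items():
        got = headers.get(name.lower())
        if got is None:
            problems.append(f"missing header {name}")
        elif got != want:
            problems.append(f"{name}: expected {want!r}, got {got!r}")
    ctx = headers.get("restrict-access-context")
    if ctx is not None and not GUID_RE.match(ctx):
        problems.append("Restrict-Access-Context is not a directory ID (GUID)")
    return problems


# Constructed sample inputs (directory ID and masked values are placeholders).
TENANTS = ["fortinet-us.com"]
DIRECTORY_ID = "12345678-1234-1234-1234-123456789abc"

GOOD_AAD_REQUEST = """POST /common/GetCredentialType?mkt=en-US HTTP/1.1
Host: login.microsoftonline.com
Connection: keep-alive
........
Restrict-Access-To-Tenants: fortinet-us.com
Restrict-Access-Context: 12345678-1234-1234-1234-123456789abc
"""

GOOD_MSA_REQUEST = """GET /oauth20_authorize.srf?client_id=4765445b-32c6-49b0-83e6-1d93765276ca&tenant=common HTTP/1.1
Host: login.live.com
Referer: https://login.microsoftonline.com/
sec-Restrict-Tenant-Access-Policy: restrict-msa
"""

# Failure mode: live.com left in the SSL exempt list, so nothing was inserted.
MISSING_MSA_REQUEST = """GET /oauth20_authorize.srf?tenant=common HTTP/1.1
Host: login.live.com
Referer: https://login.microsoftonline.com/
"""

if __name__ == "__main__":
    for label, dump in [("aad", GOOD_AAD_REQUEST), ("msa", GOOD_MSA_REQUEST),
                        ("msa-missing", MISSING_MSA_REQUEST)]:
        print(label, check_request(dump, TENANTS, DIRECTORY_ID) or "OK")
```

Run it against a dump pasted from the WAD output (request line plus header lines); any non-empty result points at the profile entry or the SSL exemption that still needs fixing.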
Related document:
restricted-saas-access - FortiGate administration guide