FortiGate
sfernando
Staff
Article Id 267878
Description This article describes how to address a requirement some customers have: checking the user device before granting access from Microsoft Azure Active Directory. This is not the host check that the FortiGate performs for SSL VPN users; instead, it is done by Azure Conditional Access policies under MS Intune device compliance policies.
Scope To enable device-based Conditional Access on Microsoft Azure for FortiGate SSL VPN users.
Solution

This feature is available only for licensed SSL VPN users who use the EMS solution. As shown in the screenshot of the SSL VPN FortiClient below, it is necessary to enable (tick) 'Use External Browser as user-agent for saml user authentication'.

Forticlient.jpg

In the normal FortiClient window, this option is not visible; it must be enabled on the FortiEMS and pushed to the FortiClient managed under that respective FortiEMS. Refer to the FortiEMS screenshot below:

Forti EMS.jpg

Related documents:

Create a device-based Conditional Access policy.

Use compliance policies to set rules for devices you manage with Intune.