I just went through figuring this out today with some trial and error. Here is what worked for my setup.
I'm on FortiOS v6.0.4 build0231 (GA)
This is for Azure AD with no local domain sync enabled. Make sure domain services is set up and ldaps is configured with a proper certificate.
Also don't forget to set AADS NSG rules to allow ldaps on port 636 from your firewall IP.
Edit the global settings for a longer ldap connection timeout to 5000
config system global
set ldapconntimeout 5000
Set up a LDAP server
Server IP/Name your.ldap.name
Server Port 636
Common Name Identifier userPrincipalName
Distinguished Name ou=AADDC Users,dc=company,dc=com
Bind Type Regular
(The bind account needs to be in the AAD DC Administrators group)
Secure Connection checked to on
Test Connectivity and then Test User Credentials.
The username is their primary email address. email@example.com
If you have Office 365 MFA enabled it will fail. I haven't found any way to auth a user successfully with MFA enabled.
Go to User Groups and do not create a new user group. Select local and add a Remote Group. Add the ldap server from above as the Remote Server.
Select the ldap group the VPN users are in. Make sure you right click on the group and hit + Add Selected.
In SSL-VPN Settings under Authentication/Portal Mapping add the local group to the Portal full-access if your users are going to have full tunnel access.
post edited by dcook - 2019/02/15 16:57:08
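The same setup expressed as FortiOS CLI, added here as a reference and not part of the post above. The object names (azure-aadds, vpn-users, AADDS-CA), the bind account, the group DN and the password placeholder are assumptions; replace them with your own values, and make sure the CA that signed the AADDS LDAPS certificate is imported so the firewall actually validates it.

```text
# Global: longer LDAP connection timeout (from the post above)
config system global
    set ldapconntimeout 5000
end

# LDAP server object pointing at Azure AD Domain Services over LDAPS (636)
config user ldap
    edit "azure-aadds"                      # assumed object name
        set server "your.ldap.name"
        set port 636
        set cnid "userPrincipalName"        # users log in with their UPN / primary e-mail
        set dn "OU=AADDC Users,DC=company,DC=com"
        set type regular                    # regular bind; account must be in AAD DC Administrators
        set username "svc-fortigate@company.com"   # assumed bind account
        set password <BIND_PASSWORD>        # placeholder, store in a vault not in notes
        set secure ldaps
        set ca-cert "AADDS-CA"              # assumed: CA cert imported under System > Certificates
    next
end

# Local group whose membership is matched against an LDAP group on that server
config user group
    edit "vpn-users"                        # assumed group name
        set member "azure-aadds"
        config match
            edit 1
                set server-name "azure-aadds"
                set group-name "CN=VPN Users,OU=AADDC Users,DC=company,DC=com"   # assumed group DN
            next
        end
    next
end

# Map that group to the full-access portal in SSL-VPN settings
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "vpn-users"
            set portal "full-access"
        next
    end
end
```

After applying, `diagnose test authserver ldap azure-aadds user@company.com <password>` from the CLI performs the same check as Test User Credentials in the GUI and reports the groups matched.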