Since FortiOS 7.4.2 it is possible to log into the FortiGate web admin GUI, either locally or through the remote management feature of FortiGate Cloud, using FortiCloud IAM credentials. The configuration procedure is quite simple and is documented in this Fortinet KB article. One very important detail in that article is the following sentence: “Non‑IAM users must be the FortiCloud account that the FortiGate is registered to.” This means that only the master account can manage the FortiGate this way. If you are a reseller managing multiple customer devices that are registered to multiple tenants, that is not an option for you. In this case you need to configure the login via FortiCloud IAM according to this documentation article. That article, however, only describes the “management” function of FortiGate Cloud and does NOT cover the “remote management” option of logging into the web admin GUI (locally or via FortiGate Cloud).
So if you see this error message when trying to remotely manage your FortiGate devices via FortiGate Cloud from a FortiCloud IAM sub-account, you need to enable this feature.
And this is how: enable the “FortiOS SSO” permission in the “Permission Profile” of the IAM user, as shown in the following screenshot. Treat this permission like handing out administrator access to the registered FortiGates the profile applies to, and assign it only to the IAM users who actually need to log into the devices:
Unfortunately, this setting is missing from the Fortinet documentation article.
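The IAM permission above is the FortiGate Cloud side of the setup; the FortiGate itself must also accept FortiCloud SSO admin logins, which is the part the KB article covers. As an added example (not taken from the original post or from Fortinet’s articles), this is the FortiOS CLI form of that FortiGate-side configuration with an explicit per-user mapping to a local access profile. It assumes FortiOS 7.4.x CLI syntax for the `admin-forticloud-sso-login` setting and the `system sso-forticloud-admin` table; the user names, the profile name `prof_readonly` and the VDOM `root` are placeholders:

```fortios
# Added example, not from the original post or the Fortinet KB article.
# Assumptions: FortiOS 7.4.x CLI syntax; the IAM user names, the profile
# name "prof_readonly" and the VDOM "root" are placeholders.

# 1. Allow FortiCloud (IAM) users to authenticate to the admin GUI at all.
config system global
    set admin-forticloud-sso-login enable
end

# 2. A read-only local access profile for IAM users who only need to look.
#    (prof_admin and super_admin exist by default; this one does not.)
config system accprofile
    edit "prof_readonly"
        set secfabgrp read
        set ftviewgrp read
        set authgrp read
        set sysgrp read
        set netgrp read
        set loggrp read
        set fwgrp read
        set vpngrp read
        set utmgrp read
        set wifigrp read
    next
end

# 3. Map each IAM user (by its FortiCloud login name) to an access profile
#    and VDOM explicitly, instead of relying on whatever default the
#    build applies to unmapped SSO users.
config system sso-forticloud-admin
    edit "reseller.admin@example.com"
        set accprofile "prof_admin"
        set vdom "root"
    next
    edit "noc.readonly@example.com"
        set accprofile "prof_readonly"
        set vdom "root"
    next
end

# 4. Verify: the global switch and both mappings should show up here.
show system global | grep forticloud-sso
show system sso-forticloud-admin
```

Keep the mapping table in step 3 as short as the people who really need device access; an IAM user that has the “FortiOS SSO” permission in FortiGate Cloud but no sensible profile on the device is exactly the combination you want to avoid.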
Please note: if you are using the free FortiGate Cloud tier, you can only access the FortiGate in read-only mode.
To log in using the IAM service, you need to enter an account ID or alias.
You can find this information when logged in with your master account at the top right of the page:
It is the number after “Account”.
Additional information sources
Have a look at this informational video from Fortinet, or at the documentation article on how to migrate FortiCloud accounts to IAM accounts. There is also a feature comparison between the free and paid FortiGate Cloud offers.