What Changed
The Fortinet FortiNDR Cloud Function App connector (v3.1.0) has been migrated from the legacy HTTP Data Collector API to the Azure Monitor Log Ingestion API. This is a breaking-change migration: the old credential model (Client ID, Client Secret, Tenant ID via app registration) has been fully removed and replaced with Managed Identity.
Security Impact (Visibility and Fidelity)
Ingestion continuity risk: The HTTP Data Collector API is deprecated. Deployments running v3.0.x would have faced ingestion failure as the API reaches end-of-life. This update is required to maintain continuous FortiNDR Cloud threat visibility in Microsoft Sentinel.
Credential surface reduction: The previous version required three credential values (Client ID, Client Secret, Tenant ID; the second a long-lived secret) to be injected as Function App application settings via ARM template parameters. These have been entirely removed. Authentication is now handled by ManagedIdentityCredential, which obtains short-lived tokens from the platform identity endpoint, eliminating static credential exposure in deployment templates and app settings.
ARM template changes:
- AzureClientID, AzureClientSecret, and AzureTenantID ARM parameters have been dropped - new deployments no longer prompt for or store these values.
- The Function App package deployment has been restructured: packageUri has moved from siteConfig to a dedicated Microsoft.Web/sites/extensions resource with onedeploy, gated behind a 30-second WaitSection deployment script so that the newly created Managed Identity principal has propagated before the role assignment that references it is created.
- A new Microsoft.Authorization/roleAssignments resource assigns the Monitoring Metrics Publisher role (3913510d-42f4-4e42-8a64-420c390055eb) to the Function App managed identity principal, scoped to the DCR only (least privilege: the identity can write to that DCR and nothing else). Previously this was a manual post-deployment step.
- The FortinetFortiNdrCloudRaw_CL table creation has been refactored from a tenantResourceId scope (which failed for cross-subscription deployments) into a nested Microsoft.Resources/deployments with resourceGroup scoping, fixing the ARM template deployment failure.
- A workspace saved search / KQL parser (Fortinet_FortiNDR_Cloud) is now deployed inline in the ARM template, covering suricata, observation, and detection log type suffixes against FortinetFortiNdrCloudRaw_CL.
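The ARM changes above boil down to three invariants a reviewer should confirm before shipping the template: no credential parameters remain, the Function App declares a managed identity, and the role assignment grants exactly Monitoring Metrics Publisher at DCR scope to that identity. The following lint is an added illustration, not code from the Sentinel solution; SAMPLE_TEMPLATE and LEGACY_TEMPLATE are constructed fragments standing in for the real azuredeploy_FortinetFortiNdrCloud_API_FunctionApp.json, and the parameter and resource names in them are assumptions.

```python
"""Pre-deployment lint for the v3.1.0 template invariants (added illustration)."""
import json
import re

MONITORING_METRICS_PUBLISHER = "3913510d-42f4-4e42-8a64-420c390055eb"
# Parameter names that smell like static credentials (the v3.0.x trio).
CREDENTIAL_PARAM_RE = re.compile(r"secret|clientid|tenantid", re.I)

# Constructed v3.1.0-style fragment: identity on the site, role scoped to the DCR.
SAMPLE_TEMPLATE = json.dumps({
    "parameters": {"FunctionName": {"type": "string"}, "DcrName": {"type": "string"}},
    "resources": [
        {"type": "Microsoft.Web/sites", "name": "[parameters('FunctionName')]",
         "identity": {"type": "SystemAssigned"}},
        {"type": "Microsoft.Authorization/roleAssignments",
         "name": "[guid(resourceGroup().id, parameters('FunctionName'), 'dcr')]",
         "scope": "[resourceId('Microsoft.Insights/dataCollectionRules', parameters('DcrName'))]",
         "properties": {
             "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', "
                                 "'3913510d-42f4-4e42-8a64-420c390055eb')]",
             "principalId": "[reference(resourceId('Microsoft.Web/sites', parameters('FunctionName')), "
                            "'2022-03-01', 'full').identity.principalId]",
             "principalType": "ServicePrincipal"}},
    ],
})
# Constructed v3.0.x-style fragment: secrets as parameters, no role assignment.
LEGACY_TEMPLATE = json.dumps({
    "parameters": {"FunctionName": {"type": "string"}, "AzureClientID": {"type": "string"},
                   "AzureClientSecret": {"type": "securestring"}, "AzureTenantID": {"type": "string"}},
    "resources": [{"type": "Microsoft.Web/sites", "name": "[parameters('FunctionName')]"}],
})


def credential_parameters(template):
    """Names of parameters that carry static credentials; must be empty after the migration."""
    return sorted(p for p in template.get("parameters", {}) if CREDENTIAL_PARAM_RE.search(p))


def function_app_has_managed_identity(template):
    """True when every Microsoft.Web/sites resource declares a managed identity."""
    sites = [r for r in template.get("resources", []) if r.get("type") == "Microsoft.Web/sites"]
    return bool(sites) and all(r.get("identity", {}).get("type") for r in sites)


def role_assignment_problems(template):
    """Least-privilege checks on the DCR role assignment; an empty list means it is sound."""
    ras = [r for r in template.get("resources", [])
           if r.get("type") == "Microsoft.Authorization/roleAssignments"]
    if not ras:
        return ["no Microsoft.Authorization/roleAssignments resource (role must then be assigned by hand)"]
    problems = []
    for ra in ras:
        props, where = ra.get("properties", {}), ra.get("name", "<unnamed>")
        if MONITORING_METRICS_PUBLISHER not in props.get("roleDefinitionId", ""):
            problems.append(f"{where}: roleDefinitionId is not Monitoring Metrics Publisher")
        if "Microsoft.Insights/dataCollectionRules" not in ra.get("scope", ""):
            problems.append(f"{where}: scope is not the DCR (broader than the connector needs)")
        if props.get("principalType") != "ServicePrincipal":
            problems.append(f"{where}: principalType should be ServicePrincipal for a managed identity")
        if ".identity.principalId" not in props.get("principalId", ""):
            problems.append(f"{where}: principalId does not reference the Function App identity")
    return problems


def lint_template(template_json):
    """Summarise the three invariants for a template given as a JSON string."""
    t = json.loads(template_json)
    return {"credential_parameters": credential_parameters(t),
            "managed_identity": function_app_has_managed_identity(t),
            "role_assignment_problems": role_assignment_problems(t)}


if __name__ == "__main__":
    for label, tpl in (("v3.1.0", SAMPLE_TEMPLATE), ("v3.0.x", LEGACY_TEMPLATE)):
        print(label, json.dumps(lint_template(tpl), indent=2))
```

Run it against the real template with `lint_template(open(path).read())`; the scope check is the one that matters most, since a role assignment at resource-group or subscription scope would let the identity publish into every DCR it can reach.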
Python code changes (sentinel.py):
- ClientSecretCredential replaced with ManagedIdentityCredential - no credential parameters required.
- LogsIngestionClient is now initialized at module load using only DceUri (the Data Collection Endpoint URI).
- Error messaging updated to remove references to CLIENT_ID, CLIENT_SECRET, TENANT_ID - authentication failures now direct operators to verify the Monitoring Metrics Publisher DCR role assignment on the managed identity.
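To make the new runtime path concrete, the following is an added example, not the solution's sentinel.py. It spells out the two HTTP calls that ManagedIdentityCredential and LogsIngestionClient make inside a Function App: fetching a token for the Azure Monitor resource from the App Service managed identity endpoint (IDENTITY_ENDPOINT / IDENTITY_HEADER, injected by the platform), then POSTing a batch to the DCE's Logs Ingestion endpoint. The transport is injectable so the 403 path (role not yet assigned or not yet propagated) can be exercised offline, and the error surfaced is the role-assignment hint rather than a raw status. The DCE URI, DCR immutable ID, stream name, identity endpoint values and record fields are assumptions.

```python
"""Runtime path of the v3.1.0 connector written out without the Azure SDK (added example)."""
import json
import os
import urllib.error
import urllib.parse
import urllib.request

MONITOR_RESOURCE = "https://monitor.azure.com/"   # token audience for Logs Ingestion
LOGS_INGESTION_API = "2023-01-01"
ROLE_HINT = ("Logs Ingestion returned 403: verify that the Function App managed identity "
             "holds the Monitoring Metrics Publisher role on the DCR (a new assignment can "
             "take several minutes to propagate); no client secret is involved.")


class IngestionError(RuntimeError):
    """Raised with an operator-facing message instead of a raw HTTP status."""


def urllib_transport(method, url, headers, body=None):
    """Real transport returning (status, body); used when deployed, not in the demo below."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read()


def managed_identity_token(transport, env=os.environ, resource=MONITOR_RESOURCE):
    """Token from the platform-injected identity endpoint.

    This is the secret-free part of the design: the platform proves the identity,
    the short-lived token stays in process memory, nothing is stored in app settings.
    """
    endpoint, header = env.get("IDENTITY_ENDPOINT"), env.get("IDENTITY_HEADER")
    if not endpoint or not header:
        raise IngestionError("managed identity endpoint not present; enable the Function App identity")
    query = urllib.parse.urlencode({"resource": resource, "api-version": "2019-08-01"})
    status, body = transport("GET", f"{endpoint}?{query}", {"X-IDENTITY-HEADER": header})
    if status != 200:
        raise IngestionError(f"identity endpoint returned HTTP {status}")
    return json.loads(body)["access_token"]


def upload_logs(transport, token, dce_uri, dcr_immutable_id, stream_name, records):
    """POST one batch to the DCE; returns the record count on HTTP 204."""
    url = (f"{dce_uri.rstrip('/')}/dataCollectionRules/{dcr_immutable_id}"
           f"/streams/{stream_name}?api-version={LOGS_INGESTION_API}")
    body = json.dumps(records).encode()
    if len(body) > 1_000_000:                      # documented 1 MB per-request limit
        raise IngestionError("batch exceeds 1 MB; split it before uploading")
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    status, _ = transport("POST", url, headers, body)
    if status == 204:
        return len(records)
    if status == 403:
        raise IngestionError(ROLE_HINT)
    raise IngestionError(f"Logs Ingestion returned HTTP {status}")


def fake_azure(role_assigned):
    """Constructed stand-in for the identity endpoint and the DCE, for offline runs."""
    def transport(method, url, headers, body=None):
        if (method == "GET" and "api-version=2019-08-01" in url
                and headers.get("X-IDENTITY-HEADER") == "hdr"):
            return 200, json.dumps({"access_token": "eyJ.dummy.token", "expires_on": "0"}).encode()
        if method == "POST" and headers.get("Authorization") == "Bearer eyJ.dummy.token":
            return (204, b"") if role_assigned else (403, b'{"error":{"code":"OperationFailed"}}')
        return 401, b""
    return transport


# Constructed FortiNDR-style records; field names are illustrative only.
SAMPLE_RECORDS = [
    {"TimeGenerated": "2024-05-01T10:00:00Z", "event_type": "detection", "rule": "C2 beacon"},
    {"TimeGenerated": "2024-05-01T10:00:05Z", "event_type": "suricata", "sig_id": 2100498},
]


def ship_batch(records, role_assigned=True):
    """Full flow against the fake: returns (records_sent, None) or (0, operator_message)."""
    env = {"IDENTITY_ENDPOINT": "http://127.0.0.1:41417/msi/token", "IDENTITY_HEADER": "hdr"}
    transport = fake_azure(role_assigned)
    try:
        token = managed_identity_token(transport, env=env)
        sent = upload_logs(transport, token, "https://example-dce.eastus-1.ingest.monitor.azure.com",
                           "dcr-00000000000000000000000000000000",
                           "Custom-FortinetFortiNdrCloudRaw_CL", records)
        return sent, None
    except IngestionError as exc:
        return 0, str(exc)


if __name__ == "__main__":
    print(ship_batch(SAMPLE_RECORDS))
    print(ship_batch(SAMPLE_RECORDS, role_assigned=False))
```

Swapping `fake_azure` for `urllib_transport` and `os.environ` for the real environment gives the deployed behaviour; the point to take from the 403 branch is that, after the migration, an authentication failure is a role-assignment or propagation problem, never a wrong or expired secret.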
Operational Notes
- Existing deployments on v3.0.x must redeploy using the new ARM template. The old app settings (TENANT_ID, CLIENT_ID, CLIENT_SECRET) are no longer consumed by the Function App code; since app settings persist across redeployments, delete them from the Function App configuration as well rather than leaving a plaintext secret behind.
- The App Registration used for the previous credential-based flow is no longer needed. Once the new deployment is confirmed to be ingesting, revoke its client secret and decommission the registration.
- The connector UI JSON (FortinetFortiNdrCloud_API_AzureFunctionApp.json) has been updated to remove references to Azure Client Secret from Key Vault guidance steps.
Affected Files
Solutions/Fortinet FortiNDR Cloud/Data Connectors/FortinetFortiNdrCloud_API_AzureFunctionApp.json
Solutions/Fortinet FortiNDR Cloud/Data Connectors/azuredeploy_FortinetFortiNdrCloud_API_FunctionApp.json
Solutions/Fortinet FortiNDR Cloud/Data Connectors/fortinetFortiNdrCloudDataConn/OrchestratorWatchdog/__init__.py
Solutions/Fortinet FortiNDR Cloud/Data Connectors/fortinetFortiNdrCloudDataConn/sentinel/sentinel.py
Solutions/Fortinet FortiNDR Cloud/Workbooks/FortinetFortiNdrCloudWorkbook.json
(packaging artefacts: 3.1.0.zip, fortinetFortiNdrCloudDataConn.zip, fortinetFortiNdrCloudDataConn_v2.zip, mainTemplate.json)