FortiMail on Microsoft 365 without changing MX records — the out-of-band Graph API deployment playbook

Pawan Sharma Published 09 Jul 2026  ·  By Pawan Sharma  ·  Email Security  ·  37 min read

If you're running Microsoft 365 for corporate email and evaluating an additional layer of security on top of Exchange Online Protection or Defender for O365, there's a deployment shape that most Indian buyers still don't realise Fortinet supports: FortiMail Cloud added on top of your existing tenant without touching a single MX record. No mail-flow reconfiguration, no cutover risk, no impact on business email if the FortiMail tenant has an issue. This is the "out-of-band" or "API-based" deployment of FortiMail Cloud SaaS — powered by the Microsoft Graph API — and it changes both the deployment risk profile and the "should we add this to our O365 stack?" conversation. This post is the practical guide: what the deployment actually looks like, the exact Graph API permissions FortiMail needs, where this shape is the right answer, and — importantly — where it isn't.

Deployment window

Hours, not weeks

No MX-record changes; Azure AD app registration + tenant onboarding is the whole flow.

Mail-flow risk

Zero

FortiMail sits alongside O365, not in the delivery path. If FortiMail Cloud goes down, mail still flows normally.

Detection posture

Post-delivery

FortiMail scans messages after O365 receives them. Malicious mail lands in the inbox first, then gets clawed back. Trade-off you accept.

Where it's the wrong answer

BFSI / regulated

Sectors where pre-delivery block is mandated by policy (regulator or internal). See Section 8.

The frameWhy "add a security layer without changing MX records" is even a conversation

For most of the last fifteen years, adding a third-party email security product on top of Microsoft 365 (or Exchange on-prem before it) meant one thing: you changed your MX records to point mail at the security vendor first, they scanned it, and they delivered clean mail to your Exchange/O365 tenant. This is the "gateway" or "in-band" deployment model. It's how Mimecast, Proofpoint, Symantec Messaging Gateway, Cisco IronPort, and yes, the traditional FortiMail Cloud Hosted variant all worked. It's still the standard for a lot of enterprises.

The gateway model has real advantages — malicious mail never reaches the tenant, everything is inspected before delivery, and the security vendor sees the full session so anti-spoofing has full context. But it also has non-trivial deployment friction: you're changing DNS at your MX level, which means a botched cutover can silently bounce inbound mail for hours. You're introducing a hop that can add latency or, worse, fail closed if the vendor has an outage. And you're committing to route all your inbound mail through a third party — which raises real data-residency questions under DPDP if the vendor's scrubbing centres aren't in India.

Microsoft Graph API changed the math. Once Microsoft exposed programmatic access to mail via a well-documented API (Graph replaced the older Exchange Web Services API for most modern integrations), it became possible for third-party security products to sit alongside the tenant rather than in front of it. Mail arrives at O365 as normal. The third-party tool polls Graph (or subscribes to notifications), scans messages after delivery, and — critically — can move, quarantine, or delete messages if they turn out to be malicious. This is what Fortinet calls the FortiMail Cloud SaaS variant, and it's the deployment shape most Indian mid-market buyers should at least evaluate before they commit to the MX-cutover playbook.

The two FortiMail Cloud variants — don't confuse them:

 • FortiMail Cloud Hosted — traditional MX-redirect gateway. You change DNS, mail flows through Fortinet's scrubbing centres, gets delivered to your tenant. In-band. Same architecture as Mimecast Gateway or Proofpoint Essentials.

 • FortiMail Cloud SaaS — Graph API integration. No MX change. Mail arrives at O365 first; FortiMail scans post-delivery and clawback-quarantines what it flags. Out-of-band. This post is about this variant.

What "out-of-band via API" actually meansArchitecture, side by side

In-band gateway (FortiMail Cloud Hosted)

Traditional MX-redirect model

The customer's DNS MX record points at Fortinet's scrubbing infrastructure. Every inbound message hits FortiMail first.

  • Mail path: Sender → DNS lookup → Fortinet MX → FortiMail Cloud Hosted → filter → Exchange Online
  • Blocking: Pre-delivery. Malicious mail never reaches the tenant.
  • DNS change: Required. New MX records, TLS certificate implications, SPF alignment updates.
  • Fault mode: If Fortinet's tenant has an issue, inbound mail queues (or bounces if MX TTL is short and secondary MX isn't set up).
  • Data residency: Every inbound message transits Fortinet's scrubbing region. India residency requires India-hosted FortiMail tenant.
  • Deployment window: Typically 2-6 weeks including DNS TTL propagation, SPF/DKIM alignment, dry-run in monitor mode, cutover, tuning.
Out-of-band (FortiMail Cloud SaaS via Graph API)

API-integrated post-delivery model

DNS unchanged. FortiMail talks to O365 via Microsoft Graph API, scans messages after they land in the tenant.

  • Mail path: Sender → DNS lookup → O365 MX → Exchange Online → mail sits in mailbox → FortiMail polls / subscribes via Graph → scans → moves malicious messages to quarantine folder
  • Blocking: Post-delivery. Malicious mail lands in inbox first; clawback within seconds-to-minutes based on polling / notification cadence.
  • DNS change: None. MX records stay pointed at O365.
  • Fault mode: If FortiMail Cloud has an issue, mail continues to flow through O365 uninterrupted. No queueing, no bounces.
  • Data residency: Mail bodies stay in your O365 tenant region. FortiMail reads via Graph but doesn't require message content to be relayed through Fortinet's infrastructure.
  • Deployment window: Hours. Azure AD app registration + admin consent + tenant enrolment on FortiMail Cloud portal.

The one word that matters here: "clawback." Out-of-band deployment can't stop malicious mail from reaching the inbox in the first place — but it can remove it after the fact. If a user opens the mail in the ~30-90 seconds between delivery and FortiMail's scan, they've seen it. That's the fundamental trade-off. For most inboxes, most of the time, this is acceptable. For BFSI / healthcare / regulated where "no exposure at all" is a hard requirement, this deployment shape is the wrong answer. Section 8 walks through when in-band is still what you want.

Why buyers pick this shapeSix reasons the out-of-band model is winning mid-market

Reason 01

Deployment risk collapses

No MX-record changes means no risk of botched cutover, no DNS-TTL propagation lag, no anxious weekend war-room to swap production email routing. The rollback story is also trivial: revoke the Azure AD app's permissions and FortiMail is disconnected from your tenant in seconds. Compare to backing out an MX cutover, which involves DNS changes with 12-24 hour propagation windows.

Reason 02

Coexists with existing EOP / Defender

Because FortiMail isn't in the mail path, you're not choosing between Exchange Online Protection, Defender for O365, and FortiMail — you have all three. EOP catches the obvious bulk-spam and known-signature malware. Defender adds sandboxing and impersonation detection. FortiMail catches what the Microsoft layer misses, particularly on targeted BEC / cousin-domain attacks where FortiGuard's threat intel gives a different perspective. Defence-in-depth at the operational level.

Reason 03

M&A / IPO / rapid-integration scenarios

When you're integrating an acquired business unit and their O365 tenant needs additional email security this quarter — not next quarter — the out-of-band model means you can add FortiMail on Monday and have it filtering by Wednesday. The gateway-model equivalent typically means a 4-6 week project. This is a large fraction of the deployments we see in India: acquiring companies who want to standardise on FortiMail across newly-acquired tenants without disrupting the acquired mail flow.

Reason 04

Internal-mail visibility

Gateway-mode security products only see inbound mail from external senders. Internal user-to-user mail never crosses the MX boundary and stays invisible. Graph API integration sees everything — internal mail included. That matters for two use cases: (a) insider-threat detection where the malicious sender is an employee, and (b) post-compromise account-takeover where the attacker uses a legit internal mailbox to phish colleagues. Neither is catchable in gateway mode.

Reason 05

Data-residency simplification

Under DPDP and increasingly under sectoral guidance from RBI and SEBI, keeping mail contents in the Indian region matters. In the gateway model, every inbound mail crosses through your security vendor's scrubbing centres — which may or may not be in India, depending on the vendor's PoP map. In the out-of-band model, mail bodies never leave your O365 tenant's region (Central India or South India). FortiMail's Graph API calls are metadata / API calls, not mail-body transit. Cleaner compliance story.

Reason 06

Fault-mode behaviour

If FortiMail has a bad day, mail continues to flow. Users don't experience a queue-and-delivery-lag pattern. Business email doesn't stop. Compare to gateway mode where a FortiMail tenant issue means either mail queues (if secondary MX is configured) or bounces (if not). The out-of-band model degrades gracefully to "you have the same email security as O365 native" rather than "you have no email at all."

What you get on the API pathwayFortiMail Cloud SaaS capabilities via Graph

The capability surface of FortiMail Cloud SaaS in the out-of-band deployment is nearly identical to the gateway variant, with a few asterisks that are worth understanding upfront. Same underlying detection engines. Same FortiGuard threat intelligence. Same anti-spam / anti-malware / advanced-threat-protection pipeline. The differences are all about when the detection happens (post-delivery not pre-delivery) and what remediation options are available (clawback / move / quarantine, not block).

What FortiMail Cloud SaaS scans for

  • Anti-spam — SPF / DKIM / DMARC alignment, sender reputation, IP / domain / URL reputation from FortiGuard, content analysis, behavioural analysis. Vendor claim: 99.97% catch rate (Virus Bulletin).
  • Anti-malware — signature-based scanning, heuristic detection, behavioural analysis, virus-outbreak prevention. Vendor claim: 100% detection (SE Labs AAA rating).
  • Advanced threat protection — Content Disarm & Reconstruction (CDR) that neutralises active content in attachments, impersonation detection (senior-exec impersonation for CEO-fraud), cousin-domain detection (visually-similar domains registered days before the campaign), click protection with URL rewriting.
  • FortiSandbox integration — zero-day and ransomware detection via cloud sandbox. Attachments and URLs that pass initial filters but look suspicious get detonated in the sandbox; if malicious, the message is quarantined via Graph API even if it's already been in the inbox for a few seconds.
  • Data loss prevention — outbound scanning for PII / PCI / regulated content. Also runs via Graph, hooking outbound mail via subscription events.
  • Business Email Compromise (BEC) protection — the class of attack this deployment shape is arguably best at catching, because API-mode gives visibility into internal mail patterns that would otherwise be invisible.

What's different vs the gateway variant

  • No pre-delivery block. Everything is post-delivery quarantine / clawback. If your policy or your regulator requires "never lands in the inbox," you need the gateway variant.
  • URL-rewriting behaviour is subtle. In gateway mode, URLs in inbound mail get rewritten at the header level so click-time protection works transparently. In API mode, URL rewrite happens after the message is in the mailbox, which means very-fast-fingered users could click the original URL between delivery and rewrite. Practical impact is small (rewrite typically happens within 30 seconds) but worth knowing.
  • Outbound scanning depends on Graph subscription cadence. If you're relying on FortiMail to block outbound DLP violations before they leave the tenant, API-mode adds a few seconds of latency vs gateway-mode where outbound goes through FortiMail synchronously.
  • Encryption gateway features aren't available. Gateway-mode FortiMail can act as an S/MIME or Voltage encryption gateway for outbound mail. In API mode, you're relying on M365's native encryption (Purview Message Encryption) — which is fine, but different.

The permission surfaceExactly what Graph API scopes FortiMail Cloud SaaS asks for

Understanding the Azure AD app-registration permission surface matters for two reasons: (a) your security team will want to know exactly what you're granting to a third party in your Microsoft tenant, and (b) DPO / compliance review under DPDP will ask specifically what data access has been authorised. Here's the surface Fortinet's documentation specifies.

PermissionWhat it allowsWhy FortiMail needs it
Mail.ReadWrite Read and modify messages in all mailboxes across the tenant. This is the big one and requires admin consent. To scan message contents (read) and to move malicious messages into quarantine folders after detection (write).
Mail.Send Send mail as any user on behalf of the tenant. To deliver quarantine-release notifications and administrator alerts. Optional in some deployments; can be granted a narrower scope like Mail.Send.Shared for a specific service mailbox.
User.Read.All Read all users' basic profile information. To enumerate tenant users, map mailbox GUIDs to display names for the FortiMail admin console, and correlate policy assignment.
Group.Read.All Read all groups the tenant has, including distribution and security groups. To apply security policies at group level rather than per-user (e.g., "apply CDR to Finance dept only").
Directory.Read.All Read directory data. To pick up tenant metadata for auth and to keep the user/group cache fresh.
MailboxSettings.Read Read user mailbox settings. To respect user-level rules and preferences (e.g., quarantine folder choice, notification preferences).

What your security team should verify. Mail.ReadWrite is the sensitive one — it's an "application" permission (not delegated), which means FortiMail can act on any mailbox without a signed-in user's context. That's necessary for the deployment to work autonomously, but it also means the Azure AD app's client secret must be treated as high-value credential material. Rotate on schedule, monitor for anomalous Graph API call patterns via M365 audit logs, and put alerting on the app's principal ID.

The click-pathEnd-to-end deployment walkthrough

Assuming you have a FortiMail Cloud SaaS subscription (either newly-purchased or added to your existing FortiCare account), and Global Admin access to your Microsoft 365 tenant, here's the whole flow. Do it in a change window; it's low-risk but you're granting a third-party app tenant-wide Graph permissions and that's not a change-management-free operation.

Provision the FortiMail Cloud SaaS tenant

From the FortiCloud portal (forticloud.com), navigate to Services → FortiMail Cloud → Provision. Select region (choose Central India or your preferred region), tenant name, admin credentials. Fortinet provisions the tenant in roughly 5-15 minutes.

Register FortiMail as an Azure AD application in your tenant

From the Azure portal (portal.azure.com), navigate to Microsoft Entra ID → App registrations → New registration. Name the app FortiMail Cloud SaaS (or similar). Redirect URI: use the callback URL Fortinet provides in the onboarding wizard. Register. Note the Application (client) ID and the Directory (tenant) ID — you'll paste these into FortiMail's portal.

Grant the required Graph API permissions

Still in the Azure portal, on the newly-registered app → API permissions → Add a permission → Microsoft Graph → Application permissions. Add: Mail.ReadWrite, Mail.Send, User.Read.All, Group.Read.All, Directory.Read.All, MailboxSettings.Read. Click "Grant admin consent for [your tenant]" as a Global Admin. This is where the permissions actually become effective — without admin consent, the app is registered but powerless.

Create a client secret and note it

On the app → Certificates & secrets → New client secret. Add a description like FortiMail Cloud SaaS integration and choose an expiry (recommend 12 months, not "never" — Microsoft doesn't allow "never" for new secrets anyway). Copy the secret value immediately — Azure will hide it after you navigate away and there's no way to recover it. If you lose it you'll create a new one.

Enter tenant credentials in FortiMail Cloud SaaS portal

Back in the FortiMail Cloud SaaS admin console, Tenant Onboarding → Add M365 Tenant. Paste: Application (client) ID, Directory (tenant) ID, Client secret value. FortiMail immediately tests the connection by making a Graph API call. On success, you'll see the enumeration of your users and groups appear in the admin console within about 60 seconds.

Enable in monitor mode first

Default policy on newly-onboarded tenants should be set to Log-only / Monitor mode for the first 3-7 days. FortiMail scans everything but doesn't move any messages — it just logs what it would have quarantined. This lets you review the false-positive candidate list and tune before you enable enforcement. Skip this step at your peril; every deployment we've done has surfaced at least a handful of legitimate business mails that would have been quarantined without a monitor-mode review.

Enable enforcement + user notification

After monitor-mode review, flip policy to enforcement. Configure the quarantine notification workflow — FortiMail can send end-users a daily digest of their quarantined mail, allow one-click release, or route release approval through IT. Recommendation: daily digest with self-service release for known-good senders, IT-approval for anything flagged as targeted-BEC / impersonation.

Configure sandboxing and DLP if licensed

FortiSandbox Cloud integration for zero-day attachment / URL detonation — enable on the FortiMail Cloud SaaS Advanced Threat Protection tab if you've licensed FortiSandbox. DLP policies — configure content-inspection rules (India-specific templates include Aadhaar, PAN, GSTIN, bank account patterns) and set enforcement action per rule. These features work identically to the gateway variant; you're just wiring them up via API rather than through mail flow.

Alert on the Azure AD app principal

Not FortiMail's problem, but yours — set up an M365 Defender / Sentinel alert on unusual behaviour from the FortiMail Cloud SaaS app principal (unusual sign-ins, spike in Graph API calls, calls from unexpected IP ranges). This is the belt-and-braces move: if the app credential ever leaks, you'll see the anomaly in real time.

The honest comparisonFortiMail Cloud SaaS vs Defender for O365 vs Mimecast API vs Proofpoint API

Every buyer evaluating out-of-band email security on M365 is looking at least three options. Here's the honest read as of mid-2026. None of these are marketing pitches; they're operational observations from actual deployments.

ConsiderationDefender for O365 P2FortiMail Cloud SaaSMimecast API (M-EPP)Proofpoint (Aegis / API mode)
Deployment shape Native, part of tenant Out-of-band via Graph API Out-of-band via API Both in-band and API-mode available
Additional layer vs EOP Extends EOP; same platform Additional layer alongside EOP Additional layer alongside EOP Additional layer; API mode also alongside
Threat intel source Microsoft Security FortiGuard (independent perspective on same threats) Mimecast Threat Intel Proofpoint's Threat Intelligence Services
India data residency Central India tenant hosts data; Defender processes there FortiMail Cloud tenant in India; mail bodies stay in O365 tenant region Depends on Mimecast region choice; India region available since 2024 Depends on Proofpoint region choice; India-hosted since 2023
BEC / impersonation posture Strong (2024-25 improvements) Strong; FortiGuard has independent view Historically strong; Mimecast's BEC catch rate is well-regarded Strong; Proofpoint's TAP has the most-published BEC research
Deployment window Zero — already there if you have E5 Hours (Azure AD app registration) Hours Hours in API mode
DLP + encryption Native to Purview Included; API-mode caveats apply Included Included
Ideal buyer profile M365 E5 committed; want single-vendor stack Existing Fortinet Fabric shop; want independent second layer Mimecast incumbent; want to modernise off gateway model Large enterprise; strong BEC research need

The buyer decision framework that actually works. If you're an M365 E5-committed enterprise with no other email-security investment, Defender for O365 P2 is likely enough — don't add a second product just for the sake of defence-in-depth. If you're on M365 E3 (Defender P1 only), or you're already running a Fortinet fabric elsewhere in the estate, FortiMail Cloud SaaS is the strongest "additional layer" option because you get an independent threat-intel perspective and the licensing overhead of adding Defender P2 to E3 tenants often ends up costing more than FortiMail. If you're a legacy Mimecast / Proofpoint gateway customer at renewal, both vendors' API-mode options let you modernise off MX-redirect without switching brands. All four are credible; the decision is about your existing commitments more than about the products' catch rates.

The honest limitsWhen out-of-band is the wrong answer

Any piece that claims a new deployment shape is universally better without naming its limits is marketing. Here are the specific scenarios where the in-band gateway variant is still what you want — or where FortiMail via Graph API isn't the right choice at all.

1. Regulator or internal policy mandates pre-delivery block

RBI Cyber Security Framework doesn't yet explicitly forbid post-delivery clawback for BFSI email security, but some individual banks and NBFCs have interpreted the "adequate controls" language as requiring pre-delivery block. SEBI CSCRF is similar. If your organisation's compliance interpretation requires malicious mail to never touch the inbox, the out-of-band model doesn't meet that bar. Use the gateway variant.

2. High-value BEC-targeted mailboxes where seconds matter

The out-of-band clawback happens within seconds-to-minutes of delivery. For most users that's fast enough — the user isn't checking mail every second. For a CFO's mailbox during a wire-transfer-approval workflow, or a treasury team during month-end payments, even a 60-second window between "malicious mail lands" and "clawback" can be enough for a mistaken click. For those specific mailboxes, run gateway-mode alongside the out-of-band deployment (yes, both — different subsets of users) or use conditional-access mail-flow rules to send only those mailboxes through a gateway hop.

3. Encryption-gateway requirements

If your organisation has a policy requirement to encrypt outbound mail to specific external domains via a gateway-based encryption (S/MIME with certificate-based routing, or Voltage-style transparent encryption), the FortiMail Cloud Hosted variant does this natively. The FortiMail Cloud SaaS variant delegates outbound encryption to M365's Purview Message Encryption, which is fine for most use cases but doesn't replicate all gateway-encryption behaviour.

4. Very large tenants with high mail volume

Graph API has rate limits. For tenants processing more than roughly 5,000-10,000 mails per hour, the out-of-band model can bump against Graph throttling if not architected carefully. Fortinet has published guidance on scaling this out via multiple Graph subscription channels, but at some scale the gateway variant simply performs better because it's not making Graph calls at all. Ask your Fortinet SE for the specific volume threshold at which they'd recommend gateway mode over API mode; typical answer is somewhere between 10,000 and 50,000 mails/hour depending on tenant configuration.

5. Hybrid Exchange environments

If you're still running hybrid Exchange (some mailboxes on-prem, some in M365), the out-of-band model only covers the M365 side. On-prem mailboxes need a different approach — either the gateway variant covering both, or on-prem FortiMail alongside FortiMail Cloud SaaS for the cloud tenants. Most Indian enterprises we work with have completed their hybrid-Exchange migration; if you haven't, factor this in.

6. Purely M365-Defender-committed environments

If you've already invested heavily in Microsoft Defender for O365 P2, and you're running Sentinel or Defender XDR as your SIEM/XDR layer, adding a second email-security vendor may add operational overhead (two consoles, two alert streams, two vendor relationships) without commensurate detection uplift. Do a genuine PoC before you commit — the marginal detection improvement from adding FortiMail on top of Defender P2 is real but smaller than the marginal improvement from adding FortiMail on top of EOP-only.

Where Ogma fitsHonest, brief, not the whole point of the article

Ogma is a Fortinet authorised partner in India across the FortiMail product line — both the Cloud Hosted (gateway) variant and the Cloud SaaS (API / out-of-band) variant covered in this article. We've deployed both shapes across Indian mid-market and enterprise M365 tenants over the last three years and have specific opinions about which shape fits which customer profile, which the framework in this article summarises.

Where we tend to add real value is in the operational-choice layer: helping customers pick between the two deployment shapes on the basis of their actual data-residency posture, their existing M365 licensing (E3 vs E5), their DLP overlap with Purview, and whether their compliance interpretation requires pre-delivery block. The 90-minute architecture review is genuinely useful even for customers who don't end up buying FortiMail from us; we'd rather guide the right buyer to the right shape than pretend a single deployment model fits every use case. Contact details at the bottom.

Want a 90-minute FortiMail deployment-shape review for your M365 tenant?

We'll walk through your existing licensing, current EOP / Defender configuration, sectoral compliance overlay, and DLP posture, and give you a written recommendation on whether the gateway or out-of-band shape fits your environment — with an honest read on when Defender P2 alone is enough.

Book a review +91 80 0979 0979 · [email protected]

Common questionsFAQ

Does FortiMail Cloud SaaS replace Defender for O365, or run alongside?

Alongside. FortiMail Cloud SaaS is designed as an additional layer on top of Exchange Online Protection (which every M365 tenant has) or Defender for O365 P1/P2 (which E5-committed tenants have). The value is defence-in-depth from an independent threat-intel source. If your organisation is looking to consolidate on a single vendor, this deployment shape is not the answer — the gateway variant would be, since it replaces the EOP/Defender path entirely by being the MX endpoint.

How fast is the post-delivery clawback? Can users click a malicious link before FortiMail removes it?

Fortinet's documented target is under 60 seconds from delivery to clawback under normal Graph API cadence, with the median being closer to 15-30 seconds in our observation. It's not zero. The realistic risk is: if a user is actively checking mail at the moment a targeted phishing lands, and they click the URL in the first 15 seconds, they've exposed themselves regardless of what FortiMail does. This is why FortiMail's URL-rewrite protection matters — even after clawback, if the URL was clicked, FortiGuard's click-time-check evaluates the destination and blocks if malicious. But the window exists and it's not honest to claim otherwise.

What happens if I revoke the Azure AD app permissions? Does anything break?

Nothing on the mail-flow side — mail continues to arrive at O365 as normal because FortiMail was never in the delivery path. What breaks is FortiMail's ability to scan, quarantine, or clawback anything from that moment onwards. You'd be back to whatever email security O365 provides natively (EOP + Defender if licensed). Clean rollback. This is actually one of the deployment-shape's advantages: revoking is instant and consequence-free relative to the mail flow, unlike an MX cutover reversal which involves DNS changes and 12-24 hour propagation.

Does FortiMail see internal mailbox-to-mailbox mail?

Yes. Via Graph API, FortiMail sees all mail in the tenant — inbound, outbound, and internal user-to-user. This is one of the key advantages over the gateway model, which only sees inbound external mail. Internal-mail visibility matters for two use cases: (a) insider-threat / disgruntled-employee scenarios where the sender is legitimate but the intent is malicious, and (b) post-compromise account-takeover where an attacker uses a hijacked internal mailbox to phish colleagues. Gateway-mode security never catches these.

Does out-of-band deployment work for outbound-only email security (like DLP)?

Yes, but with a caveat. FortiMail Cloud SaaS can hook outbound mail via Graph subscription events and scan for DLP violations. If a violation is detected, FortiMail can move the outgoing message to a quarantine folder before it's fully delivered externally — but there's a race between Microsoft's outbound-send timer and FortiMail's Graph-notification-and-scan cycle. For most content types this works fine. For extremely time-sensitive DLP requirements (blocking a wire-transfer confirmation email in real time before it leaves the tenant), the gateway variant is more deterministic because everything goes through FortiMail synchronously.

What's the DPDP / RBI compliance story?

Better than the gateway model, for one specific reason: mail bodies never leave your O365 tenant region. FortiMail Cloud SaaS reads mail content via Graph API, but doesn't require message contents to be relayed through Fortinet's scrubbing infrastructure. That simplifies the data-residency story under DPDP considerably. The FortiMail Cloud tenant itself sits in your chosen region (Central India available). RBI Cyber Security Framework and SEBI CSCRF don't yet have specific guidance on "in-band vs out-of-band" email security, but auditors have generally been comfortable with the API-mode deployment provided the Azure AD app-registration is documented, the Graph permission surface is on record, and there's an alert on the app principal for anomalous activity.

How does FortiMail Cloud SaaS coexist with Microsoft's own Purview DLP?

They coexist — you can run both. In practice, most customers pick one as the primary and use the other as a secondary check. Purview DLP is deeply integrated into M365 and covers Teams / SharePoint / OneDrive as well as mail. FortiMail Cloud SaaS DLP covers mail specifically and adds FortiGuard's content-inspection library (which is stronger on some Indian-specific patterns like Aadhaar / PAN / GSTIN detection). The recommendation depends on what else you're protecting — if it's mail-only DLP, either works; if you need Teams / SharePoint / OneDrive DLP as well, Purview is unavoidable and FortiMail adds mail-specific depth on top.

What's the licensing model? Per-user, per-domain, or tier-based?

FortiMail Cloud SaaS is licensed per protected user, sold via Fortinet's partner channel with regional volume tiers. The specific unit pricing is quoted per opportunity — Fortinet doesn't publish list pricing publicly, and any partner-quoted number depends on the mix of features (base mail security + FortiSandbox + FortiDLP + FortiSAT integration) and the customer's Fortinet Fabric commitment. If your organisation is already running FortiGate + FortiAnalyzer + FortiEDR / other Fortinet products, there are cross-product bundling discounts worth exploring in the RFQ.

What's a realistic timeline from decision to steady-state operation?

Weekend to two weeks, depending on how carefully you tune. Week 1: Azure AD app registration, tenant onboarding, monitor-mode enable (day one). Week 1 review: false-positive candidate list from monitor mode, tune allowlists / block lists. Week 2: enforcement mode with user-notification workflow. Week 2+: users get accustomed to the digest, IT sees the volume of quarantine-release requests trend down as users' senders get allowlisted. Steady state is usually within 3-4 weeks. Compare to the gateway model where deployment typically takes 4-6 weeks and cutover requires an overnight window.

Where does this deployment shape fit in an Ogma One SOC subscription?

FortiMail Cloud SaaS integrates cleanly with the SOC operations layer — its alerts feed into the SIEM (Sentinel or FortiSIEM Cloud) and correlate with EDR / firewall / identity signals for the same user. In our own Ogma One subscription (disclosure: pre-launch, our own build), the FortiMail Cloud SaaS deployment shape is the recommended first option for M365-native customers because of the fast deployment, low mail-flow risk, and internal-mail visibility for BEC detection. That said, we deploy the gateway variant for BFSI customers who need pre-delivery block. It's a per-customer architectural choice, not a one-size-fits-all recommendation.

ReferencesSources — Fortinet + Microsoft docs

Stay ahead of cyber threats

One short email a week — curated Indian cybersecurity news, Fortinet releases, DPDPA updates. No fluff.


Cato Firewall as a Service
Cato ZTNA — Zero Trust Network Access
Cato SASE Solution