This limitation results in incomplete retrieval of group memberships for users who belong to a large number of groups (typically more than 100). Consequently, not all memberships are processed, and the user may not appear in all applicable remote groups. Note that authentication itself succeeds. The limitation affects group-based authorization, because the user's group memberships are only partially visible.
In the logs, this behavior can be identified by observing that only up to 100 groups are returned during the group membership query. The logs will include an @odata.nextLink entry, indicating that additional group memberships exist but are not retrieved. For example:
YYYY-MM-DD HH:MM:SS.MS +0200 [radius-request-1] DEBUG c.f.f.s.s.g.i.RemoteGroupServiceImpl - updateRemoteGroupMembershipsForValidUsers(), user membership fetched. userId: user@domain.com, application: App_Reg_FortiNAC, userGroupMap: { "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#directoryObjects(id,displayName)", "@odata.nextLink": "https://graph.microsoft.com/v1.0/users/user@domain.com/memberOf?...", "value": [
The @odata.nextLink field confirms that additional pages of data exist. If the connector does not follow this link to retrieve subsequent pages, only the initial set of groups is processed, resulting in incomplete synchronization of group membership.
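To list which users are affected, the following check scans debug log entries for the membership-fetch message shown above and reports every userId whose response still carried an @odata.nextLink. This is an added example, not Fortinet code; it assumes each log entry starts with a timestamp and that the JSON payload may wrap across several lines, and the sample entries are constructed.

```python
import re
from collections import defaultdict

# Marker text and field names are taken from the log excerpt on this page.
MARKER = "updateRemoteGroupMembershipsForValidUsers(), user membership fetched."
FIELDS = re.compile(r"userId:\s*(?P<user>[^,\s]+),\s*application:\s*(?P<app>[^,\s]+)")
# Assumption: every new log entry begins with a YYYY-MM-DD timestamp.
ENTRY_START = re.compile(r"^\d{4}-\d{2}-\d{2} ")

def entries(lines):
    """Group physical lines into log entries (JSON payloads may span lines)."""
    current = []
    for line in lines:
        if ENTRY_START.match(line) and current:
            yield "\n".join(current)
            current = []
        current.append(line.rstrip("\n"))
    if current:
        yield "\n".join(current)

def truncated_memberships(lines):
    """Return {userId: {applications}} for lookups that stopped at the first page."""
    hits = defaultdict(set)
    for entry in entries(lines):
        if MARKER not in entry:
            continue
        m = FIELDS.search(entry)
        # A nextLink in the logged response means more pages existed.
        if m and '"@odata.nextLink"' in entry:
            hits[m.group("user")].add(m.group("app"))
    return dict(hits)

# Constructed sample entries modelled on the excerpt above (not real log data).
SAMPLE = """\
2025-01-10 09:15:02.101 +0200 [radius-request-1] DEBUG c.f.f.s.s.g.i.RemoteGroupServiceImpl - updateRemoteGroupMembershipsForValidUsers(), user membership fetched. userId: alice@example.com, application: App_Reg_FortiNAC, userGroupMap: { "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#directoryObjects(id,displayName)",
 "@odata.nextLink": "https://graph.microsoft.com/v1.0/users/alice@example.com/memberOf?$skiptoken=CONSTRUCTED",
 "value": [ {"id": "g1", "displayName": "Group-001"} ] }
2025-01-10 09:15:07.450 +0200 [radius-request-2] DEBUG c.f.f.s.s.g.i.RemoteGroupServiceImpl - updateRemoteGroupMembershipsForValidUsers(), user membership fetched. userId: bob@example.com, application: App_Reg_FortiNAC, userGroupMap: { "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#directoryObjects(id,displayName)", "value": [ {"id": "g7", "displayName": "Staff"} ] }
""".splitlines()

if __name__ == "__main__":
    for user, apps in truncated_memberships(SAMPLE).items():
        print(f"incomplete group list: {user} via {', '.join(sorted(apps))}")
```

Users reported by this check authenticated successfully but may be missing from remote groups that authorization policy depends on, so their policy assignments should be reviewed until the fixed version is installed.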
The behavior is reported under ID 1284094 and is fixed in FortiNAC v7.6.7.
Guide: Microsoft Entra ID Authentication Cookbook.