Troubleshooting Tip: Endpoint Profile cannot be applied to Entra ID group when authenticated onboarding is enabled

The following solution is only applied to FortiSASE that is running on Feature release with authenticated onboarding enabled.

In order for FortiSASE to correctly identify Entra ID user and its group memberships, when configuring authenticated onboarding (Access & Authentication -> SSO -> Authenticated onboarding) in FortiSASE, ensure that the option 'Include associated domain' is enabled and select the Entra ID domain configured in Access & Authentication -> Domains.

This will ensure that when the Entra user is being authenticated during onboarding, the user or group memberships are being recognized as from Entra ID.