sbabu
Staff
February 23, 2026

Troubleshooting Tip: How to troubleshoot SAML authentication error -700003 in FortiClient while connecting to FortiSASE VPN

Description

This article describes how to troubleshoot SAML authentication error -700003 in FortiClient while connecting to FortiSASE VPN.

Scope

FortiClient, FortiSASE, Microsoft Entra ID.

Solution

During the SAML authentication process in FortiClient, a user may encounter an error associated with code 700003.

This typically occurs when Microsoft Entra ID is unable to validate the device object during device-based authentication.


When a user attempts to authenticate via SAML using FortiClient, Microsoft Entra ID performs device-based authentication checks based on the following criteria:

  • Whether the device is registered to the domain.
  • Whether the device is Azure AD joined or Hybrid Azure AD joined.
  • Whether the device object still exists in Entra ID.
  • Whether the device is compliant (if Conditional Access policies are applied).

If the device object has been deleted from Entra ID, the authentication will fail with error code 700003.
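
One way to confirm this condition on the affected Windows device before changing anything, shown as an added example that is not part of the original article or of any Fortinet tooling: the function below parses the output of the built-in `dsregcmd /status` command and flags a device that is locally joined but fails the directory check. The function name and the sample text are constructed for illustration, and the script does not evaluate Conditional Access compliance.

```powershell
# Added example: summarise the local device-registration state.
# Field names are the ones printed by the Windows built-in `dsregcmd /status`.
function Get-DeviceRegistrationSummary {
    param(
        # Lines of `dsregcmd /status` output; defaults to running it locally.
        [string[]]$StatusText = (dsregcmd.exe /status)
    )
    # Collect "Name : Value" pairs; section banners and blank lines are skipped.
    $fields = @{}
    foreach ($line in $StatusText) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    $joined = $fields['AzureAdJoined'] -eq 'YES'
    $auth   = $fields['DeviceAuthStatus']
    [pscustomobject]@{
        AzureAdJoined    = $joined
        # Joined to both the on-premises domain and the directory.
        HybridJoined     = $joined -and ($fields['DomainJoined'] -eq 'YES')
        DeviceId         = $fields['DeviceId']
        DeviceAuthStatus = $auth
        # Locally joined, but the directory reports the object disabled or deleted.
        # False when DeviceAuthStatus is absent, which proves nothing either way.
        StaleObject      = $joined -and ($auth -like 'FAILED*')
    }
}

# Constructed sample output (not captured from a real device).
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
                  DeviceId : 00000000-0000-0000-0000-000000000000
          DeviceAuthStatus : FAILED. Device is either disabled or deleted
'@ -split "`r?`n"

Get-DeviceRegistrationSummary -StatusText $sample   # parse the sample
# Get-DeviceRegistrationSummary                     # or query the local device
```

When `StaleObject` is true, the local join state no longer matches an enabled device object in Entra ID, which is the situation the steps below correct.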

To resolve this issue, follow the steps below:

  1. Remove the connected work/school account from Microsoft Accounts on the affected device.

  2. Reboot the device.

  3. Re-register or log back in using Azure AD credentials.

  4. Relaunch FortiClient to connect to FortiSASE VPN.