HS08
Visitor III
March 31, 2026
Question

Entra Captive Portal


If the device is authenticated based on Entra ID using Captive Portal, can we assign the VLAN based on the Entra group?

3 replies

Stephen_G
Moderator
April 2, 2026

Hello HS08,

Thank you for using the Community Forum. I will seek to get you some help. We will reply to this thread with an update as soon as possible. 

Regards,
Stephen_G - Fortinet Community Team

ebilcari
Staff
April 3, 2026

You can refer to this article: Technical Tip: FortiNAC-F Captive Portal with Entra ID SSO and User Group Assignment and the Entra ID Cookbook.

Emirjon

SkylarDe
New Member
April 6, 2026

It sounds like a classic mismatch between the firewall's expected return URL and what Entra ID is sending back. Have you double-checked that the Redirect URI in your Azure App Registration exactly matches the one configured on the FortiGate? Even a missing trailing slash can sometimes break the handshake.

Another thing to look at is the walled garden (FQDN addresses) in your captive portal profile. If the client can't reach the Microsoft login endpoints or the CSS/JS resources before they are authenticated, the portal often just hangs or loops. It’s worth adding the common Microsoft login URLs to the exempt list to see if that clears it up.
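
The two checks suggested in the reply above, as an added example that is not part of the original post or of any Fortinet or Microsoft tooling: the first function reports why two redirect URIs fail an exact comparison, the second lists hosts from the login flow that no exempt entry covers. The function names, the `portal.example.com` and `cdn.example.net` values, and glob-style wildcard matching for exempt FQDNs are assumptions made for illustration.

```python
from fnmatch import fnmatch
from urllib.parse import urlsplit


def redirect_uri_mismatches(registered, configured):
    """List why two redirect URIs fail an exact, case-sensitive comparison."""
    if registered == configured:
        return []
    reasons = []
    if registered != registered.strip() or configured != configured.strip():
        reasons.append("leading or trailing whitespace")
    a, b = urlsplit(registered.strip()), urlsplit(configured.strip())
    if a.scheme != b.scheme:  # urlsplit lowercases the scheme
        reasons.append(f"scheme: {a.scheme} vs {b.scheme}")
    if a.hostname != b.hostname:  # .hostname is lowercased
        reasons.append(f"host: {a.hostname} vs {b.hostname}")
    if a.port != b.port:  # an explicit :443 is not the same string as no port
        reasons.append(f"port: {a.port} vs {b.port}")
    if a.path != b.path:
        if a.path.rstrip("/") == b.path.rstrip("/"):
            reasons.append("trailing slash")
        elif a.path.lower() == b.path.lower():
            reasons.append("path letter case")
        else:
            reasons.append(f"path: {a.path} vs {b.path}")
    if (a.query, a.fragment) != (b.query, b.fragment):
        reasons.append("query string or fragment")
    if not reasons:  # strings differ but every parsed component is equal
        reasons.append("letter case in scheme or host")
    return reasons


def unreachable_before_login(required_hosts, exempt_fqdns):
    """Hosts the client needs before authentication that no exempt entry covers."""
    return [h for h in required_hosts
            if not any(fnmatch(h.lower(), p.lower()) for p in exempt_fqdns)]


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    print(redirect_uri_mismatches("https://portal.example.com/callback/",
                                  "https://portal.example.com/callback"))
    # required_hosts would normally come from a browser network trace of the login page.
    print(unreachable_before_login(["login.microsoftonline.com", "cdn.example.net"],
                                   ["login.microsoftonline.com", "*.example.org"]))
```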