FortiClient Autoconnect using Entra - Exclusions or timeout options?

Good Morning,

Thank you for the update. Please see my notes below - I'm not sure that any of these suggestions will fully resolve the issue but they do present opportunities for us to test and see if we can get it working as desired.

User Group Configuration - I'm not aware of any way to disable or exclude user groups from the auto connect configuration using firewall policies. We have user groups assigned to the remote IPsec policies, which controls if the user can/cannot access specific resources post auto-connect, but this does not limit if the auto-connect kicks off or not (a user that is not granted any access via firewall policies would still attempt to auto-connect per the EMS Remote Access policy that is applied to FortiClient but endlessly fail)

Firewall Policy Adjustment: This may work if we create a "catch all" user group as the last lookup and allow outbound WAN access only. That may prevent the endless auto connect failures for uses we don't necessarily want auto connecting to the VPN but is still not ideal because we don't need them connecting to the VPN at all. I assume local accounts would also still run into problems as they are unable to authenticate against Entra.

EMS Configuration - This may be the solution we need but will need to do some testing. Currently, our Endpoint Policies in EMS are only assigned to workstations. Importing AD users into EMS and configuring the policies to check against workstation and user may be the solution if we configure a "catch all" profile at the bottom and don't configure the auto-connect tunnel for that policy.

Connection Attempt Limits - Can you provide any additional information on this? The only connection attempt limits i see in the EMS Remote Profile are related to reconnecting after a connection drops (IE, Always Up Max Tries). From my testing, this only applies after a connection has been established and is then disconnected - does not appear to apply to the initial auto-connect attempt.

Custom Scripts or Automations: We could do something like this but to disable auto-connect we would need to update the endpoint profile based on repeated failures AND then update the endpoint profile again should a valid VPN user login to the workstation which seems cumbersome. Secure Remote Access Tags might be a solution, if we can say "host check fails because user is not a member of the VPN group" and the host check failure warning stops the auto-connection attempts once triggered.

Logging and Monitoring: This is primarily why we want to get the configuration working in a manner that excludes certain users. If we cannot exclude certain users from auto-connecting, logging will get flooded with failed connection attempts and limit our visibility on detecting what is a legitimate threat vs. a user account that is simply logged into a workstation that doesn't have VPN access.

I will do some additional testing with the options you included and see if we can find a valid workaround. Thanks!!