FortiGate
GW
Staff
Article Id 390887
Description This article explains why end users receive an 'Access Denied' error when FortiGate runs as an explicit web proxy with session-based authentication, and how to fix it.
Scope FortiGate v7.4+.
Solution

When FortiGate runs as an explicit web proxy with session-based authentication, using a typical configuration such as the one below, end users can reach most websites but not *.microsoft.com:


config firewall proxy-policy
    edit 1
        set name "Bypass_IdP"
        set proxy explicit-web
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "FAC"
        set service "webproxy"
        set action accept
        set schedule "always"
        set logtraffic all
    next
    edit 2
        set name "Auth_User"
        set proxy explicit-web
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set logtraffic all
        set groups "samlgroup"
        set ssl-ssh-profile "custom-deep-inspection"
    next
end


The cause is that the wildcard FQDN object 'microsoft' (covering *.microsoft.com) is exempted from SSL inspection in the 'custom-deep-inspection' profile applied to the 'Auth_User' policy:


config firewall ssl-ssh-profile
    edit "custom-deep-inspection"
        set comment "Customizable deep inspection profile."
        config ssl-exempt
            edit 23
                set type wildcard-fqdn
                set wildcard-fqdn "microsoft" <---
            next
        end
    next
end


Session-based authentication on HTTPS traffic depends on SSL/TLS deep inspection: the proxy must decrypt the session to see the HTTP request and apply authentication to it. A destination that matches an entry in the SSL exemption list is passed through without decryption, so session-based authentication is skipped for it and the request is rejected with 'Access Denied'.

Therefore, the fix is to remove that object from 'Exempt from SSL Inspection' in the SSL/SSH inspection profile applied to the authentication policy (here 'custom-deep-inspection').

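As an added example (not part of the original article), the CLI steps to confirm and remove the exempt entry, assuming the profile name 'custom-deep-inspection', the object name 'microsoft' and the entry ID 23 taken from the configuration shown in this article:

```text
# Check which pattern the wildcard FQDN object covers (expected: *.microsoft.com)
show firewall wildcard-fqdn custom microsoft

# List the exempt entries currently in the profile used by the 'Auth_User' policy
show firewall ssl-ssh-profile custom-deep-inspection

# Delete the exempt entry (ID 23 in this article) so *.microsoft.com is inspected again
config firewall ssl-ssh-profile
    edit "custom-deep-inspection"
        config ssl-exempt
            delete 23
        end
    next
end

# Verify the entry is gone before re-testing from a client
show firewall ssl-ssh-profile custom-deep-inspection
```

After the entry is removed, traffic to *.microsoft.com is decrypted and re-signed by the FortiGate, so clients must trust the CA certificate used by the deep-inspection profile, and applications that pin server certificates may fail; confirm this on a test client before rolling the change out.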

Contributors