Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ChrisTan
Staff
Staff

Created on ‎12-16-2024 09:59 PM

Article Id 364207

Technical Tip: How to check Azure the inherited (nested) groups for SAML login

Description This article describes how to identify Azure SAML groups when the portal displays fewer than 150 groups but authentication still fails.
Scope FortiGate, Azure SAML Authentication.
Solution

In some cases, the user groups displayed in the Azure portal do not align with those listed in SAML Authentication. This discrepancy occurs because the Azure portal does not display inherited (nested) groups.

 

2024-12-12_15h14_10.png


From the SAML debug log, there are five groups in the SAML assertion:

 

samld_send_common_reply [95]: Attr: 10, 108, 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups' '8724203f-b372-4648-b9ae-8254d36cf736'
samld_send_common_reply [95]: Attr: 10, 108, 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups' 'a425fb5d-8c25-4af2-bcf2-e59b349f17d8'
samld_send_common_reply [95]: Attr: 10, 108, 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups' '3ad24389-a0ed-47a7-ab0f-bf71573f51b6'
samld_send_common_reply [95]: Attr: 10, 108, 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups' 'f055bcad-8a59-4e71-a827-88ecebc45a27'
samld_send_common_reply [95]: Attr: 10, 108, 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups' 'bdc357d3-d318-4132-8a86-8f88bab5b4fa'

 

For example, the group 'chris top' may include two nested groups, 'chris' and 'chris1', but does not directly contain any users.

As a result, the nested group memberships may not appear in the Azure portal but are still included in the SAML assertion.

 

2024-12-12_15h53_19.png

 

2024-12-12_15h56_59.png

 

To verify the total groups, including inherited ones, use the following commands in the Azure Cloud Shell:

 

2024-12-12_15h51_37.png

 

Count the total groups (including nested groups):


az ad user get-member-groups --id "<user-object-id>" --query "length(@)" -o tsv

 

List all groups the user belongs to:


az ad user get-member-groups --id "<user-object-id>"

 

View detailed information for a specific group (by Group Object ID):


az ad group show --id "<group-object-id>"

 

These commands allow the retrieval of accurate group membership information, including nested groups, that may not be visible in the Azure portal.

 

Related article:

Technical Tip: Understanding the limitation of 150 assertions from Microsoft Azure as SAML IdP that ...
258
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.