This article describes an issue where a FortiSASE user is unable to match the correct user group due to a mismatch between the user group configuration in Azure and FortiGate.
FortiSASE
Consider a case where a user's internet access was not working. The username was identified as abc@example.com, belonging to the group Internet_Group.
Upon verification of the configuration, internet access was only granted to a custom-configured user group and not to all user groups.
Further investigation revealed that the user was matching the default SSO group VPN_SSO_AUTH_GROUP, where the group name was set to 'any'.
As a result, internet access was not allowed because the user was not matching the Internet_Group.
The correct user group had already been configured on FortiSASE with the correct Azure Group ID, but when the user logged in to the VPN on FortiSASE, the user still did not match Internet_Group.
Upon further verification, it was discovered that the source attribute in Azure was set to sAMAccountName, while FortiSASE was expecting the Group ID to match user groups.
The source attribute in Azure was then updated to use the Group ID, aligning with FortiSASE expectations.
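The following added example (not Fortinet code) shows one way to confirm this mismatch from a captured SSO assertion before changing the Azure side. It assumes the SSO exchange is SAML and that the groups arrive in the default Entra ID group claim; the Group ID, the policy table and both assertions are constructed sample values, and the sAMAccountName value is assumed to equal the group name.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Default Entra ID (Azure AD) group claim name; assumed to be the attribute read by the SP.
GROUP_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)

# Constructed policy table: user group name -> Azure Group ID it is configured with.
CONFIGURED_GROUPS = {"Internet_Group": "11111111-2222-3333-4444-555555555555"}
DEFAULT_GROUP = "VPN_SSO_AUTH_GROUP"  # group name 'any', so it matches every user


def group_values(assertion_xml):
    """Return every value carried in the group claim of a SAML assertion."""
    root = ET.fromstring(assertion_xml)
    path = ".//saml:Attribute[@Name='%s']/saml:AttributeValue" % GROUP_CLAIM
    return [(v.text or "").strip() for v in root.findall(path, NS)]


def diagnose(assertion_xml):
    """Diagnostic only: no signature check, run it on your own captured assertion."""
    values = group_values(assertion_xml)
    by_id = {gid.lower(): name for name, gid in CONFIGURED_GROUPS.items()}
    matched = [by_id[v.lower()] for v in values if v.lower() in by_id]
    non_guid = [v for v in values if not GUID_RE.match(v)]
    return {
        "matched": matched or [DEFAULT_GROUP],   # fall through to the 'any' group
        "non_guid_values": non_guid,             # names sent where IDs are expected
        "source_attribute_mismatch": bool(non_guid) and not matched,
    }


def make_assertion(*groups):
    """Build a minimal constructed assertion carrying the given group claim values."""
    vals = "".join("<saml:AttributeValue>%s</saml:AttributeValue>" % g for g in groups)
    return ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
            '<saml:AttributeStatement><saml:Attribute Name="%s">%s</saml:Attribute>'
            '</saml:AttributeStatement></saml:Assertion>' % (GROUP_CLAIM, vals))


BEFORE = make_assertion("Internet_Group")                        # sAMAccountName source
AFTER = make_assertion("11111111-2222-3333-4444-555555555555")   # Group ID source

if __name__ == "__main__":
    print("before:", diagnose(BEFORE))
    print("after: ", diagnose(AFTER))
```

A non-empty `non_guid_values` list together with a fall-through to the default group is the signature of the source attribute being set to a name rather than the Group ID.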