Lacework
Alex_Shutt
Staff
Article Id 414027
Description This article describes a possible cause for a newly configured Microsoft Entra ID SSO integration not allowing logins to FortiCNAPP.
Scope Integrating Microsoft Entra ID SAML with JIT (just-in-time) user provisioning directly with the FortiCNAPP console (not using FortiCloud for SSO).
Solution

As part of configuring Microsoft Entra ID to provide SSO authentication for FortiCNAPP, step 5 of the Entra SSO documentation describes a configuration choice between assigning specific users and groups to the FortiCNAPP enterprise application, or not assigning any:
Microsoft Entra ID SAML JIT


Not assigning any users or groups is effectively an 'allow all' option.

(There are security considerations when choosing this mode. Specifically, it allows every user in the tenant, including invited external (guest) users, to sign in to FortiCNAPP, and it allows any other application in the tenant to obtain access tokens for the FortiCNAPP application. Assigning users or groups is the least-privilege choice.)


If the 'allow all' option is chosen, however, the initial test logins via Entra SSO fail for all users with the following error:

Error AADSTS50105 - The signed in user is not assigned to a role for the application


This error occurs because the default for enterprise applications is to have the 'Assignment required?' property (shown under Properties) set to 'Yes', meaning that a user, or a group containing the user, must be explicitly assigned to the application before that user can log in. Choosing not to assign anyone in the SSO setup does not change this property.

Properties of an enterprise application


The resolution is therefore to do one of the following:

  • Use the alternative route of assigning the required users and groups to the enterprise application, leaving 'Assignment required?' set to 'Yes' (preferred, as only the assigned principals can log in).
  • Set the enterprise application property 'Assignment required?' to 'No'. Unassigned users and groups are then able to log in, with the security considerations noted above.
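The following Microsoft Graph PowerShell script is an added example, not part of the original article or of Fortinet's or Microsoft's documentation. It checks the property behind the 'Assignment required?' switch and the current assignments (which together reproduce the AADSTS50105 symptom when the property is true and the list is empty), then applies either resolution. The enterprise application display name 'FortiCNAPP' and the group name 'FortiCNAPP-Users' are assumptions; substitute the names used in your tenant.

```powershell
# Added example (not from the article or vendor docs). Requires the Microsoft.Graph module
# and an account that can consent to Application.ReadWrite.All and Group.Read.All.
# 'FortiCNAPP' and 'FortiCNAPP-Users' are assumed names; replace them with your own.
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'Group.Read.All'

# Locate the enterprise application (service principal) created for the SAML integration.
$sp = Get-MgServicePrincipal -Filter "displayName eq 'FortiCNAPP'"
if (-not $sp) { throw "Enterprise application 'FortiCNAPP' not found; check the display name." }

# This property is the 'Assignment required?' switch in the portal.
# $true means an unassigned user fails sign-in with AADSTS50105.
"Assignment required: $($sp.AppRoleAssignmentRequired)"

# List the current assignments; an empty list with AppRoleAssignmentRequired = $true
# is the misconfiguration described in this article.
$assigned = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id
"Assigned principals: $($assigned.Count)"
$assigned | Select-Object PrincipalDisplayName, PrincipalType, AppRoleId

# Option A (preferred): keep 'Assignment required?' = Yes and assign a group.
# Pick the app's first enabled role that users may hold; apps that define no roles
# use the empty GUID, which Entra treats as the 'default access' role.
$group = Get-MgGroup -Filter "displayName eq 'FortiCNAPP-Users'"
if (-not $group) { throw "Group 'FortiCNAPP-Users' not found." }
$role = $sp.AppRoles |
    Where-Object { $_.IsEnabled -and $_.AllowedMemberTypes -contains 'User' } |
    Select-Object -First 1
$roleId = if ($role) { $role.Id } else { [string][Guid]::Empty }
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id `
    -PrincipalId $group.Id -ResourceId $sp.Id -AppRoleId $roleId

# Option B: allow every tenant user (including guests) to sign in.
# Uncomment only if the 'allow all' behaviour is actually wanted.
# Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$false

# Re-read the service principal to confirm the resulting state.
$sp = Get-MgServicePrincipal -ServicePrincipalId $sp.Id
"Assignment required is now: $($sp.AppRoleAssignmentRequired)"
```

Option A is the one to apply in most tenants: it keeps the AADSTS50105 guard in place for everyone outside the assigned group, so membership of 'FortiCNAPP-Users' becomes the single place where access to the console is granted and reviewed. Option B should be reserved for tenants where every user (and every other application able to request a token) is intended to reach FortiCNAPP.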