I analyzed the users who reported the problem but their configuration is correct and the same as the others.
Then for 99.9% of users the access to SSLVPN is correct after entering username+password+token, while for a few random users they manage to access without token.

i assume that web connections are w/o MFA ?

All users and all type of SSLVPN connection (tunnel or web mode) are with MFA (token or OTP email).

worth having a look, https://community.fortinet.com/t5/FortiGate/Technical-Tip-SSL-VPN-users-show-as-Two-factor-authentic...

as for token not being requested although the user is configured with it, i would start doing debug/checks for them and start isolating the issue. there's gotta be an explanation.

Thanks for your support. Do you think I should try to update to 7.2.9 or later?
In the document of Fortinet Community you've shared,  I don't understand what it mean by "However, to address this error alert, it is recommended to provide the user credentials (username and password together) and then allow a brief interval (Seconds) as FortiGate prompts for two-factor authentication (2FA). " because the login procedure via client or web already requires the token to be entered a few seconds after entering the username and password...
Analyzing the problem is very difficult because it is a problem that occurs randomly on very few users and not always...
All users are configured with MFA but sometimes, some, and not always the same ones, log in only with username+password.

i would go for 7.2.11 since 7.0 version is out of support, but its not guaranteed that it would solve your situation which to be honest is a little bit strange, i havent seen so far when users with MFA enabled try to login they succed w/o entering anything.

7.0 will be out of support from 30.09.2025, but I am considering upgrading to version 7.2.9 or later.

I agree with you, the situation is very strange...