How should authentication be configured in firewall rules?

Friends, I implemented Sophos XG 210 and configured the STAS, integrated to Active Directory, XG can see the live users, I did not enable authentication in the rules yet, because when I do this, users lose their connection to the internet, or the Captive Portal is displayed.
I remember that XG has difficulty recognizing users, because the default group of the same is different from the group to which it belongs, for example, a user in the Accounting group, but its default group is Domain Users.
How should I configure authentication in firewall rules? By group same or should I put users individually?