Meraki

MartinLL

Hi Gang,

I'm currently constructing a lab with Meraki AccessManager and EntraID. However after following the documentation for the setup i get the message "connection invalid". However i'm struggeling with figuring out what the issue could be. I see a note in the docs about EntraID lincesing, but it is very unclear on what the actuall requirement is. Currently im running the Free Tier option.

Anyone had any issues/experiense with AccessManager and EntraID integration yet?

MLL

Mloraditch

Access Manager is not available to most of us yet, but I suspect if it's a licensing issue you may need a least one Entra AD Premium P1 or equivalent license with that feature set. Legally if you need that level of licensing you generally have to have every user have it, so outside of a Proof of Concept you will want to connect with Microsoft VAR or similar resource to be sure you are compliant.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.

RWelch

Another forum suggests that it requires a premium license to access features like user provisioning and group synchronization for full functionality when managing network access through Meraki Access Manager.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.

Ryan_Miles

@MartinLL I (and some others) had the same thing and had to edit the API permissions then it synced fine.

Actually, this is covered in the doc now.

ShawnHu

This is exactly what I want to rely. You need to grant the proper permission before a successful sync.

BTW, AM is up on Meraki Launchpad demo org. https://cs.co/mlp

MartinLL

Thanks for the reply. You put me on the correct track!

I got it working with the least privilege approach. These are the final permissions i ended on and seems to be the bare minimum. At least to get a full sync going.

By adding these 2 as application permissions and not Delegated Permissions we dont need to add the Access Manager application with user impersonation permissions, which is a big pluss from a security perspective.

ref: to this document. Some of the steps could be expanded upon a bit i think.

Organization End Users - Cisco Meraki Documentation

I am unsure if Directory.Read.All is necessary if we instead add Group.Read.All along with User.Read.All. Removing the Directory.Read.All permission would go a long way in boosting security posture.

Also regarding licensing. Checked with a colleague who is quite learned in the ways of Azure. The Entra ID free tier should be enough for it to work, which is nice to know.

I will do some more testing on my end with the bare minimum permissions and do a short writeup here when i get time 🙂

MLL

rhbirkelund

I ran exactly into the issue the other day aswell.

I was following the guide in Organization End Users, and in my opinion, I think the Permissions step should be moved up a notch, as it is essential for sync to work, instead of as a step after attempting to sync.

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.

Meraki

Community

Connecting AccessManager to EntraID tenant

Connecting AccessManager to EntraID tenant