Connecting AccessManager to EntraID tenant

MartinLL
Building a reputation

Hi Gang,

I'm currently constructing a lab with Meraki Access Manager and Entra ID. However, after following the documentation for the setup I get the message "connection invalid", and I'm struggling to figure out what the issue could be. I see a note in the docs about Entra ID licensing, but it is very unclear what the actual requirement is. Currently I'm running the Free Tier option.

Anyone had any issues/experience with Access Manager and Entra ID integration yet?

MLL
6 Replies
Mloraditch
Head in the Cloud

Access Manager is not available to most of us yet, but I suspect if it's a licensing issue you may need at least one Entra AD Premium P1 or equivalent license with that feature set. Legally, if you need that level of licensing you generally have to have every user have it, so outside of a Proof of Concept you will want to connect with a Microsoft VAR or similar resource to be sure you are compliant.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
RWelch
Kind of a big deal

Another forum suggests that it requires a premium license to access features like user provisioning and group synchronization for full functionality when managing network access through Meraki Access Manager.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
Ryan_Miles
Meraki Employee All-Star

@MartinLL I (and some others) had the same thing and had to edit the API permissions, then it synced fine.

Actually, this is covered in the doc now.

[Image: Screenshot 2025-03-11 at 14.08.58.png]

ShawnHu
Meraki Employee

This is exactly what I want to reply. You need to grant the proper permission before a successful sync.

BTW, AM is up on Meraki Launchpad demo org. https://cs.co/mlp 

MartinLL
Building a reputation

Thanks for the reply. You put me on the correct track!

I got it working with the least privilege approach. These are the final permissions I ended up with, and they seem to be the bare minimum, at least to get a full sync going.

[Image: MartinLL_2-1741769485669.png]

By adding these 2 as application permissions and not Delegated Permissions we don't need to add the Access Manager application with user impersonation permissions, which is a big plus from a security perspective.

[Image: MartinLL_1-1741768989281.png]

 

 

Ref: this document. Some of the steps could be expanded upon a bit, I think.

Organization End Users - Cisco Meraki Documentation

I am unsure if Directory.Read.All is necessary if we instead add Group.Read.All along with User.Read.All. Removing the Directory.Read.All permission would go a long way in boosting security posture.

Also, regarding licensing: I checked with a colleague who is quite learned in the ways of Azure. The Entra ID free tier should be enough for it to work, which is nice to know.

I will do some more testing on my end with the bare minimum permissions and do a short writeup here when I get time 🙂

 

MLL
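The post above argues for granting the integration only application permissions (User.Read.All and Group.Read.All) and questions whether Directory.Read.All is needed. The following is an added example, not Meraki's or Microsoft's code, of how a tenant admin can audit what a service principal has actually been granted before and after tightening. It takes the JSON shapes returned by the Microsoft Graph endpoints `/servicePrincipals/{id}/appRoleAssignments` (application permissions) and `/servicePrincipals/{id}/oauth2PermissionGrants` (delegated permissions), resolves app role GUIDs to names, flags anything outside a least-privilege allowlist, and reports delegated grants separately because those let the app act on behalf of signed-in users. The allowlist is the candidate minimum from the post, which is an assumption to confirm with a full sync; the GUID-to-name table is a hand-copied subset of Graph's published app roles that you should verify against your own tenant; the input records are constructed sample data, not a real tenant.

```python
"""Audit the Microsoft Graph permissions granted to an Entra ID service principal
(such as the one a Meraki Access Manager integration authenticates as) and flag
anything outside a least-privilege allowlist. Added example; not Meraki or
Microsoft code. Input is the JSON shape returned by the Graph endpoints
/servicePrincipals/{id}/appRoleAssignments (application permissions) and
/servicePrincipals/{id}/oauth2PermissionGrants (delegated permissions)."""
from __future__ import annotations

from dataclasses import dataclass, field

# Subset of the Microsoft Graph service principal's appRoles (application permissions).
# These are the published Graph app role IDs; verify them against your own tenant
# (Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'").
GRAPH_APP_ROLES = {
    "df021288-bdef-4463-88db-98f22de89214": "User.Read.All",
    "5b567255-7703-4780-807c-7be8301ae99b": "Group.Read.All",
    "7ab1d382-f21e-4acd-a863-ba3e13f7da61": "Directory.Read.All",
}

# Candidate minimum set from the thread (assumption: confirm with a full sync
# after removing anything broader; the integration's real minimum is not documented here).
LEAST_PRIVILEGE = {"User.Read.All", "Group.Read.All"}

# Permissions whose scope strictly contains allowlisted ones, so they are the
# first candidates to remove when tightening.
BROADER_THAN_NEEDED = {"Directory.Read.All": {"User.Read.All", "Group.Read.All"}}


@dataclass
class AuditResult:
    application_permissions: list[str]
    delegated_scopes: list[str]
    outside_allowlist: list[str]
    findings: list[str] = field(default_factory=list)


def resolve_app_roles(assignments: list[dict], roles: dict[str, str] = GRAPH_APP_ROLES) -> list[str]:
    """Map appRoleAssignments on the Graph resource to permission names."""
    names = set()
    for a in assignments:
        if a.get("resourceDisplayName", "Microsoft Graph") != "Microsoft Graph":
            continue  # roles on other resource apps are out of scope for this audit
        names.add(roles.get(a["appRoleId"], f"unknown:{a['appRoleId']}"))
    return sorted(names)


def delegated_scopes(grants: list[dict]) -> list[str]:
    """Flatten oauth2PermissionGrants; each grant carries a space-separated scope string."""
    scopes: set[str] = set()
    for g in grants:
        scopes.update(g.get("scope", "").split())
    return sorted(scopes)


def audit(assignments: list[dict], grants: list[dict], allowlist: set[str] = LEAST_PRIVILEGE) -> AuditResult:
    """Compare granted permissions against the allowlist and explain each deviation."""
    apps = resolve_app_roles(assignments)
    delegated = delegated_scopes(grants)
    outside = [p for p in apps if p not in allowlist]
    result = AuditResult(apps, delegated, outside)
    for p in outside:
        covered = BROADER_THAN_NEEDED.get(p)
        if covered:
            result.findings.append(
                f"{p} is broader than allowlisted {sorted(covered)}; test a sync without it")
        else:
            result.findings.append(f"{p} is not in the least-privilege allowlist")
    if delegated:
        result.findings.append(
            "delegated grant present (" + ", ".join(delegated)
            + "): the app can act on behalf of signed-in users; "
            "application permissions alone avoid that")
    return result


# Constructed sample: a lab service principal that still holds Directory.Read.All
# and a leftover delegated User.Read grant. Not real tenant data.
SAMPLE_APP_ROLE_ASSIGNMENTS = [
    {"appRoleId": "df021288-bdef-4463-88db-98f22de89214",
     "principalDisplayName": "Meraki Access Manager (lab)", "resourceDisplayName": "Microsoft Graph"},
    {"appRoleId": "5b567255-7703-4780-807c-7be8301ae99b",
     "principalDisplayName": "Meraki Access Manager (lab)", "resourceDisplayName": "Microsoft Graph"},
    {"appRoleId": "7ab1d382-f21e-4acd-a863-ba3e13f7da61",
     "principalDisplayName": "Meraki Access Manager (lab)", "resourceDisplayName": "Microsoft Graph"},
]
SAMPLE_OAUTH2_GRANTS = [
    {"consentType": "AllPrincipals", "scope": "User.Read"},
]

if __name__ == "__main__":
    r = audit(SAMPLE_APP_ROLE_ASSIGNMENTS, SAMPLE_OAUTH2_GRANTS)
    print("application permissions:", r.application_permissions)
    print("delegated scopes:", r.delegated_scopes)
    for f in r.findings:
        print("FINDING:", f)
```

Run it against the two Graph responses for your Access Manager service principal (for example fetched with `Get-MgServicePrincipalAppRoleAssignment` and `Get-MgServicePrincipalOauth2PermissionGrant`, then exported as JSON): an empty findings list means the app holds only the allowlisted application permissions and no delegated grant, which is the state the post describes as the goal.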
rhbirkelund
Kind of a big deal

I ran into exactly the same issue the other day as well.

I was following the guide in Organization End Users, and in my opinion, I think the Permissions step should be moved up a notch, as it is essential for sync to work, instead of as a step after attempting to sync.

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? Give a Kudo. Did it answer your question? Mark it as a Solution 🙂
