Access Manager MFA/Conditional access for Entra

Boston
Here to help

I'm currently trying out Meraki Access Manager in conjunction with Entra ID to try to use Entra groups and users to manage access for WiFi (and eventually, hopefully, switch-based access). A couple of issues I've found that I wanted to see if anyone had a workaround for, or had any information on if and when these things may be supported:


  1. We use conditional access and require MFA when logging in from outside of certain IPs. When trying to connect to an SSID that is using Meraki Access Manager, the login attempt comes from San Francisco, CA, and the IP changes often. Connection to the SSID fails because MFA requirements weren't met (no window, splash page, etc. pops up; it just doesn't let you connect).
    1. Has anyone seen or know of a set of public IPs that Meraki Access Manager would be authenticating from? We spoke to support and they don't currently have a list of IPs available. Will this eventually be published?
    2. Any clue if MFA modern authentication prompts, a splash page for MFA, or anything along those lines is going to be supported or is in the works?


Based on the logs, it fails because MFA can't be done and is required to authenticate. I know that we could exclude Meraki Access Manager from MFA requirements completely, but this leaves a pretty big security hole, especially if we can't lock that bypass down to a specific set of Meraki IPs. Has anybody come across this issue and found any secure ways of making this work at this point?

I am really looking forward to using this feature once it comes out of beta but cannot really use it the way it is set up currently.  

3 Replies
PhilipDAth
Kind of a big deal

You can only exclude the IP addresses for MFA if you have not yet been forcibly migrated to a modern MFA policy. You can see your migration status by going to:


https://entra.microsoft.com/ > Authentication Methods > Policies


You should aim to migrate to using certificate-based authentication. You can use Intune CloudPKI for this (requires an Intune licence and a Cloud PKI licence), or a Microsoft CA server (if you have Active Directory).


PS: This change affects all authentication with Entra ID. You won't be able to avoid MFA once migrated.

Boston
Here to help

This is only accurate if you are using traditional MFA. If you are using conditional access policies, as stated in the subject, you can absolutely still exclude IPs by marking them as a "trusted site".

PhilipDAth
Kind of a big deal

Check out this post of mine about it not working.

https://community.meraki.com/t5/Full-Stack-Network-Wide/Meraki-Access-Manager-with-username-password...


I've spent a considerable amount of time testing this.
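For readers who want to see what the two approaches discussed above look like in practice, here is an added example (not posted by anyone in this thread, and not Meraki or Microsoft documentation) in Microsoft Graph PowerShell. It first lists recent sign-ins that failed Conditional Access, with their source IP, which is how you would find the changing San Francisco addresses the original post mentions; it then creates the trusted named location and the "require MFA except from that location" policy that the second reply refers to, in report-only mode. The CIDR 203.0.113.0/24 is a placeholder (TEST-NET-3): as the thread notes, Meraki had not published Access Manager source ranges, so the real values have to come from your own sign-in logs, and a range you are not sure about is exactly the security hole the original poster is worried about.

```powershell
# Added example (not from the thread). Requires the Microsoft.Graph PowerShell SDK
# and an Entra ID P1 licence for Conditional Access and sign-in log access.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","AuditLog.Read.All"

# 1. Find the source IPs that Conditional Access is rejecting: sign-ins from the
#    last 24 hours whose CA evaluation failed, with the source address and error code.
$since = (Get-Date).AddDays(-1).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since and conditionalAccessStatus eq 'failure'" -Top 100 |
    Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, IpAddress,
                  @{ n = 'ErrorCode'; e = { $_.Status.ErrorCode } } |
    Format-Table -AutoSize

# 2. Trusted named location for the authenticator's egress addresses.
#    PLACEHOLDER range: replace with the addresses observed in step 1 once Meraki
#    confirms them; an unverified range makes the exclusion below an open bypass.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Meraki Access Manager egress (placeholder)"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" }
    )
}

# 3. Conditional Access policy: MFA for all users and apps from every location
#    except the named location. Created in report-only mode so the exclusion can
#    be checked against the sign-in logs before it is enforced.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Require MFA except from Access Manager egress"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All") }
        applications = @{ includeApplications = @("All") }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($location.Id)
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
"Created policy '$($policy.DisplayName)' (id $($policy.Id)) in report-only mode; excluded location id $($location.Id)"
```

Two practical notes. Before switching the policy to `enabled`, filter the sign-in logs again and confirm that only the Access Manager authentications are reported as matching the excluded location; any other application hitting the exclusion means the range is too wide. And keep the exclusion scoped as narrowly as you can (a dedicated policy or a target group of WiFi users rather than `All`), because a trusted named location is a full MFA bypass for whoever can source traffic from those addresses.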
