Meraki Access Manager - with username+password

PhilipDAth
Kind of a big deal


I'm trying to follow this guide to try out Access Manager using username+password authentication.

https://documentation.meraki.com/Access_Manager/Access_Manager_Configuration_Guides/Access_Manager_U...


The issue is on the Entra ID side.

I configured an exclusion in every conditional access policy for the app (yucky, but ok).  So 100%, there is no policy requiring MFA.

[screenshot: conditional access policy exclusions]

Our authentication methods policy has been fully migrated to use modern policies.

[screenshot: authentication methods policy migration status]

Despite having every conditional access disabled through exclusion, Entra ID is saying the authentication failed because MFA is required.  Everyone has to do the above migration - there is no choice.

[screenshot: Entra ID sign-in failure stating MFA is required]

So does this mean the entire section on using username/password authentication against Entra ID in the new Access Manager is a non-starter?  Will anyone who has it working at the moment have it fail when their tenancy is forcibly migrated?

alemabrahao
Kind of a big deal

I've never configured or implemented anything like this but after searching a bit I found these links. I hope it helps you.

Manage users excluded from Conditional Access policies - Microsoft Entra ID Governance | Microsoft L...

How to troubleshoot sign-in errors - Microsoft Entra ID | Microsoft Learn

PhilipDAth
Kind of a big deal

Good attempt, but neither of those help.

cmr
Kind of a big deal

I just tried setting this up and it seems you are right, a somewhat useless feature 😥

cmr
Kind of a big deal

This is what the session logs show:

[screenshot: Access Manager session log showing the MFA-required failure]

PhilipDAth
Kind of a big deal

That is what I get as well.  There is simply no way (once Authentication Methods is migrated) to create an account that does not require MFA.

Ruben_S
Comes here often

Hello,

I confirm I'm able to make it work after excluding my "Meraki_Access_Manager" App registration from the existing Conditional Access rules.

Ruben

PhilipDAth
Kind of a big deal

Have your Authentication methods been migrated?

[screenshot: authentication methods policy migration status]

Ruben_S
Comes here often

Not yet. Status is "in progress"

PhilipDAth
Kind of a big deal

That means it is not migrated yet.  The username/password authentication is likely to break once it is completed.

linuxoid70
Conversationalist

Any progress? Did you make it work?

No matter what I do (I even excluded the Access Manager app from Conditional Access as a whole), I am still getting the same error as shown in the screenshot above (the MFA thing).
Anyone made it work?

PhilipDAth
Kind of a big deal

If your authentication methods have been migrated to "Modern" (which you cannot stop), you will no longer be able to use username/password authentication.  You can only use certificate authentication.

This is because the modern authentication method FORCES the use of MFA.  It is not possible to create a conditional access policy to prevent it.

Boston
Here to help

This is not accurate, we are on "modern" and have it working, it's just a function of setting up the conditional access policies to exclude the enterprise app when originating from Meraki's broker IPs.  It 100% works if set up this way.  The big problem is getting a comprehensive list of Meraki broker IPs.
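Before blaming the tenant migration, it helps to audit the Conditional Access policies and the authentication methods migration state programmatically. The script below is an added example written for this thread, not code from Meraki or any poster; it runs over constructed, trimmed copies of the objects Microsoft Graph returns from `GET /identity/conditionalAccess/policies` and `GET /policies/authenticationMethodsPolicy`, and `APP_ID` is a placeholder for your Access Manager app registration id.

```python
# Audit helper for the Entra ID side of Meraki Access Manager username/password auth.
# Field names follow the Microsoft Graph conditionalAccessPolicy and
# authenticationMethodsPolicy resources; the data itself is constructed sample input.

APP_ID = "00000000-0000-0000-0000-0000000000aa"  # placeholder app registration id

# Constructed sample: what a trimmed Graph policy listing might look like.
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["All"],
                                     "excludeApplications": [APP_ID]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy auth", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["All"],
                                     "excludeApplications": []}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "MFA from untrusted networks",
     "state": "enabledForReportingButNotEnforced",   # report-only, not enforced
     "conditions": {"applications": {"includeApplications": ["All"],
                                     "excludeApplications": []}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]
# Constructed sample: the migration state cmr/Ruben_S saw as "in progress".
SAMPLE_METHODS_POLICY = {"policyMigrationState": "migrationInProgress"}


def policies_requiring_mfa_for_app(policies, app_id):
    """Names of enforced policies that require MFA and still apply to app_id."""
    hits = []
    for p in policies:
        if p.get("state") != "enabled":          # report-only/disabled never enforce
            continue
        controls = (p.get("grantControls") or {}).get("builtInControls", [])
        if "mfa" not in controls:
            continue
        apps = p["conditions"]["applications"]
        included = apps.get("includeApplications", [])
        excluded = apps.get("excludeApplications", [])
        if ("All" in included or app_id in included) and app_id not in excluded:
            hits.append(p["displayName"])
    return hits


def methods_policy_migrated(methods_policy):
    """True once the authentication methods policy migration is complete."""
    return methods_policy.get("policyMigrationState") == "migrationComplete"


if __name__ == "__main__":
    print("CA policies still requiring MFA for the app:",
          policies_requiring_mfa_for_app(SAMPLE_POLICIES, APP_ID) or "none")
    print("Authentication methods migration complete:",
          methods_policy_migrated(SAMPLE_METHODS_POLICY))
```

If the first list is empty and the sign-in still fails with an MFA requirement, the cause is outside Conditional Access (per-user MFA, security defaults, or Identity Protection, as discussed further down the thread).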

PhilipDAth
Kind of a big deal

Please refer to my original post, where I included a screenshot showing that the Enterprise app was excluded from all conditional access policies.

I am not sure what the secret is, then.

Boston
Here to help

hmm...

Is it possible that you still have legacy per-user MFA (or security defaults) enabled as well as conditional access policies?  I have seen in some tenants in the past where Microsoft didn't transition the tenant properly and for certain scenarios it's falling back to PUMFA when CA does not apply ...

But now that I am looking closer at your screenshots.... I am having flashbacks from about 3 years ago with this.... do you have Identity Protection set up?  It can require MFA without a CA policy if you have it set that way.

Either way I can 100% confirm it works on 3 different environments I work in.

PhilipDAth
Kind of a big deal

Legacy per-user MFA is disabled.

We don't have a licence for Identity Protection, nor have we configured any policies using it.
