Yes I have set up NPS and use 802.1x WPA2 enterprise with RADIUS

I have already linked AD groups to Meraki groups and it works - for layer 3, layer 7 and traffic shaping rules

What I want is to.be able to put students into AD group on the day of their exam, where they are allowed to use their computer but with at lot of restrictions - here I need the security appliance only restrictions so I can limit their internet access only to a few websites.

That AD group maps to a Meraki group - let's call it "RestrictedExamAccess".

All clients get the right 802.1x policy but it only maps to the layer 3, layer 7 and traffic shaping rules of the Meraki group policy.

For the security appliance only rules I have to manually set each device policy to "RestrictedExamAccess" - which is a poor solution when it has to be done for hundreds of students

The above mapping works for me with content filtering as well.  We use it to allow users to get to Dropbox so we just have to make sure they are in the AD group and it automatically maps to the Meraki group and allows them access.  Although there is a slight delay for it to sync.  Which part(s) aren't mapping/working in your test because it seems like you are trying to do what we are doing?

The part that isn't working is the settings on the image to the right. The image on the left shows a client which received the 802.1x policy "EksamenStrict". Below you se no rules for layer 3, layer 7 and a single traffic shaping rule. These rules work fine (also layer 3 and layer 7 if there were any)

But note that the device policy says "normal" If I change the device policy to "group policy" and select the "EksamenStrict" Meraki group policy, then the rules on the above image works.

It seems as if 802.1x policy only applies to layer 3, layer 7 and traffic shaping rules - the mapping of AD groups and Meraki groups does not include "security appliance only" rules - unless you manually set the device policy.

I think I may be getting a sense of what you have going on here.  So in your "left" image, it shows the 802.1x "Access Policy".  The only settings that tie to that policy are in Switch>Access Policies and they look like this:

Group Policies, on the other hand, are configured under Network Wide>Group Policies.  They look more like this:

I believe there are two ways you can assign the Group Policy to a device.  One is manual as you observed and that would be annoying.  The second is to go to Security Appliance>Active Directory and link your Active Directory Group to the Meraki Group Policy.  I don't believe this shows up in the dashboard when you view a computer but it definitely works.  Then you can just assign users to that Active Directory Group and they'll automatically get the permissions from the Meraki Group Policy.    

You are quite right - the trouble however is, that it's precisely what I've done:

I have no trouble mapping the AD-group and the Meraki policy - only trouble is, that I only get layer 3, layer 7 and traffic shaping rules - none of the rules listed under "Security appliance only" in the Meraki group policy page are working.

There seems to be a difference between 802.1x policy and device policy. My testing shows, that AD groups only control layer 3, layer 7 and traffic shaping rules of the Meraki group policy. The last part (the rules below Security appliance only) has to do with a device policy, that needs to be set manually.

What types of things are you trying to set for the Security Appliance Only section that aren't working?  In the Dropbox policy I've referenced, those work just fine.  Here is what I do since we block File Sharing.  I append whitelisted dropbox items then if the user is part of that AD group it maps to this Meraki Group Policy and allows them.  

Here are my settings:

I have blocked every URL pattern (*) only allowing the ones I have whitelisted. This part is only working if I set the device policy to the group policy name manually.

Two things I'd try.

1.  Just set the * as the default in Security Appliance>Content Filtering for blocked and in your Group Policy configure the whitelist to append.

2.  Try just setting a single site to blacklist in your policy to test if for some reason it is the * thing messing it up. 

Thanks a lot - I'll try that tomorrow 

I have now tried all the settings below 'Security appliance only' and none of them works. I tried to blacklist a single website with no luck.

However, all setting work when I manually choose to set the device policy for the client to the same group policy

My conclusion is - at least in my setup with WPA2 enterprise and RADIUS - that AD groups mapped to Meraki groups only gives the client part of the group policy (layer 3, layer 7 and traffic shaping rules) and that the last part of the policy (security appliance only) is controlled by device policy that has to be set manually.