Thanks for the reply. You put me on the correct track! I got it working with the least privilege approach. These are the final permissions i ended on and seems to be the bare minimum. At least to get a full sync going.     By adding these 2 as application permissions and not Delegated Permissions we dont need to add the Access Manager application with user impersonation permissions, which is a big pluss from a security perspective.     ref: to this document. Some of the steps could be expanded upon a bit i think. Organization End Users - Cisco Meraki Documentation   I am unsure if Directory.Read.All is necessary if we instead add Group.Read.All along with User.Read.All. Removing the Directory.Read.All permission would go a long way in boosting security posture.    Also regarding licensing. Checked with a colleague who is quite learned in the ways of Azure. The Entra ID free tier should be enough for it to work, which is nice to know.   I will do some more testing on my end with the bare minimum permissions and do a short writeup here when i get time 🙂   ... View more

You need to contact Meraki support so they can move you over to a shard that has this enabled. I recommend that you only do this for test orgs. ... View more

You need to use SAML if you dont have any radius service like ISE that can forward your authentication to an MFA server.   Read here. https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/AnyConnect_Azure_AD_SAML_Configuration ... View more

Most likely because the NAT gateway only serves Azure devices instanciated in the VNET where the NAT gateway is then.   At this point, if it has to be in azure you must deploy an NVA. Azure firewall basic is not that bad price wise. ... View more

Hmm, what if you add the ip address of the 3. party site you wanna reach to the split tunnel config, then on the azure side you add an UDR to the vMX subnet that points the anyconnect ip pool back to the vMX? In theory that should work with the NAT gateway. ... View more

Dont use the vMX instance public ip. In fact i'm pretty sure that you cant. The vMX VM public IP is not something the vMX can NAT to, so you wont reach the internet that way.   What i would do instead is to pin all traffic egressing the vMX towards Azure to an Azure Firewall or something. This way you can create DNAT/SNAT rules on the Azure Firewall, have your vendors whitelist the AZFW Public IP and reach it that way instead.   look at my post history. I have explained this setup a few times. if you have more questions after reading my posts feel free to ask. ... View more

Just passed the Implementing and Configuring Cisco Identity Services Engine Exam at Cisco Live. So for the remainder of the year ill definitely focus on putting some more ISEing on the Meraki Stacks i manage 🙂 ... View more

No not in production. But in theory it should be possible. Route all traffic from the vMX VNET to the AZFW, but create a few entries for the Meraki stuff that exits locally. Like the Dashboard IP ranges and VPN registrar. ... View more

Sounds like traffic is still being blocked then. You can look at the live firewall logs on the MX. See if that gives you a clue into whats going on.   https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/Firewall_Logging  ... View more

Great job everyone! 💚 ... View more

That very much depends on your network needs, users, tunnels etc. Check out the Sizing tool, it will help you select the correct MX model 🙂 Meraki Sizing Tool ... View more

Try to create the query variable before you pass it in the requests function.   Like this for example.    params = {'networkID': '12345'}   Then response = dashboard.organizations.getOrganizationDevices(params=params)   ... View more

I belive you will find what you are looking for here. Meraki Licensing - License More Devices vs Renewal - Cisco Meraki Documentation ... View more

Nice!  ... View more

Try software upgrades or ease up on some advanced security settings if it is within your security policy to do so. If not the best option would be to upscale your MX to MX450.   You can also try to reduce the amount of tunnels that terminate if its a vpn hub. You can do this by disabeling the active active tunnel on your spokes. Failover will be slow but you can conserve a good amount of system resources that way as well. ... View more

Undestandable. Good luck to you! ... View more

Your MX will still communicate with meraki cloud through the physical IP configured on your MX. Outbound internet for clients and SD-WAN/VPN uses the VIP.   Also, if your MX cant reach the maraki cloud after a config change it will reboot and return to the last known safe config after a while.   https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Behavior_during_Connection_Loss_to_Cisco_Meraki_Cloud    But if you want to shorten the possible downtime it is always smart to have a resource onsite. ... View more

Check out this thread. In the posted solution you can find some templates and alert settings you can use with webhooks.   https://community.meraki.com/t5/Dashboard-Administration/Custom-webhook-templates-are-network-specific/m-p/222953#M7628    Depending on your ticketing system you might need to write a reform script that maps key value pairs from meraki to values your ticketing system understands.   The example in that thread is for Service Now.   https://documentation.meraki.com/General_Administration/Other_Topics/Webhooks  ... View more

This one is for Meraki MR and VLAN tagging.   https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/VLAN_Tagging_on_MR_Access_Points    For your downstream switch you need to make it a trunk port.   On your router you create a new SVI or subinterface depending on what you are using today.   which vendor do you use for your switch and router/firewall? ... View more

Maybe you can add a new VLAN and subnet to your site and bridge a new ssid then move the devices there? That way you can keep your old setup and isolate the AIPhone devices instead. ... View more

For a time the MS will act as a flat L2 switch, but in time it will stop forwarding packets. To do anything with it you need to add it to the dashboard and license it. Same goes for making it forward packet again. ... View more