I don't think Microsoft intends to update their client to handle IPv6. You'll need to look at using Cisco AnyConnect. I would use SAML authentication against AzureAD in your case.

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/AnyConnect_Azure_AD_SAML_Configuration

BUT my first thought is - when you are pursuing a zero-trust architecture - why are you basing conditional access on an IP address? Why aren't you simply checking that the computer accessing the service is a trusted, compliant computer? I think if you resolve this issue - your entire problem will disappear.