Cisco Meraki Documentation

Cisco Secure Connect - IdP Microsoft Entra ID SCIM Configuration

Provision Identities from Azure AD (Microsoft Entra ID)

Cisco+ Secure Connect supports the provisioning of user and group identities from Azure Active Directory (now known as Microsoft Entra ID). This integration can be used in conjunction with the following deployments:

  • Umbrella DNS: To enable user identity support for the Umbrella Roaming Client and AnyConnect Roaming Security module.
  • Umbrella SWG:
    • To enable user identity support for the AnyConnect SWG module.
    • To provision user and group identities for use with SAML-based end-user authentication.

The Microsoft Entra ID integration eliminates the need to deploy an on-premise Umbrella Active Directory Connector for the above use cases.

Note: An on-premise Umbrella AD connector is required for Virtual Appliance or IP-to-user mapping deployments, since Microsoft Entra ID does not store the private IP – AD user mappings that these deployments need.

Prerequisites
  • A valid Azure Active Directory subscription with a premium Microsoft Entra ID license.
  • No concurrent provisioning from on-premise Active Directory and Azure Active Directory.
    • If you are using the on-premise Umbrella AD Connector to import user and group identities to Umbrella, and now wish to import the same identities from Azure Active Directory, ensure that the on-premise Umbrella AD connector is switched off or that the OpenDNS Connector service on the connector machine is stopped.
      Note: Concurrent synchronization of the same user and group identities from the Umbrella AD Connector and the Cisco Umbrella Azure AD application is not supported and will lead to inconsistent policy enforcement.
  • Import of the ObjectGUID attribute from Azure Active Directory.
    The on-premise Umbrella AD Connector and Cisco AnyConnect/Umbrella Roaming Clients rely on the ObjectGUID attribute for user and group identification. You need to ensure that the ObjectGUID attribute of users and groups is synchronized from Azure Active Directory to Cisco Umbrella only if either of the conditions below is true:
    • You have previously imported AD users and groups to Umbrella using the on-premise Umbrella AD connector and want these previously imported identities to be persisted for policy or reporting purposes. (If you do not import the ObjectGUID for groups, existing AD group-based policies will not be enforced and you will need to re-assign these policies to groups imported from Microsoft Entra ID.)
    • You have endpoints that are authenticating against on-premise Active Directory and are running the Cisco AnyConnect agent or Umbrella Roaming Client. Follow the instructions on Microsoft’s website to set up the import of the ObjectGUID attribute for users and groups.

Note: Before setting up the import of the ObjectGUID, ensure that the on-premise Umbrella AD Connector that is synchronizing these identities is switched off or that the OpenDNS Connector service on the connector machine is stopped.


  • A maximum of 200 groups can be provisioned from Microsoft Entra ID to Cisco Umbrella. There is no restriction on the number of users you can provision from Microsoft Entra ID to Umbrella.
  • To ensure that all users are provisioned, create a dynamic ‘All Users’ group per the instructions in the Microsoft documentation and assign this group to the Cisco Umbrella app. You can assign other additional groups as required for group-based Umbrella policy enforcement.
  • After the initial provisioning of users and groups, Microsoft Entra ID synchronizes changes to Umbrella at 40-minute intervals, so it can take up to one hour for these changes to reflect on the Umbrella dashboard.
  • Depending on the number of users and groups, it can take several hours for these identities to be available on the Umbrella dashboard.

Note: Microsoft Entra ID does not support nested group memberships for group-based assignment to any SaaS application.


Configure Automatic Provisioning from Microsoft Entra ID
  1. Navigate to Deployments > Core Identities > Users and Groups.
  2. Expand Azure Active Directory and click on the API Keys page.
  3. Expand Azure Active Directory on the API Keys page and click on Generate Token.
    The generated token will be displayed only once. Copy and save the URL and the token. These values will need to be entered in the Tenant URL and Secret Token fields respectively in the Provisioning tab of the Cisco Umbrella application in the Azure portal.
  4. Follow the instructions on Microsoft’s website to deploy the Cisco Umbrella app on Microsoft Entra ID and provision users.
  5. You can view the users and groups provisioned from Microsoft Entra ID on the Users and Groups page.

Note: Cisco Umbrella recommends refreshing the SCIM token at least once every 180 days for security reasons. You can refresh the token on the API Keys page of the Umbrella dashboard. Ensure that you immediately copy the new token to the Cisco Umbrella app on Microsoft Entra ID so that provisioning is not impacted. Refreshing the SCIM token is the full responsibility of the user; Umbrella does not perform this action.
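The limits in the prerequisites (200 groups, no nested group membership) and the 180-day token refresh above can be checked before assigning groups to the app. The following is an added example, not Cisco or Microsoft code: it assumes you have exported the assigned groups and their members yourself and recorded the date the SCIM token was generated; the function name, data layout and sample data are hypothetical.

```python
from datetime import date

MAX_GROUPS = 200           # group limit stated on this page
TOKEN_MAX_AGE_DAYS = 180   # token refresh interval recommended on this page

def preflight(assigned, members, token_issued, today):
    """Return findings for a planned Entra ID -> Umbrella provisioning scope.

    assigned: names of the groups assigned to the Cisco Umbrella app
    members:  group name -> list of (kind, name), kind is "user" or "group"
    """
    findings = []
    if len(assigned) > MAX_GROUPS:
        findings.append(f"{len(assigned)} groups assigned, limit is {MAX_GROUPS}")
    # Assumption from the page's nested-group note: only direct user
    # members of an assigned group are treated as in scope.
    in_scope = {n for g in assigned for k, n in members.get(g, []) if k == "user"}
    for g in assigned:
        for kind, child in members.get(g, []):
            if kind != "group" or child in assigned:
                continue
            # Walk the nested group transitively; 'seen' guards against cycles.
            stack, seen, missed = [child], set(), set()
            while stack:
                cur = stack.pop()
                if cur in seen:
                    continue
                seen.add(cur)
                for k, n in members.get(cur, []):
                    if k == "group":
                        stack.append(n)
                    elif n not in in_scope:
                        missed.add(n)
            if missed:
                findings.append(f"{g} nests {child}; not provisioned: {sorted(missed)}")
    age = (today - token_issued).days
    if age > TOKEN_MAX_AGE_DAYS:
        findings.append(f"SCIM token is {age} days old, refresh it")
    return findings

# Constructed sample data (not from a real tenant).
SAMPLE_MEMBERS = {
    "Sales": [("user", "alice"), ("group", "Sales-EMEA")],
    "Sales-EMEA": [("user", "bob"), ("group", "Sales")],  # cycle back to parent
    "IT": [("user", "carol")],
}

if __name__ == "__main__":
    for f in preflight(["Sales", "IT"], SAMPLE_MEMBERS, date(2024, 1, 1), date(2024, 8, 1)):
        print(f)
```

A user flagged as not provisioned will have no user identity in Umbrella, so group-based policy will not apply to them until they are made a direct member of an assigned group.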
