Cisco Meraki Documentation

Azure AD (MSFT Entra ID) Identity Integration

Overview

Cisco Secure Connect supports the provisioning of user and group identities from Azure Active Directory (now known as Microsoft Entra ID). This integration can be used in conjunction with the following deployments:

  • Umbrella DNS: To enable user identity support for the Umbrella Roaming Client and Cisco Secure Client Roaming Security module.
  • Umbrella SWG:
    • To enable user identity support for the Secure Client SWG module.
    • To provision user and group identities for use with SAML-based end-user authentication.

The Microsoft Entra ID integration eliminates the need to deploy an on-premise Umbrella Active Directory Connector for the above use cases.

Note: An on-premise Umbrella AD connector is required for Virtual Appliance or IP-to-user mapping deployments, since Microsoft Entra ID does not store the private IP to AD user mappings that these deployments need.

Prerequisites

  • A valid Azure Active Directory subscription with a premium Microsoft Entra ID license.
  • No concurrent provisioning from on-premise Active Directory and Azure Active Directory.
    • If you are using the on-premise Umbrella AD Connector to import user and group identities to Umbrella, and now wish to import the same identities from Azure Active Directory, ensure that the on-premise Umbrella AD connector is switched off or that the OpenDNS Connector service on the connector machine is stopped.
      Note: Concurrent synchronization of the same user and group identities from the Umbrella AD Connector and the Umbrella Azure AD application is not supported and will lead to inconsistent policy enforcement.
  • Import of the ObjectGUID attribute from Azure Active Directory.
    The on-premise Umbrella AD Connector and Secure Client/Umbrella Roaming Clients rely on the ObjectGUID attribute for user and group identification. You need to ensure that the ObjectGUID attribute of users and groups is synchronized from Azure Active Directory to Umbrella only if either of the conditions below is true:
    • You have previously imported AD users and groups to Umbrella using the on-premise Umbrella AD connector and want these previously imported identities to be persisted for policy or reporting purposes. (If you do not import the objectGUID for groups, existing AD group-based policies will not be enforced and you will need to re-assign these policies to groups imported from Microsoft Entra ID).
    • You have endpoints that are authenticating against on-premise Active Directory and are running the Secure Client agent or Umbrella Roaming Client. Follow the instructions on Microsoft’s website to set up the import of the ObjectGUID attribute for users and groups.

Note: Before setting up the import of the ObjectGUID, ensure that the on-premise Umbrella AD Connector that is synchronizing these identities is switched off or that the OpenDNS Connector service on the connector machine is stopped.

Note: If all of your endpoints are running the Cisco Secure Client/AnyConnect version 4.10 MR6 or above, you do not have to import the ObjectGUID attribute from Azure AD.

Note: The Microsoft link describes how to configure Cisco User Management for Secure Access for automatic user provisioning. The configuration is the same for Cisco Secure Connect.

Limitations

  • A maximum of 200 groups can be provisioned from Microsoft Entra ID to Umbrella. Umbrella supports the provisioning of up to 3000 groups. To increase your group provisioning, contact Support.
  • To ensure that all users are provisioned, create a dynamic ‘All Users’ group per the instructions in the Microsoft documentation and assign this group to the Umbrella app. You can assign other additional groups as required for group-based Umbrella policy enforcement.
  • After the initial provisioning of users and groups, Microsoft Entra ID synchronizes changes to Umbrella at 40-minute intervals, so it can take up to one hour for these changes to reflect on the Umbrella dashboard.
  • Depending on the number of users and groups, it can take several hours for these identities to be available on the Umbrella dashboard.

Note: Microsoft Entra ID does not support nested group memberships for group-based assignment to any SaaS application.
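The limitations above can be checked before groups are assigned to the Umbrella app. The following Python sketch is an added example, not Cisco or Microsoft code: it takes a constructed export of group memberships and reports groups over the 200-group limit, users reachable only through nested groups, and users no assigned group covers. The data layout and all group and user names are assumptions made for illustration.

```python
# Added example: preflight check of an Umbrella app group-assignment plan.
# The data layout and every group/user name below are constructed.
GROUP_LIMIT = 200  # provisioning limit stated on this page (raised via Support)

def preflight(assigned, direct_users, child_groups, all_users, limit=GROUP_LIMIT):
    """assigned: groups assigned to the app; direct_users/child_groups: per-group sets."""
    assigned_set = set(assigned)
    # Only direct members of an assigned group count; nesting is not followed.
    covered = set()
    for g in assigned_set:
        covered |= direct_users.get(g, set())

    nested_only = {}
    for g in sorted(assigned_set):
        # Walk nested groups transitively to find members that will be missed.
        seen, stack = set(), list(child_groups.get(g, ()))
        while stack:
            child = stack.pop()
            if child in seen:
                continue  # guards against cyclic nesting
            seen.add(child)
            stack.extend(child_groups.get(child, ()))
        missed = set()
        for child in seen - assigned_set:
            missed |= direct_users.get(child, set())
        missed -= covered
        if missed:
            nested_only[g] = sorted(missed)

    return {
        "over_limit": max(0, len(assigned_set) - limit),
        "nested_only": nested_only,
        "unprovisioned": sorted(all_users - covered),
    }

# Constructed sample tenant: carol is reachable only via a nested group.
DIRECT = {
    "All Users": {"alice", "bob", "carol", "dave"},
    "Engineering": {"alice"},
    "Eng-Contractors": {"carol"},
    "Finance": {"dave"},
}
NESTED = {"Engineering": {"Eng-Contractors"}, "Eng-Contractors": {"Engineering"}}
USERS = {"alice", "bob", "carol", "dave"}
REPORT = preflight(["Engineering", "Finance"], DIRECT, NESTED, USERS)
```

In the sample, assigning only Engineering and Finance leaves bob and carol unprovisioned; adding the 'All Users' group to the assignment clears both findings.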

Configure Automatic Provisioning from Microsoft Entra ID

  1. Navigate to Deployments > Core Identities > Users and Groups.
  2. Expand Azure Active Directory and click on the API Keys page.
  3. Expand Azure Active Directory on the API Keys page and click on Generate Token.
    The generated token will be displayed only once. Copy and save the URL and the token. These values will need to be entered in the Tenant URL and Secret Token fields respectively in the Provisioning tab of the Umbrella application in the Azure portal.
  4. Follow the instructions on Microsoft’s website to deploy the Umbrella app on Microsoft Entra ID and provision users. (Configurations stay the same for Cisco Secure Connect.)
  5. You can view the users and groups provisioned from Microsoft Entra ID on the Users and Groups page.

Note: Umbrella recommends refreshing the SCIM token at least once every 180 days for security reasons. You can refresh the token on the API Keys page of the Umbrella dashboard. Ensure that you immediately copy the new token to the Umbrella app on Microsoft Entra ID so that provisioning is not impacted. Refreshing the SCIM token is the full responsibility of the user; Umbrella does not perform this action.