Cisco Meraki Documentation

Organization Users

The following instructions explain how to use the Organization Users page. Organization Users are the end users who utilize network client devices and/or authenticate into network devices. Identity provider (IdP) sources assist in managing these end users, allowing the Dashboard to work with the same users and groups as existing enterprise IdP systems. Information such as names, email addresses, usernames, and User Principal Names (UPN) are sourced from the IdP, ensuring that there is a reliable single source of end user information within the Meraki Dashboard. 

Optionally, multiple IdP sources can be synced into a Meraki Organization, enabling the integration of end users from various IdP sources into one cohesive system. Organization Users are accessible across the organization and can be used in any network and Combined Dashboard Networks.

Note

  • To access the Organization Users feature, opt-in is required. Org-write admins can find the Early Access page in the navigation menu under Organization > Configure > Early Access.
  • Features and user interface screenshots in this document may change during the Early Access period as development continues.

Concepts

The Organization User page focuses on two main concepts: end users and groups. An end user refers to an individual identity, such as an employee, contractor, or guest user, who can be granted access to various network services like VPN or wireless authentication. A group is a logical collection of users, typically organized by function, department, or access needs, which enables admins to manage permissions and policies at scale. By combining users and groups together, administrators can efficiently assign roles, enforce access controls, and maintain consistency across organizational units, whether users are created locally or synced from external identity providers.

End Users

End Users represent the users within an organization who will be authorized for, or blocked from, access to various parts of the Meraki networks. In the example below, an end user called matt_user is created in Microsoft Entra ID and then synced into Dashboard.

The Organization > Users page loads all the users within the Organization. These users can be searched by username, display name, email, etc. 

Clicking on an individual user shows more details, including their account information, groups, and channels of enabled or disabled access.

Note: During the Early Access period, the Enabled access features of Meraki End Users will be under development.

View of the same user from Microsoft Entra ID: 

The master record of this account is maintained by the IdP and can be updated with changes from the IdP, such as Entra ID, during new syncs into the Meraki Dashboard.

Note: User information from multiple IdP sources is aggregated into a single user in the Organization End User page if the email addresses are the same. Details for each linked IdP user record can be viewed at the top of the user details page.

Groups

Groups are multiple users collected under a single namespace. In the example below, 2 users are collected into a group called TestGroup123.

Groups can only be synced in from External IdP sources.

This group is created in Microsoft Entra ID and synced into the Dashboard.

In Microsoft Entra ID, we can see the same group name that was synced into Meraki Dashboard. Changes to this group can be made on the IdP and then synced into Meraki Dashboard.

Existing Network Users

Network users created in all the various Meraki Dashboard networks are consolidated into the single Organization > Users page. For example, users added into the Network-wide > Users page for User Access to Meraki Network Zones (such as Wireless SSID, VPN, and Switch Access Policy) are automatically added to the single Organization > Users page. Owners from Meraki Systems Manager in all the various networks are also added to this single Organization > Users page in the same way. This allows a single page for end user searching, monitoring, and management across every sub network within the Meraki Dashboard.

External IdP Users & Sources

Identity provider sources such as Microsoft Entra ID can be added to facilitate syncs between the IdP and Dashboard. The IdP sources store the information about the end users & groups. This information is synced and cached by Meraki Dashboard to be used across the organization. Once an IdP source has been configured in Meraki Dashboard it can be used for IdP Syncs. A single IdP source can be used, or multiple IdP sources can be used. 

Adding a new external IdP source

A new IdP source can be added in Dashboard by navigating to Organization > Users and then clicking on Create IdP.  

Microsoft Entra ID

Microsoft Entra ID is a supported identity provider for Meraki Dashboard. When using Microsoft Entra ID, the master records of user accounts can remain in the Microsoft Entra ID portal and be synced (cached) into Meraki Dashboard.

  1. Sign in to the Azure Portal.

Note:

  • Ensure Microsoft Entra ID is enabled for your account. See Microsoft Entra plans and pricing for licensing information.
  • Use Azure Global. The Azure Gov environment is not supported at this time.

  2. Navigate to "Microsoft Entra ID" (click it or type it in the search bar).
  3. To create the enterprise application, navigate to Manage > All applications in the sidebar, and then click + New application. The application holds the users/groups delegations.
  4. Click '+' to create an application and name it. In the 'Create your own application' dialog, select the option to integrate an application not found in the gallery.
  5. Once the application is saved and created, copy the Application ID. This is the Application (client) ID inside Meraki Dashboard.
  6. Click the Entra ID directory name. Navigate to Manage > App registrations > All applications > ${Your_IdP_Name}.
  7. Copy the Application (client) ID and Directory (tenant) ID. You will need these values later.
  8. Navigate to Manage > Certificates & secrets and click + New client secret.
  9. Add a description to your client secret, select the expiration date, and save it. The client secret will be added to your application, and the value will be visible. Copy the client secret value, as you will need this information later.

Note: Every Entra ID secret value has an expiration date. Once this expiration date is reached, a new secret value will be necessary for IdP syncs to continue.

  10. Add the following Microsoft Graph API permissions (found under Manage > API Permissions); they must be granted to the Entra ID application. Without these permissions, the syncs may not be able to complete successfully:
    • Grant Admin Consent for your Entra Directory
    • Microsoft Graph > Application > Directory.Read.All
    • Microsoft Graph > Application > User.Read.All
    • Microsoft Graph > Delegated > User.Read (Required for Access Manager integration)
  11. Add the Directory (tenant) ID, Application (client) ID, and Client secret value to your Meraki Dashboard IdP configuration page, found in Organization > Users > Configure > Integrate with Microsoft Entra ID.
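An added example (not Cisco's or Microsoft's code) of a pre-sync check for the app registration described above: it reads the `roles` claim of an app-only Microsoft Graph access token to confirm that the application permissions listed above are granted and nothing broader is, and it flags client secrets approaching the expiration that the note warns about. It assumes the token was obtained with the client-credentials flow and that the secret list is the `passwordCredentials` array of the Graph application object; the sample token, secret names and dates are constructed.

```python
import base64, json
from datetime import datetime, timedelta, timezone

# Application permissions this page lists for the Entra ID app used by IdP syncs.
REQUIRED_APP_ROLES = {"Directory.Read.All", "User.Read.All"}

def token_roles(access_token):
    """Return the 'roles' claim (granted application permissions) of a token.
    Decode only: the signature is not verified, so use this for inspection."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return set(json.loads(base64.urlsafe_b64decode(payload)).get("roles", []))

def audit_permissions(roles):
    """Missing roles can break syncs; excess roles go beyond what the page lists."""
    return {"missing": sorted(REQUIRED_APP_ROLES - roles),
            "excess": sorted(roles - REQUIRED_APP_ROLES)}

def expiring_secrets(password_credentials, now, warn_days=30):
    """List client secrets that have expired or expire within warn_days."""
    findings = []
    for cred in password_credentials:
        end = datetime.fromisoformat(cred["endDateTime"].replace("Z", "+00:00"))
        if end <= now + timedelta(days=warn_days):
            state = "expired" if end <= now else "expiring"
            findings.append((cred["displayName"], state, (end - now).days))
    return findings

def constructed_token(claims):
    """Build an unsigned, constructed token so the example runs offline."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + "."

# Constructed sample data (not output from a real tenant).
SAMPLE_TOKEN = constructed_token({"roles": ["User.Read.All", "Group.ReadWrite.All"]})
SAMPLE_CREDS = [
    {"displayName": "meraki-sync-2024", "endDateTime": "2025-01-10T00:00:00Z"},
    {"displayName": "meraki-sync-2025", "endDateTime": "2025-12-31T00:00:00Z"},
]
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(audit_permissions(token_roles(SAMPLE_TOKEN)))
    print(expiring_secrets(SAMPLE_CREDS, NOW))
```

The delegated User.Read permission does not appear in the `roles` claim of an app-only token, so it is deliberately left out of the required set.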

IdP Syncs

IdP Syncs keep the information about end users and groups updated in Meraki Dashboard with the latest information from the identity provider. An IdP sync can be triggered manually or set up to sync automatically (see the steps below for each). The last completed IdP sync timestamp is displayed in Dashboard > Organization > Users under IdP Sources.

Automatic Syncs

The Meraki Dashboard will automatically sync Users/Groups from the IdP every ~6 hours when the Proactive Sync option is enabled in the IdP settings in Dashboard.

Manual Syncs

If automatic syncs are not being used ("enable proactive sync" is disabled), then syncs from the IdP must be initiated manually by an organization administrator. This can be done on the Organization > Users page by clicking Sync > ${Your_IdP_Name}.

Manual syncs can take anywhere from ~5 seconds to multiple minutes to complete. You do not need to remain on the page while the sync progresses, as this happens in the background on the Meraki Cloud. However, if you are still on the Organization > Users page when the sync finishes, a banner will appear to show the successfully completed sync.

Meraki-hosted Users

Meraki-hosted users are local/guest user accounts whose credentials are created and managed within the Organization End Users page and are not federated with an external IdP source. Currently, Meraki-hosted user accounts can authenticate to the following channels:

  • Client VPN

Create a Meraki-hosted User

To create a Meraki-hosted user:

  1. Navigate to Organization > Users 
  2. Click on the Add Users button in the user list.
  3. In the Add User drawer, enter the Display Name, Email (username), and Password information, then click Save.

Edit a Meraki-hosted User

To edit a Meraki-hosted user:

  1. Navigate to Organization > Users and click the target user in the user list to open the user details page.
  2. Click the triple dots on the upper right of the IdP - Meraki card on the user details page, and select Edit User Details from the drop-down menu.
  3. Edit the user details in the drawer and click Save.  

Note: Editing the Email (username) for a Meraki-hosted user that is linked to another IdP user(s) results in a new user record being created when saved.

Delete a Meraki-hosted User

To delete a Meraki-hosted user:

  1. Click the target user in the user list to open the user details page.
  2. Click the triple dots in the upper right of the IdP - Meraki card on the user details page.
  3. Select Delete User from the drop-down menu.
  4. Click Delete User in the confirmation modal to save your change.

Note: Deleting a Meraki-hosted user linked to other IdP users will only remove the local user record.

Administrators can also delete multiple Meraki-hosted users from the users list. To do this:

  1. Navigate to Organization > Users and enable the checkbox next to your target users. 
  2. Click Delete Meraki user(s) in the action bar.
  3. Click Delete Users in the confirmation modal.

Authorizations

Organization End Users can be authorized for access to network zones such as Client VPN and Meraki Cloud Radius. These end users can be authorized for access in bulk via groups and/or individually. Currently, administrators can manage the following types of authorizations:

  • Client VPN (Meraki-hosted users only)

Manage Client VPN authorization

Authorize Client VPN access

To authorize Client VPN for a single user:

  1. Navigate to Organization > Users, and click the target end user. 
  2. On the user details page, navigate to the Manage Authorizations section.
  3. Click Add Authorizations.
  4. In the Add Authorization drawer, select the target network(s) where the user should be authorized to access Client VPN. Client VPN access can be authorized indefinitely using the Authorize and never expire option.  Administrators can also authorize access to expire within a certain time window or specify a time frame with custom start and end dates using the Authorize and expire in option.

Edit Client VPN access

To edit the expiration criteria for a Client VPN authorization for a single user:

  1. Navigate to Organization > Users, and click the target end user. 
  2. Select the desired authorizations from the list by checking the box next to each option you want to edit. 
  3. Click Edit Access to make changes.
  4. In the Edit Client VPN(s) Authorization drawer, change the authorization expiration criteria, and click Save.

Note: Administrators cannot edit the target networks using the Edit Client VPN authorization(s) action. 

Revoke Client VPN access

To revoke Client VPN access for a single user:

  1. Navigate to Organization > Users, and click the target end user.
  2. On the user details page, navigate to the Manage Authorizations section, and select the target authorizations in the list to remove by enabling the checkmark next to each option.
  3. Click Revoke Access. 
  4. Click Revoke Access to confirm your selection in the pop-up box.

To revoke Client VPN access for multiple users:

  1. Navigate to Organization > Users. Select your target users by enabling the checkbox next to the user entry.
  2. Click the Edit Client VPN access dropdown and select Revoke Access.
