
 

Cisco Meraki Documentation

Organization Users

The following instructions explain how to use the Organization Users page. Organization Users are the end users who utilize network client devices and/or authenticate into network devices. Identity provider (IdP) sources assist in managing these end users, allowing the Dashboard to work with the same users and groups as existing enterprise IdP systems. Information such as names, email addresses, usernames, and User Principal Names (UPN) is sourced from the IdP, ensuring that there is a reliable single source of end user information within the Meraki Dashboard.

Optionally, multiple IdP sources can be synced into a Meraki Organization, enabling the integration of end users from various IdP sources into one cohesive system. Organization Users can be accessed across the organization and utilized in any of the networks and Combined Dashboard Networks.

Note: Organization Users is in Early Access and must be opted into. The Early Access page is available to org-write admins in the navigation menu by going to Organization > Configure > Early Access.

Some features and user interface screenshots referenced in this document may change as development progresses throughout the Early Access period.

Concepts

The Organization User page is built around two core concepts: end users and groups. An end user refers to an individual identity, such as an employee, contractor, or guest user, who can be granted access to various network services like VPN or wireless authentication. A group is a logical collection of users, typically organized by function, department, or access needs, which enables admins to manage permissions and policies at scale. By combining users and groups together, administrators can efficiently assign roles, enforce access controls, and maintain consistency across organizational units, whether users are created locally or synced from external identity providers.

End Users

End Users represent the users within an organization who will be authorized and/or blocked for access to various parts of the Meraki networks. In the example below, an end user called matt_user is created in Microsoft Entra ID and then synced into Dashboard.

The Organization > Users page loads all the users within the Organization. These users can be searched by username, display name, email, etc. 


Clicking on the individual user loads additional information about the user such as their account information, groups, and channels of enabled/disabled access. 

Note: While Meraki End Users is under Early Access the "Enabled access" features will be under development. 

Screenshot: view of this same user from Microsoft Entra ID.

The master record of this account remains held with the IdP and can be updated with changes on the IdP (e.g. Entra ID) and new syncs into Meraki Dashboard.

User information from multiple IdP sources is aggregated into a single user in the Organization End User page if the email addresses are the same. Details for each linked IdP user record can be viewed at the top of the user details page.

Groups

Groups are multiple users collected under a single name space. In the example below, 2 users are collected into a group called TestGroup123.

Groups can only be synced in from External IdP sources.

This group is created in Microsoft Entra ID and then synced into Dashboard.

In Microsoft Entra ID, we can see this same group name which is synced into Meraki Dashboard. Changes to this can be done on the IdP and then synced into Meraki Dashboard.


Existing Network Users

Network users created in all the various Meraki Dashboard networks are consolidated into the single Organization > Users page. For example, users added into the Network-wide > Users page for User Access to Meraki Network Zones (such as Wireless SSID, VPN, and Switch Access Policy) are automatically added to the single Organization > Users page. Owners from Meraki Systems Manager in all the various networks are also added to this single Organization > Users page in the same way. This allows a single page for end user searching, monitoring, and management across every sub network within the Meraki Dashboard.

External IdP Sources

Identity provider sources such as Microsoft Entra ID can be added to facilitate syncs between the IdP and Dashboard. The IdP sources store the information about the end users & groups. This information is synced and cached by Meraki Dashboard to be used across the organization. Once an IdP source has been configured in Meraki Dashboard it can be used for IdP Syncs. A single IdP source can be used, or multiple IdP sources can be used. 

Adding a new external IdP source

A new IdP source can be added in Dashboard by navigating to Organization > Users and then clicking on Create IdP.  


Microsoft Entra ID

Microsoft Entra ID is a supported identity provider for Meraki Dashboard. When using Microsoft Entra ID, the master records of user accounts can remain in the Microsoft Entra ID portal and be synced (cached) into Meraki Dashboard.

1. Sign into Azure Portal.

Note: Please ensure your account has Microsoft Entra ID enabled. Licensing information is available here.

Note: Please use Azure Global. Azure Gov environment is not supported at this time.

2. Navigate to "Microsoft Entra ID" (either by clicking or by typing it in the search bar at the top).

3. Navigate to Home > Overview. Copy the Tenant ID for your account. This identifier is used as the Directory (tenant) ID within Meraki Dashboard. 


4. Next, we need to create the enterprise application. The application holds the users/groups delegations. Navigate to Manage > All applications in the sidebar, and then click on + New application.

 


Click on + Create your own application and give your application a name. Inside the Create your own application dialogue, choose Integrate any other application you don't find in the gallery.

Once the application is saved & created, copy the Application ID -- this is the Application (client) ID inside Meraki Dashboard.

5. Click on the Entra ID directory name at the top. Navigate to Manage > App registrations > All applications > ${Your_IdP_Name}.

6. Next, we will need the application secret. Navigate to Manage > Certificates & secrets and click on + New client secret. Give your client secret a description, choose the expiration date, and save it. The client secret will then be added to your application and the Value will be viewable. This Value is the Client secret value we need to add to Dashboard.



Note: Every Entra ID secret value has an expiration date. Once this expiration date is reached a new secret value will be necessary for IdP syncs to continue. 

Great! Now you have the Directory (tenant) ID, Application (client) ID, and Client secret value.

Add these to your Meraki Dashboard in Organization > Users > Configure > Integrate with Microsoft Entra ID.

Permissions

The following Microsoft Graph API permissions (found under Manage > API Permissions) must be granted to the Entra ID application. Without these permissions, the syncs may not be able to complete successfully:

Microsoft Graph > Directory.Read.All
Microsoft Graph > User.Read.All

Please ensure these are all selected as Application permissions. 
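
A preflight check for the setup above, added here as an example (not Meraki or Microsoft code): given an app-only Microsoft Graph access token obtained with the application's client credentials, it reports a tenant mismatch, any of the two required permissions missing from the token's roles claim (where granted Application permissions appear), and a client secret that is expired or close to the expiration date mentioned in the note on secret values. The token below, the placeholder tenant ID, the dates and the 30-day warning window are constructed assumptions.

```python
import base64
import json
from datetime import datetime, timedelta, timezone

# Application permissions the page lists as required for IdP syncs.
REQUIRED_ROLES = {"Directory.Read.All", "User.Read.All"}


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def preflight(token, tenant_id, secret_expires, now, warn_days=30):
    """Return a list of findings; an empty list means the app looks ready to sync."""
    claims = jwt_claims(token)
    findings = []
    if claims.get("tid") != tenant_id:
        findings.append("token tenant differs from the Directory (tenant) ID")
    # App-only tokens list granted Application permissions in 'roles';
    # permissions added as Delegated never show up there.
    missing = REQUIRED_ROLES - set(claims.get("roles", []))
    if missing:
        findings.append("missing application permissions: " + ", ".join(sorted(missing)))
    expires = datetime.fromisoformat(secret_expires)  # ISO 8601 with UTC offset
    if expires <= now:
        findings.append("client secret has expired")
    elif expires - now <= timedelta(days=warn_days):
        findings.append(f"client secret expires in {(expires - now).days} days")
    return findings


def sample_token(claims):
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "constructed"])


if __name__ == "__main__":
    now = datetime(2025, 1, 10, tzinfo=timezone.utc)  # constructed "current" time
    tid = "00000000-0000-0000-0000-000000000000"      # placeholder tenant ID
    token = sample_token({"tid": tid, "roles": ["User.Read.All"]})
    for finding in preflight(token, tid, "2025-01-25T00:00:00+00:00", now):
        print("FINDING:", finding)
```

An empty result only means the token carries both permissions and the secret is not near expiry; it does not replace a completed sync as confirmation.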


IdP Syncs

IdP Syncs keep the information about end users and groups updated in Meraki Dashboard with the latest information from the identity provider. An IdP sync can be triggered manually or set up to sync automatically (see below steps for each). The last completed IdP sync timestamp will be displayed in Dashboard > Organization > Users under IdP Sources.


Automatic Syncs

The Meraki Dashboard will automatically sync Users/Groups from the IdP every ~6 hours when the Proactive Sync option is enabled in the IdP settings in Dashboard.

Manual Syncs

If automatic syncs are not being used ("enable proactive sync" is disabled), then syncs from the IdP must be initiated manually by an organization administrator. This can be done on the Organization > Users page by clicking on Sync > ${Your_IdP_Name}.


Manual syncs can take anywhere from ~5 seconds to multiple minutes to complete. You do not need to remain on the page while the sync progresses, as this will happen in the background on the Meraki Cloud. However, if you are still on the Organization > Users page when the sync finishes, a banner will appear to show the successfully completed sync.


Meraki-hosted Users

Meraki-hosted users are local/guest user accounts whose credentials are created and managed within the Organization End Users page and are not federated with an external IdP source. Currently, Meraki-hosted user accounts can authenticate to the following channels:

  • Client VPN

Create a Meraki-hosted User

To create a Meraki-hosted user, navigate to Organization > Users and click on the Add Users button in the user list.  


In the Add User drawer, enter the Display Name, Email (username), and Password information, then click Save.


Edit a Meraki-hosted User

To edit a Meraki-hosted user, navigate to Organization > Users and click on the target user in the user list to open the user details page.

Click the triple dots in the upper right of the IdP - Meraki card on the user details page, then select Edit User Details from the drop down menu.

Edit the user details in the drawer and click Save.  

Editing the Email (username) for a Meraki-hosted user that is linked to another IdP user(s) results in a new user record being created when saved.

Delete a Meraki-hosted User

To delete a Meraki-hosted user, click on the target user in the user list to open the user details page.

Click the triple dots in the upper right of the IdP - Meraki card on the user details page, then select Delete User from the drop down menu.

Click Delete User in the confirmation modal to save your change.


 

Deleting a Meraki-hosted user that is linked to another IdP user(s) will only remove the local user record.

Administrators can also delete multiple Meraki-hosted users from the users list. To do this, navigate to Organization > Users and enable the checkbox next to your target users. Click on Delete Meraki user(s) in the list's action bar.

Then click on Delete Users in the confirmation modal. 


Authorizations

Organization End Users can be authorized for access to network zones such as Client VPN and Meraki Cloud Radius. These end users can be authorized for access in bulk via groups and/or individually. Currently, administrators can manage the following types of authorizations:

  • Client VPN (Meraki-hosted users only)

Manage Client VPN authorization

Authorize Client VPN access

To authorize Client VPN for a single user, navigate to Organization > Users, then click on the target end user. On the user details page, navigate to the Manage Authorizations section, then click on Add Authorizations.

In the Add Authorization drawer, select the target network(s) where the user should be authorized to access Client VPN. Client VPN access can be authorized indefinitely using the Authorize and never expire option.  Administrators can also authorize access to expire within a certain time window or specify a time frame with custom start and end dates using the Authorize and expire in option.


Edit Client VPN access

To edit the expiration criteria for a Client VPN authorization for a single user, navigate to Organization > Users, then click on the target end user. Select the desired authorizations from the list by checking the box next to each option you want to edit. Click on Edit Access to make changes.

In the Edit Client VPN(s) Authorization drawer, change the authorization expiration criteria, then click Save.

Administrators cannot edit the target networks using the Edit Client VPN authorization(s) action. 

Revoke Client VPN access

To revoke Client VPN access for a single user, navigate to Organization > Users, then click on the target end user.  On the user details page, navigate to the Manage Authorizations section, then select the target authorizations in the list to be removed by enabling the checkmark next to each option. Click Revoke Access. 


Click Revoke Access to confirm your selection in the pop-up box.

To revoke Client VPN access for multiple users, navigate to Organization > Users. Select your target users by enabling the checkbox next to the user entry. Click the Edit Client VPN access dropdown and select Revoke Access.
