Skip to main content

 

Cisco Meraki Documentation

Microsoft Entra ID Integration with Splash Page

  1. Last updated
  2. Save as PDF

Overview

Microsoft Entra ID (formerly known as Microsoft Azure AD) is a cloud-based identity and access management service provided by Microsoft. It is designed to help organizations manage users and their access to applications, both on-premises and in the cloud.  This feature implementation allows admins to configure SSIDs on Meraki to support the authentication of their Microsoft Entra ID users via Splash Page.

Prerequisites

  • Firmware: MR28+ 
  • Licensing: MR Enterprise

Configuration


Navigate to Wireless > Configure > Access Control on the dashboard.

This image shows how to access the Access Control settings on the Meraki dashboard.

  1. Select the SSID in the top Left Corner.

    This image shows where to select the SSID in the top left corner of the dashboard.

  2. Under the Splash Page section, select the Sign on With Microsoft Entra ID and add your Allowed Domains.

This image shows how to select "Sign on With Microsoft Entra ID" and add allowed domains under Splash Page settings.

The built-in Microsoft domain works. Add it to the Allowed Domain field in the dashboard. Verify all custom domains that do not use onmicrosoft.com.

  1. Navigate to Advanced Splash Settings below and then set the Captive Portal Strength to "Block all access until sign-on is complete".

This image shows how to set the Captive Portal Strength to "Block all access until sign-on is complete" in Advanced Splash Settings.

Block a client's internet access by default when it enters the captive portal. Set the captive portal strength to "Block all access until Sign-on is complete" on the Access-control page of the SSID. This setting blocks internet access but keeps the client connected to the SSID.

  1. Set Walled Garden to Enabled, and add the domains from Microsoft’s  Azure portal authentication urls documentation to the Walled Garden Ranges. If a domain is not specified, all the valid Entra ID accounts will be permitted to access the SSID.

Add "device.login.microsoftonline.com" to the Walled Garden ranges for unmanaged Android devices.

  1. Save the configuration.

Granting Microsoft Admin Consent to Cisco Application

  1. Network admins can sign-in using the below link to grant admin permission to the Cisco application.

https://login.microsoftonline.com/organizations/adminconsent?client_id=d1b29572-1b35-40cc-9152-a8056ab586c4

This image shows the link network admins use to sign in and grant admin permission to the Cisco application.

  1. Navigate to Microsoft Entra ID > Enterprise applications.

  2. Search for the application Cisco Meraki Network Access.

  3. Under Permission, click Grant admin consent for Cisco.

This image shows how to grant admin consent for Cisco by clicking the blue button under Permission.

Alternatively, admins can connect to the configured Entra SSID to grant admin consent.

  1. Connect to the configured SSID.

  2. Click Sign in with Microsoft.

This image shows where to click "Sign in with Microsoft.

3. Accept the permission request to add the application to the admin Entra ID account. 

This image shows how to accept the permission request to add the application to the admin Entra ID account.

4. Verify the new Cisco Meraki Network Access app is present in the Enterprise application portal.

This image shows how to confirm that the new Cisco Meraki Network Access app appears in the Enterprise application portal.

Authentication Process

When an unauthorized user connects to the AP, the first HTTP GET request redirects to the splash page server hosted in the dashboard. The splash page gives the user the option to log in to the SSID using a Microsoft AD account.

1. Sign in to the user account to sign on to the application. 

This image shows where to sign in to the user account to access the application.

2. Users are then directed to the Microsoft login screen hosted on Microsoft active directory servers.

This image shows that users are directed to the Microsoft login screen hosted on Microsoft Active Directory servers.

3. After the user enters their credentials, the system either grants access or prompts them to re-enter valid credentials.

4. Once accurate credentials are provided users will be granted access to the network.  

Troubleshooting SSID Configuration

This section describes how to identify and mitigate common issues experienced with Splash page configuration in dashboard.

  1. The built-in Microsoft domain onmicrosoft.com must be included in the Allowed domain field in the splash page of Dashboard. 

Edit sectionThis image shows where to add the built-in Microsoft domain onmicrosoft.com to the Allowed domain field in the splash page of the Dashboard.

Troubleshooting Entra ID Configuration

If you encounter errors during the connection to the Entra ID SSID please confirm all of the below Entra ID account configurations have been verified.

  1. The Entra ID  user attempting to authenticate with the network must have an active email associated with their account.
  2. Within the Microsoft AD account the Cisco Meraki Application must be a verified application. Please refer to the section
    Granting Microsoft Admin Consent to the Meraki Enterprise Application  
  3. The Azure user attempting to authenticate with the network must have an active email associated with their account.

The associated user email must be the same as the user principal name. If they are not the same the Entra ID sign-in attempt will fail with the below error.

This image shows that the user email must match the user principal name, or the Entra ID sign-in will fail with an error.

3.1. To verify, sign in to the Azure Portal: Go to https://portal.azure.com and sign in with your Azure account credentials.

3.2.Navigate to Azure Active Directory:

3.3. In the left-hand navigation pane, select Microsoft Entra ID. Select Users:

3.4. Under the Manage section, select Users. Search for the User.

3.5. Use the search bar and search for the relevant User.

3.6. Check the User Properties.

3.7. Click on the Properties tab of the selected User and ensure that there is a valid email.
 

This image shows how to click on the Properties tab of the selected user to check for a valid email.

Email Domain Verification

  1. Sign in to the Azure ID Portal: Go to https://portal.azure.com and sign in with your Entra ID account credentials.

  2. Navigate to Azure Active Directory: In the left-hand navigation pane, select Microsoft Entra ID.

  3. Under the Manage section, select Custom domain names.

  4. Confirm the domain is verified.

This image shows how to confirm that the domain is verified.

Monitoring

If a Sign-on Splash Page is used, login attempts are reported in dashboard under Wireless > Monitor > Splash logins and Wireless > Monitor > Login attempts.

Wireless > Monitor > Splash logins page:

This image shows where login attempts are reported in the dashboard under Login attempts.

For comprehensive API documentation, steps to configure the Entra ID with Splash Page and sample source code, refer to Developer Hub for more information.

  1. Back to top
  • Was this article helpful?

Recommended articles

  1. Article type
    Topic
    Stage
    Draft
  2. Tags
    This page has no tags.