Cisco Meraki Documentation

Organization Users

Users listed within Dashboard represent the people who utilize network resources and/or authenticate into network devices.  

External Identity provider (IdP) sources assist in managing these users, allowing the Dashboard to work with the same user and group information that exists in enterprise IdP systems. Information such as names, email addresses, usernames, and User Principal Names (UPN) are sourced from the IdP, ensuring that there is a reliable single source of user information within the Meraki Dashboard. 

User records may also be created and managed within Dashboard, either manually or through user self-registration.  

Organization Users are accessible across the organization and can be used in any network, including Combined Dashboard Networks.

Organization > Monitor > Users page

The Organization > Monitor > Users page provides a consolidated view of users created across all the Meraki Dashboard networks as well as user records synced from external identity providers. It enables a single view for user searching, monitoring, and management across every sub network within the Meraki Dashboard. It also provides facilities for creating and managing integrations with external identity providers.  

Records maintained by an external identity provider (IdP) such as Microsoft EntraID can be updated with changes from the external IdP during new syncs into the Dashboard. For locally hosted users, with records created within Dashboard or through self-registration, the IdP source is shown as “Meraki”. For example, users added into the Network-wide > Configure > Users page for User Access to Meraki Network Zones (such as Wireless SSID, VPN, and Switch Access Policy) are automatically included in the single Organization > Monitor > Users page with “Meraki” shown as the IdP and zone access information summarized with the type of zone. Owners from Meraki Systems Manager in all the various networks are also added to this single Organization > Monitor > Users page in the same way.  

Clicking on an individual user shows more details, including their account information and assigned groups. For users managed directly in Dashboard, the network zones where access has been granted are also shown.  

 

Please reference this secondary guide for additional configuration requirements for the additional EntraID Application for SM Enrollment Authentication

Table of User Sources

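| User Source | Authorizations     | Sync                   | Groups   |
|-------------|--------------------|------------------------|----------|
| Meraki      | Client VPN, Splash | NA                     | NA       |
| EntraID     | Access Manager     | Proactive or on-demand | Via Sync |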

Meraki-hosted Users 

Meraki-hosted users are local/guest user accounts whose credentials are created and managed within the Organization Users page and are not federated with an external IdP source. Currently, Meraki-hosted user accounts can authenticate to the following channels: 

  • Client VPN
  • Splash with MerakiAuth 

Create a Meraki-hosted User 

To create a Meraki-hosted user: 

1. Navigate to Organization > Monitor > Users 

2. Click on the Add Users button in the user list. 

3. In the Add User drawer, enter the Display Name, Email (username), Password information, then click Save. 

Edit a Meraki-hosted User 

To edit a Meraki-hosted user: 

  1. Navigate to Organization > Monitor > Users and click the target user in the user list to open the user details page.

  2. Click the triple dots on the upper right of the IdP - Meraki card on the user details page, and select Edit User Details from the drop-down menu.

  3. Edit the user details in the drawer:

    • Enter updates to Display Name, username or email address

    • A new password can be created or generated

  4. Click Save to keep the changes and optionally send a password update email to the user.

Note: Editing the Email (username) for a Meraki-hosted user that is linked to another IdP user(s) results in creating a new, separate user record when saved.

Delete a Meraki-hosted User 

To delete a Meraki-hosted user: 

  1. Click the target user in the user list to open the user details page.

  2. Click the triple dots in the upper right of the IdP - Meraki card on the user details page.

  3. Select Delete User from the drop-down menu.

  4. Click Delete User in the confirmation modal to save your change.

Note: Deleting a Meraki-hosted user linked to other IdP users will only remove the local user record. 

Administrators can also delete multiple Meraki-hosted users from the users list. To do this: 

1. Navigate to Organization > Monitor > Users and enable the checkbox next to the target users. 

2. Click Delete Meraki user(s) in the action bar.

3. Click Delete Users in the confirmation modal. 

External IdP Users & Sources

Identity provider sources such as Microsoft Entra ID can be added to allow syncs between the IdP and Dashboard. The IdP sources store the information about the end users & groups. This information is synced and cached by Meraki Dashboard to be used across the organization. Once an IdP source has been configured in Meraki Dashboard, it can be used for IdP Syncs. A single IdP source can be used, or multiple IdP sources can be used. 

Figure: A new IdP source can be added in Dashboard by navigating to Organization > Users and clicking Create IdP.

Groups 

Groups collect multiple users under a single namespace. They are synced from external identity provider sources. In the example below, 2 users are collected into a group called TestGroup123.

Groups can only be synced in from External IdP sources. 

This group is created in Microsoft Entra ID and synced into the Dashboard. 

The same group name and associations can be seen in the IdP source, Microsoft EntraID. Changes in the user group assignments in the IdP will be synced into the Dashboard. 

For configurations with large IdP tenants, it can be effective to search for a group in the groups table. Clicking on the number of users assigned to the group will navigate to the users table with a filtered set of users who are assigned to that group. 

Adding a new external IdP source

A new IdP source can be added in Dashboard by navigating to Organization > Monitor > Users and then clicking on the Add IdP button. IdPs added can be used in different ways depending on configuration and permissions. For use in Access Manager, we recommend a full sync integration. IdPs can also be configured on the Organization > Monitor > Users page for use as an OAuth provider for Splash.  

In the IdP integration flow, add the relevant details specific to the IdP being configured in the Identity provider interface. To reduce misconfigurations, the configured connection to the IdP is validated before the integration data is saved or updated.

A detailed walkthrough of integrating with Microsoft EntraID can be found under EntraID Integrations.  

Sync configuration 

IdP Syncs keep the information about users and groups updated in Meraki Dashboard with the latest information from the identity provider. The last completed IdP sync timestamp will be displayed in Dashboard > Organization > Monitor > Users by hovering over the "Synced" section under IdP Sources.

When configuring an IdP, Dashboard supports two options for synchronization: proactive and manual. These are set on the IdP integration page when creating or editing an IdP.  

When the Proactive Sync option is enabled for an IdP configuration, all Users/Groups information from the IdP will be synced to the Dashboard Cloud cache. Dashboard will also automatically update the cached information every ~6 hours. 

Note: The initial sync for a large tenant may take several hours.

If automatic syncs are not being used ("enable proactive sync" is disabled) then syncs from the IdP must be initiated manually by an organization administrator. 

This can be done on the Organization > Monitor > Users page by clicking Sync > ${Your_IdP_Name}.

Manual syncs can take anywhere from ~5 seconds to multiple minutes to complete. The sync will proceed in the background once launched, allowing the administrator to navigate away from the page as needed while the sync is in progress. Once complete, there will be a notification on the page to show that the sync completed successfully.  