Entra User Groups in SM?

BFish87
Conversationalist
Hi there,
I recently set up an IDP sync from Microsoft Entra in Organization -> Users of Cisco. It's working great and I can see I have about 75 security groups syncing from Entra and a few thousand users.
Unfortunately, when going inside Systems Manager under tags, I see my ASM groups but nothing related to Entra groups. Furthermore, when I am in app deployment or settings, I cannot use any of my Entra user groups as part of the settings to help when doing user-based deployment.
Any advice on whether it is indeed possible to use Entra user groups for SM app/setting deployment, or have I misconfigured something?

4 Replies
alemabrahao
Kind of a big deal
Meraki's Entra IDP sync does not currently support the use of Entra groups in Systems Manager for tagging, application deployment, or configuration scoping.
You can either try manually assigning tags to devices based on the users that belong to each Entra group or use the Meraki API combined with the Microsoft Graph API to extract the Entra group membership and apply the corresponding tags to the devices in SM via API.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
BFish87
Conversationalist

Hi there,
That can't be fully accurate as Cisco SM has this
Screenshot 2568-06-15 at 22.52.25.png
I was able to get it to sync the groups for me when I did an SSO portal login through Entra, but can't for the other 2,000+ groups. Once I logged in it grabbed my Microsoft info.
How can I get that for the other 2,000+ users without requiring every single user to log in?

alemabrahao
Kind of a big deal

What you're observing is accurate behavior. When a user logs in to the SSO portal (via Entra ID) for the first time, Meraki SM captures that user's group membership from Entra and creates a dynamic tag based on that, but users who never log in to the SSO portal do not sync automatically. Their group memberships aren't pulled into SM until they authenticate at least once.
As mentioned, you can try using the Meraki API combined with the Microsoft Graph API to extract Entra group membership and apply the corresponding tags to devices in SM via API.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
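As an added illustration of the Graph-plus-Meraki-API approach suggested in both replies above (example code, not from this thread or from Meraki): the planning step that turns an Entra group's membership into device-tag changes. It works on already-fetched JSON and makes no network calls; the sample responses are constructed, and the request bodies follow the shape of the Dashboard API's SM device tag endpoint (PUT /networks/{networkId}/sm/devices/tags) as I know it, so check them against the current API reference before wiring them up.

```python
# Constructed sample: a trimmed Microsoft Graph response for
# GET /groups/{id}/members (read-only membership lookup).
GRAPH_MEMBERS = {
    "value": [
        {"@odata.type": "#microsoft.graph.user", "userPrincipalName": "Alice@Example.com"},
        {"@odata.type": "#microsoft.graph.user", "userPrincipalName": "bob@example.com"},
        {"@odata.type": "#microsoft.graph.group", "displayName": "Nested group"},
    ]
}

# Constructed sample: a trimmed Meraki response for GET /networks/{networkId}/sm/devices.
SM_DEVICES = [
    {"id": "1001", "ownerEmail": "alice@example.com", "tags": ["All staff"]},
    {"id": "1002", "ownerEmail": "bob@example.com", "tags": []},
    {"id": "1003", "ownerEmail": "carol@example.com", "tags": ["All staff"]},
    {"id": "1004", "ownerEmail": None, "tags": []},
]


def group_upns(graph_members):
    """Lower-cased UPNs of direct user members; nested groups are skipped, not expanded."""
    return {
        m["userPrincipalName"].lower()
        for m in graph_members.get("value", [])
        if m.get("@odata.type") == "#microsoft.graph.user" and m.get("userPrincipalName")
    }


def plan_tag_updates(graph_members, sm_devices, tag):
    """Return the 'add' and 'delete' bodies for PUT .../sm/devices/tags.

    A device is tagged only while its owner is in the group; a device that
    carries the tag but whose owner is no longer a member (or has no owner)
    is untagged, so the SM tag never outlives the Entra membership behind it.
    """
    members = group_upns(graph_members)
    to_add, to_delete = [], []
    for dev in sm_devices:
        owner = (dev.get("ownerEmail") or "").lower()  # match case-insensitively
        has_tag = tag in dev.get("tags", [])
        if owner in members and not has_tag:
            to_add.append(dev["id"])
        elif has_tag and owner not in members:
            to_delete.append(dev["id"])
    return (
        {"ids": sorted(to_add), "tags": [tag], "updateAction": "add"},
        {"ids": sorted(to_delete), "tags": [tag], "updateAction": "delete"},
    )
```

Run it on a schedule with a Graph app registration that only has group-membership read permission, and keep the Meraki API key scoped to the SM network it updates.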
BFish87
Conversationalist

Oh Meraki, you are breaking my heart.
A follow-up: I was under the impression that the API did not have a node where you could assign / manage user tags? E.g. I have a tag called All staff, and I write an API script to sync all of the group members using the Microsoft Graph API into that tag.
If it's there, I've definitely missed it but that would solve it.
