Entra User Groups in SM?

BFish87
Community Member

Hi there,

I recently set up an IDP sync from Microsoft Entra in Organization -> Users of Cisco. It's working great and I can see I have about 75 security groups syncing from Entra and a few thousand users.

Unfortunately, when going inside Systems Manager under tags, I see my ASM groups but nothing related to Entra groups. Furthermore, when I am in app deployment or settings, I cannot use any of my Entra user groups as part of the settings to help when doing user-based deployment.

Any advice on whether it is indeed possible to use Entra user groups for SM app/setting deployment, or have I misconfigured something?

4 Replies

aleabrahao
Meraki Community All-Star

Meraki's Entra IDP sync does not currently support the use of Entra groups in Systems Manager for tagging, application deployment, or configuration scoping.

You can either try manually assigning tags to devices based on the users that belong to each Entra group or use the Meraki API combined with the Microsoft Graph API to extract the Entra group membership and apply the corresponding tags to the devices in SM via API.

I am not a Cisco employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Hi there,

That can't be fully accurate, as Cisco SM has this:

image.png

I was able to get it to sync the groups for me when I did an SSO portal login through Entra, but can't for the other 2,000+ groups. Once I logged in it grabbed my Microsoft info.

How can I get that for the other 2,000+ users without requiring every single user to log in?

aleabrahao
Meraki Community All-Star

What you're observing is accurate behavior. When a user logs in to the SSO portal (via Entra ID) for the first time, Meraki SM captures that user's group membership from Entra and creates a dynamic tag based on that, but users who never log in to the SSO portal do not sync automatically. Their group memberships aren't pulled into SM until they authenticate at least once.

As mentioned, you can try using the Meraki API combined with the Microsoft Graph API to extract Entra group membership and apply the corresponding tags to devices in SM via the API.

I am not a Cisco employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
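The Graph-plus-Meraki-API approach suggested in both replies above, as an added example (not Meraki's or the poster's code): group members are read from the Graph `/groups/{id}/members` pages, matched against the `ownerEmail` of enrolled SM devices, and turned into batched bodies for the Meraki Dashboard API tag endpoint. The Meraki endpoint paths and body shape, the `ownerEmail` field and all sample data are assumptions; the HTTP calls themselves are left to the caller so the matching logic runs offline.

```python
"""Mirror an Entra group onto a Systems Manager device tag (added example, not Meraki code)."""
from typing import Iterable

# Entra side: GET https://graph.microsoft.com/v1.0/groups/{group_id}/members (follow @odata.nextLink).
# Meraki side (assumed endpoints): GET /networks/{networkId}/sm/devices and
# POST /networks/{networkId}/sm/devices/tags with {"ids": [...], "tags": [...], "updateAction": ...}.
# The HTTP calls are left to the caller so the mapping logic below runs offline.

def graph_member_emails(pages: Iterable[dict]) -> set[str]:
    """Collect addresses of user members from Graph '/members' pages; nested groups are skipped."""
    emails: set[str] = set()
    for page in pages:
        for member in page.get("value", []):
            if member.get("@odata.type") != "#microsoft.graph.user":
                continue  # a nested group, device or service principal cannot own an SM device
            addr = member.get("mail") or member.get("userPrincipalName")
            if addr:
                emails.add(addr.lower())  # compare against SM ownerEmail case-insensitively
    return emails

def reconcile(sm_devices: list[dict], member_emails: set[str], tag: str) -> tuple[list[str], list[str]]:
    """Return (device ids to tag, device ids to untag) so `tag` mirrors current group membership."""
    in_group = {d["id"] for d in sm_devices if (d.get("ownerEmail") or "").lower() in member_emails}
    tagged = {d["id"] for d in sm_devices if tag in d.get("tags", [])}
    return sorted(in_group - tagged), sorted(tagged - in_group)

def tag_payloads(device_ids: list[str], tag: str, action: str, batch: int = 100) -> list[dict]:
    """Bodies for POST /sm/devices/tags, batched; action is 'add' or 'delete'."""
    return [{"ids": device_ids[i:i + batch], "tags": [tag], "updateAction": action}
            for i in range(0, len(device_ids), batch)]

# Constructed sample data standing in for one Graph page and one SM device list.
SAMPLE_GRAPH_PAGES = [{"value": [
    {"@odata.type": "#microsoft.graph.user", "mail": "Alice@Example.com", "userPrincipalName": "alice@example.com"},
    {"@odata.type": "#microsoft.graph.user", "mail": None, "userPrincipalName": "bob@example.com"},
    {"@odata.type": "#microsoft.graph.group", "displayName": "Nested group"},
]}]
SAMPLE_SM_DEVICES = [
    {"id": "d1", "ownerEmail": "alice@example.com", "tags": ["all-staff"]},
    {"id": "d2", "ownerEmail": "bob@example.com", "tags": []},
    {"id": "d3", "ownerEmail": "carol@example.com", "tags": ["all-staff"]},  # owner has left the group
    {"id": "d4", "ownerEmail": None, "tags": []},  # device with no assigned owner
]

if __name__ == "__main__":
    members = graph_member_emails(SAMPLE_GRAPH_PAGES)
    add, remove = reconcile(SAMPLE_SM_DEVICES, members, "all-staff")
    for body in tag_payloads(add, "all-staff", "add") + tag_payloads(remove, "all-staff", "delete"):
        print(body)  # each would be POSTed with the Meraki API key read from an env var, never hard-coded
```

Run it on a schedule with a Graph app registration holding only `GroupMember.Read.All` and a Meraki API key scoped to the SM network, and the tag follows group membership without any user having to log in to the SSO portal.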

Oh Meraki, you are breaking my heart.

A follow-up: I was under the impression that the API did not have a node where you could assign / manage user tags? E.g., I have a tag called All staff, and I write an API script to sync all of the group members using the Microsoft Graph API into that tag.

If it's there, I've definitely missed it but that would solve it.