
VPN User Provisioning with API

gingerwon
Community Member

Happy Friday everyone,
Boss tasked me with going through our AnyConnect authorized users on Meraki, verifying who is inactive in AD, and removing inactive users from AnyConnect. While SCIM would be ideal, I'm not finding any SCIM availability for AnyConnect Provisioning. So far I'm getting the information I want from the Invoke-RestMethod, and I'm able to then query those users against AD to confirm Enabled -eq True. My final hurdle is to take the list of disabled users, get their id from the Meraki response, and send a DELETE Invoke-RestMethod to delete the disabled users via the "{{baseUrl}}/networks/:networkId/merakiAuthUsers/:merakiAuthUserId" endpoint.

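Import-Module ActiveDirectory   # provides Get-ADUser

# $NetworkIDs and $headers must already be set before this runs.
$AllUsers = @()
foreach ($NetworkID in $NetworkIDs) {
    # List the Meraki auth users of each network
    $Users = Invoke-RestMethod -Method Get -Uri "https://api.meraki.com/api/v1/networks/$NetworkID/merakiAuthUsers" -Headers $headers
    $AllUsers += $Users
}
# Keep the Meraki users whose matching AD account exists and is disabled
$InactiveUsers = foreach ($User in $AllUsers) {
    $ADUser = Get-ADUser -Filter "mail -eq '$($User.email)'" -Properties Enabled
    if ($ADUser -and !$ADUser.Enabled) {
        $User
    }
}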

Any tips or tricks would be greatly appreciated!
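One way to finish the DELETE step described in the post above, as an added example that is not part of the original post or Meraki's own code. It keeps the network ID with each user because the DELETE path needs both IDs, and it only removes users whose AD account is positively matched and disabled. The function name, the `MERAKI_API_KEY` environment variable and the Bearer header setup are assumptions.

```powershell
# Added example, not the poster's code. Assumes the ActiveDirectory module and an
# API key in the MERAKI_API_KEY environment variable (hypothetical name).
#Requires -Modules ActiveDirectory

function Remove-DisabledMerakiAuthUser {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string[]] $NetworkIDs,
        [string] $BaseUrl = 'https://api.meraki.com/api/v1'
    )
    $headers = @{ Authorization = "Bearer $env:MERAKI_API_KEY" }

    foreach ($NetworkID in $NetworkIDs) {
        # Keep the network ID with each user: the DELETE path needs both IDs.
        $Users = Invoke-RestMethod -Method Get -Headers $headers `
            -Uri "$BaseUrl/networks/$NetworkID/merakiAuthUsers"

        foreach ($User in $Users) {
            if (-not $User.email) { continue }
            # Double any single quote so an address containing ' cannot break the filter.
            $mail   = $User.email -replace "'", "''"
            $ADUser = Get-ADUser -Filter "mail -eq '$mail'" -Properties Enabled

            # Act only on exactly one matched, disabled account.
            # No match or several matches is left for manual review.
            if (-not $ADUser -or @($ADUser).Count -gt 1 -or $ADUser.Enabled) { continue }

            $target = "$($User.email) (id $($User.id)) in network $NetworkID"
            if ($PSCmdlet.ShouldProcess($target, 'Delete Meraki auth user')) {
                try {
                    Invoke-RestMethod -Method Delete -Headers $headers `
                        -Uri "$BaseUrl/networks/$NetworkID/merakiAuthUsers/$($User.id)"
                    $status = 'Deleted'
                } catch {
                    $status = "Failed: $($_.Exception.Message)"
                }
                # One record per attempt, suitable for Export-Csv as an audit trail.
                [pscustomobject]@{
                    Time = Get-Date; NetworkId = $NetworkID
                    Email = $User.email; MerakiId = $User.id; Status = $status
                }
            }
        }
    }
}

# Dry run first: lists what would be removed without sending any DELETE.
# Remove-DisabledMerakiAuthUser -NetworkIDs $NetworkIDs -WhatIf
```

Running with `-WhatIf` still performs the GET and AD lookups, so the printed targets can be reviewed before any account is removed.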

2 Replies

Philip D'Ath
Meraki Community All-Star

Going completely sideways; do you use Office 365/Entra ID? Have you considered authenticating directly against that instead?

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/AnyConnect_Azure_AD_SAML_Configuration

Thanks for the reply Philip!

We have/are considering this, but didn't think SSO would automatically deprovision disabled users from the Meraki authenticated users list. Maybe this is a much simpler solution; I'll try to do some testing today. Thanks again!