Meraki Walled Garden wildcards for the PC Entra

Hassan Afzal 0 Reputation points
2026-03-02T08:58:00.1133333+00:00

Hi,

I'm having a problem adding wildcards to the Meraki walled garden.

We have full hybrid-joined PCs and are trying to connect a new user to the guest Wi-Fi so they can change their generic password.

The guest Wi-Fi isn't letting them connect to Microsoft services.

Also, don't forget we have a captive portal which allows users to connect to the internet once they are logged in. And it's at the portal that we're having the problem, because new users must change their password to get access.

I'm trying to add the wildcards (e.g. msauth.net and login.microsoftonline.com) so the new user can get minimal internet access and change their password.

Still no result.

My idea is to allow the Microsoft traffic so they can log in and change the password, then log in to the portal so that they have internet and the certificates get installed automatically via SCEPman policy.

Does anybody have a solution for this?

Thank you

Azure Firewall

An Azure network security service that is used to protect Azure Virtual Network resources.


1 answer

  1. Q&A Assist
    2026-03-02T08:58:15.8066667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Meraki walled garden rules must allow all required Microsoft endpoints for Microsoft Entra sign-in and password change flows; allowing only *.msauth.net and login.microsoftonline.com is not sufficient.

    From the provided context, the only explicitly listed Microsoft cloud endpoints are for Microsoft 365 traffic and Microsoft Entra-related services. For a guest/Wi‑Fi walled garden that must allow Microsoft sign-in and password change, configure the Meraki walled garden (or equivalent allowlist) to permit at least:

    1. Microsoft 365 / Microsoft cloud IP ranges (for sign-in and related services). Add the following IP ranges to the allowed list (as destinations that bypass the walled garden restrictions):
      • 132.245.0.0/16
      • 204.79.197.215/32
      • 150.171.32.0/22
      • 131.253.33.215/32
      • 23.103.160.0/20
      • 40.96.0.0/13
      • 52.96.0.0/14
      • 40.104.0.0/15
      • 13.107.128.0/22
      • 13.107.18.10/31
      • 13.107.6.152/31
      • 52.238.78.88/32
      • 104.47.0.0/17
      • 52.100.0.0/14
      • 40.107.0.0/16
      • 40.92.0.0/15
      • 150.171.40.0/22
      • 52.104.0.0/14
      • 104.146.128.0/17
      • 40.108.128.0/17
      • 13.107.136.0/22
      • 40.126.0.0/18
      • 20.231.128.0/19
      • 20.190.128.0/18
      • 20.20.32.0/19
      These are documented Microsoft 365 / Microsoft cloud IPs that must be reachable when Microsoft traffic is being forwarded or filtered.
    2. Microsoft Entra / Global Secure Access FQDNs. Ensure the walled garden allows at least the documented Microsoft Entra service FQDN suffix:
      • globalsecureaccess.microsoft.com (Meraki supports wildcards, so *.globalsecureaccess.microsoft.com or the base domain depending on configuration)
      In Meraki, this typically means adding that domain (or wildcard) to the allowed destinations so that DNS and HTTPS traffic to those hosts is not blocked or intercepted.
    3. General guidance for the scenario
      • Confirm that DNS queries from the guest network can resolve Microsoft domains (no DNS blocking or redirection for these domains).
      • Make sure the walled garden rules are applied to both HTTP and HTTPS traffic.
      • After updating the allowlist, test with a freshly joined hybrid-joined PC on the guest Wi‑Fi and attempt to reach the Microsoft sign-in page and password change page.

    If, after adding these documented IP ranges and FQDNs, sign-in still fails, verify on the Meraki side that:

    • The rules are ordered correctly so that the allow rules for these IPs/domains are evaluated before any deny/captive-portal rules.
    • There is no SSL inspection or proxy behavior that breaks Microsoft sign-in flows for these endpoints.

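The answer above lists the destinations to allow but gives no way to check that a walled-garden entry is well-formed, or to predict whether a given sign-in destination would actually pass. The following Python is an added example (not code from the question, the answer, Microsoft or Cisco Meraki): it validates and deduplicates the CIDR/FQDN entries from the answer, simulates the allow decision for a destination, and builds the request body for the Meraki Dashboard API splash-settings call. Assumptions: the wildcard form `*.example.com` matches subdomains only, as Meraki documents for walled-garden entries; the field names `walledGardenEnabled` and `walledGardenRanges` are those of `updateNetworkWirelessSsidSplashSettings` as I know them and should be checked against the current API reference; the IP list is the one given in the answer, not Microsoft's full published endpoint set.

```python
import ipaddress
import json
import re

# Destinations taken from the answer above (a subset of Microsoft's published
# endpoints; always re-check the current published list before deploying).
MS_IP_RANGES = [
    "132.245.0.0/16", "204.79.197.215/32", "150.171.32.0/22", "131.253.33.215/32",
    "23.103.160.0/20", "40.96.0.0/13", "52.96.0.0/14", "40.104.0.0/15",
    "13.107.128.0/22", "13.107.18.10/31", "13.107.6.152/31", "52.238.78.88/32",
    "104.47.0.0/17", "52.100.0.0/14", "40.107.0.0/16", "40.92.0.0/15",
    "150.171.40.0/22", "52.104.0.0/14", "104.146.128.0/17", "40.108.128.0/17",
    "13.107.136.0/22", "40.126.0.0/18", "20.231.128.0/19", "20.190.128.0/18",
    "20.20.32.0/19",
]

# FQDNs from the question and the answer, written in Meraki wildcard form
# (assumption: "*.x" matches subdomains of x only, not x itself).
MS_FQDNS = [
    "login.microsoftonline.com",
    "*.msauth.net",
    "*.globalsecureaccess.microsoft.com",
]

# Bare hostname or "*.hostname"; rejects spaces, schemes, paths and ports.
_FQDN_RE = re.compile(r"^(\*\.)?([a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


def normalise_entries(entries):
    """Validate walled-garden entries. Returns (accepted, rejected).

    CIDRs are canonicalised (host bits cleared), FQDNs lower-cased, and
    duplicates dropped while preserving the original order.
    """
    accepted, rejected, seen = [], [], set()
    for raw in entries:
        entry = raw.strip()
        try:
            entry = str(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            if not _FQDN_RE.match(entry):
                rejected.append(raw)
                continue
            entry = entry.lower()
        if entry not in seen:
            seen.add(entry)
            accepted.append(entry)
    return accepted, rejected


def matches(entry, destination):
    """Would a single walled-garden entry let `destination` through?

    `destination` is either an IP literal (compared against CIDR entries) or a
    hostname (compared against exact or wildcard FQDN entries).
    """
    try:
        dst_ip = ipaddress.ip_address(destination)
    except ValueError:
        dst_ip = None
    if dst_ip is not None:
        try:
            return dst_ip in ipaddress.ip_network(entry, strict=False)
        except ValueError:
            return False  # entry is an FQDN; an IP literal never matches it
    host = destination.lower().rstrip(".")
    if entry.startswith("*."):
        # "*.msauth.net" covers login.msauth.net but not msauth.net itself,
        # and the leading dot stops "evilmsauth.net" from matching.
        return host.endswith(entry[1:])
    return host == entry


def is_allowed(destination, entries):
    """True if any walled-garden entry permits the destination."""
    return any(matches(e, destination) for e in entries)


def splash_settings_payload(entries):
    """Request body for PUT /networks/{id}/wireless/ssids/{n}/splash/settings.

    Assumption: field names follow updateNetworkWirelessSsidSplashSettings as
    documented at the time of writing; verify against the current reference.
    Raises if any entry is malformed so a typo cannot silently shrink the list.
    """
    accepted, rejected = normalise_entries(entries)
    if rejected:
        raise ValueError(f"rejected walled-garden entries: {rejected}")
    return {"walledGardenEnabled": True, "walledGardenRanges": accepted}


if __name__ == "__main__":
    allowlist = MS_IP_RANGES + MS_FQDNS
    print(json.dumps(splash_settings_payload(allowlist), indent=2))
    for dest in ("login.microsoftonline.com", "login.msauth.net", "msauth.net",
                 "40.126.5.1", "8.8.8.8"):
        print(f"{dest:35} allowed={is_allowed(dest, allowlist)}")
```

The `msauth.net` versus `*.msauth.net` distinction is the one to test first on the guest SSID: the question adds the bare domain, the answer adds the wildcard, and the two admit different hosts.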
