Enforce MFA for each and every login to Cloud Secure Edge with Google Workspace

Description

This article shows administrators how to require 2‑Step Verification (2SV) whenever users access the Cloud Secure Edge (CSE) application. If this is not configured, CSE logins follow the Google session control settings.

Scope

  • Product: Cloud Secure Edge by SonicWall

  • Identity Provider: Google Workspace (Cloud Identity)

  • License requirement: Google Workspace Business or Enterprise edition, or Cloud Identity Premium

Prerequisites

  1. Cloud Secure Edge is already configured as a SAML application in Google Workspace and assigned to users.

  2. Target users have enrolled in 2‑Step Verification (security key, Google Authenticator, or Google Prompt).

  3. You have Super Admin (or Security Admin + Groups Admin) privileges to manage security settings.

  4. Maintain at least one break‑glass admin account, with its credentials stored securely, for emergency lockout scenarios.

Procedure

Part A – Enforce 2‑Step Verification for the target users

  1. Sign in to the Google Admin console with a super‑admin account.

  2. Navigate to Security → Authentication → 2‑step verification.

  3. Select the Organizational Unit or Group that contains the users who need CSE access.

  4. Under Enforcement, choose On and enable Enforce 2‑Step Verification.

  5. Set a Grace period (optional) to give users time to enroll.

  6. Click Save.

Part B – Restrict Cloud Secure Edge access to 2SV‑enforced users

Option 1: Group assignment (simplest)

  1. In the Admin console, go to Apps → Web and mobile apps.

  2. Search for Cloud Secure Edge and open its settings.

  3. Click User access.

  4. Select ON for some and choose only the group/OU that has 2SV enforcement.

  5. Click Save.

Option 2: Context‑Aware Access (granular)

  1. Navigate to Security → Access and data control → Context‑Aware Access.

  2. Click Access levels → Create access level.

  3. Name it Requires 2SV.

  4. Under Add condition, enable Require user to have verified 2‑step verification and set any additional device/location rules you need.

  5. Save the access level.

  6. Go back to Apps → Web and mobile apps → Cloud Secure Edge → Context‑Aware Access.

  7. Set the service status to ON, then apply the Requires 2SV access level.

  8. Click Save.

Validation Steps

  1. Sign in with a test account in the targeted group/OU and launch Cloud Secure Edge. Verify that a 2SV prompt appears.

  2. Remove 2SV enrollment from the test account or move it to an unenforced OU. Confirm that access to CSE is blocked with a message such as “This service requires 2‑Step Verification.”
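
A readiness check for prerequisite 2 and Part A, added here as an example and not taken from the original article or from SonicWall or Google code: it classifies users in the target OU by the `isEnrolledIn2Sv` and `isEnforcedIn2Sv` fields of Admin SDK Directory API user records. The sample records, OU paths and function names are constructed for illustration, and child OUs are assumed to inherit the parent OU's 2SV setting.

```python
import json

# Constructed sample shaped like a Directory API users.list response.
# Field names are the API's; accounts and OU paths are made up.
SAMPLE_USERS_JSON = """
{"users": [
  {"primaryEmail": "alice@example.com", "orgUnitPath": "/Staff/CSE",
   "isEnrolledIn2Sv": true, "isEnforcedIn2Sv": true, "suspended": false},
  {"primaryEmail": "bob@example.com", "orgUnitPath": "/Staff/CSE",
   "isEnrolledIn2Sv": false, "isEnforcedIn2Sv": false, "suspended": false},
  {"primaryEmail": "carol@example.com", "orgUnitPath": "/Staff/CSE/Contractors",
   "isEnrolledIn2Sv": true, "isEnforcedIn2Sv": false, "suspended": false},
  {"primaryEmail": "dave@example.com", "orgUnitPath": "/Staff/CSE2",
   "isEnrolledIn2Sv": false, "isEnforcedIn2Sv": false, "suspended": false},
  {"primaryEmail": "erin@example.com", "orgUnitPath": "/Staff/CSE",
   "isEnrolledIn2Sv": false, "isEnforcedIn2Sv": false, "suspended": true}
]}
"""

def load_users(raw):
    return json.loads(raw).get("users", [])

def in_ou(user_path, target_ou):
    """Path-aware match: the OU itself or a child, so /Staff/CSE2 is not /Staff/CSE."""
    target = target_ou.rstrip("/")
    return user_path == target or user_path.startswith(target + "/")

def audit_2sv(users, target_ou):
    """Group users in target_ou by whether 2SV enforcement is safe and in effect."""
    report = {"ready": [], "not_enrolled": [], "not_enforced": [], "suspended": []}
    for u in users:
        if not in_ou(u.get("orgUnitPath", "/"), target_ou):
            continue
        email = u["primaryEmail"]
        if u.get("suspended"):
            report["suspended"].append(email)      # cannot sign in; review separately
        elif not u.get("isEnrolledIn2Sv", False):
            report["not_enrolled"].append(email)   # risks lockout once 2SV is enforced
        elif not u.get("isEnforcedIn2Sv", False):
            report["not_enforced"].append(email)   # enrolled, but Part A not in effect
        else:
            report["ready"].append(email)
    return report

if __name__ == "__main__":
    for bucket, emails in audit_2sv(load_users(SAMPLE_USERS_JSON), "/Staff/CSE").items():
        print(f"{bucket}: {', '.join(emails) or '-'}")
```

To run it against real data, replace the sample with the JSON returned by a Directory API `users.list` call for your domain.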

Considerations

  • Google Workspace enforces 2SV at login. To scope it only to Cloud Secure Edge, use group assignment or Context‑Aware Access.

  • Provide user training and clear communications before enforcing 2SV to avoid support tickets.

  • Keep backup codes or secondary admin accounts available to avoid lockouts.
