How to Enforce MFA for User Login to Cloud Secure Edge with Entra ID.

Description

This article provides guidance for administrators on configuring a Conditional Access policy that enforces multi-factor authentication (MFA) whenever users sign in to the Cloud Secure Edge (CSE) application. If the policy is not correctly implemented, MFA may only be triggered by Microsoft 365 sign-in frequency settings, which rely on default session lifetimes. These lifetimes can vary depending on browser behavior; for example, users may remain signed in for as long as the browser session stays active.

NOTE: When Microsoft Entra ID is integrated with Cloud Secure Edge (CSE), multi-factor authentication (MFA) enforcement depends on the identity provider's (IdP) policies and access conditions.

Resolution

Scope

  • Product: Cloud Secure Edge by SonicWall

  • Identity Provider: Microsoft Entra ID (Azure AD)

  • License requirement: Azure AD Premium P1 or P2

Prerequisites

  1. The Cloud Secure Edge Enterprise Application is already integrated with Microsoft Entra ID for SSO.

  2. Target users have completed MFA registration.

  3. You have a role with permission to create Conditional Access policies (Global Administrator or Security Administrator).

  4. Keep at least one break‑glass account excluded from Conditional Access for emergency access.

Procedure

  1. Sign in to the Microsoft Entra admin center with an administrator account.

  2. Go to Security → Conditional Access.

  3. Select + New policy and choose Create new policy.

  4. Name the policy (for example, CSE – Require MFA).

  5. Assignments → Users or workload identities

    • Under Include, select All users or Select users and groups and choose the identities that should be protected.

    • Under Exclude (recommended), add your break‑glass account(s).

  6. Assignments → Cloud apps or actions

    • Choose Include → Select apps.

    • Pick the Cloud Secure Edge Enterprise Application (or the specific app you want to protect).

  7. Conditions (optional)

    • Add filters such as Device platforms or Locations if you need to narrow the scope. Leave the conditions blank to apply the policy under all conditions.

  8. Access controls → Grant

    • Select Grant access.

    • Check Require multi‑factor authentication.

    • Click Select.

  9. Enable policy

    • Set Enable policy to On. If you prefer to pilot first, choose Report‑only.

  10. Click Create to save and activate the policy.

Validation Steps

  1. Sign in to the Cloud Secure Edge application as a targeted user.

  2. Confirm that the user is prompted for MFA.

  3. Sign in with an excluded or non‑targeted account and verify that MFA is not required.
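The same policy from the Procedure section, created with the Microsoft Graph PowerShell SDK and followed by a sign-in log query for the Validation Steps. This is an added example, not code from the SonicWall article; it assumes the Enterprise Application is named 'Cloud Secure Edge' in your tenant and uses a placeholder break-glass UPN that you must replace.

```powershell
# Added example (not from the article). Creates the "CSE - Require MFA"
# Conditional Access policy in report-only mode, then reads recent CSE
# sign-ins to confirm MFA was required once the policy is enabled.
# Assumptions: app display name 'Cloud Secure Edge'; placeholder break-glass UPN.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All',
    'Application.Read.All','User.Read.All','AuditLog.Read.All','Directory.Read.All'

# Conditional Access targets the enterprise application's appId (client ID).
$cseApp = Get-MgServicePrincipal -Filter "displayName eq 'Cloud Secure Edge'"
if (-not $cseApp) { throw "CSE enterprise application not found; check the display name." }

# Break-glass account to exclude (placeholder UPN, replace before running).
$breakGlass = Get-MgUser -UserId 'breakglass@yourtenant.onmicrosoft.com'

$policy = @{
    displayName   = 'CSE - Require MFA'
    # Pilot first; change to 'enabled' after the validation steps pass.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlass.Id)
        }
        applications = @{
            includeApplications = @($cseApp.AppId)
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Validation: after a targeted user signs in to CSE, AuthenticationRequirement
# should read 'multiFactorAuthentication' and ConditionalAccessStatus 'success'.
# In report-only mode ConditionalAccessStatus stays 'notApplied'; inspect
# AppliedConditionalAccessPolicies for the report-only result instead.
Get-MgAuditLogSignIn -Filter "appId eq '$($cseApp.AppId)'" -Top 10 |
    Select-Object CreatedDateTime, UserPrincipalName,
                  AuthenticationRequirement, ConditionalAccessStatus
```

A sign-in from the excluded break-glass account should show 'singleFactorAuthentication' with the policy listed as not applied, matching validation step 3.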

Considerations

  • Do not enable the policy until you have confirmed that all targeted users have registered for MFA; otherwise they may be locked out.

  • Start with a small pilot group using Report‑only or by targeting a test group before applying to All users.

  • Keep at least one break‑glass account excluded from Conditional Access and store its credentials securely.

  • Conditional Access policies apply after first‑factor authentication, so users will still enter their primary credentials before MFA is enforced.
