SonicWall CSE: Grant CSE Access to 3rd-Party Contractors Using Entra ID B2B

Use this guide to onboard 3rd-party contractors (e.g., vendors, partners) to Cloud Secure Edge (CSE) using Entra ID’s B2B Collaboration. This approach allows you to grant, manage, and revoke access for a single group in your Entra ID tenant without incurring additional licensing fees, using Entra ID’s External Identities Monthly Active Users (MAU) model. Admins can then onboard thousands of contractors with no license cost, provided that the number of unique contractors signing in per month remains below 50,000.

Pre-requisites #

• Entra External Identities licensing model (offered with all Microsoft Entra ID tenants, including the Free tier, and provides a free tier of 50,000 monthly active users).

Steps #

Step 1: Create an access group for contractors.

Step 2: Invite contractors as guest users, and add them to an access group.

Step 3: Configure an Enterprise Application in Entra ID for SAML Single Sign-On (SSO).

Step 4: Configure Group-Based Access in Cloud Secure Edge.

Step 1: Create an access group in Entra ID #

Create a single group that will be used to grant access. All contractors added to this group will be given access to CSE.

1.1 In the Entra admin center, navigate from Groups > All groups.

1.2 Select + New group.

1.3 Select the Group type: Security (recommended) or Microsoft 365.

1.4 Enter a Group Name (e.g., SEC-ZTNA-Contractors-Access or M365-ZTNA-Contractors).

1.5 Set Membership type to Assigned.

1.6 Select Create.

Step 2: Invite contractors as guest users #

Invite your contractors, and add them directly to the access group you created in Step 1.

2.1 In the Entra admin center, navigate from Users > All users.

2.2 Select + New user > Invite external user.

2.3 Enter the contractor’s email address (e.g., contractor@their-company.com).

2.4 Enter their Display name.

2.5 Under the Groups and Roles tab, select + Add group, and search for and select the SEC-ZTNA-Contractors-Access group (created in Section 1); Select this group.

2.6 Select Invite. The contractor will receive an email to accept the invitation.

Step 3: Configure the Entra ID Enterprise Application (SAML) #

This section establishes the trust integration between Entra ID (your Identity Provider) and Cloud Secure Edge (your Service Provider).

Create the Enterprise Application

3.1 In the Entra admin center, navigate to Enterprise applications.

3.2 Select + New application, then + Create your own application.

3.3 Name the application (e.g., SonicWall CSE TrustProvider).

3.4 Select Integrate any other application you don’t find in the gallery (Non-gallery).

3.5 Select Create.

Configure SAML SSO

3.6 Set up auto-configuration for Entra ID to create a SAML integration between Entra ID and CSE. Follow Set up Auto-Configuration for Entra ID (Azure AD) to complete the SAML integration.

Note: Ensure that your guest Users and/or guest groups are part of the Enterprise Application and that group claims are set up.

Step 4: Configure Role-Based Access #

CSE role configuration prompts Entra ID to send the contractor’s group membership to CSE.

Configure CSE to map the Group to the Role, and the Role to the Access Policy

4.1 In the CSE Command Center, navigate from Directory & Infrastructure > Roles.

4.2 Select + Add Role, and enter a Role Name (e.g., Contractors).

4.3 In the Role configuration, select + Add Role Attribute, and then select By Group from the dropdown menu.

4.4 Select + Add Groups, and enter the Object ID (i.e., the exact name) of the Entra ID group that you created in Step 1.4 (i.e., SEC-ZTNA-Contractors-Access). Select Add “SEC-ZTNA-Contractors-Access”.

4.5 Save the Role configuration.

4.6 In the CSE Command Center, navigate from Private Access > Access Policies.

4.7 Create or edit the relevant access policy (e.g., the policy that grants access to your ZTNA resources).

4.8 In the policy, assign the role you created in Step 4.2 (e.g., Contractors).

4.9 Select Create Policy or Submit changes to your existing policy.

Summary #

1. Contractor(s) receives and accepts the Entra ID B2B invitation.

2. Admin adds the contractor’s Guest User account to the SEC-ZTNA-Contractors-Access group.

3. Contractor opens the SonicWall client and attempts to log in: They are redirected to the Microsoft sign-in page; They enter their email (contractor@their-company.com). Entra ID redirects them to their own company’s sign-in page to authenticate.

4. After successful login, Entra ID generates a SAML token containing their membership in the SEC-ZTNA-Contractors-Access group.

5. Cloud Secure Edge receives the token, finds the matching Group ID, assigns the user the Role Contractors, and grants access based on the access policy for that role.

6. Optional: To revoke access, admins can remove the Guest User from the SEC-ZTNA-Contractors-Access group.