When a domain is federated to CSE, the CSE device certificate becomes the primary authentication factor for the user. The user does not type a password. Authentication succeeds when the following are true:

• The device is registered with CSE.
• The CSE desktop app or mobile app is installed and reports the device serial.
• The user identity inside the certificate matches the Entra user, and the certificate has not been revoked.
• The device passes the bound trust profile.

CSE returns a SAML assertion to Entra ID confirming that the user is authenticated. This satisfies the password requirement, which is why the experience is described as passwordless.

Multi-factor authentication is not removed by federation. If Conditional Access in Entra requires MFA for the application the user is reaching, Entra will still prompt for the second factor configured on the user account (Authenticator app, FIDO2 key, OATH token, and so on). The FederatedIdpMfaBehavior value used in the federation command controls how Entra treats MFA claims from CSE.

• rejectMfaByFederatedIdp (recommended). Entra always performs MFA itself and ignores any MFA claim from CSE. This keeps MFA enforcement, policy, and reporting consolidated in Entra Conditional Access, which is the cleanest model for most deployments.
• acceptIfMfaDoneByFederatedIdp. Entra accepts MFA performed at CSE when present, and otherwise prompts the user for MFA at Entra. Use this only when CSE is configured to assert MFA and you want to avoid a second prompt.
• enforceMfaByFederatedIdp. Entra requires MFA to be asserted by CSE. Choose this only if CSE is configured to perform MFA itself and Entra should never prompt.

In short: the CSE device certificate replaces the password, and Entra continues to own MFA.

Once a domain is federated, new users cannot enroll the CSE app the normal way, because their first authentication attempt is redirected to CSE and CSE has no certificate for them yet. Staged Rollout is the supported way out of this loop.

The recommended enrollment flow is:

1. Create or identify an Entra group named, for example, CSE-Staged-Bypass.
2. In Microsoft Entra admin center, navigate to Hybrid management > Microsoft Entra Connect > Connect Sync > Enable staged rollout features, and add the group to the staged rollout scope. This causes members of the group to authenticate against Entra ID directly instead of being redirected to CSE.
3. Add the new user to the CSE-Staged-Bypass group before enrollment begins.
4. Have the user install the CSE desktop app or mobile app and complete the manual enrollment flow with an invite code. Because the user is in the staged rollout group, Entra accepts their password and CSE issues a device certificate.
5. Once enrollment is confirmed and the user can authenticate end to end, remove the user from CSE-Staged-Bypass. The next sign in will follow the federated, passwordless flow.

The same group can host emergency access accounts and short term troubleshooting accounts. Treat membership as privileged and audit it on the same cadence as other privileged group memberships.

Based on current Entra ID operational models, capabilities have the following limitations, listed below.

• With passwordless authentication enabled, devices must be registered using MDM zero touch deployment, or onboarded individually using the Staged Rollout flow described above. See Distribute desktop app.
• Domains in Entra ID must be federated entirely with CSE. Domains cannot be segmented.
• All devices accessing applications federated through Entra ID with passwordless enabled must be registered with CSE.
• User and device groups cannot be segmented by different authentication protocols within a federated domain.

Before proceeding, complete the following:

• Configure Entra ID for CSE services.
• Configure Entra ID for CSE device registration.
• Configure zero touch deployment with your MDM provider.
• Provision break glass admin accounts and a Staged Rollout group as described in "Critical warning: prevent tenant lockout before you federate."

Step 1: Create a web policy

1.1 Open the policy creation screen.

Navigate to Private Access > Access Policies > + Create Policy, then select Web Policy.

1.2 Enter a policy name and description.

1.3 Set the recommended policy attributes.

• Role: ANY (specific user and device assignment for SaaS applications is typically done at the IdP).
• TrustLevel: High or Medium, when all devices are registered with the CSE app.

1.4 Create the policy.

Select Create Policy.

Step 2: Create a SaaS application in CSE

Microsoft does not support OIDC for Entra federation; SAML is required.

2.1 Open the SaaS Apps publisher.

Navigate to Internet Access > SaaS Apps, and select Publish SaaS Application.

2.2 Choose the IDP Routed template.

Select the IDP Routed template for Entra ID to route to CSE.

2.3 Name the app and select the protocol.

Name the SaaS app, and select SAML as the authentication protocol.

2.4 Set the Redirect URL.

Enter https://login.microsoftonline.com/login.srf as the Redirect URL.

2.5 Set the Audience URI.

Enter urn:federation:MicrosoftOnline as the Audience URI.

2.6 Attach the web policy.

Attach the web policy from Step 1 and set it to Enforcing.

2.7 Enable passwordless authentication.

Expand Advanced Configurations (optional) and enable Passwordless Authentication. Although labeled optional, this setting is required for Entra federation. For background, see Passwordless Authentication.

2.8 Register the app.

Select Register.

Step 3: Create CSE as an Identity Provider in Entra ID

These steps assume no prior third party identity provider is configured in the Entra tenant. If one is configured, refer to Microsoft documentation for the current best practices.

3.1 Open the CSE SaaS app.

Navigate to the new CSE SaaS app inside the CSE command center.

3.2 Download the metadata file.

Copy the metadata URL and paste it into a new browser tab. The file should download. Save it as BanyanMetadata.xml. If the file does not download, copy the XML from the page into a new file with the same name.

3.3 Open All identity providers in Entra.

In the Microsoft Entra admin center, navigate to External Identities > All identity providers.

3.4 Add a new SAML/WS-Fed IDP.

Select New SAML/WS-Fed IDP.

3.5 Provide the IDP details.

• Display Name: SonicWall CSE Trust Provider
• Identity Provider Protocol: SAML
• Domain name of federating IDP: <ORG_NAME>.trust.banyanops.com

3.6 Upload the metadata file.

Under Select a method for populating metadata, choose Parse metadata file, then upload BanyanMetadata.xml from Step 2.

3.7 Save the configuration.

Select Save. The CSE Trust Provider will appear in the SAML/WS-Fed identity providers table.

Step 4: Configure the Entra ID custom domain with a federated identity source

Microsoft retired the MSOnline PowerShell module and the Set-MsolDomainFederationSettings cmdlet. The supported replacement is the Microsoft Graph PowerShell SDK cmdlet New-MgDomainFederationConfiguration (module Microsoft.Graph.Identity.DirectoryManagement).

4.1 Install and connect.

Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes "Domain.ReadWrite.All", "Directory.AccessAsUser.All"

The signed in account requires the Global Administrator or Hybrid Identity Administrator role, plus consent to the listed Graph scopes.

4.2 Define variables for the federation.

Replace the example URIs and certificate with values from the CSE metadata generated in Step 3.

$DomainName          = "<your-federated-domain.com>"
$BrandName           = "SonicWall CSE"
$PassiveLogOnUri     = "https://<org>.trust.banyanops.com/v2/saml/sso/<id>"
$IssuerUri           = "https://<org>.trust.banyanops.com/v2/saml/sso/<id>"
$LogOffUri           = "https://login.microsoftonline.com/logout.srf"
$MetadataExchangeUri = "https://<org>.trust.banyanops.com/api/v1/saml_metadata"
$SigningCert         = "<base64 x509 certificate from BanyanMetadata.xml, no headers, single line>"

Notes on the inputs:

• $DomainName is the Entra custom domain being federated, such as contoso.com. The tenant default *.onmicrosoft.com domain cannot and should not be federated.
• $PassiveLogOnUri and $IssuerUri are the SAML SSO endpoint exposed by CSE. Both values come from the metadata downloaded in Step 3.
• $SigningCert is the first X509Certificate value from BanyanMetadata.xml, with no PEM header or footer and no line breaks.
• $MetadataExchangeUri is optional but recommended. It allows Entra to refresh signing certificates from CSE without manual updates.

4.3 Apply the federation configuration.

$params = @{
    DisplayName                     = $BrandName
    IssuerUri                       = $IssuerUri
    MetadataExchangeUri             = $MetadataExchangeUri
    PassiveSignInUri                = $PassiveLogOnUri
    SignOutUri                      = $LogOffUri
    SigningCertificate              = $SigningCert
    PreferredAuthenticationProtocol = "saml"
    FederatedIdpMfaBehavior         = "rejectMfaByFederatedIdp"
}

New-MgDomainFederationConfiguration -DomainId $DomainName -BodyParameter $params

FederatedIdpMfaBehavior = "rejectMfaByFederatedIdp" is recommended so that Entra Conditional Access continues to own MFA enforcement and reporting. See "How passwordless authentication works" for the trade offs between the three accepted values.

This command activates federation immediately. Every user in $DomainName is redirected to CSE for authentication on the next sign in. Confirm that break glass accounts and Staged Rollout are in place before running it.

4.4 Verify.

Get-MgDomainFederationConfiguration -DomainId $DomainName

The returned object should reflect the brand name, issuer URI, and certificate that were supplied.

4.5 Roll back if needed.

To revert the domain to managed authentication and remove the federation:

Update-MgDomain -DomainId $DomainName -AuthenticationType Managed
Remove-MgDomainFederationConfiguration -DomainId $DomainName -InternalDomainFederationId <id>

The federation configuration ID is returned by Get-MgDomainFederationConfiguration.

The admin who runs the cmdlets must consent to the following delegated Graph scopes:

• Domain.ReadWrite.All
• Directory.AccessAsUser.All

Both are required for federation configuration changes. If Connect-MgGraph returns insufficient privileges, request administrator consent for the scopes from the Entra admin center, or run Connect-MgGraph while signed in as a Global Administrator who can grant consent during the prompt.

• Microsoft Learn, New-MgDomainFederationConfiguration.
• Microsoft Learn, Update-MgDomainFederationConfiguration.
• Microsoft Learn, internalDomainFederation resource type.
• Microsoft Learn, Manage emergency access admin accounts.
• Microsoft Learn, Microsoft Entra Connect: Cloud authentication via Staged Rollout.
• Microsoft Learn, Migrate from federation to cloud authentication in Microsoft Entra ID.