Grant CSE Access to 3rd-Party Contractors Using Entra ID B2B
- Updated on Nov 24, 2025
Overview
Use this guide to onboard 3rd-party contractors (e.g., vendors, partners) to Cloud Secure Edge (CSE) using Entra ID’s B2B Collaboration. This approach allows you to grant, manage, and revoke access through a single group in your Entra ID tenant without incurring additional licensing fees, because guest users are billed under Entra ID’s External Identities Monthly Active Users (MAU) model. Admins can therefore onboard thousands of contractors at no license cost, provided that the number of unique contractors signing in per month remains below 50,000.
Pre-requisites
- Entra External Identities licensing model (offered with all Microsoft Entra ID tenants, including the Free tier, and provides a free tier of 50,000 monthly active users).
Steps
Step 1: Create an access group for contractors.
Step 2: Invite contractors as guest users, and add them to an access group.
Step 3: Configure an Enterprise Application in Entra ID for SAML Single Sign-On (SSO).
Step 4: Configure Group-Based Access in Cloud Secure Edge.
Step 1: Create an access group in Entra ID
Create a single group that will be used to grant access. All contractors added to this group will be given access to CSE.
1.1 In the Entra admin center, navigate from Groups > All groups.
1.2 Select + New group.
1.3 Select the Group type: Security (recommended) or Microsoft 365.
1.4 Enter a Group Name (e.g., SEC-ZTNA-Contractors-Access or M365-ZTNA-Contractors).
1.5 Set Membership type to Assigned.
1.6 Select Create.
Step 2: Invite contractors as guest users
Invite your contractors, and add them directly to the access group you created in Step 1.
2.1 In the Entra admin center, navigate from Users > All users.
2.2 Select + New user > Invite external user.
2.3 Enter the contractor’s email address (e.g., contractor@their-company.com).
2.4 Enter their Display name.
2.5 Under the Groups and Roles tab, select + Add group, search for the SEC-ZTNA-Contractors-Access group (created in Step 1), tick it, and then choose Select.
2.6 Select Invite. The contractor will receive an email to accept the invitation.
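Steps 1 and 2 can also be scripted, which matters once you are onboarding more than a handful of contractors. The following is an added example using the Microsoft Graph PowerShell SDK; it is not part of the SonicWall guide. The group name and contractor address come from the steps above; the display name, the redirect URL and the module list are assumptions. The script is idempotent, so re-running it for a contractor who is already a member changes nothing.

```powershell
# Added example (not from the guide): Steps 1 and 2 with the Microsoft Graph PowerShell SDK.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Groups, Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Invite.All', 'User.ReadWrite.All'

$groupName  = 'SEC-ZTNA-Contractors-Access'          # from Step 1.4
$contractor = 'contractor@their-company.com'         # from Step 2.3
$redirect   = 'https://myapps.microsoft.com'         # assumption: where the guest lands after accepting

# Step 1: an assigned-membership security group. Reuse it if it already exists.
$group = Get-MgGroup -Filter "displayName eq '$groupName'" | Select-Object -First 1
if (-not $group) {
    $group = New-MgGroup -DisplayName $groupName `
                         -MailEnabled:$false `
                         -MailNickname ($groupName -replace '[^A-Za-z0-9]', '') `
                         -SecurityEnabled:$true
}
# This Id is the group's Object ID, which Step 4 asks for on the CSE side.
"Group Object ID: $($group.Id)"

# Step 2: B2B invitation. Entra ID creates the guest object immediately, so the guest can be
# added to the group before the contractor accepts. SendInvitationMessage sends the e-mail.
$invite = New-MgInvitation -InvitedUserEmailAddress $contractor `
                           -InvitedUserDisplayName 'Contractor (Their Company)' `
                           -InviteRedirectUrl $redirect `
                           -SendInvitationMessage:$true
$guestId = $invite.InvitedUser.Id

# Add the guest to the access group only if they are not already a member.
$memberIds = Get-MgGroupMember -GroupId $group.Id -All | Select-Object -ExpandProperty Id
if ($guestId -notin $memberIds) {
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $guestId
}
"Guest $contractor ($guestId) is a member of $groupName; invitation status: $($invite.Status)"
```

The Object ID printed after group creation is the value you will need in Step 4.4, so record it with the group name.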
Step 3: Configure the Entra ID Enterprise Application (SAML)
This section establishes the trust integration between Entra ID (your Identity Provider) and Cloud Secure Edge (your Service Provider).
Create the Enterprise Application
3.1 In the Entra admin center, navigate to Enterprise applications.
3.2 Select + New application, then + Create your own application.
3.3 Name the application (e.g., SonicWall CSE TrustProvider).
3.4 Select Integrate any other application you don’t find in the gallery (Non-gallery).
3.5 Select Create.
Configure SAML SSO
3.6 Follow Set up Auto-Configuration for Entra ID (Azure AD) to create the SAML integration between Entra ID and CSE.
Note: Ensure that your guest users and/or the guest group are assigned to the Enterprise Application (under Users and groups) and that group claims are configured; without a group claim, the SAML token carries no membership for CSE to match.
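The two conditions in the Note above are the ones most often missed, and both can be verified from PowerShell. The following is an added example (not from the guide) using the Microsoft Graph PowerShell SDK: it checks that the app registration emits security-group claims and that the contractor group is assigned to the Enterprise Application, fixing each if necessary. The application and group names are the ones used in this guide; the scopes and module list are assumptions.

```powershell
# Added example (not from the guide): verify group claims and group assignment for the SAML app.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Applications, Microsoft.Graph.Groups

Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All', 'Group.Read.All'

$appName   = 'SonicWall CSE TrustProvider'           # from Step 3.3
$groupName = 'SEC-ZTNA-Contractors-Access'           # from Step 1.4

$app = Get-MgApplication      -Filter "displayName eq '$appName'"   | Select-Object -First 1
$sp  = Get-MgServicePrincipal -Filter "displayName eq '$appName'"   | Select-Object -First 1
$grp = Get-MgGroup            -Filter "displayName eq '$groupName'" | Select-Object -First 1
if (-not ($app -and $sp -and $grp)) { throw 'Application, service principal or group not found' }

# 1. Group claims. 'SecurityGroup' emits security groups (as Object IDs by default);
#    'All' would also emit Microsoft 365 groups and distribution lists.
if ($app.GroupMembershipClaims -notin @('SecurityGroup', 'All')) {
    Update-MgApplication -ApplicationId $app.Id -GroupMembershipClaims 'SecurityGroup'
    "Enabled security-group claims on $appName"
} else {
    "Group claims already configured: $($app.GroupMembershipClaims)"
}

# 2. Assignment. When 'Assignment required' is on, only assigned users/groups can sign in to the
#    app; the all-zeros AppRoleId is the built-in 'Default Access' role.
if (-not $sp.AppRoleAssignmentRequired) {
    Write-Warning "$appName does not require assignment: any user in the tenant, guests included, can sign in to it"
}
$assigned = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All |
            Where-Object { $_.PrincipalId -eq $grp.Id }
if (-not $assigned) {
    New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id `
        -PrincipalId $grp.Id -ResourceId $sp.Id -AppRoleId ([Guid]::Empty)
    "Assigned $groupName to $appName"
} else {
    "$groupName is already assigned to $appName"
}
```

Assigning the group (rather than individual guests) to the Enterprise Application keeps the access decision in one place: adding a guest to the group in Step 2 is all that is needed for both the sign-in and the CSE role mapping.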
Step 4: Configure Role-Based Access
CSE role configuration prompts Entra ID to send the contractor’s group membership to CSE.
Configure CSE to map the Group to the Role, and the Role to the Access Policy
4.1 In the CSE Command Center, navigate from Directory & Infrastructure > Roles.
4.2 Select + Add Role, and enter a Role Name (e.g., Contractors).
4.3 In the Role configuration, select + Add Role Attribute, and then select By Group from the dropdown menu.
4.4 Select + Add Groups, and enter the Object ID (i.e., the exact name) of the Entra ID group that you created in Step 1.4 (i.e., SEC-ZTNA-Contractors-Access). Select Add “SEC-ZTNA-Contractors-Access”.
4.5 Save the Role configuration.
4.6 In the CSE Command Center, navigate from Private Access > Access Policies.
4.7 Create or edit the relevant access policy (e.g., the policy that grants access to your ZTNA resources).
4.8 In the policy, assign the role you created in Step 4.2 (e.g., Contractors).
4.9 Select Create Policy or Submit changes to your existing policy.
Advanced Scenario: Handling Multiple Contractor Groups
If you have multiple contractor teams (e.g., from Company A and Company B) and you want to grant them different levels of access, you can extend the above model as follows:
- Create Groups (Entra ID): Create separate Security Groups for each contractor team (e.g., SEC-ZTNA-Contractors-CompanyA, SEC-ZTNA-Contractors-CompanyB).
- Assign Groups (Entra ID): In the SonicWall CSE TrustProvider Enterprise App, navigate to Users and groups, and add both (or all) new groups.
- Configure Roles in CSE: Create a CSE Role named Company A and map it to the Object ID of the SEC-ZTNA-Contractors-CompanyA group; create a CSE Role named Company B and map it to the Object ID of the SEC-ZTNA-Contractors-CompanyB group.
- Configure Policies in CSE: Create an access policy that grants access to Server-Cluster-A and assign it the Company A role; create another access policy that grants access to Server-Cluster-B and assign it the Company B role.
Note: The above configuration allows you to manage access for all external partners centrally from Entra ID by simply adding and removing contractors from their respective groups.
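Because membership in these groups is the access decision, it is worth reconciling them periodically against each vendor's approved roster rather than relying on ad-hoc removals. The following is an added example (not from the guide) using the Microsoft Graph PowerShell SDK: for each contractor group it removes guests who are no longer on the roster, flags member (non-guest) accounts that should not be there, and lists roster entries that have not been invited yet. The group names follow the Advanced Scenario above; the rosters and e-mail addresses are constructed placeholders. It needs PowerShell 7 for the `??` operator.

```powershell
# Added example (not from the guide): reconcile contractor groups against approved rosters.
#Requires -Version 7
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Groups

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All'

# Constructed rosters; in practice these come from each vendor's approved-staff list.
$rosters = @{
    'SEC-ZTNA-Contractors-CompanyA' = @('alice@company-a.example', 'bob@company-a.example')
    'SEC-ZTNA-Contractors-CompanyB' = @('carol@company-b.example')
}

foreach ($groupName in $rosters.Keys) {
    $group = Get-MgGroup -Filter "displayName eq '$groupName'" | Select-Object -First 1
    if (-not $group) { Write-Warning "Group $groupName not found"; continue }

    $approved = $rosters[$groupName] | ForEach-Object { $_.ToLowerInvariant() }
    $members  = Get-MgGroupMemberAsUser -GroupId $group.Id -All `
                    -Property 'id,mail,userType,userPrincipalName'

    foreach ($m in $members) {
        # Guests keep their home address in 'mail'; their UPN is the #EXT# form, so compare on mail.
        $addr = ($m.Mail ?? $m.UserPrincipalName).ToLowerInvariant()
        if ($m.UserType -ne 'Guest') {
            Write-Warning "$addr is a member account, not a guest, in $groupName; review"
        } elseif ($addr -notin $approved) {
            # Removal from the group is the revocation step the guide describes.
            Remove-MgGroupMemberByRef -GroupId $group.Id -DirectoryObjectId $m.Id
            "Revoked: $addr removed from $groupName"
        }
    }

    # Roster entries with no guest object in the group still need a Step 2 invitation.
    $present = $members | ForEach-Object { ($_.Mail ?? $_.UserPrincipalName).ToLowerInvariant() }
    $approved | Where-Object { $_ -notin $present } |
        ForEach-Object { "Not yet invited or not in group: $_ ($groupName)" }
}
```

Run it on a schedule and keep the output: the "Revoked" lines are your evidence that off-boarded contractors lost access, and the warnings surface member accounts that were added to a contractor group by mistake.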
Summary
- Contractor(s) receive and accept the Entra ID B2B invitation.
- Admin adds the contractor’s Guest User account to the SEC-ZTNA-Contractors-Access group.
- Contractor opens the SonicWall client and attempts to log in: they are redirected to the Microsoft sign-in page and enter their email (contractor@their-company.com); Entra ID redirects them to their own company’s sign-in page to authenticate.
- After successful login, Entra ID generates a SAML token containing their membership in the SEC-ZTNA-Contractors-Access group.
- Cloud Secure Edge receives the token, finds the matching Group ID, assigns the user the Role Contractors, and grants access based on the access policy for that role.
- Optional: To revoke access, admins can remove the Guest User from the SEC-ZTNA-Contractors-Access group.