Using Cloud Secure Edge with Microsoft 365

Learn which Microsoft licenses are required for CSE security features

  • Updated on Oct 09, 2025

Overview

Cloud Secure Edge (CSE) integrates with Microsoft 365 (and Entra ID, as part of a bundle) to enforce policy-based access to cloud apps and data. Microsoft 365 licenses include different tiers of Entra ID, and the specific features available for the CSE integration depend on which Microsoft licenses your org uses.

This guide lays out how CSE interacts with the various Microsoft license tiers, outlining which Entra ID features are required for specific CSE capabilities, and it identifies any added security value that CSE provides.

CSE Capabilities with Free Microsoft 365 Licenses

CSE can be used with the Microsoft 365 Basic and Business Standard licenses (Entra ID Free Tiers) to offer a single sign-on (SSO) and a Multi-factor Authentication (MFA) solution. Use the free Entra ID tiers with CSE to check device security posture, to set up remote access or ZTNA, and to block malicious internet content.

For organizations using Microsoft 365 Basic or Standard (non-Premium) licenses, CSE extends Microsoft’s native security and access capabilities:

Security Feature Microsoft 365 Basic (Free) CSE Advantage
Zero Trust Network Access (ZTNA) Limited; basic auth and MFA Identity-based secure access to private and SaaS apps
Web Security and Traffic Inspection No built-in content filtering or network threat protection Secure Web Gateway for threat protection, URL filtering, and malware inspection
Device Posture Enforcement Minimal Continuous device posture checks to ensure device security and compliance
Network Visibility Limited insight beyond sign-ins Full visibility into user, device and app traffic across all sites and cloud apps
Remote Access VPN Requires separate VPN solution Direct, secure VPN access to corporate apps without VPN complexity
Centralized Access Policy Management Separate controls for each service Unified policy engine for internal and SaaS apps

CSE Capabilties with Paid Microsoft 365 Licenses (i.e., Entra P1)

To restrict and manage SaaS apps using CSE (e.g., IP allowlisting), a Microsoft Business Premium (P1) license is required.

Reference - Microsoft 365 license bundles and corresponding Entra ID Tiers

Microsoft 365 Plan Included Entra ID Tier Key Highlights
Business Basic; Standard Free Basic user management, SSO for Microsoft apps
Business Premium; E3 P1 Conditional access, MFA, and Intune integration (Premiume) + Enterprise app suite and security management (E3)

CSE Differentiation for Microsoft 365 Premium License Users

CSE differentiates by offering network-level enforcement and multi-cloud visibility, instead of just identity-based access inside Microsoft’s ecosystem.

For customers who already subscribe to Microsoft 365 Business Premium, E3, or E5, many core identity and endpoint protection capabilities are built in. However, CSE can still deliver value in several complementary areas:

Security Feature Microsoft 365 Premium CSE Advantage
Multi-Cloud and Hybrid Coverage Focused on Microsoft 365 and Azure Extends Zero Trust access and inspection to any SaaS app, data center, or on-prem network
Network Security Layer App-level controls only Packet inspection, secure web gateway, and threat protection at the network edge
Consistent Policy Enforcement Policies limited to Microsoft ecosystem Policy model for Microsoft and non-Microsoft apps
Integration with SonicWall ecosystem N/A Works seamlessly with SonicWall firewalls and endpoint clients for layered protection
Deployment flexibility Cloud-only Support hybrid environments and migrations from on-premise infrastructure
Compliance / Logging Microsoft 365 audit logging only Centralized logging and analytics across all apps and sites, with customizable visibility