Enforce Zero Trust Security Policies for Public Applications integrated with Azure AD

  • Last validated: Jul 8, 2026

This section describes how to enforce Cloud Secure Edge (CSE) zero-trust security policies for public (SaaS) applications integrated with Azure AD. If instead you want your end users to use Azure AD SSO to authenticate into CSE, see configuring your Azure AD IdP to manage your directory of users.

As described in the Securing Public Applications overview, CSE secures SaaS applications with two independent techniques. They are alternatives or complements — use either on its own, or both together:

  • IdP Federation — route Azure AD authentication through CSE so device trust is validated at sign-in, across all applications behind Azure AD. The strongest control.

  • IP Allowlisting — require traffic to egress through CSE (Service Tunnel) before Azure AD or the application grants access. Lighter, per-application, and also works for apps not federated with Azure AD.

Was this page helpful?