Hello TechMassey,

Please clarify because this doesn't sound right. 

While Microsoft by default will funnel an identity through their authentication process, it is still possible to federate the entire authentication (AUTH-N) through another IdP for your own enterprise tenant.  In that process you can institute your own IdP flow which can include Workspace ONE Access.

In this way, you're protecting the SaaS applications with your identity provider (IdP) that are available through Microsoft on every level, web and native.