Cloudflare Docs
Cloudflare Zero Trust
Edit this page on GitHub
Set theme to dark (⇧+D)

Microsoft Azure AD®

You can integrate Microsoft Azure AD® (Active Directory) with Cloudflare Zero Trust and build policies based on user identity and group membership. Users will authenticate to Zero Trust using their Azure AD credentials.

​​ Set up Azure AD as an identity provider

​​ 1. Obtain Azure AD settings

The following Azure AD values are required to set up the integration:

  • Application (client) ID
  • Directory (tenant) ID
  • Client secret

To retrieve those values:

  1. Log in to the Azure dashboard.

  2. Go to All services > Azure Active Directory.

  3. In the Azure Active Directory menu, go to Enterprise applications.

  4. Select New application > Create your own application.

  5. Name your application.

  6. Select Register an application to integrate with Azure AD (App you’re developing) and then select Create.

  7. Under Redirect URI, select the Web platform and enter the following URL:

    https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback

    You can find your team name in Zero Trust under Settings > Custom Pages.

    Registering an application in Azure
  8. Select Register.

  9. Next, return to the Azure Active Directory menu and go to App registrations.

  10. Select the app you just created. Copy the Application (client) ID and Directory (tenant) ID.

    Viewing the Application ID and Directory ID in Azure
  11. Go to Certificates & secrets and select New client secret.

  12. Name the client secret and choose an expiration period.

  13. After the client secret is created, copy its Value field. Store the client secret in a safe place, as it can only be viewed immediately after creation.

    Location of client secret in Azure

​​ 2. Configure API permissions in Azure

  1. From the App registrations page for your application, go to API permissions.

  2. Select Add a permission.

  3. Select Microsoft Graph.

  4. Select Delegated permissions and enable the following permissions:

    • email
    • offline_access
    • openid
    • profile
    • User.Read
    • Directory.Read.All
    • GroupMember.Read.All
  1. Once all seven permissions are enabled, select Add permissions.

  2. Select Grant admin consent.

    Configured permissions list in Azure

​​ 3. Add Azure AD as an identity provider

  1. In Zero Trust, go to Settings > Authentication.

  2. Under Login methods, select Add new.

  3. Select Azure AD.

  4. Enter the Application (client) ID, Client secret, and Directory (tenant) ID obtained from the Azure dashboard.

  5. (Optional) Configure the following settings:

  6. Select Save.

To test that your connection is working, select Test.

​​ Synchronize users and groups

The Azure AD integration supports the System for Cross-domain Identity Management (SCIM) protocol. With SCIM, Cloudflare Access can automatically deprovision users after they are deactivated in the identity provider and display synchronized group names in the Access policy builder.

To synchronize users and groups between Access and Azure:

​​ 1. Enable SCIM in Zero Trust

  1. In Zero Trust, go to Settings > Authentication.

  2. Locate the IdP you want to synchronize and select Edit.

  3. Select Support groups and Enable SCIM.

  4. (Optional) Enable the following settings:

  • Enable user deprovisioning: Revoke a user’s active session when they are removed from the SCIM application in the IdP.
  • Remove user seat on deprovision: Remove a user’s seat from your Zero Trust account when they are removed from the SCIM application in the IdP.
  • Enable group membership change reauthentication: Revoke a user’s active session when their group membership changes in the IdP. This will revoke all active Access sessions and prompt for reauthentication for any Gateway WARP session policies. Access will read the user’s updated group membership when they reauthenticate.
  1. Select Save.

  2. Copy the SCIM Endpoint and SCIM Secret. You will need to enter these values into the IdP.

​​ 2. Configure SCIM in Azure

  1. In the Azure Active Directory menu, go to Enterprise applications.

  2. Select New application > Create your own application.

  3. Name your application (for example, Cloudflare Access SCIM).

  4. Select Integrate any other application you don’t find in the gallery (Non-gallery).

  5. Once the SCIM application is created, assign users and groups to the application.

  6. Go to Provisioning and select Get started.

  7. For Provisioning Mode, choose Automatic.

  8. In the Tenant URL field, enter the SCIM Endpoint obtained from Zero Trust.

  9. In the Secret Token field, enter the SCIM Secret obtained from Zero Trust.

  10. Select Test Connection to ensure that the credentials were entered correctly.

  11. Select Save.

  12. On the Provisioning page, select Start provisioning. You will see the synchronization status in Azure.

To check which users and groups were synchronized, select View provisioning logs.

​​ Azure groups in Zero Trust policies

​​ Automatic entry

When SCIM synchronization is enabled, the Azure group names will appear in the Values dropdown when you choose the Azure Groups selector.

Azure group names displayed in the Access policy builder

​​ Manual entry

You can create Access and Gateway policies for groups that are not synchronized with SCIM. Azure AD exposes directory groups in a format that consists of random strings, the Object Id, that is distinct from the Name.

  1. Make sure you enable Support groups as you set up Azure AD in Zero Trust.

  2. On your Azure dashboard, note the Object Id for the Azure group. In the example below, the group named Admins has an ID of 61503835-b6fe-4630-af88-de551dd59a2.

    Viewing the Azure group ID on the Azure dashboard
  3. If building an Access policy, choose the Azure Groups selector. If building a Gateway policy, choose the User Group IDs selector.

  4. In the Value field, enter the Object Id for the Azure group.

    Entering an Azure group ID in Zero Trust

​​ Nested groups

Access and Gateway policies for an Azure group will also apply to all nested groups. For example, if a user belongs to the group US devs, and US devs is part of the broader group Devs, the user would be allowed or blocked by all policies created for Devs.

​​ Force user interaction during WARP reauthentication

You can require users to re-enter their credentials into Azure AD whenever they re-authenticate their WARP session. To configure this setting, make a PUT request and set the prompt parameter to either login or select_account.

​​ Example API Configuration

{
"config": {
"client_id": "<your client id>",
"client_secret": "<your client secret>",
"directory_id": "<your azure directory uuid>",
"support_groups": true
},
"type": "azureAD",
"name": "my example idp"
}