Cloudflare Docs
Cloudflare Zero Trust

Use Azure AD Conditional Access policies in Cloudflare Access

With Azure Active Directory (AD)’s Conditional Access, administrators can enforce policies on applications and users directly in Azure AD. Conditional Access has a set of checks that are specialized to Windows and are often preferred by organizations with Windows power users.

Before you begin

Make sure you have:

  • Global admin rights to an Azure AD account
  • Configured users in the Azure AD account

Set up an identity provider for your application

Refer to our IdP setup instructions for Azure AD.

Add API permission in Azure AD

Once the base IdP integration is tested and working, grant permission for Cloudflare to read Conditional Access policies from Azure AD.

  1. In Azure Active Directory, go to App registrations.

  2. Select the application you created for the IdP integration.

  3. Go to API permissions and select Add a permission.

  4. Select Microsoft Graph.

  5. Select Application permissions and add Policy.Read.ConditionalAccess.

  6. Select Grant admin consent.

Configure Conditional Access in Azure AD

  1. In Azure Active Directory, go to Enterprise applications > Conditional Access.
  2. Go to Authentication Contexts.
  3. Create an authentication context to reference in your Cloudflare Access policies. Give the authentication context a descriptive name (for example, Require compliant devices).
  4. Next, go to Policies.
  5. Create a new Conditional Access policy or select an existing policy.
  6. Assign the conditional access policy to an authentication context:
    1. In the policy builder, select Target resources.
    2. In the Select what this policy applies to dropdown, select Authentication context.
    3. Select the authentication context that will use this policy.
    4. Save the policy.
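As an added check that is not part of the Cloudflare documentation, the following Python script reads the two Microsoft Graph collections that the Policy.Read.ConditionalAccess permission granted above unlocks and confirms that each authentication context is targeted by at least one enabled (not disabled or report-only) Conditional Access policy, since a context with no enforcing policy behind it makes the Access requirement an empty check. The context and policy names are constructed sample values, and the `GRAPH_TOKEN` environment variable is an assumption of this script.

```python
import json
import os
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0/identity/conditionalAccess"


def graph_get(path, token):
    """Fetch one Graph collection using an app token that carries Policy.Read.ConditionalAccess."""
    req = urllib.request.Request(GRAPH + path, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["value"]


def policies_for_context(contexts, policies, display_name):
    """Return (context_id, [names of enabled policies that target the context display_name]).

    Only state == "enabled" counts: a disabled or report-only policy
    ("enabledForReportingButNotEnforced") applies no checks at sign-in.
    """
    ctx = next((c for c in contexts if c["displayName"] == display_name), None)
    if ctx is None:
        raise LookupError(f"no authentication context named {display_name!r}")
    linked = [
        p["displayName"]
        for p in policies
        if p.get("state") == "enabled"
        and ctx["id"] in p["conditions"]["applications"].get("includeAuthenticationContextClassReferences", [])
    ]
    return ctx["id"], linked


# Constructed sample responses in the shape of the real Graph objects; values are made up.
SAMPLE_CONTEXTS = [
    {"id": "c1", "displayName": "Require compliant devices", "isAvailable": True},
    {"id": "c2", "displayName": "Require MFA", "isAvailable": True},
]
SAMPLE_POLICIES = [
    {"displayName": "Compliant device for Cloudflare apps", "state": "enabled",
     "conditions": {"applications": {"includeAuthenticationContextClassReferences": ["c1"]}}},
    {"displayName": "MFA draft", "state": "disabled",
     "conditions": {"applications": {"includeAuthenticationContextClassReferences": ["c2"]}}},
]

if __name__ == "__main__":
    token = os.environ.get("GRAPH_TOKEN")  # assumed variable; set it to query the live tenant
    contexts = graph_get("/authenticationContextClassReferences", token) if token else SAMPLE_CONTEXTS
    policies = graph_get("/policies", token) if token else SAMPLE_POLICIES
    for name in ("Require compliant devices", "Require MFA"):
        ctx_id, linked = policies_for_context(contexts, policies, name)
        if linked:
            print(f"{name} ({ctx_id}): enforced by {linked}")
        else:
            print(f"{name} ({ctx_id}): WARNING, no enabled policy targets this context")
```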

Sync Conditional Access with Zero Trust

To import your Conditional Access policies into Cloudflare Access:

  1. In Zero Trust, go to Settings > Authentication.
  2. Find your Azure AD integration and select Edit.
  3. Enable Azure AD Policy Sync.
  4. Select Save.

Create an Access application

To enforce your Conditional Access policies on a Cloudflare Access application:

  1. In Zero Trust, go to Access > Applications.

  2. Create a new self-hosted application.

  3. In Application domain, enter the target URL of the protected application.

  4. For Identity providers, select your Azure AD integration.

  5. Finally, create an Access policy using the Azure AD - Auth context selector. For example:

    Action | Rule type | Selector                | Value
    -------|-----------|-------------------------|--------------------------
    Allow  | Include   | Emails ending in        | @example.com
           | Require   | Azure AD - Auth context | Require compliant devices

Users will only be allowed access if they pass the Azure AD Conditional Access policies associated with this authentication context.