Use Azure AD Conditional Access policies in Cloudflare Access
With Azure Active Directory (AD)’s Conditional Access, administrators can enforce policies on applications and users directly in Azure AD. Conditional Access has a set of checks that are specialized to Windows and are often preferred by organizations with Windows power users.
Before you begin
Make sure you have:
- Global admin rights to an Azure AD account
- Configured users in the Azure AD account
- Set up an identity provider (Azure AD) for your application
Add API permission in Azure AD
Once the base IdP integration is tested and working, grant permission for Cloudflare to read Conditional Access policies from Azure AD.
- In Azure Active Directory, go to App registrations.
- Select the application you created for the IdP integration.
- Go to API permissions and select Add a permission.
- Select Microsoft Graph.
- Select Application permissions and add Policy.Read.ConditionalAccess.
- Select Grant admin consent.
Configure Conditional Access in Azure AD
- In Azure Active Directory, go to Enterprise applications > Conditional Access.
- Go to Authentication Contexts.
- Create an authentication context to reference in your Cloudflare Access policies. Give the authentication context a descriptive name (for example, Require compliant devices).
- Next, go to Policies.
- Create a new Conditional Access policy or select an existing policy.
- Assign the Conditional Access policy to an authentication context:
  - In the policy builder, select Target resources.
  - In the Select what this policy applies to dropdown, select Authentication context.
  - Select the authentication context that will use this policy.
- Save the policy.
Sync Conditional Access with Zero Trust
To import your Conditional Access policies into Cloudflare Access:
- In Zero Trust, go to Settings > Authentication.
- Find your Azure AD integration and select Edit.
- Enable Azure AD Policy Sync.
- Select Save.
Create an Access application
To enforce your Conditional Access policies on a Cloudflare Access application:
- In Zero Trust, go to Access > Applications.
- Create a new self-hosted application.
- In Application domain, enter the target URL of the protected application.
- For Identity providers, select your Azure AD integration.
Finally, create an Access policy using the Azure AD - Auth context selector. For example:
| Action | Rule type | Selector                | Value                     |
|--------|-----------|-------------------------|---------------------------|
| Allow  | Include   | Emails ending in        | @example.com              |
|        | Require   | Azure AD - Auth context | Require compliant devices |

Users will only be allowed access if they pass the Azure AD Conditional Access policies associated with this authentication context.
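The same application and policy expressed as infrastructure-as-code, as an added example that is not part of the Cloudflare page. It assumes the Cloudflare Terraform provider v4 schema for cloudflare_access_application and cloudflare_access_policy, including the auth_context rule block; the account ID, identity-provider UUID, authentication-context IDs and the app.example.com hostname are placeholders you replace with your own values.

```hcl
# Added example (not the Cloudflare documentation's own code). Assumes the
# Cloudflare Terraform provider v4 schema; every ID below is a placeholder.

terraform {
  required_providers {
    cloudflare = {
      source  = "cloudflare/cloudflare"
      version = "~> 4.0"
    }
  }
}

variable "account_id" {
  description = "Cloudflare account ID (placeholder; supply via TF_VAR_account_id)"
  type        = string
}

variable "azuread_idp_id" {
  description = "UUID of the Azure AD integration under Settings > Authentication (placeholder)"
  type        = string
}

# Self-hosted Access application fronting the protected URL.
resource "cloudflare_access_application" "app" {
  account_id       = var.account_id
  name             = "Internal app behind Conditional Access"
  domain           = "app.example.com" # target URL of the protected application (placeholder)
  type             = "self_hosted"
  session_duration = "24h"

  # Only offer the Azure AD integration on the login page, so the
  # auth-context requirement below can always be evaluated.
  allowed_idps              = [var.azuread_idp_id]
  auto_redirect_to_identity = true
}

# Allow policy: Include "Emails ending in @example.com",
# Require "Azure AD - Auth context: Require compliant devices".
resource "cloudflare_access_policy" "require_compliant" {
  account_id     = var.account_id
  application_id = cloudflare_access_application.app.id
  name           = "Allow example.com users on compliant devices"
  precedence     = 1
  decision       = "allow"

  include {
    email_domain = ["example.com"]
  }

  require {
    auth_context {
      # Identifier of the synced authentication context and its Azure AD
      # authentication-context (ACR) value; both are placeholders here.
      id                   = "c1"
      ac_id                = "c1"
      identity_provider_id = var.azuread_idp_id
    }
  }
}
```

The authentication context referenced in the require block only becomes known to Cloudflare after Azure AD Policy Sync is enabled on the integration, so apply this configuration after completing the sync step above. Keeping the Conditional Access requirement in a require rule (rather than only in include) means an @example.com user on a non-compliant device is denied even though the include rule matches.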