Microsoft Azure AD®

You can integrate Microsoft Azure AD® (Active Directory) with Cloudflare Zero Trust and build rules based on user identity and group membership. Users will authenticate with their Azure AD credentials and connect to Zero Trust.

Set up Azure AD as an identity provider

  1. Log in to the Azure dashboard.

  2. Click Azure Active Directory in the Azure Services section.

Navigating to Azure Active Directory on the Azure dashboard

  3. Navigate to Manage > App registrations and click + New registration.

Adding a new app in Azure

  4. Name your application and select Web from the Select a platform dropdown.

  5. Enter your team domain followed by the callback path /cdn-cgi/access/callback. For example:

    https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback

  6. Click Register.

Registering an application in Azure

  7. Copy the Application (client) ID and Directory (tenant) ID. You will need to input these values into the Cloudflare dashboard.

Application and Directory IDs in Azure

  8. To create an Application Secret, navigate to Certificates & Secrets and click + New client secret.

  9. Name the client secret and choose an expiration. Click Add.

Adding a client secret in Azure

  10. Copy the Value field of the client secret. Treat this value like a password. This example leaves the value visible so that the values in Azure can be matched against the Access configuration.

Viewing client secret in Azure

  11. Navigate to API permissions and click Add a permission.

Adding an API permission in Azure

  12. Click Microsoft Graph.

Selecting Microsoft Graph API in Azure

  13. Select Delegated permissions. On the next page, toggle on the following 7 permissions. Once toggled, click Add permissions.

    • email
    • openid
    • profile
    • offline_access
    • User.Read
    • Directory.Read.All
    • Group.Read.All

Configuring Microsoft Graph API permissions in Azure

  14. Click Grant Admin Consent for .

Configured permissions list in Azure

  15. On the Zero Trust dashboard, navigate to Settings > Authentication.

  16. Under Login methods, click Add new.

  17. Click Azure AD.

  18. Input the Application ID, Application secret, and Directory ID values from Azure.

  19. (Optional) If you are using Azure AD groups, toggle the Support groups switch to On in the Edit your Azure AD identity provider window.

  20. (Optional) Enable Proof Key for Code Exchange (PKCE). PKCE will be performed on all login attempts.

  21. Click Save.

To test that your connection is working, navigate to Authentication > Login methods and click Test next to Azure AD.

Use Azure AD groups

Azure AD identifies each directory group by an Object Id, a random-looking string that is distinct from the group's display name. To use Azure groups in Cloudflare Access:

  1. Make sure you toggle on the Support groups switch as you set up Azure AD on your Zero Trust dashboard.

  2. On your Azure dashboard, note the Object Id for the Azure group. In the example below, the group named Admins has an ID of 61503835-b6fe-4630-af88-de551dd59a2.

Viewing the Azure group IDs on the Azure dashboard

  3. When you create a Zero Trust policy for an Azure group, you will be prompted to enter the Azure group ID. Enter the Object Id for the Azure group, not its display name.

Entering an Azure group ID on the Zero Trust dashboard

Example API Configuration

    {
      "config": {
        "client_id": "<your client id>",
        "client_secret": "<your client secret>",
        "directory_id": "<your azure directory uuid>",
        "support_groups": true
      },
      "type": "azureAD",
      "name": "my example idp"
    }
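As an added example (not Cloudflare's or Microsoft's own code), the following Python check ties the steps above together: it builds the callback URL for a team name, verifies that the seven delegated Graph permissions were granted, confirms the configuration object matches the API shape shown above with no placeholders left in, and flags group rules that use a display name instead of the Object Id. The group-rule input (a plain list of ids), the placeholder detection and the sample values are assumptions made for illustration.

```python
import re
import uuid

# The seven delegated Microsoft Graph permissions listed in the setup steps.
REQUIRED_GRAPH_SCOPES = {
    "email", "openid", "profile", "offline_access",
    "User.Read", "Directory.Read.All", "Group.Read.All",
}
CALLBACK_PATH = "/cdn-cgi/access/callback"
TEAM_RE = re.compile(r"^[a-z0-9-]+$")  # assumed team-name charset


def redirect_uri(team_name: str) -> str:
    """Redirect URI that must be registered on the Azure app (step 5)."""
    if not TEAM_RE.match(team_name):
        raise ValueError(f"invalid team name: {team_name!r}")
    return f"https://{team_name}.cloudflareaccess.com{CALLBACK_PATH}"


def is_object_id(value: str) -> bool:
    """Azure Object Ids are GUIDs; a display name such as 'Admins' is not."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except ValueError:
        return False


def check_idp(idp: dict, granted_scopes: set, group_rules: list) -> list:
    """Return a list of problems; an empty list means the config is consistent."""
    problems = []
    cfg = idp.get("config", {})
    if idp.get("type") != "azureAD":
        problems.append("type must be 'azureAD'")
    for key in ("client_id", "client_secret", "directory_id"):
        # Values wrapped in <...> are the unfilled placeholders from the sample.
        if not cfg.get(key) or cfg[key].startswith("<"):
            problems.append(f"config.{key} is missing or still a placeholder")
    if cfg.get("directory_id") and not is_object_id(cfg["directory_id"]):
        problems.append("config.directory_id is not a tenant GUID")
    missing = REQUIRED_GRAPH_SCOPES - set(granted_scopes)
    if missing:
        problems.append("missing delegated Graph permissions: " + ", ".join(sorted(missing)))
    if group_rules and not cfg.get("support_groups"):
        problems.append("group rules are used but support_groups is false")
    for group in group_rules:
        if not is_object_id(group):
            problems.append(f"group rule {group!r} is not an Object Id (use the GUID, not the name)")
    return problems
```

Running `check_idp` on the sample configuration above (with `support_groups` true) together with the full scope set and a GUID group id returns an empty list; substituting the group name "Admins" for its Object Id, or leaving the `<...>` placeholders in, produces one problem line per mistake.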