Microsoft Azure AD® (Active Directory)
These steps help you set up Azure AD as your identity provider (IdP).
Sign in to the Azure dashboard.
Click Azure Active Directory in the Azure Services section.
On the Azure AD dashboard, click App registrations in the Manage section of the Azure Active Directory pane.
Click + New application registration.
Name your application and enter your Sign-on URL (for example,
https://<your authentication domain>/cdn-cgi/access/callback). Click Register.
Select your new application and copy the Application ID and Directory ID into your Cloudflare dashboard.
In the left hand panel, click Manage > Certificates & Secrets and then click New client secret.
Give it a Description and Expires setting and click Add.
Copy the value to the Application Secret field in your Cloudflare dashboard.
In the left hand panel, select API permissions, and then click Add a permission.
Click Microsoft Graph.
Click Microsoft Graph and then delegated permissions. Add the following permissions.
- openid
- profile
- offline_access
- User.Read
- Directory.Read.All
- Group.Read.All
Click Grant Admin Consent for ....
Return to your Cloudflare dashboard.
If you are using Azure AD groups, toggle Support Groups slider On in the Edit your Azure AD identity provider window.
Click Save and Test to check your connection to the IdP.
Using AzureAD Groups
AzureAD exposes directory groups in a format that consists of random strings, the Object Id, that is distinct from the Name. In the example below, the group named "Admins" has an ID of "61503835-b6fe-4630-af88-de551dd59a2".
When configuring Access to use Azure groups, you must input the Object Id.
Example API Configuration
{ "config": { "client_id": "<your client id>", "client_secret": "<your client secret", "directory_id": "<your azure directory uuid", "support_groups": true }, "type": "azureAD", "name": "my example idp"}