
Microsoft Azure AD® (Active Directory)

You can integrate Microsoft Azure AD® (Active Directory) with Cloudflare for Teams and build rules based on user identity and group membership. Users will authenticate with their Azure AD credentials and log in to resources protected by Cloudflare Access or enroll into Cloudflare Gateway.

  1. Sign in to the Azure dashboard.

  2. Click Azure Active Directory in the Azure Services section.

  3. On the Azure AD dashboard, click App registrations in the Manage section of the Azure Active Directory pane.

  4. Click + New registration.

  5. Name your application and enter your Cloudflare Authentication Domain. The format of the authentication domain will be https://<your authentication domain>/cdn-cgi/access/callback. Click Register.

  6. On the following screen, copy the Application (client) ID and the Directory (tenant) ID. You will need to input these values into the Cloudflare dashboard.

  7. In the left hand panel, click Certificates & Secrets to create an Application Secret.

  8. Click + New client secret. Name the client secret and choose an expiration. Click Add.

     Copy the Value field of the client secret. Treat this value like a password. This example leaves the value visible so the values in Azure can be seen in the Access configuration.

  9. In the left hand panel, select API permissions. Click Add a permission.

  10. Click Microsoft Graph.

  11. Select Delegated permissions. You will need to toggle 7 specific permissions on the next page. Once toggled, click Add permissions.

    • email
    • openid
    • profile
    • offline_access
    • User.Read
    • Directory.Read.All
    • Group.Read.All

  12. On the next page, click the button that begins Grant Admin Consent for ....

  13. Return to the Cloudflare for Teams dashboard. Select Authentication under the Access section of the sidebar. In the Login tab, click + Add. Choose Azure AD on the next page.

  14. Input the Application ID, Application secret, and Directory ID values from Azure.

      If you are using Azure AD groups, toggle the Support Groups slider On in the Edit your Azure AD identity provider window.

  15. Click Save and Test to check your connection to the IdP.

Using AzureAD Groups

AzureAD identifies each directory group by an Object Id, a generated string that is distinct from the group's Name. In the example below, the group named "Admins" has an ID of "61503835-b6fe-4630-af88-de551dd59a2".

When configuring Access to use Azure groups, you must input the Object Id, not the group name.

Example API Configuration

```json
{
    "config": {
        "client_id": "<your client id>",
        "client_secret": "<your client secret>",
        "directory_id": "<your azure directory uuid>",
        "support_groups": true
    },
    "type": "azureAD",
    "name": "my example idp"
}
```
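As an added example (not Cloudflare's or Microsoft's code), the following script builds the identity provider body shown above from the values collected in the steps earlier on this page and catches the three mistakes that most often break the Save and Test step: a truncated or mis-pasted Application/Directory ID, a placeholder left in place of the secret's Value, and a group display name entered where the Object Id belongs. It also reports which of the seven delegated Microsoft Graph permissions are still missing. All identifiers in the test are constructed sample values.

```python
"""Added example (not Cloudflare's or Microsoft's code): build the azureAD identity
provider body shown on this page and sanity-check the values copied from Azure."""
import re

# Azure shows the Application (client) ID, Directory (tenant) ID and group Object Ids
# as UUIDs in 8-4-4-4-12 hex form; a truncated paste fails this check.
UUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)

# The seven delegated Microsoft Graph permissions the page says Access needs.
REQUIRED_PERMISSIONS = frozenset({
    "email", "openid", "profile", "offline_access",
    "User.Read", "Directory.Read.All", "Group.Read.All",
})


def missing_permissions(granted):
    """Return, sorted, the required delegated permissions absent from `granted`."""
    return sorted(REQUIRED_PERMISSIONS - set(granted))


def invalid_group_ids(group_ids):
    """Access group rules must use the group's Object Id, not its display name;
    return every value that is not a UUID (for example the name "Admins")."""
    return [g for g in group_ids if not UUID_RE.match(g)]


def build_idp_config(name, client_id, client_secret, directory_id, support_groups=True):
    """Validate the Azure values and return the identity provider body from the page."""
    problems = []
    if not UUID_RE.match(client_id):
        problems.append("client_id must be the Application (client) ID UUID")
    if not UUID_RE.match(directory_id):
        problems.append("directory_id must be the Directory (tenant) ID UUID")
    if not client_secret or client_secret.startswith("<"):
        problems.append("client_secret must be the secret's Value, not a placeholder")
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "config": {
            "client_id": client_id,
            "client_secret": client_secret,
            "directory_id": directory_id,
            "support_groups": bool(support_groups),
        },
        "type": "azureAD",
        "name": name,
    }
```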