|Operating Systems||WARP mode required||Zero Trust plans|
|Windows||WARP with Gateway||All plans|
Cloudflare Access can integrate with Azure AD’s Conditional Access feature to require that users connect to certain applications from managed devices. To enable, you must integrate Azure AD with Cloudflare Access as a cloud app that requires managed device connections. You can configure per-app identity providers to segment which Access applications require Azure AD with managed devices and which only require Azure AD logins.
Enforce Azure AD device posture in Access
Follow these instructions to add Azure AD as an identity provider.
(Optional) If you want to allow users to reach certain applications with only Azure AD logins, and no device requirement, repeat Step 1 to create another identity provider. You will need to maintain two distinct integrations: one integration will require device management and the other will only require Azure AD logins. We recommend giving each identity provider a distinct name, for example
Azure AD (device posture)and
Azure AD (login only).
Next, create a new Conditional Access policy in Azure AD. In that policy, you can require that users connect from Managed, Hybrid, or compliant devices.
In Azure AD, apply your Conditional Access policy to the
Azure AD (device posture)integration.
You can now enable the Conditional Access policy for an Access application:
- In Zero Trust, go to Access > Applications.
- Select Edit for the application that requires managed device connections.
- Open the Authentication tab.
- Enable the
Azure AD (device posture)identity provider.
- Save the application.