Isolate Azure AD risky users
Azure Active Directory (AD) calculates a user’s based on the probability that their account has been compromised. With Cloudflare Zero Trust, you can synchronize the Azure AD risky users list with Cloudflare Access and apply more stringent Zero Trust policies to users at higher risk.
This tutorial demonstrates how to automatically redirect users to a remote browser when they are deemed risky by Azure.
Time to complete:
1. Set up Azure AD as an identity provider
2. Add Azure AD API permissions
Once the base IdP integration is tested and working, enable additional permissions that will allow a script to create and update risky user groups in Azure AD:
In Azure Active Directory, go to App registrations.
Select the application you created for the IdP integration.
Navigate to API permissions and select Add a permission.
Select Microsoft Graph.
Select Grant admin consent.
You will see the list of enabled permissions.
3. Add risky users to Azure AD group
Next, configure an automated script that will populate an Azure AD security group with risky users.
wrangler.$ wrangler login
Open a terminal and clone our example project.$ wrangler generate risky-users https://github.com/cloudflare/msft-risky-user-ad-sync
Navigate to the project directory.$ cd risky-users
wrangler.tomlto include the following values:
<ACCOUNT_ID>: your Cloudflare account ID, shown in the in the Workers tab.
<TENANT_ID>: your Azure AD Directory (tenant) ID, obtained when .
<CLIENT_ID>: your Azure AD Application (client) ID, obtained when .
wrangler.tomlname = "risky-users"compatibility_date = "2023-01-04"main = "src/index.js"workers_dev = falseaccount_id = "<ACCOUNT-ID>"[vars]AZURE_AD_TENANT_ID = "<TENANT-ID>"AZURE_AD_CLIENT_ID = "<CLIENT-ID>"[triggers]crons = ["* * * * *"]
Publish the Worker to your Workers account.$ wrangler publish
Create a secret variable named
AZURE_AD_CLIENT_SECRET.$ wrangler secret put AZURE_AD_CLIENT_SECRET
The Worker script will begin executing once per minute. To view realtime logs, run the following command and wait for the script to execute:
$ wrangler tail --format pretty
After the initial run, the auto-generated groups will appear in the Azure AD dashboard.
4. Synchronize risky user groups
Next, synchronize Azure AD risky user groups with Cloudflare Access:
In Azure AD, assign the following groups to your SCIM enterprise application:
Cloudflare Access will now synchronize changes in group membership with Azure AD. You can verify the synchronization status on the SCIM application’s Provisioning page.
5. Create a browser isolation policy
Select Create a policy.
Policy name Isolate risky users Selector Operator Value Domain In
User Group Names in