Isolate risky Entra ID users
Microsoft Entra ID (formerly Azure Active Directory) calculates a user’s risk level ↗ based on the probability that their account has been compromised. With Cloudflare Zero Trust, you can synchronize the Entra ID risky users list with Cloudflare Access and apply more stringent Zero Trust policies to users at higher risk.
This tutorial demonstrates how to automatically redirect users to a remote browser when they are deemed risky by Entra ID.
Time to complete:
1 hour
Prerequisites
- Microsoft Entra ID Premium P2 license
- Cloudflare Browser Isolation add-on
- Gateway HTTP filtering enabled on your devices
- npm ↗ installation
- Node.js ↗ installation
1. Set up Entra ID as an identity provider
Refer to our IdP setup instructions for Entra ID.
2. Add Entra ID API permissions
Once the base IdP integration is tested and working, enable additional permissions that will allow a script to create and update risky user groups in Entra ID:
-
In Microsoft Entra ID, go to App registrations.
-
Select the application you created for the IdP integration.
-
Go to API permissions and select Add a permission.
-
Select Microsoft Graph.
-
Select Application permissions and add the following permissions ↗:
IdentityRiskyUser.ReadAll
Directory.ReadWriteAll
Group.Create
Group.ReadAll
GroupMember.ReadAll
GroupMember.ReadWriteAll
-
Select Grant admin consent.
You will see the list of enabled permissions.
3. Add risky users to Entra ID group
Next, configure an automated script that will populate an Entra ID security group with risky users.
To get started quickly, deploy our example Cloudflare Workers script by following the step-by-step instructions below. Alternatively, you can implement the script using Azure Functions ↗ or any other tool.
-
Open a terminal and clone our example project.
-
Go to the project directory.
-
Modify
wrangler.toml
to include the following values:<ACCOUNT_ID>
: your Cloudflare account ID.<TENANT_ID>
: your Entra ID Directory (tenant) ID, obtained when setting up Entra ID as an identity provider.<CLIENT_ID>
: your Entra ID Application (client) ID, obtained when setting up Entra ID as an identity provider.
-
Deploy the Worker to Cloudflare’s global network.
-
Create a secret variable named
AZURE_AD_CLIENT_SECRET
.You will be prompted to input the secret’s value. Enter the Client secret obtained when setting up Microsoft Entra ID as an identity provider.
The Worker script will begin executing once per minute. To view realtime logs, run the following command and wait for the script to execute:
After the initial run, the auto-generated groups will appear in the Entra ID dashboard.
4. Synchronize risky user groups
Next, synchronize Entra ID risky user groups with Cloudflare Access:
-
In Entra ID, assign the following groups to your SCIM enterprise application:
IdentityProtection-RiskyUser-RiskLevel-high
IdentityProtection-RiskyUser-RiskLevel-medium
IdentityProtection-RiskyUser-RiskLevel-low
Cloudflare Access will now synchronize changes in group membership with Entra ID. You can verify the synchronization status on the SCIM application’s Provisioning page.
5. Create a browser isolation policy
Finally, create a Gateway HTTP policy to isolate traffic for risky user groups.
-
In Zero Trust ↗, go to Gateway > Firewall policies > HTTP.
-
Select Add a policy.
-
Build an Isolate policy that contains a User Group Names rule. For example, the following policy serves
app1.example.com
andapp2.example.com
in a remote browser for all members flagged as high risk:Selector Operator Value Logic Action Domain in app1.example.com
,app2.example.com
And Isolate User Group Names in IdentityProtection-RiskyUser-RiskLevel-high
To test the policy, refer to the Microsoft documentation for simulating risky detections ↗.