Microsoft Entra ID

You can integrate Microsoft Entra ID (formerly Azure Active Directory) with Cloudflare Zero Trust and build policies based on user identity and group membership. Users will authenticate to Zero Trust using their Entra ID credentials.

Set up Entra ID as an identity provider

1. Obtain Entra ID settings

The following Entra ID values are required to set up the integration:

• Application (client) ID
• Directory (tenant) ID
• Client secret

To retrieve those values:

1. Log in to the Azure dashboard ↗.

2. Go to All services > Microsoft Entra ID.

3. In the sidebar, go to Manage > Enterprise applications.

4. Select New application, then select Create your own application.

5. Name your application.

6. Select Register an application to integrate with Microsoft Entra ID (App you’re developing) and then select Create.

7. Under Redirect URI, select the Web platform and enter the following URL:

   https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback

   You can find your team name in Zero Trust under Settings > Custom Pages.

   

8. Select Register.

9. Next, return to Microsoft Entra ID and go to go to Manage > App registrations.

10. Select the app you just created. Copy the Application (client) ID and Directory (tenant) ID.

    

11. Under Client credentials, go to Add a certificate or secret. Select New client secret.

12. Name the client secret and choose an expiration period.

13. After the client secret is created, copy its Value field. Store the client secret in a safe place, as it can only be viewed immediately after creation.

    

2. Configure API permissions in Entra ID

1. From the App registrations page for your application, go to API permissions.

2. Select Add a permission.

3. Select Microsoft Graph.

4. Select Delegated permissions and enable the following permissions ↗:

   • email
   • offline_access
   • openid
   • profile
   • User.Read
   • Directory.Read.All
   • GroupMember.Read.All

Note

More narrow permissions may be used, however this is the set of permissions that are tested and supported by Cloudflare.

5. Once all seven permissions are enabled, select Add permissions.

6. Select Grant admin consent.

   

3. Add Entra ID as an identity provider

1. In Zero Trust ↗, go to Settings > Authentication.

2. Under Login methods, select Add new.

3. Select Azure AD.

4. Enter the Application (client) ID, Client secret, and Directory (tenant) ID obtained from Microsoft Entra ID.

5. (Optional) Configure the following settings:

   • Proof Key for Code Exchange: Perform PKCE ↗ on all login attempts.
   • Support Groups: Allow Cloudflare to read a user’s Entra ID group membership.
   • Entra ID Policy Sync: Refer to our Entra ID Conditional Access tutorial.
   • Enable SCIM: Refer to Synchronize users and groups.
   • Email claim: Enter the Entra ID claim that you wish to use for user identification (for example, preferred_username).
   • OIDC Claims: Enter custom OIDC claims that you wish to add to your users’ identity. This information will be available in the user identity endpoint.

6. Select Save.

To test that your connection is working, select Test.

Synchronize users and groups

The Microsoft Entra ID integration allows you to synchronize IdP groups and automatically deprovision users using SCIM.

Prerequisites

• Microsoft Entra ID P1 or P2 license

1. Enable SCIM in Zero Trust

1. In Zero Trust ↗, go to Settings > Authentication.

2. Locate the IdP you want to synchronize and select Edit.

3. Select Enable SCIM and Support groups.

4. (Optional) Enable the following settings:

• Enable user deprovisioning: Revoke a user’s active session when they are removed from the SCIM application in the IdP. This will invalidate all active Access sessions and prompt for reauthentication for any Gateway WARP session policies.
• Remove user seat on deprovision: Remove a user’s seat from your Zero Trust account when they are removed from the SCIM application in the IdP.
• Enable group membership change reauthentication: Revoke a user’s active session when their group membership changes in the IdP. This will invalidate all active Access sessions and prompt for reauthentication for any Gateway WARP session policies. Access will read the user’s updated group membership when they reauthenticate.

5. Select Save.

6. Copy the SCIM Endpoint and SCIM Secret. You will need to enter these values into the IdP.

The SCIM secret never expires, but you can manually regenerate the secret at any time.

2. Configure SCIM in Entra ID

Note

SCIM requires a separate enterprise application from the one created during initial setup.

1. In the Microsoft Entra ID menu, go to Enterprise applications.

2. Select New application > Create your own application.

3. Name your application (for example, Cloudflare Access SCIM).

4. Select Integrate any other application you don’t find in the gallery (Non-gallery).

5. Once the SCIM application is created, assign users and groups to the application ↗.

   Note

   Groups in this SCIM application should match the groups in your other Cloudflare Access enterprise application. Because SCIM group membership updates will overwrite any groups in a user’s identity, assigning the same groups to each app ensures consistent policy evaluation.

6. Go to Provisioning and select Get started.

7. For Provisioning Mode, choose Automatic.

8. In the Tenant URL field, enter the SCIM Endpoint obtained from Zero Trust.

9. In the Secret Token field, enter the SCIM Secret obtained from Zero Trust.

10. Select Test Connection to ensure that the credentials were entered correctly.

11. Select Save.

12. On the Provisioning page, select Start provisioning. You will see the synchronization status in Entra ID.

To check which users and groups were synchronized, select View provisioning logs.

Provisioning attributes

Provisioning attributes define the user properties that Entra ID will synchronize with Cloudflare Access. To modify your provisioning attributes, go to the Provisioning page in Entra ID and select Edit attribute mappings.

We recommend enabling the following user attribute mappings:

customappsso Attribute	Entra ID Attribute	Recommendation
emails[type eq "work"].value	mail	Required
name.givenName	givenName	Recommended
name.familyName	surname	Recommended

Entra groups in Zero Trust policies

Automatic entry

When SCIM synchronization is enabled, your Entra group names will automatically appear in the Access and Gateway policy builders.

If building a Gateway policy, choose the User Group Names selector.

Manual entry

You can create Access and Gateway policies for groups that are not synchronized with SCIM. Entra ID exposes directory groups in a format that consists of random strings, the Object Id, that is distinct from the Name.

1. Make sure you enable Support groups as you set up Microsoft Entra ID in Zero Trust.

2. On your Azure dashboard, note the Object Id for the Entra group. In the example below, the group named Admins has an ID of 61503835-b6fe-4630-af88-de551dd59a2.

   

3. If building an Access policy, choose the Azure Groups selector. If building a Gateway policy, choose the User Group IDs selector.

4. In the Value field, enter the Object Id for the Entra group.

   

Nested groups

Access and Gateway policies for an Entra group will also apply to all nested groups ↗. For example, if a user belongs to the group US devs, and US devs is part of the broader group Devs, the user would be allowed or blocked by all policies created for Devs.

Force user interaction during WARP reauthentication

You can require users to re-enter their credentials into Entra ID whenever they re-authenticate their WARP session. To configure this setting, make a PUT request and set the prompt parameter to either login or select_account.

Example API Configuration

{
  "config": {
    "client_id": "<your client id>",
    "client_secret": "<your client secret>",
    "directory_id": "<your azure directory uuid>",
    "support_groups": true
  },
  "type": "azureAD",
  "name": "my example idp"
}