Tutorial: Configure Conditional Access policies in Cloudflare Access

With Conditional Access, administrators enforce policies on application and user policies in Microsoft Entra ID. Conditional Access brings together identity-driven signals, to make decisions, and enforce organizational policies. Cloudflare Access creates access to self-hosted, software as a service (SaaS), or nonweb applications.

Learn more: What is Conditional Access?


Scenario architecture

  • Microsoft Entra ID - Identity Provider (IdP) that verifies user credentials and Conditional Access
  • Application - You created for IdP integration
  • Cloudflare Access - Provides access to applications

Set up an identity provider

Go to developers.cloudflare.com to set up Microsoft Entra ID as an IdP.


It's recommended you name the IdP integration in relation to the target application. For example, Microsoft Entra ID - Customer management portal.

Configure Conditional Access


Steps in this article may vary slightly based on the portal you start from.

  1. Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.

  2. Browse to Identity > Applications > App registrations > All applications

  3. Select the application you created.

  4. Go to Branding & properties.

  5. For Home page URL, enter the application hostname.

    Screenshot of options and entries for branding and properties.

  6. Browse to Identity > Applications > Enterprise applications > All applications.

  7. Select your application.

  8. Select Properties.

  9. For Visible to users, select Yes. This action enables the app to appear in App Launcher and in My Apps.

  10. Under Security, select Conditional Access.

  11. See, Building a Conditional Access policy.

  12. Create and enable other policies for the application.

Create a Cloudflare Access application

Enforce Conditional Access policies on a Cloudflare Access application.

  1. Go to dash.cloudflare.com to sign in to Cloudflare.

  2. In Zero Trust, go to Access.

  3. Select Applications.

  4. See, Add a self-hosted application.

  5. In Application domain, enter the protected application target URL.

  6. For Identity providers, select the IdP integration.

    Screenshot of the IdP integration selection on Identity providers.

  7. Create an Access policy. See, Access policies and the following example.

    Screenshot of an example policy.


    Reuse the IdP integration for other applications if they require the same Conditional Access policies. For example, a baseline IdP integration with a Conditional Access policy requiring multifactor authentication and a modern authentication client. If an application requires specific Conditional Access policies, set up a dedicated IdP instance for that application.

Next steps