Tutorial: Configure Conditional Access policies in Cloudflare Access

With Conditional Access, administrators enforce policies on application and user policies in Microsoft Entra ID. Conditional Access brings together identity-driven signals, to make decisions, and enforce organizational policies. Cloudflare Access creates access to self-hosted, software as a service (SaaS), or nonweb applications.

Learn more: What is Conditional Access?

Prerequisites

• A Microsoft Entra subscription
  • If you don't have one, get an Azure free account
• A Microsoft Entra tenant linked to the Microsoft Entra subscription
  • See, Quickstart: Create a new tenant in Microsoft Entra ID
• One of the following roles: Global Administrator, Cloud Application Administrator, or Application Administrator.
• Configured users in the Microsoft Entra subscription
• A Cloudflare account
  • Go to dash.cloudflare.com to Get started with Cloudflare

Scenario architecture

• Microsoft Entra ID - Identity Provider (IdP) that verifies user credentials and Conditional Access
• Application - You created for IdP integration
• Cloudflare Access - Provides access to applications

Set up an identity provider

Go to developers.cloudflare.com to set up Microsoft Entra ID as an IdP.

Note

It's recommended you name the IdP integration in relation to the target application. For example, Microsoft Entra ID - Customer management portal.

Configure Conditional Access

Tip

Steps in this article might vary slightly based on the portal you start from.

1. Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.

2. Browse to Identity > Applications > App registrations > All applications

3. Select the application you created.

4. Go to Branding & properties.

5. For Home page URL, enter the application hostname.

   

6. Browse to Identity > Applications > Enterprise applications > All applications.

7. Select your application.

8. Select Properties.

9. For Visible to users, select Yes. This action enables the app to appear in App Launcher and in My Apps.

10. Under Security, select Conditional Access.

11. See, Building a Conditional Access policy.

12. Create and enable other policies for the application.

Create a Cloudflare Access application

Enforce Conditional Access policies on a Cloudflare Access application.

1. Go to dash.cloudflare.com to sign in to Cloudflare.

2. In Zero Trust, go to Access.

3. Select Applications.

4. See, Add a self-hosted application.

5. In Application domain, enter the protected application target URL.

6. For Identity providers, select the IdP integration.

7. Create an Access policy. See, Access policies and the following example.

   Note

   Reuse the IdP integration for other applications if they require the same Conditional Access policies. For example, a baseline IdP integration with a Conditional Access policy requiring multifactor authentication and a modern authentication client. If an application requires specific Conditional Access policies, set up a dedicated IdP instance for that application.

Next steps

• What is Conditional Access?
• Secure Hybrid Access with Microsoft Entra ID partner integrations
• Tutorial: Configure Cloudflare with Microsoft Entra ID for secure hybrid access