Tutorial: Configure Cloudflare with Microsoft Entra ID for secure hybrid access

In this tutorial, learn to integrate Microsoft Entra ID with Cloudflare Zero Trust. Build rules based on user identity and group membership. Users authenticate with Microsoft Entra credentials and connect to Zero Trust protected applications.


Integrate organization identity providers with Cloudflare Access

Cloudflare Zero Trust Access helps enforce default-deny, Zero Trust rules that limit access to corporate applications, private IP spaces, and hostnames. This feature connects users faster and safer than a virtual private network (VPN). Organizations can use multiple identity providers (IdPs), reducing friction when working with partners or contractors.

To add an IdP as a sign-in method, sign in to Cloudflare on the Cloudflare sign in page and Microsoft Entra ID.

The following architecture diagram shows the integration.

Diagram of the Cloudflare and Microsoft Entra integration architecture.

Integrate a Cloudflare Zero Trust account with Microsoft Entra ID

Integrate Cloudflare Zero Trust account with an instance of Microsoft Entra ID.

  1. Sign in to the Cloudflare Zero Trust dashboard on the Cloudflare sign in page.

  2. Navigate to Settings.

  3. Select Authentication.

  4. For Login methods, select Add new.

    Screenshot of the Login methods option on Authentication.

  5. Under Select an identity provider, select Microsoft Entra ID.

  6. The Add Azure ID dialog appears.

  7. Enter Microsoft Entra instance credentials and make needed selections.

  8. Select Save.

Register Cloudflare with Microsoft Entra ID


Steps in this article might vary slightly based on the portal you start from.

Use the instructions in the following three sections to register Cloudflare with Microsoft Entra ID.

  1. Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.
  2. Browse to Identity > Applications > App registrations.
  3. Select New registration.
  4. Enter an application Name.
  5. Enter a team name with callback at the end of the path. For example, https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback
  6. Select Register.

See the team domain definition in the Cloudflare Glossary.

Screenshot of options and selections for Register an application.

Certificates & secrets

  1. On the Cloudflare Access screen, under Essentials, copy and save the Application (Client) ID and the Directory (Tenant) ID.

    Screenshot of the Cloudflare Access screen.

  2. In the left menu, under Manage, select Certificates & secrets.

    Screenshot of the certificates and secrets screen.

  3. Under Client secrets, select + New client secret.

  4. In Description, enter the Client Secret.

  5. Under Expires, select an expiration.

  6. Select Add.

  7. Under Client secrets, from the Value field, copy the value. Consider the value an application password. The example value appears, Azure values appear in the Cloudflare Access configuration.

    Screenshot of Client secrets input.


  1. In the left menu, select API permissions.

  2. Select + Add a permission.

  3. Under Select an API, select Microsoft Graph.

    Screenshot of the Microsoft Graph option under Request API permissions.

  4. Select Delegated permissions for the following permissions:

    • Email
    • openid
    • profile
    • offline_access
    • user.read
    • directory.read.all
    • group.read.all
  5. Under Manage, select + Add permissions.

    Screenshot options and selections for Request API permissions.

  6. Select Grant Admin Consent for ....

    Screenshot of configured permissions under API permissions.

  7. On the Cloudflare Zero Trust dashboard, navigate to Settings > Authentication.

  8. Under Login methods, select Add new.

  9. Select Microsoft Entra ID.

  10. Enter values for Application ID, Application Secret, and Directory ID.

  11. Select Save.


For Microsoft Entra groups, in Edit your Microsoft Entra identity provider, for Support Groups select On.

Test the integration

  1. On the Cloudflare Zero Trust dashboard, navigate to Settings > Authentication.

  2. Under Login methods, for Microsoft Entra ID select Test.

  3. Enter Microsoft Entra credentials.

  4. The Your connection works message appears.

    Screenshot of the Your connection works message.

Next steps