aixlabDocs

Azure AD as an identity provider

Obtain Azure AD settings

The following Azure AD values are required to set up the integration:

  • Application (client) ID
  • Directory (tenant) ID
  • Client secret

To retrieve those values:

  1. Log in to the Azure dashboard.
  2. Navigate to All services > Azure Active Directory.
  3. In the Azure Active Directory menu, go to Enterprise applications.
  4. Select New application > Create your own application.
  5. Name your application.
  6. Select Register an application to integrate with Azure AD (App you're developing) and then select Create.
  7. Under Redirect URI, select the Web platform and enter the following URL:
     https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback
     You can find your team name in Zero Trust under Settings > General.

Register an application

  1. Select Register.
  2. Next, return to the Azure Active Directory menu and go to App registrations.
  3. Select the app you just created. Copy the Application (client) ID and Directory (tenant) ID.

[Screenshot: Viewing the Application ID and Directory ID in Azure]

  1. Navigate to Certificates & secrets and select New client secret.
  2. Name the client secret and choose an expiration period.
  3. After the client secret is created, copy its Value field. Store the client secret in a safe place, as it can only be viewed immediately after creation.

Configure API permissions in Azure

  1. From the App registrations page for your application, navigate to API permissions.
  2. Select Add a permission.
  3. Select Microsoft Graph.
  4. Select Delegated permissions and enable the following permissions:
    • email
    • offline_access
    • openid
    • profile
    • User.Read
    • Directory.Read.All
    • GroupMember.Read.All
     Narrower permissions may be used; however, this is the set of permissions that Cloudflare tests and supports.
  5. Once all seven permissions are enabled, select Add permissions.
  6. Select Grant admin consent.
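The values collected in the three Azure-side sections above (client ID, tenant ID, client secret, redirect URI and the seven delegated permissions) are easy to get subtly wrong, and a wrong one only shows up as a failed login later. The following pre-flight checker is an added example, not Cloudflare's or Microsoft's code; it takes the values an administrator has copied out of Azure and reports mismatches against what this page requires. The GUID format check, the 30-day secret-expiry warning and all sample values are assumptions constructed for the example; the redirect URI pattern and the permission list come from the page.

```python
import re
from datetime import date

# Delegated Microsoft Graph permissions this page lists as the set that
# Cloudflare tests and supports for the Azure AD integration.
SUPPORTED_PERMISSIONS = {
    "email", "offline_access", "openid", "profile",
    "User.Read", "Directory.Read.All", "GroupMember.Read.All",
}

# Application (client) ID and Directory (tenant) ID are GUIDs
# (assumption: format check only, no lookup against Azure).
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def redirect_uri(team_name: str) -> str:
    """Callback URL the page says to register as the app's redirect URI."""
    return f"https://{team_name}.cloudflareaccess.com/cdn-cgi/access/callback"


def check_settings(client_id, tenant_id, client_secret, team_name,
                   registered_redirect_uris, granted_permissions,
                   secret_expires_on, today=None, warn_days=30):
    """Return a list of findings; an empty list means the values are consistent
    with this page's requirements. warn_days is an assumed rotation threshold."""
    today = today or date.today()
    findings = []

    if not GUID_RE.match(client_id):
        findings.append("client_id is not a GUID; copy the Application (client) ID "
                        "from App registrations")
    if not GUID_RE.match(tenant_id):
        findings.append("tenant_id is not a GUID; copy the Directory (tenant) ID "
                        "from App registrations")
    if not client_secret:
        findings.append("client_secret is empty; its Value is only shown right "
                        "after creation")

    # The Access callback must be one of the app's registered Web redirect URIs.
    expected = redirect_uri(team_name)
    if expected not in registered_redirect_uris:
        findings.append(f"redirect URI {expected} is not registered on the app")

    # Compare the granted delegated permissions with the supported set.
    granted = set(granted_permissions)
    missing = SUPPORTED_PERMISSIONS - granted
    if missing:
        findings.append("missing delegated permissions: " + ", ".join(sorted(missing)))
    extra = granted - SUPPORTED_PERMISSIONS
    if extra:
        findings.append("permissions beyond the tested set (review against least "
                        "privilege): " + ", ".join(sorted(extra)))

    # Client secrets are created with an expiration period; flag rotation needs.
    days_left = (secret_expires_on - today).days
    if days_left < 0:
        findings.append("client secret has expired")
    elif days_left < warn_days:
        findings.append(f"client secret expires in {days_left} days; rotate it")
    return findings


# Constructed sample values (placeholders, not real identifiers).
GOOD = check_settings(
    client_id="11111111-2222-3333-4444-555555555555",
    tenant_id="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    client_secret="<placeholder-client-secret>",
    team_name="example-team",
    registered_redirect_uris=[redirect_uri("example-team")],
    granted_permissions=sorted(SUPPORTED_PERMISSIONS),
    secret_expires_on=date(2024, 1, 1),
    today=date(2023, 5, 1),
)

BAD = check_settings(
    client_id="not-a-guid",
    tenant_id="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    client_secret="",
    team_name="example-team",
    registered_redirect_uris=["https://example.com/callback"],
    granted_permissions=["openid", "profile", "User.ReadWrite.All"],
    secret_expires_on=date(2023, 5, 10),
    today=date(2023, 5, 1),
)

if __name__ == "__main__":
    for label, result in (("good", GOOD), ("bad", BAD)):
        print(label, "->", result or "no findings")
```

Run it before pressing Save in Zero Trust; the "bad" sample shows one finding per mistake the page warns about (wrong ID format, lost secret value, unregistered callback, missing and surplus permissions, a secret about to expire).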

Add Azure AD as an identity provider

  1. In Zero Trust, navigate to Settings > Authentication.
  2. Under Login methods, select Add new.
  3. Select Azure AD.
  4. Enter the Application (client) ID, Client secret, and Directory (tenant) ID obtained from the Azure dashboard.
  5. (Optional) Enable Proof Key for Code Exchange (PKCE). PKCE will be performed on all login attempts.
  6. (Optional) If you are using Azure AD groups, enable Support Groups.
  7. Select Save.
  8. To test whether an IdP is correctly configured, navigate to Settings > Authentication, then select Test next to the IdP you want to test. Zero Trust will attempt to connect to the IdP and report whether a valid connection was established.
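Step 5 above enables PKCE but does not say what it adds to the login. The block below is an added example, not Cloudflare's or Azure AD's code: it implements the S256 method from RFC 7636 and a toy in-memory authorization server (a constructed stand-in, not Azure AD) to show that an authorization code issued with a code challenge cannot be exchanged for tokens without the matching code verifier, which is why PKCE is worth enabling even for a confidential client. The known verifier/challenge pair used below is the worked example from RFC 7636 Appendix B.

```python
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """High-entropy verifier kept by the client; 32 random bytes give 43 chars."""
    return b64url(secrets.token_bytes(nbytes))


def code_challenge(verifier: str) -> str:
    """S256 challenge = base64url(SHA-256(verifier)), sent with the authorization request."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(presented_verifier: str, stored_challenge: str) -> bool:
    """Token-endpoint check: the verifier in the code exchange must hash to the
    challenge that accompanied the authorization request."""
    return secrets.compare_digest(code_challenge(presented_verifier), stored_challenge)


class ToyAuthServer:
    """Constructed stand-in for the IdP's authorize and token endpoints."""

    def __init__(self):
        self._codes = {}  # authorization code -> challenge it was bound to

    def authorize(self, challenge: str) -> str:
        """Issue a one-time authorization code bound to the client's challenge."""
        code = secrets.token_urlsafe(24)
        self._codes[code] = challenge
        return code

    def exchange(self, code: str, verifier: str) -> bool:
        """Redeem the code; succeeds only with the verifier that matches its challenge."""
        challenge = self._codes.pop(code, None)  # single use either way
        if challenge is None:
            return False
        return verify_pkce(verifier, challenge)


def simulate_login() -> dict:
    """Run one PKCE login and one attempt to redeem the same code without the verifier."""
    server = ToyAuthServer()
    verifier = make_code_verifier()
    # Client sends only the challenge in the front channel.
    code = server.authorize(code_challenge(verifier))
    # Someone holding just the code (for example from a leaked redirect) cannot
    # redeem it without the verifier, which never left the client.
    replay_ok = server.exchange(code, make_code_verifier())
    # Real client still cannot redeem: the code was consumed by the failed attempt.
    code = server.authorize(code_challenge(verifier))
    legit_ok = server.exchange(code, verifier)
    return {"legit": legit_ok, "replay_without_verifier": replay_ok}


if __name__ == "__main__":
    print(simulate_login())
```

The pairing of challenge and verifier is what the "performed on all login attempts" setting buys you: the authorization code alone is no longer enough to complete the exchange at the token endpoint.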

Based on Cloudflare Docs from May 2023