Allow a global session limit to be configured in WARP settings, not gateway policy!

Trying to have our users do daily MFA has proved very tricky when setting up WARP as a Zero Trust client for our large user base. Here’s why:

When configuring the reauthentication frequency from the IdP/Azure side:
WARP gets detected as SharePoint (because it uses login.microsoftonline.com ??) in Azure Conditional Access, so it triggers the incorrect policies. The alternative is to ask SharePoint to reauthenticate, but this also signs out Teams and is a big pain for users.

When configuring the reauthentication frequency from the Cloudflare side:
This only seems to be possible by:

  • Editing the API to prompt users to log in rather than automatically reauthenticating with the SharePoint session token - just have a simple tickbox in the portal UI! Automatic vs prompt for credentials.
  • Configuring a gateway policy with session limit! It is crazy that this is the only way to have WARP time out.
    In doing this, we found that WARP would block its own authentication - we had to log a ticket and after weeks support finally suggested excluding IdP hosts from the session limit gateway policy.
    This also causes CONSTANT logs / unnecessary CPU usage with Cloudflare checking every piece of traffic against the session limit.
    Most VPN clients allow you to set the session limit in one simple place on the client settings.

Hey @caroline.habgood,

Why not post this under feedback/feature request here:

It will help to bring it to the Product Team’s attention.

Thank you.
