Hello, I’m setting up Azure AD as an IdP for my domain. After completing the auth flow for Azure AD, Cloudflare reports the error ‘That account does not have access’. Is there any additional config that might be needed? Any tips on the approach I can take to resolve this? Thanks much.
Has the user been granted permission to the application in Azure?
@Cyb3r-Jak3 yes, I even tried GitHub as the IdP, and I get the same issue there as well: ‘That account does not exist’.
Did you test in Azure that the connection is working?
Hi @Cyb3r-Jak3, yes, the connection is working. That’s why I verified with both the Azure and GitHub IdPs; in both cases Cloudflare reports the same error. I understand some users have reported it in the past and it was fixed by Cloudflare, but I’m still getting it.
Any further clues on how to proceed?
I don’t but maybe another @MVP can provide further debugging.
Can you show us your application policy i.e. how you allow your users to access your application?
How should the policy be configured? What is the best option?
Thank you
KR
Edin
Hi user 19055,
Have you managed to solve the problem? I have the same issue. Is it related to the plan?
KR
Edin
I had the same issue (“that account does not have access”) when trying to log in to the Cloudflare Access App Launcher with Azure AD as the IdP (SAML 2.0).
I fixed it by looking at the Cloudflare Access logs for the access denied attempts.
In my case I had to go to Cloudflare Access admin > Settings > Authentication > App Launcher > Manage,
and you have to add a separate policy for each login method you want. I.e. I had another SSO IdP that already had a policy, so I thought I could add the Azure SAML IdP under the include/require of that existing policy (Login Methods), but it didn’t work: the logs showed that it was only checking the first value of the policy.
I added a second policy with include/require for the Azure SSO login method, and it worked.
P.S. You can go to Logs > Access and view the reasons for errors like ‘that account does not have access’. After I checked the log, it told me that the issue was exactly with the App Launcher allowed login methods policy and showed me exactly what logic it performed to check permissions.
Also, I set these settings in Azure AD under the SAML SSO settings:
Under ‘SAML Certificates’, click Edit, set ‘Signing Option’ to ‘Sign SAML Assertion’, set ‘Signing Algorithm’ to ‘SHA1’, and save those settings.
In my case, I just had to add a policy/rule. I guess by default it just denies everything, so you need to allow something.
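The "one allow policy per login method" fix described above, written out as an added Terraform example. This is not configuration posted by anyone in the thread or shipped by Cloudflare; it assumes the cloudflare/cloudflare provider v4 schema (`cloudflare_access_application` with `type = "app_launcher"` and the `login_method` include rule in `cloudflare_access_policy`), and the account ID and the two identity-provider IDs are hypothetical placeholders that would be replaced with the real values from the Access dashboard.

```hcl
# Added example (not from the thread). Assumes cloudflare/cloudflare provider v4;
# account_id and the IdP IDs below are hypothetical placeholders.

terraform {
  required_providers {
    cloudflare = {
      source  = "cloudflare/cloudflare"
      version = "~> 4.0"
    }
  }
}

# Hypothetical values: fill these from Zero Trust > Settings > Authentication.
variable "account_id" {
  type    = string
  default = "00000000000000000000000000000000"
}

variable "existing_sso_idp_id" {
  type    = string
  default = "11111111-1111-1111-1111-111111111111"
}

variable "azure_saml_idp_id" {
  type    = string
  default = "22222222-2222-2222-2222-222222222222"
}

# Assumed: the App Launcher is managed as an Access application of type
# "app_launcher" in this provider version.
resource "cloudflare_access_application" "app_launcher" {
  account_id = var.account_id
  name       = "App Launcher"
  type       = "app_launcher"
}

# What did NOT work for the poster above: a single policy whose include
# rule lists both login methods; the logs showed only the first value
# being evaluated. Shown here commented out for contrast.
#
# resource "cloudflare_access_policy" "launcher_all_idps" {
#   application_id = cloudflare_access_application.app_launcher.id
#   account_id     = var.account_id
#   name           = "Allow SSO (both IdPs)"
#   precedence     = 1
#   decision       = "allow"
#   include {
#     login_method = [var.existing_sso_idp_id, var.azure_saml_idp_id]
#   }
# }

# What worked: one allow policy per login method, each with its own
# precedence. A request is allowed if any allow policy matches.
resource "cloudflare_access_policy" "launcher_existing_sso" {
  application_id = cloudflare_access_application.app_launcher.id
  account_id     = var.account_id
  name           = "Allow existing SSO login"
  precedence     = 1
  decision       = "allow"

  include {
    login_method = [var.existing_sso_idp_id]
  }
}

resource "cloudflare_access_policy" "launcher_azure_saml" {
  application_id = cloudflare_access_application.app_launcher.id
  account_id     = var.account_id
  name           = "Allow Azure AD SAML login"
  precedence     = 2
  decision       = "allow"

  include {
    login_method = [var.azure_saml_idp_id]
  }
}
```

After applying, the check is the same one the poster used: open Logs > Access, find the denied attempt for the user, and confirm the reason now cites a matching allow policy rather than a login-method mismatch. The identity-provider IDs can be copied from the provider's entry in the Zero Trust dashboard or pulled from the same Terraform state if the IdPs are managed there as `cloudflare_access_identity_provider` resources.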