This tutorial is deprecated in favour of Self-hosted applications · Cloudflare Zero Trust docs
Archive
This tutorial will be retired on May 15th 2022 when the legacy configuration in the dashboard will be removed → Retiring the legacy Access configuration tab
For a tutorial setting this up with the new workflow, see the official developer docs → Self-hosted applications · Cloudflare Zero Trust docs
This tutorial covers the basics of Cloudflare Access and how to protect an admin or other area of your website using this feature.
Please note: This tutorial covers the setup on Cloudflare, you also need to protect your origin server to prevent people being able to bypass Cloudflare to get around the login. You can enable Argo Tunnel or restrict connections to Cloudflare IPs only (contact your host for help with this).
Pricing:
Access is free for up to 5 ‘seats’ or users, after that, there is a fee for each new ‘seat’.
You can read about the pricing here
Please note: You must have a payment method added to your account to be able to use Cloudflare Access. You can read how to do this in this help article.
-
Go to the Access app in your Cloudflare Dashboard
-
Enable Access and choose your plan, add a payment method here if you don’t already have one.
-
Choose your Login Page Subdomain, this will be
XXXXX.Cloudflareaccess.com, where you can choose the value of XXXXX. This subdomain will be used across all the sites in your account that use Access and is what users will see when they go to login. -
Add a Login Method (or multiple), under ‘Login Methods’, you will automatically have the
option which will allow users to enter their email and receive a pin which will only work once to login. You can click 
to add support for other login methods such as Google, Facebook, Github etc. on the basic plan and GSuite etc. on the premium plan. This will allow your users to login quickly, especially if you use GSuite, for example, for all yuour users and they can log in with that. When you add each one, instructions will be shown for how to configure them. -
Create your Access Policy (or more than one!) - here you can choose what areas of your website to restrict, for example, if you use WordPress you may want to restrict the
/wp-adminpath. In the example below, I have restricteddomjh.net/admin
You can restrict by subdomain and by path. You can also select how long each user stays logged in for before having to authenticate again.
You now need to set who can access this area, this may be one of the following:
- a list of emails
- All emails on a certain domain
*An Access Group (Please see Below)
And more!
Access Groups
Access groups can be very useful should you want to group your users and manage them easily. For example, you may have an access group for marketing, one for sales, one for IT etc.
e.g.
or
You can then use these in conjunction with Access Policies to allow different departments to access different areas.
E.g.:
or
You can then quickly manage the staff within the Access Groups without having to add them manually to all the relevant Access Policies.
Useful Links:
Identity · Cloudflare Zero Trust docs
Tutorial Reference: CT-06
Reviewed: 07/21
This is a Community Tutorial, most are wiki posts, so can be contributed to by Regulars and MVPs here. If there is a tutorial you would like to see, you can request one here.
If you would like to provide any feedback on this tutorial, please post in the #Meta category, tag your post #TutorialFeedback and let us know the Tutorial Reference above.
Other great resources on this community include the Community Tips . These address best practices when configuring Cloudflare, how to fix issues you may see, and tools to troubleshoot. Also you can view Expert Tips, great posts on the community from people in the know that may help you with your issue.
We encourage users to check out these great resources and the Cloudflare Support Centre before posting