Issue with Access Policy and Group Setup in Cloudflare Access

Hello Cloudflare Community,

I am seeking advice on a perplexing issue I encountered while setting up Access Policies and Groups in Cloudflare Access for a preview deployment of a Next.js project on Cloudflare Pages.

Setup and Initial Configuration: I have two deployments: a production deployment linked to a custom domain and a preview deployment. My goal was to restrict access to the preview deployment to specific emails, starting with my own.

Steps and Observations:

  1. Initial Access Policy Setup:
  • In the ‘Manage’ section of my Cloudflare Pages project, I added an Access Policy that automatically applied to my business email (the one used for my Cloudflare account). This initial setup allowed me to access the preview deployment without issues.
  2. Creating and Applying Access Group:
  • I created an Access Group named “Myself,” which included only my personal email.
  • I then went to configure an application in Cloudflare Access and set up a policy (“Policy for Me”) linked to the “Myself” Access Group.

Issue Encountered:

  • The access using the “Myself” Access Group did not work initially. The policy tests indicated that a login attempt was necessary, but my login attempts didn’t seem to be recognized.
  3. Modification and Temporary Solution:
  • I modified the application policy to directly include my personal email, bypassing the Access Group. This change allowed me to log in successfully.
  4. Further Problem:
  • After successfully logging in with the direct email rule and subsequently removing this rule, I could still access the preview using the policy linked to the Access Group. It appears that the policy involving the Access Group only functioned correctly after logging in with the direct email rule.

Questions and Assistance Requested:

  • Why did the policy associated with the Access Group only become effective after a successful login using a direct rule policy?
  • How can I ensure consistent and reliable policy enforcement when using Access Groups in Cloudflare Access?

I used an incognito session for testing to avoid issues with persistent sessions and ensure that the problem was not related to caching or existing cookies.

Thank you for your insights and any help you can provide in resolving this issue!

Up <3