Looking for API only beta users - Access AzureAD/Entra Conditional Access Sync

Hello from the Access Product Team :slightly_smiling_face:

I’m looking for AzureAD (Entra) and Access users who are interested in a Conditional Access integration in Cloudflare Access policies. This new feature allows you to require specific AzureAD Authentication Contexts directly in your Access policies.

This feature is currently only available via the API (i.e. it won’t show up on your policies in the dashboard but it will enforce correctly). I will notify this thread when this is available in the Dashboard.

If you would like to test this feature out, here are the setup instructions:

  1. Have an Azure IdP set up in the Zero Trust (Teams) dashboard (see "Isolate Azure AD risky users" in the Cloudflare Zero Trust docs)
    a. Add the permission Policy.Read.ConditionalAccess to your AzureAD application
  2. In the AzureAD dashboard, set up authentication contexts
  3. Update your IdP config via an API PUT and set config.conditional_access_enabled: true

e.g.:

  "config": {
    "client_id": "client-id-example",
    "client_secret": "client-secret-example",
    "azure_cloud": "default",
    "directory_id": "directory-id-example",
    "redirect_url": "https://test.cloudflareaccess.com/cdn-cgi/access/callback",
    "support_groups": false,
    "conditional_access_enabled": true
  },

  4. This should pull your authentication contexts from the MS Graph API
  5. Check your authentication contexts via the API endpoint:

  curl --request GET \
    --url https://api.cloudflare.com/client/v4/accounts/<ACCOUNT_ID>/access/identity_providers/<IDP_ID>/auth_context \
    --header "Authorization: Bearer <API_TOKEN>"

Example response:

  {
    "result": [
      {
        "id": "auth_context_id",
        "uid": "auth_context_id",
        "ac_id": "c1",
        "display_name": "test_c1",
        "description": ""
      }
    ],
    "success": true,
    "errors": [],
    "messages": []
  }

  6. Add a require auth_context rule to an application policy via the API:

  "require": [
    {
      "auth_context": {
        "id": "<auth_context_id>",
        "connection_id": "<azure_idp_id>",
        "ac_id": "c1"
      }
    }
  ],


  7. You should now be able to see your auth context applied when visiting your application

Let me know if you have any questions, issues or challenges!

-Kenny J.
Access PM
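The steps above, carried out end to end as an added example (this is not Cloudflare's code and not part of the original post). It assumes an API token in the CF_API_TOKEN environment variable, that the Access policy is updated through the app-scoped endpoint /accounts/<ACCOUNT_ID>/access/apps/<APP_ID>/policies/<POLICY_ID>, and that you hold the Azure client_secret in your own secret store: the identity-provider PUT replaces the whole object and the GET does not echo the secret back, so it has to be supplied again. The auth context is looked up by its Entra ac_id ("c1" in the post) rather than by a hard-coded Cloudflare id, and the require rule is added without duplicating one that is already present. The sample IdP, auth-context and policy objects at the bottom are constructed so the pure functions can be exercised offline.

```python
"""Enable Entra Conditional Access on a Cloudflare Access Azure IdP and require
an authentication context in an application policy (added example; assumptions
are marked in the comments)."""
import copy
import json
import os
import urllib.request

API = "https://api.cloudflare.com/client/v4"


def cf_request(method, path, body=None, token=None):
    """Authenticated Cloudflare API call; returns the 'result' field or raises."""
    token = token or os.environ["CF_API_TOKEN"]  # assumption: token carries Access write permission
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        API + path, data=data, method=method,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        payload = json.load(resp)
    if not payload.get("success"):
        raise RuntimeError(f"{method} {path} failed: {payload.get('errors')}")
    return payload["result"]


def build_idp_update(idp, client_secret):
    """Return the full IdP body for the PUT (step 3) with conditional_access_enabled set.

    PUT replaces the identity provider, and GET does not return client_secret,
    so the secret must be re-supplied from your own store (assumption)."""
    if idp.get("type") != "azureAD":
        raise ValueError(f"conditional access needs an azureAD IdP, got {idp.get('type')!r}")
    if not client_secret:
        raise ValueError("client_secret is required when re-PUTting the IdP")
    updated = copy.deepcopy(idp)
    updated["config"]["client_secret"] = client_secret
    updated["config"]["conditional_access_enabled"] = True
    return {k: updated[k] for k in ("name", "type", "config") if k in updated}


def find_auth_context(contexts, ac_id):
    """Select the synced context whose Entra ac_id matches (step 5); the policy
    rule needs the Cloudflare-side 'id', which differs per account."""
    matches = [c for c in contexts if c.get("ac_id") == ac_id]
    if len(matches) != 1:
        raise LookupError(f"expected one context with ac_id={ac_id!r}, found {len(matches)}")
    return matches[0]


def require_auth_context(policy, context, idp_id):
    """Return a copy of the policy with the require auth_context rule (step 6).
    Idempotent: an identical rule already present is not appended again."""
    rule = {"auth_context": {"id": context["id"], "connection_id": idp_id, "ac_id": context["ac_id"]}}
    updated = copy.deepcopy(policy)
    require = updated.setdefault("require", [])
    if rule not in require:
        require.append(rule)
    return updated


def apply(account_id, idp_id, app_id, policy_id, ac_id, client_secret):
    """Run steps 3, 5 and 6 against the live API (assumed endpoint paths)."""
    idp_path = f"/accounts/{account_id}/access/identity_providers/{idp_id}"
    policy_path = f"/accounts/{account_id}/access/apps/{app_id}/policies/{policy_id}"
    idp = cf_request("GET", idp_path)
    cf_request("PUT", idp_path, build_idp_update(idp, client_secret))
    contexts = cf_request("GET", idp_path + "/auth_context")
    ctx = find_auth_context(contexts, ac_id)
    policy = cf_request("GET", policy_path)
    return cf_request("PUT", policy_path, require_auth_context(policy, ctx, idp_id))


# Constructed sample objects (mirroring the post's example response) for offline use.
SAMPLE_IDP = {"id": "idp-1", "name": "Azure", "type": "azureAD",
              "config": {"client_id": "client-id-example", "azure_cloud": "default",
                         "directory_id": "directory-id-example", "support_groups": False}}
SAMPLE_CONTEXTS = [{"id": "auth_context_id", "uid": "auth_context_id", "ac_id": "c1",
                    "display_name": "test_c1", "description": ""}]
SAMPLE_POLICY = {"name": "Allow staff", "decision": "allow",
                 "include": [{"everyone": {}}], "require": []}

if __name__ == "__main__":
    ctx = find_auth_context(SAMPLE_CONTEXTS, "c1")
    print(json.dumps(require_auth_context(SAMPLE_POLICY, ctx, SAMPLE_IDP["id"]), indent=2))
```

The check worth keeping from this is the one-and-only-one match on ac_id: if the sync has not run yet the list is empty, and if two contexts share an ac_id the script refuses rather than silently picking the first.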