Managing Authentication and Device Enrollment Permissions with Azure Entra AD and C

Hey everyone,

I’m currently managing a setup where the Azure Entra AD IdP is connected to Cloudflare Zero Trust at my company, and I’m looking to better understand the necessary permissions for optimal security and functionality.

We use Azure AD to manage user authentication, with an AD group specifically for users who have access to the Zero Trust environment. These users are provisioned in Cloudflare through SCIM, ensuring only authorized personnel have access. When a user is offboarded, they are also removed from this group, automatically revoking their access.

Here’s where I need some guidance:

  1. Authentication Permissions: Are the basic authentication permissions sufficient for managing access, or are there additional layers or settings I should consider?
  2. Device Enrollment Permissions: Currently, I’m uncertain how to set the device enrollment permissions. Should I apply the ‘everyone’ rule for device checks, or is it more secure to align these permissions with the Azure AD group once again?

Any insights, experiences, or recommendations on managing these settings effectively would be greatly appreciated. Looking forward to your thoughts!

Thank you!
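The trade-off behind the second question (an "everyone" device-enrollment rule versus one scoped to the synced Azure AD group) can be made concrete with a small policy evaluator. The block below is an added example, not code from the original post or from Cloudflare; it models the Include / Require / Exclude semantics of a Zero Trust policy (Include is OR, Require is AND, Exclude wins) over a constructed directory snapshot. The group name `zt-users`, the users, and the IdP label are all assumptions made for the illustration. The point it shows is that an "everyone" rule admits any identity the IdP will still authenticate, including a user who was removed from the synced group during offboarding but whose tenant account still exists, whereas a group-scoped rule denies that user as soon as SCIM removes the membership.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed sample data (not from the post): "zt-users" is the hypothetical
# Azure AD group that is provisioned into Cloudflare through SCIM.
ZT_GROUP = "zt-users"
AZURE_IDP = "azure-ad"


@dataclass
class Identity:
    email: str
    idp: str                       # which configured IdP authenticated the user
    groups: Set[str] = field(default_factory=set)


@dataclass
class Rule:
    selector: str                  # "everyone" | "group" | "email" | "idp"
    value: Optional[str] = None

    def matches(self, who: Identity) -> bool:
        if self.selector == "everyone":
            # "Everyone" means any identity that can complete IdP login,
            # not "everyone in the synced group".
            return True
        if self.selector == "group":
            return self.value in who.groups
        if self.selector == "email":
            return who.email.lower() == (self.value or "").lower()
        if self.selector == "idp":
            return who.idp == self.value
        raise ValueError(f"unknown selector: {self.selector}")


@dataclass
class Policy:
    name: str
    include: List[Rule]                                   # any match grants (OR)
    require: List[Rule] = field(default_factory=list)     # all must match (AND)
    exclude: List[Rule] = field(default_factory=list)     # any match denies

    def allows(self, who: Identity) -> bool:
        if any(r.matches(who) for r in self.exclude):
            return False
        if not any(r.matches(who) for r in self.include):
            return False
        return all(r.matches(who) for r in self.require)


def evaluate(policies: List[Policy], who: Identity) -> Optional[str]:
    """Return the name of the first policy that allows the identity, else None."""
    for policy in policies:
        if policy.allows(who):
            return policy.name
    return None


def offboard(who: Identity) -> Identity:
    """Model the post's offboarding step: SCIM removes the user from the group,
    but the tenant account itself may linger and can still authenticate."""
    return Identity(who.email, who.idp, who.groups - {ZT_GROUP})


# Two candidate device-enrollment policies.
EVERYONE_POLICY = Policy("enroll-everyone", include=[Rule("everyone")])
GROUP_POLICY = Policy(
    "enroll-zt-group",
    include=[Rule("group", ZT_GROUP)],
    require=[Rule("idp", AZURE_IDP)],          # pin enrollment to the one IdP
    exclude=[Rule("group", "zt-offboarded")],  # explicit deny beats include
)

ALICE = Identity("alice@example.com", AZURE_IDP, {ZT_GROUP})
BOB = offboard(Identity("bob@example.com", AZURE_IDP, {ZT_GROUP}))
CAROL = Identity("carol@example.com", AZURE_IDP, {ZT_GROUP, "zt-offboarded"})


if __name__ == "__main__":
    for who in (ALICE, BOB, CAROL):
        print(who.email,
              "everyone ->", evaluate([EVERYONE_POLICY], who),
              "| group ->", evaluate([GROUP_POLICY], who))
```

Running it shows Bob, whose group membership was revoked by offboarding, is still accepted by the "everyone" rule but denied by the group-scoped one; Carol demonstrates that an Exclude rule overrides an otherwise matching Include. The practical check this suggests is to keep device-enrollment rules aligned with the same SCIM-synced group that gates application access, so that a single group removal revokes both.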

