Teams: AzureAD Group membership refresh interval

I configured AzureAD as my authentication provider, enabled groups support, and am able to see my AAD groups when performing an authentication test in Cloudflare Teams.

Assuming I create a Cloudflare group that is populated with "include Azure group " as per the documentation and I add a user to the AAD group, when can I expect this change to be reflected on the Cloudflare side? Should I revoke user’s access and force them to re-authenticate in their WARP clients? Or is this controlled by the “Global session timeout” setting? Thank you.

Response from support for anyone else who may find this helpful:

Sorry for the delay in responding back! We are experiencing an unprecedented demand for our Free service which is causing delays for our Free customers. (I am actually a paying customer, but whatever - emeliyanov)

In this case, I recommend that you review and follow the steps as per Require WARP · Cloudflare Zero Trust docs to set up WARP.

And regarding:

“as per the documentation and I add a user to the AAD group, when can I expect this change to be reflected on the Cloudflare side? Should I revoke user’s access and force them to re-authenticate in their WARP clients? Or is this controlled by the “Global session timeout” setting? Thank you.”

Yes, once you enforce the WARP, the change should be immediate. However, if you have active sessions, it would not affect those; once the Session timeout is completed, the new sessions will have the new policies applied.

So, we suggest revoking all the active sessions after making any changes to your policies and you should be good.

Hope this helps, and I will mark this ticket as solved but do let us know if you have any further questions or issues by replying to this e-mail or ticket, which will then reactivate the ticket for us to investigate or answer any outstanding queries.
