Understanding how to use policy email ends with DOMAIN

Seeking help in understanding Access licensing, in terms of Zero Trust > My Team > "Your users: Showing 1-5 of 5".

Use case:
I have uptime kuma running on a private VM with cloudflare tunnels and want any of the 8 employees to be able to check anytime status and dashboards on that app. So I have a working CF tunnel and a CF Access application with POLICY rule ALLOW and user with email ending in @MYDOMAIN.com.

Do I need to pay for a batch of user seats?

Seems like you get 5 users on the free plan, but since I've paid for 2, by upgrading to a set of paid licenses I'm limited to just 2 and not 5. Further, there's another view in Zero Trust that says I get 50 users, but I have no idea if this relates to the same licensing and access?

I tested with several test users and have manually, from this interface, revoked and REMOVED the test users, but they remain greyed out, NOT REMOVED, and I see no other way to add another user if I'm trying to limit my use of this to just 5 users. I cancelled my paid users as I saw no benefit of this, and further, by paying for users I don't even get 5 anymore, as the email code screen then says I've used all my licenses.

Note: UI message upon removal:

Remove dan?

End the user's active session and remove them from the user registry.
This will mark the user as Inactive, and they will no longer occupy a seat unless they re-authenticate. To disable a user's ability to authenticate, modify your Access and device enrollment policies.

If I then try to access a self hosted application, where I'm using 2 and have 3 greyed out users, and I try to access where email includes ending in @MYDOMAIN.com, if I again try to use a new person [email protected], I get the message
"Your Cloudflare Access organization has used all of its available seats this month."

QUESTION: What am I doing wrong in the setup where I simply want a few people at my small company to be able to access my self hosted apps using the emails ending in "include rule", as it seems I'd need to be paying for a big batch of licenses (to potentially include all 8 people with emails @MYDOMAIN.com) to make this work?

I can't believe that I would have to pay $7/month for every potential person [email protected] to allow access to just some small random service.

REQUEST FOR RESOURCES
Is there a good explainer video on this? I've read and also used AI to walk me through all the Cloudflare docs, and neither I nor GPT understand how to get this working. That said, I totally understand that at the end of the day, Cloudflare wants me to pay for all 8 people ultimately. But for simple access codes based on emails at a domain (I love this potential) I just must be missing something.

Adding resources I reviewed but didn't get my answer from, in case it helps others. This is what I've reviewed:

and

So I said to myself, 'hey self…' just pay for the license and see if you can make this work… So I did, and yesterday I purchased a dozen licenses for Zero Trust Access even though there are only a few people that will use this, plus a few more that might at some time. And the interface didn't update to the many licenses; it still just had the two I'd purchased prior and cancelled, hoping to get back to the 5 in the default no-cost plan.

Now today system status shows up, yet after clearing caches and retries I only get a non-ID or referenced error:

What I hope occurs: a super smart Cloudflare person sees this at the top of Zero Trust posts for a second day and says, hey, I know what needs to be looked into by this small customer (that can't afford paid support); "Go look here… or try this…"

Ok, how many other people actually love to find out the problem is not them, it's the vendor?

And to add to this post, as someone like me one day will have a similar question or confusion: I now see several more users were able to access my app using [email protected] based on my policy of emails ending in @MYDOMAIN.com. Yet now the USERS page, which appeared without an error, shows those new users (logs also show them as connected users) as INACTIVE.

Well, at least I didn't get the 'contact your admin because you are out of licenses' error, so for now it's working but just doesn't make any sense.

I used the $3/user option, so it's only around $40/month for this set of users, and I really love Cloudflare, so I guess it's worth it! Now to go search YouTube for Cloudflare videos showing me how to host my self hosted apps under WARP! I've fed GPT-4 all the Cloudflare docs, but it still can't rival a good YouTube video on how to get things done.

An hour later the new email auth users (email ending in …) are showing active, so it must have been an artifact of the trouble Cloudflare is having today around user settings.

I still don't know how others say they have 50 users that can be used in this manner, as I could never get more than the 5 default, which was frustrating when, paying for two, my limit dropped from 5 on the free plan to 2 when I paid for what would be the regularly used licenses.

I recommend to others to just pay for the $3/user team added licenses for as many people as 'might use the access', as this does seem to be the way the licensing model is meant to work that I didn't understand.

It seems that if you once paid for users at $7/each, for example for STANDARD 2 users, and then try to add 10 A LA CARTE users at $3/each, the system calculates the charge and completes but never escalates the seats, as it still thinks you want to finish the month of higher level seats. Even when I tried to downgrade back to the free plan previously. Perhaps there's a trick to flush out the system?

I'm now seeing I'm using 7 of my 2 paid users. And I again tried buying a set of license seats, and it even calculates all amounts and lets me hit the pay now button, but there's a bug in the process because it drops back to 2 users.
FIX: Cloudflare needs to program the scenario where a user cancels their plan and the user can still buy a smaller tier that overrides the existing cancelled plan end date. This could be a big problem if they start enforcing. But for all I know, I'll wait till the 2 users end and then perhaps it will tell me my a la carte $3 licenses don't work for granting access. Maybe it's time to brush up on my own application authentication if Zero Trust Access can't handle this (as it's working now) due to billing inconsistencies.

I'm going to simplify my situation to see if any other users have recommendations.

USE CASE:
Cloudflare Tunnel active to a self hosted docker app Uptime Kuma (website monitoring)
Application Policy: Allow all emails ending in @MYCOMPANY.com

Anyone at my company can enter their email and get a login code emailed

QUESTION 1) Can I have 50 of these based on the FREE plan, or is this considered "service token support", which would require a la carte?

QUESTION 2) Considering the application itself then requires a login after Zero Trust completes, should I be considering another approach or additional features?

I had assumed that the approach I'm using allows staff to access even if they are traveling and not on an approved IP, which is also an additional "include" policy rule placed in front of the "all emails ending in" policy. So the logic is: is the user at the office (policy)? Yes > no need to even enter an email; or NO > the user is not using an allow listed IP and thus enters an email for a code.

For reference, I'm trying to understand the right plan but don't really want to overpay for capabilities I'm not using.

As billing reset today, I was charged and now have the available licenses. A fix for this would be asking the user if they wish to switch their plan now or at the end of the billing period. This would avoid potentially critical capabilities being held back due to insufficient licensing when downgrading from a higher tier license cost.

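As an added example (not from the original post, and not Cloudflare's own code), here is the two-policy setup described in the use case above expressed as Terraform for the Cloudflare provider (v4 resource names): an Access application in front of the tunnelled Uptime Kuma instance, an office-IP bypass evaluated first, and an email-domain allow rule for everyone else. The account ID, hostname, office CIDR and company domain are placeholders.

```hcl
# Added example, not the poster's or Cloudflare's configuration.
# All identifiers below are placeholders (assumptions), substitute your own.

variable "account_id" {}                      # placeholder: your Cloudflare account ID

# The self-hosted application that the Cloudflare Tunnel publishes.
resource "cloudflare_access_application" "kuma" {
  account_id       = var.account_id
  name             = "Uptime Kuma"
  domain           = "status.example.com"     # placeholder: the tunnel's public hostname
  type             = "self_hosted"
  session_duration = "24h"
}

# Policy 1 (lowest precedence number is evaluated first): requests arriving
# from the office egress range skip Access authentication entirely.
resource "cloudflare_access_policy" "office_bypass" {
  account_id     = var.account_id
  application_id = cloudflare_access_application.kuma.id
  name           = "Office network bypass"
  precedence     = 1
  decision       = "bypass"

  include {
    ip = ["203.0.113.0/24"]                   # placeholder: office egress CIDR (RFC 5737 documentation range)
  }
}

# Policy 2: anyone not matched above must prove control of an @example.com
# address through the one-time PIN that Access emails to them.
resource "cloudflare_access_policy" "staff_email" {
  account_id     = var.account_id
  application_id = cloudflare_access_application.kuma.id
  name           = "Staff by email domain"
  precedence     = 2
  decision       = "allow"

  include {
    email_domain = ["example.com"]            # placeholder: company domain
  }
}
```

Two points worth checking once this is applied. A bypass policy means no identity is collected for those requests and nothing appears in the Access login logs or the My Team > Users list for them, so keep the CIDR as narrow as the office's actual egress addresses. Only users who complete the email step show up on the Users page, and, per the UI message quoted earlier in the thread, a seat is occupied by a user who authenticates, so the bypass path does not add names to that list while the email path does.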

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.