Where's my mystery Login method coming from?

Hello all,

I have been experimenting with the Cloudflare GUI in the early stages of my setup, and gradually replacing it with Terraform.

I have two active tunnels and maybe 10 deleted tunnels which can be seen using the CLI command “cloudflared tunnel list -d”

I previously had per-tunnel Azure AD login methods defined using this block:

resource “cloudflare_access_identity_provider” “aad” {
zone_id = data.cloudflare_zone.this.id
name = “Azure AD”
type = “azureAD”
config {
client_id = data.hcp_vault_secrets_app.cloudflare.secrets.aadclientid
client_secret = data.hcp_vault_secrets_app.cloudflare.secrets.aadclientsecret
directory_id = data.hcp_vault_secrets_app.cloudflare.secrets.aaddirectoryid
}
}

…except when testing an app defined in one of the tunnels I saw not 2 but 3 choices when connecting under the “Sign in with:” banner. That is, it seems I have 3 IdP configs defined rather that the 2 I was expecting.

When I change the Terraform to remove the per-tunnel definitions, I’m still left with 1.

How do I find where that’s defined? Looking at the docs it seems I can define access_identity_provider resources either by associating them with a zone or with an account:

https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/access_identity_provider

So maybe my question should be: where in the GUI do I find account-scoped access_identity_provider definitions?

Thanks!

Actually I can probably put it more simply. It seems I have an orphan Identity Provider configuration entry.

When I go to Zero Trust/Applications and click on one of them, then Configure/Authentication, I see the prompt “Configure your first Identity Provider” - but when I visit that app’s URI I see “Sign in with:” and a single-item list with Azure AD, and that’s correctly configured for my tenant.