Zero Trust, Agentless access to Self-Hosted application?

We have been working with Cloudflare support and Microsoft Support for the Azure component. We want to set up Zero Trust access to a self-hosted app without using an agent (warp client or cloudflared). Details:

  • Authentication through Azure AD. Conditional Access Policies for Cloudflare as well as Microsoft Exchange Online. Note that the EXO is set to prevent access from anyone trying to connect from an IP address outside of our network

  • I set up a Tunnel in ZT, Public hostname is https://.com; private hostname is the /32 of the app

  • Access group created - login method=Azure, selector= specified emails

  • Application created, policy pointing to access group, purpose justification required for JIT access

Desired effect: outside party navigates to the URL specified on the public tunnel, uses AD credentials to log on, email sent for justification and access granted.

Problem: Access is being blocked by our CAP designed for Microsoft Exchange Online. We have excluded Cloudflare from the CAP, but it still blocks. I am not sure whether Cloudflare attempts to read any information from EXO in order to work. I have tried various selectors, but nothing is working. It is a requirement that authentication is done through Azure AD for security purposes.

Microsoft engineers are stumped after hours of troubleshooting, redirecting me back to Cloudflare and I’m awaiting an updated response from Cloudflare. Has anyone run into this before or have any recommended avenues for troubleshooting?

Access doesn’t require anything in EXO/Conditional Access policy. It will just send an OIDC request to AzureAD and wait for the response. Are you getting an AzureAD error/block screen when the authentication fails?

Hi, yes I am getting a response saying that “sign-in was successful but does not meet criteria to access this resource.” When I check Azure AD sign-in logs, it is showing that it is blocked by EXO CAP.

  • Cloudflare has been added as an exception for this CAP and we have created one specifically for Cloudflare to allow access
  • ‘What if’ scenarios do not trigger the EXO CAP
  • Although it is added as an exception, it still triggers, which led us to consider whether Cloudflare requires EXO access for some reason…
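One way to make the sign-in log check described above repeatable is to pull the exported Azure AD sign-in records and list, for each sign-in, which application and resource it targeted and which Conditional Access policies reported a failure. The script below is an added example, not code from this thread, from Cloudflare or from Microsoft; it assumes the field names of the Microsoft Graph sign-in record (appDisplayName, resourceDisplayName, conditionalAccessStatus, appliedConditionalAccessPolicies with displayName and result) and the policy names are placeholders. The three records embedded in it are constructed for illustration, not real tenant data.

```python
"""Triage Azure AD sign-in records: which app/resource each sign-in targeted
and which Conditional Access policy (CAP) blocked it.

Added example for this thread, not Cloudflare's or Microsoft's code.
Assumes the Microsoft Graph signIn record shape; sample data is constructed.
"""
import json
from typing import Any, Dict, List

# Placeholder policy names (assumption, not the poster's real policy names).
EXO_POLICY = "Block EXO from outside corporate network"
CF_POLICY = "Allow Cloudflare Access"

# Constructed sample export: a blocked Cloudflare Access sign-in, an allowed
# one, and a legitimately blocked Exchange Online sign-in from outside.
SAMPLE_SIGNINS = json.dumps([
    {
        "id": "sample-1",
        "userPrincipalName": "partner@example.com",
        "appDisplayName": "Cloudflare Access",
        "resourceDisplayName": "Cloudflare Access",
        "conditionalAccessStatus": "failure",
        "status": {"errorCode": 53003, "failureReason": "Blocked by Conditional Access"},
        "appliedConditionalAccessPolicies": [
            {"displayName": EXO_POLICY, "result": "failure"},
            {"displayName": CF_POLICY, "result": "success"},
        ],
    },
    {
        "id": "sample-2",
        "userPrincipalName": "partner@example.com",
        "appDisplayName": "Cloudflare Access",
        "resourceDisplayName": "Cloudflare Access",
        "conditionalAccessStatus": "success",
        "status": {"errorCode": 0},
        "appliedConditionalAccessPolicies": [
            {"displayName": EXO_POLICY, "result": "notApplied"},
            {"displayName": CF_POLICY, "result": "success"},
        ],
    },
    {
        "id": "sample-3",
        "userPrincipalName": "partner@example.com",
        "appDisplayName": "Outlook",
        "resourceDisplayName": "Office 365 Exchange Online",
        "conditionalAccessStatus": "failure",
        "status": {"errorCode": 53003, "failureReason": "Blocked by Conditional Access"},
        "appliedConditionalAccessPolicies": [
            {"displayName": EXO_POLICY, "result": "failure"},
        ],
    },
])


def parse_signins(text: str) -> List[Dict[str, Any]]:
    """Parse a JSON array of sign-in records (portal export or Graph response)."""
    records = json.loads(text)
    if not isinstance(records, list):
        raise ValueError("expected a JSON array of sign-in records")
    return records


def blocking_policies(signin: Dict[str, Any]) -> List[str]:
    """Names of the CAPs whose result was 'failure' for this sign-in."""
    return [
        p.get("displayName", "<unnamed>")
        for p in signin.get("appliedConditionalAccessPolicies", [])
        if p.get("result") == "failure"
    ]


def triage(signins: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """One summary row per sign-in: who, which app/resource, CA outcome, blockers."""
    return [
        {
            "id": s.get("id"),
            "user": s.get("userPrincipalName"),
            "app": s.get("appDisplayName"),
            "resource": s.get("resourceDisplayName"),
            "ca_status": s.get("conditionalAccessStatus"),
            "error": (s.get("status") or {}).get("errorCode", 0),
            "blocked_by": blocking_policies(s),
        }
        for s in signins
    ]


def unexpected_policy_hits(signins: List[Dict[str, Any]], app_name: str,
                           policy_name: str) -> List[str]:
    """IDs of sign-ins to `app_name` that `policy_name` still blocked.
    A non-empty result means the exclusion that policy is supposed to carry
    for the application is not taking effect on those sign-ins."""
    return [
        s.get("id") for s in signins
        if s.get("appDisplayName") == app_name and policy_name in blocking_policies(s)
    ]


if __name__ == "__main__":
    records = parse_signins(SAMPLE_SIGNINS)
    for row in triage(records):
        print(f"{row['id']}: app={row['app']} resource={row['resource']} "
              f"ca={row['ca_status']} error={row['error']} blocked_by={row['blocked_by']}")
    print("Cloudflare sign-ins still blocked by the EXO policy:",
          unexpected_policy_hits(records, "Cloudflare Access", EXO_POLICY))
```

Running it against a real export replaces SAMPLE_SIGNINS with the file contents; the useful rows are the ones where the app and resource are the Cloudflare Access application yet the EXO policy appears under blocked_by, which separates "the exclusion is not matching this application" from an ordinary Exchange Online block like sample-3.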