We have been working with Cloudflare support and Microsoft Support for the Azure component. We want to set up Zero Trust access to a self-hosted app without using an agent (warp client or cloudflared). Details:
- Authentication through Azure AD. Conditional Access Policies for Cloudflare as well as Microsoft Exchange Online. Note that the EXO policy is set to prevent access from anyone trying to connect from an IP address outside of our network.
- I set up a Tunnel in ZT; public hostname is https://.com, private hostname is the /32 of the app.
- Access group created: login method = Azure, selector = specified emails.
- Application created, policy pointing to the access group, purpose justification required for JIT access.
Desired effect: an outside party navigates to the URL specified on the public tunnel, uses AD credentials to log on, an email is sent for justification, and access is granted.
Problem: Access is being blocked by our CAP designed for Microsoft Exchange Online. We have excluded Cloudflare from the CAP, but it still blocks. I am not sure if Cloudflare attempts to read any information from EXO to work? I have tried various selectors, but nothing is working. It is a requirement that authentication is done through Azure AD for security purposes.
Microsoft engineers are stumped after hours of troubleshooting, redirecting me back to Cloudflare and I’m awaiting an updated response from Cloudflare. Has anyone run into this before or have any recommended avenues for troubleshooting?
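One way to narrow down which Conditional Access policy is actually doing the blocking is to read the Azure AD sign-in log for the Cloudflare enterprise application and look at the `appliedConditionalAccessPolicies` array on each failed sign-in: a policy whose result is `failure` is the one that blocked, and a policy that should have been excluded but still shows anything other than `notApplied` tells you the exclusion is not taking effect. The script below is an added example, not code from the original post or from Cloudflare or Microsoft; the log entries are constructed samples in the Microsoft Graph `auditLogs/signIns` shape, and the application display name ("Cloudflare Access") and policy names are assumptions.

```python
import json

# Constructed sample of Azure AD sign-in log entries, trimmed to the fields the
# check needs. These are NOT real log lines; the app and policy names are assumed.
SAMPLE_SIGNINS = json.dumps([
    {
        "userPrincipalName": "alice@example.com",
        "appDisplayName": "Cloudflare Access",
        "ipAddress": "203.0.113.10",
        "conditionalAccessStatus": "failure",
        "appliedConditionalAccessPolicies": [
            {"displayName": "Block EXO from outside corp network",
             "result": "failure", "enforcedGrantControls": ["Block"]},
            {"displayName": "Require MFA for Cloudflare",
             "result": "success", "enforcedGrantControls": ["Mfa"]},
        ],
    },
    {
        "userPrincipalName": "bob@example.com",
        "appDisplayName": "Cloudflare Access",
        "ipAddress": "198.51.100.5",
        "conditionalAccessStatus": "success",
        "appliedConditionalAccessPolicies": [
            {"displayName": "Block EXO from outside corp network",
             "result": "notApplied", "enforcedGrantControls": ["Block"]},
        ],
    },
])


def blocking_policies(signins_json, app_name):
    """Return (user, ip, policy) for every sign-in to app_name that a
    Conditional Access policy blocked (policy result == 'failure')."""
    hits = []
    for s in json.loads(signins_json):
        if s.get("appDisplayName") != app_name:
            continue
        if s.get("conditionalAccessStatus") != "failure":
            continue
        for p in s.get("appliedConditionalAccessPolicies", []):
            if p.get("result") == "failure":
                hits.append((s["userPrincipalName"], s["ipAddress"], p["displayName"]))
    return hits


def policy_still_applies(signins_json, app_name, policy_name):
    """True if policy_name was evaluated against app_name at all (any result
    other than 'notApplied'), i.e. an intended app exclusion is not in effect."""
    for s in json.loads(signins_json):
        if s.get("appDisplayName") != app_name:
            continue
        for p in s.get("appliedConditionalAccessPolicies", []):
            if p.get("displayName") == policy_name and p.get("result") != "notApplied":
                return True
    return False


if __name__ == "__main__":
    # With real data, export the sign-in log for the Cloudflare app to JSON first.
    for user, ip, policy in blocking_policies(SAMPLE_SIGNINS, "Cloudflare Access"):
        print(f"{user} from {ip} blocked by policy: {policy}")
```

On real data, export the sign-in log filtered to the Cloudflare enterprise application and point the functions at that JSON; if the EXO policy shows up with any result other than `notApplied` for the Cloudflare app, the exclusion is not matching the app object Cloudflare actually authenticates against, which is the first thing to verify with both vendors.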