Cloudflare Access Federation with Entra ID
Background
I wanted to better understand how federation, provisioning and Zero Trust access work in practice between Microsoft Entra ID and Cloudflare Access.
The goal was to explore how identity can be used as the primary security boundary and how access can be managed through groups rather than individual users.
What I Built
In this lab I integrated Microsoft Entra ID with Cloudflare Access using:
- OpenID Connect (OIDC)
- SCIM provisioning
- Group-based access control
- Automated user and group synchronization
Architecture:
Entra ID → OIDC → Cloudflare Access
Entra ID → SCIM → Cloudflare
What I Tested
I configured Entra ID as the Identity Provider and validated the complete authentication flow between the two platforms.
I also tested:
- User provisioning
- User deprovisioning
- Group synchronization
- Group-based access policies
- Automated lifecycle management
Results
The integration allowed:
- Centralized authentication through Entra ID
- Automatic provisioning of users and groups
- Automated deprovisioning when access was removed
- Group-based authorization within Cloudflare Access
- Reduced manual administration
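The provisioning and authorization behaviour listed above, as an added example that is not Cloudflare's or Microsoft's code: an in-memory model of the SCIM 2.0 user and group pushes, with a group-based access check that shows why a deprovisioned user or a removed group member loses access without any manual change on the Cloudflare side. Group keys, the shape of the remove operation and the identities are simplifications and constructed values, not real SCIM or Entra ID output.

```python
# Added example, not Cloudflare's or Microsoft's code: an in-memory model of
# the SCIM 2.0 user/group pushes the lab relies on, plus the group-based access
# check Cloudflare Access applies to synced groups. Assumed simplifications:
# groups keyed by displayName; "remove" lists member ids in "value"; constructed data.
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"


class ScimDirectory:
    def __init__(self):
        self.users = {}   # user id -> {"userName": str, "active": bool}
        self.groups = {}  # displayName -> set of member user ids

    def create(self, resource):
        """POST /Users or POST /Groups with a SCIM JSON body."""
        if USER_SCHEMA in resource["schemas"]:
            self.users[resource["id"]] = {"userName": resource["userName"],
                                          "active": resource.get("active", True)}
        elif GROUP_SCHEMA in resource["schemas"]:
            members = {m["value"] for m in resource.get("members", [])}
            self.groups[resource["displayName"]] = members

    def patch_user(self, user_id, op):
        """PATCH /Users/{id}; deprovisioning arrives as replace active=False."""
        if op["op"].lower() == "replace" and op["path"] == "active":
            self.users[user_id]["active"] = bool(op["value"])

    def patch_group(self, name, op):
        """PATCH /Groups; membership changes arrive as add/remove member ops."""
        ids = {m["value"] for m in op["value"]}
        if op["op"].lower() == "add":
            self.groups[name] |= ids
        elif op["op"].lower() == "remove":
            self.groups[name] -= ids


def access_allowed(directory, user_id, required_group):
    """Group-based policy: the user must exist, be active and be a member."""
    user = directory.users.get(user_id)
    return bool(user and user["active"]
                and user_id in directory.groups.get(required_group, set()))


def run_lifecycle():
    d = ScimDirectory()
    d.create({"schemas": [USER_SCHEMA], "id": "u1", "userName": "alice@example.test"})
    d.create({"schemas": [GROUP_SCHEMA], "id": "g1", "displayName": "cf-app-users",
              "members": [{"value": "u1"}]})
    provisioned = access_allowed(d, "u1", "cf-app-users")        # True
    d.patch_group("cf-app-users", {"op": "Remove", "path": "members", "value": [{"value": "u1"}]})
    removed = access_allowed(d, "u1", "cf-app-users")            # False
    d.patch_group("cf-app-users", {"op": "Add", "path": "members", "value": [{"value": "u1"}]})
    d.patch_user("u1", {"op": "Replace", "path": "active", "value": False})
    deprovisioned = access_allowed(d, "u1", "cf-app-users")      # False
    return provisioned, removed, deprovisioned
```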
Challenges
During the implementation I encountered several common federation issues, including:
- Redirect URI mismatches
- Incorrect secret usage (the client secret's Secret ID pasted where its Secret Value belongs)
- Permission and consent configuration
Troubleshooting these issues provided a much better understanding of how federation flows work in practice.
Reflection
The most interesting part of this project was seeing how SCIM and group-based access simplify lifecycle management.
Instead of managing users manually in multiple systems, identity and access could be controlled centrally from Entra ID, while Cloudflare automatically reflected those changes.
The project also helped me better understand the relationship between authentication, provisioning and Zero Trust access models.