Edit

Share via

Configure Cloudflare Web Application Firewall with Microsoft Entra External ID

Applies to: Green circle with a white check mark symbol that indicates the following content applies to external tenants. External tenants (learn more)

In this article, you learn how to configure Cloudflare Web Application Firewall (Cloudflare WAF) to protect your organization from attacks, such as distributed denial of service (DDoS), malicious bots, Open Worldwide Application Security Project (OWASP) Top-10 security risks, and others.

Prerequisites

To get started, you need:

Learn about tenants and securing apps for consumers and customers with Microsoft Entra External ID.

Scenario description

  • Microsoft Entra External ID tenant – The identity provider (IdP) and authorization server that verifies user credentials with custom policies defined for the tenant.
  • Azure Front Door – Enables custom URL domains for Microsoft Entra External ID. Traffic to custom URL domains goes through Cloudflare WAF, it then goes to AFD, and then to the Microsoft Entra External ID tenant.
  • Cloudflare WAF – Security controls to protect traffic to the authorization server.

Cloudflare setup steps

First you need to set up Cloudflare WAF to protect your custom URL domains for Microsoft Entra External ID. Follow these steps to configure Cloudflare WAF.

Enable custom URL domains

The first step is to enable custom domains with AFD. Use the instructions in, Enable custom URL domains for apps in external tenants.

Create a Cloudflare account

  1. Go to Cloudflare.com/plans to create an account.
  2. To enable WAF, on the Application Services tab, select Pro.

Configure the ___domain name server (DNS)

Enable WAF for a ___domain.

  1. In the DNS console, for CNAME, enable the proxy setting.

Screenshot of CNAME options.

  1. Under DNS, for Proxy status, select Proxied.

  2. The status turns orange.

    Screenshot of proxied status.

Note

Azure Front Door-managed certificates aren't automatically renewed if your custom ___domain’s CNAME record points to a DNS record other than the Azure Front Door endpoint’s ___domain (for example, when using a third-party DNS service like Cloudflare). To renew the certificate in such cases, follow the instructions in the Renew Azure Front Door-managed certificates article.

Cloudflare security controls

For optimal protection, we recommend you enable Cloudflare security controls.

DDoS protection

  1. Go to the Cloudflare dashboard.
  2. Expand the Security section.
  3. Select DDoS.
  4. A message appears.

Screenshot of bot protection options.

Bot protection

  1. Go to the Cloudflare dashboard.
  2. Expand the Security section.
  3. Under Configure Super Bot Fight Mode, for Definitely automated, select Block.
  4. For Likely automated, select Managed Challenge.
  5. For Verified bots, select Allow.

Screenshot of bot protection options.

Firewall rules: Traffic from the Tor network

We recommend you block traffic that originates from the Tor proxy network, unless your organization needs to support the traffic.

Note

If you can't block Tor traffic, select Interactive Challenge, not Block.

Block traffic from the Tor network

  1. Go to the Cloudflare dashboard.
  2. Expand the Security section.
  3. Select WAF.
  4. Select Create rule.
  5. For Rule name, enter a relevant name.
  6. For If incoming requests match, for Field, select Continent.
  7. For Operator, select equals.
  8. For Value, select Tor.
  9. For Then take action, select Block.
  10. For Place at, select First.
  11. Select Deploy.

Screenshot of the create rule dialog.

Note

You can add custom HTML pages for visitors.

Firewall rules: Traffic from countries or regions

We recommended strict security controls on traffic from countries or regions where business is unlikely to occur, unless your organization has a business reason to support traffic from all countries or regions.

Note

If you can't block traffic from a country or region, select Interactive Challenge, not Block.

Block traffic from countries or regions

For the following instructions, you can add custom HTML pages for visitors.

  1. Go to the Cloudflare dashboard.
  2. Expand the Security section.
  3. Select WAF.
  4. Select Create rule.
  5. For Rule name, enter a relevant name.
  6. For If incoming requests match, for Field, select Country/Region or Continent.
  7. For Operator, select equals.
  8. For Value, select the country/region or continent to block.
  9. For Then take action, select Block.
  10. For Place at, select Last.
  11. Select Deploy.

Screenshot of the name field on the create rule dialog.

OWASP and managed rulesets

  1. Select Managed rules.
  2. For Cloudflare Managed Ruleset, select Enabled.
  3. For Cloudflare OWASP Core Ruleset, select Enabled.

Screenshot of rule sets.

Set up a web application firewall (WAF) in External ID

After you set up your Cloudflare account, connect it to Microsoft Entra External ID. Use your Cloudflare API token and Zone ID to complete the connection. You can do this in the admin center or by using Microsoft Graph API.

WAF provider configuration

  1. Sign in to the Microsoft Entra admin center as at least a Security Reader.
  2. If you have access to multiple tenants, use the Settings icon in the top menu to switch to the external tenant you created earlier from the Directories + subscriptions menu.
  3. Browse to Entra ID > Security Store.
  4. Select the Protect apps from DDoS with WAF tile by selecting Get started.
  5. Under Choose a WAF Provider select Cloudflare and then select Next.

Screenshot of the choose WAF provider page.

  1. Under Configure Cloudflare WAF, you can select an existing configuration or create a new one. If you're creating a new configuration add the following information:
    • Configuration name: A name for the WAF configuration.
    • API token: The API token from your Cloudflare dashboard.
    • Zone ID: The Zone ID for your ___domain, from your Cloudflare dashboard.

Screenshot of the configure WAF provider page.

  1. Select Next to save your changes.

Domain verification

Select the custom URL domains that are enabled through Azure Front Door (AFD) to verify and connect them to your Cloudflare WAF configuration. This step ensures that the selected domains are protected with advanced security features.

  1. Select Verify ___domain to start the verification process.
  2. Select the custom URL domains you want to protect with Cloudflare WAF and then select Verify.

Screenshot of the verify ___domain page.

  1. After verification, select Done.

Test the configuration

Once you’ve connected Cloudflare WAF with Microsoft Entra External ID, it’s important to test the configuration to ensure everything is working as expected.

Screenshot showing configuration test results.

Troubleshooting

The following table lists common issues you might encounter when integrating Cloudflare WAF with Microsoft Entra External ID, along with their details and resolutions.

Issue Details Resolution
Bad Request Response "The provided API Key has insufficient permissions. Please reauthenticate and try again.\r\n CloudFlare Request ID: {CF-Ray-value}\r\nCorrelation ID: random-id-entry-value\r\nTimestamp: 2024-08-25 21:32:40Z" Check the permission level mentioned in the above steps.
Couldn't reach the external tenant's well-known endpoint "Could not reach the tenant's well-known endpoint via custom ___domain. Please check that your custom ___domain has been properly configured to route traffic."
At the Graph level, you might see HTTP 200 OK with status failure when Cloudflare returns error code 403. This check is performed on our side before any API calls to Cloudflare.		 Disable the captcha on the Cloudflare portal (change the wildcard to disable), then rerun the POST request.

Additional resources

Related content

  • Last updated on