Skip to content

Access & configuration

This page puts a login screen in front of the app so only your staff can reach it, using their Microsoft 365 accounts. It assumes no prior Cloudflare Zero Trust experience.

There are three parts: (A) tell Microsoft to trust Cloudflare, (B) tell Cloudflare to use Microsoft for login, (C) put the login in front of your app. Do them in order.

This Entra registration is separate from the mail one

The registration you create in Part A is only for login. It is not the same as the mail-sending registration in Microsoft 365 connection. Keep them separate.

Part A — Register Cloudflare in Microsoft Entra

  1. Go to https://entra.microsoft.comIdentityApplicationsApp registrations+ New registration.
  2. Name: Cloudflare Access – Login.
  3. Supported account types: Accounts in this organizational directory only.
  4. Redirect URI: choose Web in the dropdown and enter (you'll get your team name in Part B — for now use a placeholder and fix it after, or set your known team name):

    https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback
    
    5. Click Register. 6. On the Overview page, copy the Application (client) ID and Directory (tenant) ID. 7. In the left menu select Certificates & secrets+ New client secret → give it a name, choose an expiry, Add. Immediately copy the secret's Value (it's only shown once). 8. In the left menu select API permissions+ Add a permissionMicrosoft GraphDelegated → add email, openid, profile, offline_access, User.ReadAdd permissionsGrant admin consent.

Keep the client ID, tenant ID, and secret value handy for Part B.

Part B — Add Microsoft as a login method in Cloudflare

  1. Go to https://one.dash.cloudflare.com (Cloudflare Zero Trust). If it's your first time, follow the prompt to choose a team name — write this down; it becomes https://<your-team-name>.cloudflareaccess.com (your team domain).
  2. In the left menu select SettingsAuthentication.
  3. Under Login methods, click Add new.
  4. Choose Azure AD (Microsoft Entra ID).
  5. Fill in:
    • App ID = the Application (client) ID from Part A.
    • Client secret = the secret Value from Part A.
    • Directory (tenant) ID = from Part A.
  6. Click Save, then Test — sign in with a Microsoft account and confirm you see "Your connection works."

Tip

If you used a placeholder redirect URI in Part A step 4, go back to Entra now and set it to your real https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback.

Part C — Put login in front of the app

  1. In Cloudflare Zero Trust, left menu → AccessApplications+ Add an application.
  2. Choose Self-hosted.
  3. Application name: Cove Audit Reporter.
  4. Session duration: leave default (e.g. 24 hours).
  5. Under Application domain, enter your app's domain, e.g. backup-audit.totlcom.com (leave the path blank so the whole app is protected).
  6. Under Identity providers, make sure Azure AD (from Part B) is selected. Click Next.
  7. Add a policy for normal access:
    • Policy name: Company users.
    • Action: Allow.
    • Configure rules: add an Include rule — for example Emails ending in @totlcom.com (or Login Methods → Azure AD).
  8. Save the application.

Lock down the admin area

Add a second application that covers only the admin path, allowing just you:

  1. Access → Applications → + Add an application → Self-hosted.
  2. Name: Cove Audit Reporter – Admin.
  3. Application domain: your domain with the path /admin (and add another for /api/v1/admin if the form allows a second domain/path).
  4. Policy: Allow, Include → Emails → your admin email(s) only.
  5. Save.

Note

Cloudflare matches the most specific application first, so the /admin app's stricter policy applies to admin pages while the main app covers everything else.

In-app admins vs. the Access policy

You can add more admins inside the app (Admin → Admins), but Cloudflare Access is a separate gate in front of /admin. A newly added admin also needs to satisfy the /admin Access policy to reach those pages. Two options: (1) make the /admin Access policy allow all your org users and let the app enforce who's an admin (simplest — the app already blocks non-admins), or (2) keep the strict Access policy and add each new admin's email to it as well. Config owners always work as long as they're allowed by Access.

Part D — Get the two values the app needs

The app verifies every request against your Access settings, using two values:

  1. Team domain\<your-team-name\>.cloudflareaccess.com from Part B.
  2. AUD tag — open Access → Applications → Cove Audit Reporter → Overview (or Settings). Copy the Application Audience (AUD) Tag (a long hex string).

Set them as secrets (from the project folder in your terminal):

npx wrangler secret put CF_ACCESS_TEAM_DOMAIN
npx wrangler secret put CF_ACCESS_AUD

Paste the team domain and AUD tag when prompted. Then re-deploy:

npm run deploy

Now visiting the app redirects to a Microsoft login, and only allowed users get in.

The configuration file

Non-secret settings live in server/config/app.config.ts — committed to git and changed only by editing the file and re-deploying. They cannot be changed from the running app.

export const appConfig = {
  adminEmails: ["robertbettencourt@totlcom.com"],
  m365: {
    senderUpn: "reports@totlcom.com",
    tenantId: "YOUR_TENANT_ID",
    clientId: "YOUR_CLIENT_ID",
    allowSendAsOtherMailboxes: false,
  },
  report: {
    staleDays: 7,
    defaultTimezone: "America/Los_Angeles",
  },
} as const;
Setting Purpose
adminEmails Who can reach /admin and admin APIs (must also be allowed by the Access admin policy)
m365.senderUpn The only mailbox reports can be sent from
m365.tenantId / clientId The mail app registration (from Microsoft 365 connection)
report.staleDays Days without a successful backup before a device is flagged
report.defaultTimezone Timezone for scheduling and timestamps

Warning

After editing this file you must re-run npm run deploy. Changing an admin or the sender mailbox is deliberately code-only — there is no button for it.