Access & configuration¶
This page puts a login screen in front of the app so only your staff can reach it, using their Microsoft 365 accounts. It assumes no prior Cloudflare Zero Trust experience.
There are three parts: (A) tell Microsoft to trust Cloudflare, (B) tell Cloudflare to use Microsoft for login, (C) put the login in front of your app. Do them in order.
This Entra registration is separate from the mail one
The registration you create in Part A is only for login. It is not the same as the mail-sending registration in Microsoft 365 connection. Keep them separate.
Part A — Register Cloudflare in Microsoft Entra¶
- Go to https://entra.microsoft.com → Identity → Applications → App registrations → + New registration.
- Name:
Cloudflare Access – Login. - Supported account types: Accounts in this organizational directory only.
-
Redirect URI: choose Web in the dropdown and enter (you'll get your team name in Part B — for now use a placeholder and fix it after, or set your known team name):
5. Click Register. 6. On the Overview page, copy the Application (client) ID and Directory (tenant) ID. 7. In the left menu select Certificates & secrets → + New client secret → give it a name, choose an expiry, Add. Immediately copy the secret's Value (it's only shown once). 8. In the left menu select API permissions → + Add a permission → Microsoft Graph → Delegated → addhttps://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callbackemail,openid,profile,offline_access,User.Read→ Add permissions → Grant admin consent.
Keep the client ID, tenant ID, and secret value handy for Part B.
Part B — Add Microsoft as a login method in Cloudflare¶
- Go to https://one.dash.cloudflare.com (Cloudflare Zero Trust). If it's your first time, follow the prompt to choose a team name — write this down; it becomes
https://<your-team-name>.cloudflareaccess.com(your team domain). - In the left menu select Settings → Authentication.
- Under Login methods, click Add new.
- Choose Azure AD (Microsoft Entra ID).
- Fill in:
- App ID = the Application (client) ID from Part A.
- Client secret = the secret Value from Part A.
- Directory (tenant) ID = from Part A.
- Click Save, then Test — sign in with a Microsoft account and confirm you see "Your connection works."
Tip
If you used a placeholder redirect URI in Part A step 4, go back to Entra now and set it to your real https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback.
Part C — Put login in front of the app¶
- In Cloudflare Zero Trust, left menu → Access → Applications → + Add an application.
- Choose Self-hosted.
- Application name:
Cove Audit Reporter. - Session duration: leave default (e.g. 24 hours).
- Under Application domain, enter your app's domain, e.g.
backup-audit.totlcom.com(leave the path blank so the whole app is protected). - Under Identity providers, make sure Azure AD (from Part B) is selected. Click Next.
- Add a policy for normal access:
- Policy name:
Company users. - Action: Allow.
- Configure rules: add an Include rule — for example Emails ending in
@totlcom.com(or Login Methods → Azure AD).
- Policy name:
- Save the application.
Lock down the admin area¶
Add a second application that covers only the admin path, allowing just you:
- Access → Applications → + Add an application → Self-hosted.
- Name:
Cove Audit Reporter – Admin. - Application domain: your domain with the path
/admin(and add another for/api/v1/adminif the form allows a second domain/path). - Policy: Allow, Include → Emails → your admin email(s) only.
- Save.
Note
Cloudflare matches the most specific application first, so the /admin app's stricter policy applies to admin pages while the main app covers everything else.
In-app admins vs. the Access policy
You can add more admins inside the app (Admin → Admins), but Cloudflare Access is a separate gate in front of /admin. A newly added admin also needs to satisfy the /admin Access policy to reach those pages. Two options: (1) make the /admin Access policy allow all your org users and let the app enforce who's an admin (simplest — the app already blocks non-admins), or (2) keep the strict Access policy and add each new admin's email to it as well. Config owners always work as long as they're allowed by Access.
Part D — Get the two values the app needs¶
The app verifies every request against your Access settings, using two values:
- Team domain —
\<your-team-name\>.cloudflareaccess.comfrom Part B. - AUD tag — open Access → Applications → Cove Audit Reporter → Overview (or Settings). Copy the Application Audience (AUD) Tag (a long hex string).
Set them as secrets (from the project folder in your terminal):
npx wrangler secret put CF_ACCESS_TEAM_DOMAIN
npx wrangler secret put CF_ACCESS_AUD
Paste the team domain and AUD tag when prompted. Then re-deploy:
npm run deploy
Now visiting the app redirects to a Microsoft login, and only allowed users get in.
The configuration file¶
Non-secret settings live in server/config/app.config.ts — committed to git and changed only by editing the file and re-deploying. They cannot be changed from the running app.
export const appConfig = {
adminEmails: ["robertbettencourt@totlcom.com"],
m365: {
senderUpn: "reports@totlcom.com",
tenantId: "YOUR_TENANT_ID",
clientId: "YOUR_CLIENT_ID",
allowSendAsOtherMailboxes: false,
},
report: {
staleDays: 7,
defaultTimezone: "America/Los_Angeles",
},
} as const;
| Setting | Purpose |
|---|---|
adminEmails |
Who can reach /admin and admin APIs (must also be allowed by the Access admin policy) |
m365.senderUpn |
The only mailbox reports can be sent from |
m365.tenantId / clientId |
The mail app registration (from Microsoft 365 connection) |
report.staleDays |
Days without a successful backup before a device is flagged |
report.defaultTimezone |
Timezone for scheduling and timestamps |
Warning
After editing this file you must re-run npm run deploy. Changing an admin or the sender mailbox is deliberately code-only — there is no button for it.