Tutorial: Configure Cloudflare with Azure Active Directory B2C

In this sample tutorial, learn how to enable the Cloudflare Web Application Firewall (WAF) solution for an Azure Active Directory (AD) B2C tenant that uses a custom domain. Cloudflare WAF helps organizations protect against attacks that aim to exploit vulnerabilities such as SQL injection (SQLi) and cross-site scripting (XSS).

Note

This feature is in public preview.

Prerequisites

To get started, you'll need:

Scenario description

Cloudflare WAF integration includes the following components:

  • Azure AD B2C tenant – The authorization server, responsible for verifying the user's credentials using the custom policies defined in the tenant. It's also known as the identity provider.

  • Azure Front Door – Responsible for enabling custom domains for the Azure AD B2C tenant. All traffic from Cloudflare WAF is routed to Azure Front Door before it arrives at the Azure AD B2C tenant.

  • Cloudflare – The web application firewall, which manages all traffic sent to the authorization server.

Integrate with Azure AD B2C

To use custom domains in Azure AD B2C, you must use the custom domain feature provided by Azure Front Door. Learn how to enable Azure AD B2C custom domains.

After the custom domain for Azure AD B2C is successfully configured using Azure Front Door, test the custom domain before proceeding further.

Onboard with Cloudflare

Sign up and create a Cloudflare account. To enable WAF, a minimum of the Pro SKU is required.

Configure DNS

  1. To enable WAF for a domain, you must turn on the proxy setting from the DNS console for the CNAME entry, as shown in the example for the domain id.contosobank.co.uk.

    Image shows how to select proxy settings

  2. Toggle the Proxy status option available under the DNS pane.

  3. After you switch it to Proxied, the status indicator turns orange. The final setting should look like:

    Image shows how to select proxied

Configure WAF

Configure WAF in your Cloudflare settings.

Configure firewall rule

Add, update, or remove firewall rules using the firewall option available in the top pane of the console. For example, the following firewall setting enables CAPTCHA for all incoming requests to the contosobank.co.uk domain before the request is sent to Azure Front Door. Learn more about setting firewall rules.

Image shows how to enforce captcha
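The two dashboard settings above, the proxied CNAME record and the challenge rule for the custom domain, expressed as an added Terraform example using the Cloudflare provider (not part of the original tutorial). The zone ID, the Front Door endpoint hostname, and the provider v4 resource schema (`cloudflare_record`, `cloudflare_ruleset`) are assumptions.

```hcl
# Assumed inputs: the Cloudflare zone for contosobank.co.uk and the Azure
# Front Door endpoint hostname that fronts the Azure AD B2C custom domain.
variable "zone_id" {
  type        = string
  description = "Cloudflare zone ID for contosobank.co.uk (placeholder)"
}

variable "front_door_hostname" {
  type        = string
  description = "Azure Front Door endpoint, e.g. <endpoint>.azurefd.net (placeholder)"
}

# Configure DNS: the CNAME for id.contosobank.co.uk must be proxied
# (orange cloud) so that requests pass through Cloudflare WAF before
# reaching Azure Front Door. Proxied records require ttl = 1 (automatic).
resource "cloudflare_record" "b2c_custom_domain" {
  zone_id = var.zone_id
  name    = "id"
  type    = "CNAME"
  value   = var.front_door_hostname
  proxied = true
  ttl     = 1
}

# Configure firewall rule: challenge every request to the B2C custom
# domain before it is forwarded to Azure Front Door. "managed_challenge"
# is Cloudflare's current equivalent of the CAPTCHA challenge shown in
# the tutorial's dashboard screenshot.
resource "cloudflare_ruleset" "b2c_challenge" {
  zone_id     = var.zone_id
  name        = "Challenge Azure AD B2C custom domain"
  description = "Require a challenge before traffic reaches Azure Front Door"
  kind        = "zone"
  phase       = "http_request_firewall_custom"

  rules {
    action      = "managed_challenge"
    expression  = "(http.host eq \"id.contosobank.co.uk\")"
    description = "CAPTCHA-style challenge for all requests to the B2C domain"
    enabled     = true
  }
}
```

Apply with `terraform apply` after setting the two variables; the DNS record must be proxied or the ruleset never sees the traffic.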

Test the settings

  1. After you save the rule, a CAPTCHA must be completed every time the custom domain is accessed.

    Image shows Cloudflare WAF enforcing CAPTCHA

    Note

    Cloudflare also provides various other options to create customized block pages.

  2. The user is taken to the Azure AD B2C policy after successfully completing the CAPTCHA.

    Image shows Azure AD B2C policy login
