diff --git a/internal/clients/cf/access.go b/internal/clients/cf/access.go
index 6abe35d..ea13349 100644
--- a/internal/clients/cf/access.go
+++ b/internal/clients/cf/access.go
@@ -1917,6 +1917,30 @@ func (c *API) ListAccessApplicationsByName(ctx context.Context, name string) (*A
 	return nil, fmt.Errorf("access application not found: %s", name)
 }
 
+// ListAccessApplicationsByDomain finds an Access Application by domain.
+func (c *API) ListAccessApplicationsByDomain(ctx context.Context, domain string) (*AccessApplicationResult, error) {
+	if _, err := c.GetAccountId(ctx); err != nil {
+		c.Log.Error(err, "error getting account ID")
+		return nil, err
+	}
+
+	rc := cloudflare.AccountIdentifier(c.ValidAccountId)
+
+	apps, _, err := c.CloudflareClient.ListAccessApplications(ctx, rc, cloudflare.ListAccessApplicationsParams{})
+	if err != nil {
+		c.Log.Error(err, "error listing access applications")
+		return nil, err
+	}
+
+	for _, app := range apps {
+		if app.Domain == domain {
+			return convertAccessApplicationToResult(app, c.ValidAccountId), nil
+		}
+	}
+
+	return nil, fmt.Errorf("access application not found: %s", domain)
+}
+
 // ============================================================================
 // Conversion helper functions for AccessApplication
 // ============================================================================
diff --git a/internal/clients/cf/interface.go b/internal/clients/cf/interface.go
index 1a940f9..5248006 100644
--- a/internal/clients/cf/interface.go
+++ b/internal/clients/cf/interface.go
@@ -60,6 +60,7 @@ type CloudflareClient interface {
 	UpdateAccessApplication(ctx context.Context, applicationID string, params AccessApplicationParams) (*AccessApplicationResult, error)
 	DeleteAccessApplication(ctx context.Context, applicationID string) error
 	ListAccessApplicationsByName(ctx context.Context, name string) (*AccessApplicationResult, error)
+	ListAccessApplicationsByDomain(ctx context.Context, domain string) (*AccessApplicationResult, error)
 
 	// Access Policy operations
 	CreateAccessPolicy(ctx context.Context, params AccessPolicyParams) (*AccessPolicyResult, error)
diff --git a/internal/clients/cf/mock/mock_client.go b/internal/clients/cf/mock/mock_client.go
index 0f8c8a3..baa802a 100644
--- a/internal/clients/cf/mock/mock_client.go
+++ b/internal/clients/cf/mock/mock_client.go
@@ -549,6 +549,21 @@ func (mr *MockCloudflareClientMockRecorder) EnableWebAnalytics(ctx, hostname any
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "EnableWebAnalytics", reflect.TypeOf((*MockCloudflareClient)(nil).EnableWebAnalytics), ctx, hostname)
 }
 
+// FindPagesDeploymentByCommitHash mocks base method.
+func (m *MockCloudflareClient) FindPagesDeploymentByCommitHash(ctx context.Context, projectName, commitHash string) (*cf.PagesDeploymentResult, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "FindPagesDeploymentByCommitHash", ctx, projectName, commitHash)
+	ret0, _ := ret[0].(*cf.PagesDeploymentResult)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// FindPagesDeploymentByCommitHash indicates an expected call of FindPagesDeploymentByCommitHash.
+func (mr *MockCloudflareClientMockRecorder) FindPagesDeploymentByCommitHash(ctx, projectName, commitHash any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "FindPagesDeploymentByCommitHash", reflect.TypeOf((*MockCloudflareClient)(nil).FindPagesDeploymentByCommitHash), ctx, projectName, commitHash)
+}
+
 // GetAccessApplication mocks base method.
 func (m *MockCloudflareClient) GetAccessApplication(ctx context.Context, applicationID string) (*cf.AccessApplicationResult, error) {
 	m.ctrl.T.Helper()
@@ -1015,6 +1030,21 @@ func (mr *MockCloudflareClientMockRecorder) InsertOrUpdateTXT(ctx, fqdn, txtID,
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "InsertOrUpdateTXT", reflect.TypeOf((*MockCloudflareClient)(nil).InsertOrUpdateTXT), ctx, fqdn, txtID, dnsID)
 }
 
+// ListAccessApplicationsByDomain mocks base method.
+func (m *MockCloudflareClient) ListAccessApplicationsByDomain(ctx context.Context, domain string) (*cf.AccessApplicationResult, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "ListAccessApplicationsByDomain", ctx, domain)
+	ret0, _ := ret[0].(*cf.AccessApplicationResult)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// ListAccessApplicationsByDomain indicates an expected call of ListAccessApplicationsByDomain.
+func (mr *MockCloudflareClientMockRecorder) ListAccessApplicationsByDomain(ctx, domain any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ListAccessApplicationsByDomain", reflect.TypeOf((*MockCloudflareClient)(nil).ListAccessApplicationsByDomain), ctx, domain)
+}
+
 // ListAccessApplicationsByName mocks base method.
 func (m *MockCloudflareClient) ListAccessApplicationsByName(ctx context.Context, name string) (*cf.AccessApplicationResult, error) {
 	m.ctrl.T.Helper()
@@ -1135,21 +1165,6 @@ func (mr *MockCloudflareClientMockRecorder) ListPagesDeployments(ctx, projectNam
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ListPagesDeployments", reflect.TypeOf((*MockCloudflareClient)(nil).ListPagesDeployments), ctx, projectName)
 }
 
-// FindPagesDeploymentByCommitHash mocks base method.
-func (m *MockCloudflareClient) FindPagesDeploymentByCommitHash(ctx context.Context, projectName, commitHash string) (*cf.PagesDeploymentResult, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "FindPagesDeploymentByCommitHash", ctx, projectName, commitHash)
-	ret0, _ := ret[0].(*cf.PagesDeploymentResult)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// FindPagesDeploymentByCommitHash indicates an expected call of FindPagesDeploymentByCommitHash.
-func (mr *MockCloudflareClientMockRecorder) FindPagesDeploymentByCommitHash(ctx, projectName, commitHash any) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "FindPagesDeploymentByCommitHash", reflect.TypeOf((*MockCloudflareClient)(nil).FindPagesDeploymentByCommitHash), ctx, projectName, commitHash)
-}
-
 // ListPagesDomains mocks base method.
 func (m *MockCloudflareClient) ListPagesDomains(ctx context.Context, projectName string) ([]cf.PagesDomainResult, error) {
 	m.ctrl.T.Helper()
diff --git a/internal/controller/accessapplication/controller.go b/internal/controller/accessapplication/controller.go
index 6f19782..13976b1 100644
--- a/internal/controller/accessapplication/controller.go
+++ b/internal/controller/accessapplication/controller.go
@@ -200,8 +200,8 @@ func (r *Reconciler) reconcileApplication(
 				"applicationID", existing.ID)
 		}
 	} else {
-		// Try to find existing by name first
-		existing, err := apiResult.API.ListAccessApplicationsByName(ctx, appName)
+		// Try to find existing by domain first
+		existing, err := apiResult.API.ListAccessApplicationsByDomain(ctx, params.Domain)
 		if err == nil && existing != nil {
 			// Found existing, adopt it
 			logger.Info("Found existing AccessApplication in Cloudflare, adopting",