[IAM] More details with Entra + SCIM (#23380)

cicku · dcpena · thomasgauvin · commit 1ad5c45d058e · 2025-08-15T16:52:25.000-04:00
* Update Entra guide

* Update entra.mdx

* Update index.mdx

* Update entra.mdx

* Update entra.mdx

* Update index.mdx

* Update okta.mdx

* Update index.mdx

* Update index.mdx

* Update entra.mdx

* Update index.mdx

* Update entra.mdx

* Update entra.mdx

* Changes to align with style guide

* Minor updates to align with style guide

---------

Co-authored-by: Denise Peña &lt;75506267+dcpena@users.noreply.github.com&gt;
diff --git a/src/content/docs/fundamentals/account/account-security/scim-setup/entra.mdx b/src/content/docs/fundamentals/account/account-security/scim-setup/entra.mdx
@@ -9,36 +9,43 @@ import { Render } from "~/components";
 
 <Render file="idp-group-deprecation" />
 
+Once you have [gathered the required data](/fundamentals/account/account-security/scim-setup/#gather-the-required-data), the following steps will be required to finish the provisioning with Entra.
+
 ## Set up the Enterprise application
 
-1. Go to your Microsoft Entra ID instance and select **Enterprise Applications**.
-2. Select **Create your own application** and name your application.
-3. Select **Integrate any other application you do not find in the gallery (Non-gallery)**.
-4. Select **Create**.
+1. Go to the Entra admin center and select **Applications** > **Enterprise Applications**.
+2. In the Microsoft Entra Gallery, select **New application** > **Create your own application**, then choose a name.
+3. Select **Integrate any other application you don't find in the gallery (Non-gallery)**.
+4. **Create** an application.
 
 ## Provision the Enterprise application
 
-1. Under **Manage** on the sidebar menu, select **Provisioning**.
-2. Select **Automatic** on the dropdown menu for the Provisioning Mode.
-3. Enter your API token value and the tenant URL: `https://api.cloudflare.com/client/v4/accounts/<your_account_ID>/scim/v2`.
-4. Select **Test Connection**, then select **Save**.
+1. Inside the newly created application under **Manage** from the sidebar menu, select **Provisioning**.
+2. Select **New configuration** and enter the **Tenant URL**: `https://api.cloudflare.com/client/v4/accounts/<ACCOUNT_ID>/scim/v2`. Replace `<ACCOUNT_ID>` with your own account ID.
+3. Paste the SCIM provisioning API token value as **Secret token**.
+4. Select **Test Connection** then **Save** the configuration.
 
-## Configure user & group sync in Microsoft Entra ID application
+## Configure user and group synchronization
 
-1. Once the SCIM application is created, [assign users and groups to the application](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/assign-user-or-group-access-portal?pivots=portal).
-2. To begin syncing your Users & Groups into Cloudflare, navigate back to **Provisioning**, and under **Provisioning Status**, check *On*, then select **Save**. 
+1. Navigate to the newly created application under **Manage** from the sidebar menu, select **Users and groups**.
+2. [Assign users and groups to the application](https://learn.microsoft.com/entra/identity/enterprise-apps/assign-user-or-group-access-portal).
+3. After the users are assigned, navigate to **Provisioning** on the sidebar menu and select **Start Provisioning**.
 
 :::note
-To successfully provision with Microsoft Entra ID, the `user principal name` and `email` fields must match. These values are case-sensitive.
+To successfully synchronize the group details into Cloudflare the `User Principal Name` (of `Identity`) and `Email` (of `Contact Information`) fields of each user must be identical. Values are case-sensitive, and the User Principal Name can only contain alphanumeric characters. Learn more about [how to create, invite, and delete users](https://learn.microsoft.com/entra/fundamentals/how-to-create-delete-users). 
 :::
 
-3. To validate which users and groups were synchronized, select **Provisioning logs** in Microsoft Entra. You can also check the Cloudflare dashboard Audit Logs by navigating to **Manage Account** > **Audit Log**. 
-4. To grant permissions to Users & Groups in Cloudflare, refer to the Permission Policies guide.
+4. To validate which users and groups have been synchronized, navigate to **Provisioning logs** on the sidebar menu. You can also [review the Cloudflare Audit Logs](/fundamentals/account/account-security/review-audit-logs/).
+
+:::caution[Read-only group]
+If the Entra group shares the same name of an existing Cloudflare user group, the Cloudflare user group will become read-only after the provisioning.
+:::
 
+5. To grant permissions to users and groups at Cloudflare, refer to [Roles](/fundamentals/manage-members/roles/) and [Policies](/fundamentals/manage-members/policies/).
 
 ## (Optional) Automate Cloudflare's SCIM integration
 
-Cloudflare's SCIM integration requires one external application per account. Customers with many accounts may want to automate part of the setup to save time and reduce the amount of time spent in the Entra administrative UI.
+Cloudflare's SCIM integration requires one external application per account. Customers with multiple accounts may want to automate part of the setup to save time and reduce the amount of time spent in the Entra administrative UI.
 
 The initial setup of creating the non-gallery applications and adding the provisioning URL and API key are scriptable via API, but the rest of the setup is dependent on your specific need and IDP configuration.
 
diff --git a/src/content/docs/fundamentals/account/account-security/scim-setup/index.mdx b/src/content/docs/fundamentals/account/account-security/scim-setup/index.mdx
@@ -4,12 +4,21 @@ title: SCIM provisioning
 
 ---
 
-Cloudflare supports bulk provisioning of users into the Cloudflare dashboard by using the System for Cross-domain Identity Management (SCIM) protocol. This allows you to connect your external identity provider (IdP) to Cloudflare and quickly onboard and manage users and their permissions. Cloudflare supports SCIM onboarding with Okta and Microsoft Entra.
+Cloudflare supports bulk provisioning of users into the Cloudflare dashboard by using the System for Cross-domain Identity Management (SCIM) protocol. This allows you to connect an external identity provider (IdP) to Cloudflare, quickly onboard and manage user permissions. Currently, SCIM provisioning has been integrated with Okta and Microsoft Entra.
 
 :::note
-This section covers SCIM provisioning for the Cloudflare dashboard only. If you need to provision SCIM for Cloudflare Zero Trust, refer to [Zero Trust SCIM provisioning](/cloudflare-one/identity/users/scim/).
+This section covers SCIM provisioning for the Cloudflare dashboard. If you need to provision SCIM for Cloudflare Zero Trust, refer to [Zero Trust SCIM provisioning](/cloudflare-one/identity/users/scim/).
 :::
 
+## Objectives
+
+Once the SCIM provisioning is enabled:
+
+- A Cloudflare account can receive user group provisioning from the identity provider.
+- Members of each user group can be assigned one or more [policies](/fundamentals/manage-members/policies/). Each policy defines one or more [roles](https://developers.cloudflare.com/fundamentals/manage-members/roles/) applied to all group members thereof.
+- Members can belong to multiple user groups, and each group can also be configured with different policies.
+- Policies provisioned via SCIM can coexist with policies configured via the [traditional setup](/fundamentals/manage-members/manage/#edit-member-permissions).
+
 ## Expected behaviors
 
 Expectations for user lifecycle management with SCIM:
@@ -28,19 +37,18 @@ Expectations for user lifecycle management with SCIM:
 
 ## Prerequisites
 
-- Cloudflare provisioning with SCIM is only available to Enterprise customers using Okta or Microsoft Entra.
-- You must be a [Super Administrator](/fundamentals/manage-members/roles/) on the account.
-- In your identity provider, you must have the ability to create applications and groups.
+- Cloudflare dashboard SCIM provisioning is only available to Enterprise customers using Okta or Microsoft Entra.
+- You must be a Super Administrator for the initial setup.
+- In the identity provider, you must have the ability to create applications and groups.
 
 ---
 ## Gather the required data
 
 To start, you will need to collect a couple of pieces of data from Cloudflare and set these aside for later use.
 
-### Get your Account ID
+### Get the Account ID
 
-1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to the Cloudflare account that you want to configure for SCIM provisioning.
-2. Copy your account ID from the account home page.
+The account ID can be found via dashboard or API. For more information, refer to [Find account and zone IDs](/fundamentals/account/find-account-and-zone-ids/).
 
 ### Create an API token
 
@@ -52,7 +60,7 @@ To start, you will need to collect a couple of pieces of data from Cloudflare an
 
    :::note
 
-   Cloudflare recommends using Account Owned API Tokens for SCIM Provisioning. Using user-specific API tokens, while supported, will lead to a broken SCIM connection in the event that the user's policies are revoked from the account with the SCIM integration. Learn more about [account owned tokens](/fundamentals/api/get-started/account-owned-tokens/).
+   Account owned API tokens are recommended for SCIM Provisioning. User owned API tokens, while supported, may result in a broken SCIM connection in the event when the user's policies are revoked from the SCIM integration, or the [API access](/fundamentals/api/how-to/control-api-access/) is unexpectedly disabled. Learn more about [account owned tokens](/fundamentals/api/get-started/account-owned-tokens/).
    :::
 
 2. Under **Account Resources**, select the specific account to include or exclude from the dropdown menu, if applicable.
diff --git a/src/content/docs/fundamentals/account/account-security/scim-setup/okta.mdx b/src/content/docs/fundamentals/account/account-security/scim-setup/okta.mdx
@@ -9,6 +9,8 @@ import { Render } from "~/components";
 
 <Render file="idp-group-deprecation" />
 
+Once you have [gathered the required data](/fundamentals/account/account-security/scim-setup/#gather-the-required-data), the following steps will be required to finish the provisioning with Okta.
+
 ## Set up your Okta SCIM application
 
 1. In the Okta dashboard, go to **Applications** > **Applications**.
@@ -43,4 +45,4 @@ The **Update User Attributes** option is not supported.
 
 To verify the integration, select **View Logs** in the Okta SCIM application, and check the Audit Logs in the Cloudflare dashboard by navigating to **Manage Account** > **Audit Log**. 
 
-This will provision all of the users in the group(s) affected to your Cloudflare account with "minimal account access."
+This will provision all of the users in the group(s) affected to your Cloudflare account with "minimal account access."
