SCIM logs

Author: ranbel

src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx

@@ -222,7 +222,7 @@ SCIM requires a separate enterprise application from the one created during [ini
 
 12. On the **Provisioning** page, select **Start provisioning**. You will see the synchronization status in Entra ID.
 
-To check which users and groups were synchronized, select **View provisioning logs**.
+To check which users and groups were synchronized, select **View provisioning logs** in Entra ID.
 
 <Render file="access/verify-scim-provisioning" />
 

src/content/docs/cloudflare-one/insights/logs/scim-logs.mdx

@@ -0,0 +1,33 @@
+---
+pcx_content_type: reference
+title: SCIM activity logs
+sidebar:
+  order: 3
+  label: SCIM logs
+---
+
+import { Render } from "~/components";
+
+SCIM activity logs allow administrators to audit how [SCIM provisioning](/cloudflare-one/identity/users/scim/) events in an identity provider (such as create, update, and delete) affect a user's identity and group membership in Zero Trust. You can compare your Zero Trust SCIM logs with your identity provider's SCIM logs to track how identity data is shared between the two services and pinpoint the source of any provisioning errors.
+
+## View SCIM logs
+
+For an overview of SCIM events across all users, log in to [Zero Trust](https://one.dash.cloudflare.com/) and go to **Logs** > **SCIM provisioning**. This page lists the inbound SCIM requests from all identity providers configured with SCIM. You can select an individual request to view more details about the SCIM operation.
+
+To investigate how SCIM events impacted a specific user, go to their [User Registry identity](/cloudflare-one/insights/logs/users/).
+
+<Render file="access/scim-requires-login" product="cloudflare-one" />
+
+## Log fields
+
+SCIM provisioning logs show the following information for each inbound SCIM request:
+
+- **IdP name**: UUID of the identity provider
+- **Timestamp**: Date and time of the request
+- **Action**: HTTP request method (`POST`, `PATCH`, `DELETE`)
+- **User email**: User who received the SCIM identity update
+- **Resource type**: Identity attribute that was modified (`GROUP` or ?)
+- **CF resource ID**:
+- **Outcome**: HTTP request response (`SUCCESS` or `ERROR`)
+- **Request body**: HTTP request body containing the data that was added, modified, or removed
+- **JSON log**: SCIM request log in JSON format

src/content/partials/cloudflare-one/access/scim-requires-login.mdx

@@ -0,0 +1,7 @@
+---
+{}
+---
+
+:::note
+New users must first [register the WARP client](/cloudflare-one/connections/connect-devices/warp/deployment/manual-deployment/) or authenticate to an Access application before SCIM provisioning can begin.
+:::

src/content/partials/cloudflare-one/access/verify-scim-provisioning.mdx

@@ -2,8 +2,8 @@
 {}
 ---
 
-To check if a user's identity was updated in Zero Trust, view their [User Registry identity](/cloudflare-one/insights/logs/users/).
+import { Render } from "~/components";
 
-:::note
-New users must first register the WARP client or authenticate to an Access application before SCIM provisioning can begin.
-:::
+To check if user identities were updated in Zero Trust, view your [SCIM provisioning logs](/cloudflare-one/insights/logs/scim-logs/).
+
+<Render file="access/scim-requires-login" product="cloudflare-one" />