[CF1] microsoft entra ID IdP guide revision (#21792)

* [CF1] microsoft entra ID IdP guide revision

* final edits

* final

Author: deadlypants1973

src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx

@@ -19,45 +19,43 @@ The following Entra ID values are required to set up the integration:
 
 To retrieve those values:
 
-1.  Log in to the [Azure dashboard](https://portal.azure.com/).
+1.  Log in to the [Microsoft Entra admin center](https://entra.microsoft.com/).
 
-2.  Go to **All services** > **Microsoft Entra ID**.
+2.  Go to **Applications** > **Enterprise applications**.
 
-3.  In the sidebar, go to **Manage** > **Enterprise applications**.
+3.  Select **New application**, then select **Create your own application**.
 
-4.  Select **New application**, then select **Create your own application**.
+4.  Name your application.
 
-5.  Name your application.
+5.  Select **Register an application to integrate with Microsoft Entra ID (App you're developing)**. If offered, do not select any of the gallery applications. Select **Create**.
 
-6.  Select **Register an application to integrate with Microsoft Entra ID (App you're developing)** and then select **Create**.
-
-7.  Under **Redirect URI**, select the _Web_ platform and enter the following URL:
+6.  Under **Redirect URI**, select the _Web_ platform and enter the following URL.
 
     ```txt
     https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback
     ```
 
-    You can find your team name in Zero Trust under **Settings** > **Custom Pages**.
+    In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Custom Pages** to find your team name.
 
     ![Registering an application in Azure](~/assets/images/cloudflare-one/identity/azure/name-app.png)
 
-8.  Select **Register**.
+7.  Select **Register**.
 
-9.  Next, return to Microsoft Entra ID and go to go to **Manage** > **App registrations**.
+8.  Next, return to Microsoft Entra ID and go to **Applications** > **App registrations**.
 
-10. Select the app you just created. Copy the **Application (client) ID** and **Directory (tenant) ID**.
+9. Select **All applications** and select the app you just created. Copy the **Application (client) ID** and **Directory (tenant) ID**. You will need these values when [adding Entra ID as an identity provider in step 3](/cloudflare-one/identity/idp-integration/entra-id/#3-add-entra-id-as-an-identity-provider).
 
     ![Viewing the Application ID and Directory ID in Azure](~/assets/images/cloudflare-one/identity/azure/azure-values.png)
 
-11. Under **Client credentials**, go to **Add a certificate or secret**. Select **New client secret**.
+10. Under **Client credentials**, go to **Add a certificate or secret**. Select **New client secret**.
 
-12. Name the client secret and choose an expiration period.
+11. Name the client secret and choose an expiration period.
 
     :::note
     When the client secret expires, users will be unable to log in through Access. Take note of your expiry date to prevent login errors and renew your client secret when necessary.
     :::
 
-13. After the client secret is created, copy its **Value** field. Store the client secret in a safe place, as it can only be viewed immediately after creation.
+12. After the client secret is created, copy its **Value** field. Store the client secret in a safe place, as it can only be viewed immediately after creation. You will need this client secret value when [adding Entra ID as an identity provider in step 3](/cloudflare-one/identity/idp-integration/entra-id/#3-add-entra-id-as-an-identity-provider).
 
     ![Location of client secret in Azure](~/assets/images/cloudflare-one/identity/azure/client-cert-value.png)
 
@@ -101,7 +99,11 @@ More narrow permissions may be used, however this is the set of permissions that
 
 4. Enter the **Application (client) ID**, **Client secret**, and **Directory (tenant) ID** obtained from Microsoft Entra ID.
 
-5. (Optional) Configure the following settings:
+5. Select **Save**.
+
+6. To [test](/cloudflare-one/identity/idp-integration/#test-idps-in-zero-trust) that your connection is working, select **Test**.
+
+7. (Optional) Configure the following settings:
 
    - **Proof Key for Code Exchange**: Perform [PKCE](https://www.oauth.com/oauth2-servers/pkce/) on all login attempts.
    - **Support Groups**: Allow Cloudflare to read a user's Entra ID group membership.
@@ -110,10 +112,6 @@ More narrow permissions may be used, however this is the set of permissions that
    - **Email claim**: Enter the Entra ID claim that you wish to use for user identification (for example, `preferred_username`).
    - **OIDC Claims**: Enter [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#oidc-claims) that you wish to add to your users' identity. This information will be available in the [user identity endpoint](/cloudflare-one/identity/authorization-cookie/application-token/#user-identity).
 
-6. Select **Save**.
-
-To [test](/cloudflare-one/identity/idp-integration/#test-idps-in-zero-trust) that your connection is working, select **Test**.
-
 </TabItem> <TabItem label="API">
 
 1.  [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions:
@@ -139,16 +137,19 @@ To [test](/cloudflare-one/identity/idp-integration/#test-idps-in-zero-trust) tha
         }'
         ```
 
-</TabItem> <TabItem label="Terraform (v5)">
+</TabItem> <TabItem label="Terraform">
 
+:::note[Provider versions]
+The following example requires Cloudflare provider version `4.40.0` or greater.
+:::
 
 1.  Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token):
 
     - `Access: Organizations, Identity Providers, and Groups Write`
 
 2.  Configure the [`cloudflare_zero_trust_access_identity_provider`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_access_identity_provider) resource:
 
-		<Render file="access/entra-id-terraform" />
+        <Render file="access/entra-id-terraform" />
 
 </TabItem> </Tabs>
 
@@ -197,37 +198,41 @@ SCIM requires a separate enterprise application from the one created during [ini
 
 3. Name your application (for example, `Cloudflare Access SCIM`).
 
-4. Select **Integrate any other application you don't find in the gallery (Non-gallery)**.
+4. Select **Integrate any other application you don't find in the gallery (Non-gallery)**. If offered, do not select any of the gallery applications. Select **Create**.
 
-5. Once the SCIM application is created, [assign users and groups to the application](https://learn.microsoft.com/entra/identity/enterprise-apps/assign-user-or-group-access-portal).
+5. After you have created the application, go to **Provisioning** > select **New Configuration**.
 
-   :::note
-   Groups in this SCIM application should match the groups in your other [Cloudflare Access enterprise application](/cloudflare-one/identity/idp-integration/entra-id/#set-up-entra-id-as-an-identity-provider). Because SCIM group membership updates will overwrite any groups in a user's identity, assigning the same groups to each app ensures consistent policy evaluation.
-   :::
+6. In the **Tenant URL** field, enter the **SCIM Endpoint** obtained from your Entra ID integration in Zero Trust [in the previous step](/cloudflare-one/identity/idp-integration/entra-id/#1-enable-scim-in-zero-trust).
 
-6. Go to **Provisioning** and select **Get started**.
+7. In the **Secret token** field, enter the **SCIM Secret** obtained from your Entra ID integration in Zero Trust [in the previous step](/cloudflare-one/identity/idp-integration/entra-id/#1-enable-scim-in-zero-trust).
 
-7. For **Provisioning Mode**, choose _Automatic_.
+8. Select **Test Connection** to ensure that the credentials were entered correctly. If the test fails, go to your Entra ID integration in Zero Trust, select **Regenerate Secret**, select **Save**, and enter your new **SCIM Secret** in the **Secret token** field.
 
-8. In the **Tenant URL** field, enter the **SCIM Endpoint** obtained from Zero Trust.
+9. Select **Create**.
 
-9. In the **Secret Token** field, enter the **SCIM Secret** obtained from Zero Trust.
+10. Once the SCIM application is created, [assign users and groups to the application](https://learn.microsoft.com/entra/identity/enterprise-apps/assign-user-or-group-access-portal).
 
-10. Select **Test Connection** to ensure that the credentials were entered correctly.
+   :::note
+   Groups in this SCIM application should match the groups in your other [Cloudflare Access enterprise application](/cloudflare-one/identity/idp-integration/entra-id/#set-up-entra-id-as-an-identity-provider). Because SCIM group membership updates will overwrite any groups in a user's identity, assigning the same groups to each app ensures consistent policy evaluation.
+   :::
+
+11. Go to **Provisioning** and select **Start provisioning**.
 
-11. Select **Save**.
+12. For **Provisioning Mode**, the default mode should be set by Microsoft to _Automatic_.
 
-12. On the **Provisioning** page, select **Start provisioning**. You will see the synchronization status in Entra ID.
+13. On the **Overview** page in Entra ID, you will see the synchronization status.
 
-To check which users and groups were synchronized, select **View provisioning logs** in Entra ID.
+To check which users and groups were synchronized, select **Provisioning logs**.
 
 <Render file="access/verify-scim-provisioning" />
 
+To monitor the exchange of identity details between Cloudflare Access and Microsoft Entra ID, go to [Zero Trust](https://one.dash.cloudflare.com) > **Logs** > **SCIM provisioning** and view the [SCIM activity logs](/cloudflare-one/insights/logs/scim-logs/).
+
 ### Provisioning attributes
 
-Provisioning attributes define the user properties that Entra ID will synchronize with Cloudflare Access. To modify your provisioning attributes, go to the **Provisioning** page in Entra ID and select **Edit attribute mappings**.
+Provisioning attributes define the user properties that Entra ID will synchronize with Cloudflare Access. To modify your provisioning attributes, go to the **Attribute mapping** and select **Provision Microsoft Entra ID Users**.
 
-We recommend enabling the following user attribute mappings:
+If not already configured, Cloudflare recommends enabling the following user attribute mappings:
 
 | customappsso Attribute         | Entra ID Attribute | Recommendation |
 | ------------------------------ | ------------------ | -------------- |
@@ -252,7 +257,7 @@ You can create Access and Gateway policies for groups that are not synchronized
 
 1. Make sure you enable **Support groups** as you set up Microsoft Entra ID in Zero Trust.
 
-2. On your Azure dashboard, note the `Object Id` for the Entra group. In the example below, the group named Admins has an ID of `61503835-b6fe-4630-af88-de551dd59a2`.
+2. In your Microsoft Entra dashboard, note the `Object Id` for the Entra group. In the example below, the group named Admins has an ID of `61503835-b6fe-4630-af88-de551dd59a2`.
 
    ![Viewing the Azure group ID on the Azure dashboard](~/assets/images/cloudflare-one/identity/azure/object-id.png)
 

src/content/partials/cloudflare-one/access/enable-scim-on-dashboard.mdx

@@ -21,8 +21,8 @@ import { Markdown } from "~/components"
 	- _Group membership change reauthentication_: [Revoke a user's active session](/cloudflare-one/identity/users/session-management/#per-user) when their group membership changes in {props.idp}. This will invalidate all active Access sessions and prompt for reauthentication for any [WARP session policies](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-sessions/). Access will read the user's updated group membership when they reauthenticate.
 	- _No action_: Update the user's identity the next time they reauthenticate to Access or WARP.
 
-5. Select **Save**.
+5. Select **Regenerate Secret**. Copy the **SCIM Endpoint** and **SCIM Secret**. You will need to enter these values into {props.idp}.
 
-6. Copy the **SCIM Endpoint** and **SCIM Secret**. You will need to enter these values into {props.idp}.
+6. Select **Save**. 
 
 The SCIM secret never expires, but you can manually regenerate the secret at any time.