Additional feedback edits

Author: dcpena

src/content/docs/fundamentals/account/account-security/scim-setup/entra.mdx

@@ -5,6 +5,10 @@ sidebar:
   label: Microsoft Entra
 ---
 
+import { Render } from "~/components";
+
+<Render file="idp-group-deprecation" />
+
 ## Set up the Enterprise application
 
 1. Go to your Microsoft Entra ID instance and select **Enterprise Applications**.
@@ -146,15 +150,3 @@ After completing the tasks above, the next steps in Entra include:
 - Additional group/provisioning configuration
 - Test and save after updating the config.
 - Provisioning after configuration is complete
-
-## Expected behaviors
-
-Expectations for user lifecycle management with SCIM:
-
-| Expected Cloudflare dash behavior              | Identity provider action      |
-| ---------------------------------------------- |-------------------------------|
-| User is added to account as member             | Assign the user to a SCIM application. They will be assigned the Minimal Account Access role so that their dash experience is not broken.   |
-| User is removed from account as member         | Unassign the user from the SCIM application.    |
-| Add role to user                               | Add the user to a group in the IdP which is pushed via SCIM. They must also be assigned to the SCIM application and exist as an account member.                 |
-| Remove role from user                          | Remove the user from the corresponding group in the IdP.   |
-| Retain user in account but with no permissions | Remove the user from all role groups but leave them assigned to the SCIM application. They will be an account member with only the role Minimal Account Access. |

src/content/docs/fundamentals/account/account-security/scim-setup/index.mdx

@@ -1,7 +1,6 @@
 ---
 pcx_content_type: how-to
 title: SCIM provisioning
-updated: 2024-12-04
 
 ---
 
@@ -11,6 +10,18 @@ Cloudflare supports bulk provisioning of users into the Cloudflare dashboard by
 This section covers SCIM provisioning for the Cloudflare dashboard only. If you need to provision SCIM for Cloudflare Zero Trust, refer to [Zero Trust SCIM provisioning](/cloudflare-one/identity/users/scim/).
 :::
 
+## Expected behaviors
+
+Expectations for user lifecycle management with SCIM:
+
+| Expected Cloudflare dash behavior | Identity provider action  |
+| --------------------------------- | ------------------------- |
+| User is added to account as member   | Assign the user to a SCIM application. They will be assigned the Minimal Account Access role so that their dash experience is not broken.    |
+| User is removed from account as member         | Unassign the user from the SCIM application.    |
+| Add role to user                               | Add the user to a group in the IdP which is pushed via SCIM. They must also be assigned to the SCIM application and exist as an account member.   |
+| Remove role from user                          | Remove the user from the corresponding group in the IdP. |
+| Retain user in account but with no permissions | Remove the user from all role groups but leave them assigned to the SCIM application. They will be an account member with only the role Minimal Account Access. |
+
 ## Limitations
 
 - If a user is the only Super Administrator on an Enterprise account, they will not be deprovisioned.
@@ -49,15 +60,3 @@ To start, you will need to collect a couple of pieces of data from Cloudflare an
 3. Select **Continue to summary**.
 4. Validate the permissions and select **Create Token**.
 5. Copy the token value.
-
-## Expected behaviors
-
-Expectations for user lifecycle management with SCIM:
-
-| Expected Cloudflare dash behavior | Identity provider action  |
-| --------------------------------- | ------------------------- |
-| User is added to account as member   | Assign the user to a SCIM application. They will be assigned the Minimal Account Access role so that their dash experience is not broken.    |
-| User is removed from account as member         | Unassign the user from the SCIM application.    |
-| Add role to user                               | Add the user to a group in the IdP which is pushed via SCIM. They must also be assigned to the SCIM application and exist as an account member.   |
-| Remove role from user                          | Remove the user from the corresponding group in the IdP. |
-| Retain user in account but with no permissions | Remove the user from all role groups but leave them assigned to the SCIM application. They will be an account member with only the role Minimal Account Access. |

src/content/docs/fundamentals/account/account-security/scim-setup/okta.mdx

@@ -5,6 +5,10 @@ sidebar:
   label: Okta
 ---
 
+import { Render } from "~/components";
+
+<Render file="idp-group-deprecation" />
+
 ## Set up your Okta SCIM application
 
 1. In the Okta dashboard, go to **Applications** > **Applications**.

src/content/partials/fundamentals/idp-group-deprecation.mdx

@@ -0,0 +1,8 @@
+---
+{}
+
+---
+
+:::note
+**Important Update:** Cloudflare now supports native User Groups for enhanced access control. This new feature replaces the previous method of directly assigning Cloudflare roles based on IdP group mappings, which is deprecated as of June 2nd, 2025. Update your SCIM configurations using the instructions below to utilize User Groups for seamless provisioning.
+:::