cloudflare
diff --git a/‎src/assets/images/cloudflare-one/identity/azure/entra-email-claim.png‎
335 KB b/‎src/assets/images/cloudflare-one/identity/azure/entra-email-claim.png‎
335 KB
diff --git a/‎src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx‎
Lines changed: 55 additions & 36 deletions b/‎src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx‎
Lines changed: 55 additions & 36 deletions
@@ -108,6 +108,24 @@ More narrow permissions may be used, however this is the set of permissions that
 
 To [test](/cloudflare-one/identity/idp-integration/#test-idps-in-zero-trust) that your connection is working, select **Test**.
 
+#### UPN and email
+
+If your organization's UPNs do not match users' email addresses, you must add a custom claim for email. For example, if your organization's email format is `[email protected]` but the UPN is `[email protected]`, you must create an email claim if you are configuring email-based policies.
+
+By default, Cloudflare will look for an `email` claim in the JSON response. If an `email` claim does not exist, it will look for the unique claim name you created to represent email (for example, `email_identifier`). Last, if neither option exists, Cloudflare will then look for the UPN claim sent in the JSON response.
+
+To receive an email claim in a JSON response from Microsoft Entra, you must:
+
+1. In the [Microsoft Entra admin center](https://entra.microsoft.com/), go to **Application** > **App registration** > select the relevant application > **Manage** > **Token configuration**.
+2. Add a claim for email.
+
+   ![Email claim for Entra](~/assets/images/cloudflare-one/identity/azure/entra-email-claim.png)
+
+   The example above includes both a UPN claim and an email claim. Because an email claim was created in the Microsoft Entra configuration, Cloudflare will look for the `email` key-value pair in the JSON response.
+
+3. If you gave your email claim another name than `email`, in [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Authentication** > **Azure AD** > **Edit**.
+4. Under **Optional configurations** > **Email claim**, enter the name of the claim representing your organization's email addresses.
+
 ## Synchronize users and groups
 
 The Microsoft Entra ID integration allows you to synchronize IdP groups and automatically deprovision users using [SCIM](/cloudflare-one/identity/users/scim/).
@@ -120,7 +138,7 @@ The Microsoft Entra ID integration allows you to synchronize IdP groups and auto
 
 <Render
 	file="access/enable-scim-on-dashboard"
-	params={{ idp: "Entra ID", and: " and ", supportgroups: "Support groups"}}
+	params={{ idp: "Entra ID", and: " and ", supportgroups: "Support groups" }}
 />
 
 ### 2. Configure SCIM in Entra ID
@@ -139,9 +157,9 @@ SCIM requires a separate enterprise application from the one created during [ini
 
 5. Once the SCIM application is created, [assign users and groups to the application](https://learn.microsoft.com/entra/identity/enterprise-apps/assign-user-or-group-access-portal).
 
-	:::note
-	Groups in this SCIM application should match the groups in your other [Cloudflare Access enterprise application](/cloudflare-one/identity/idp-integration/entra-id/#set-up-entra-id-as-an-identity-provider). Because SCIM group membership updates will overwrite any groups in a user's identity, assigning the same groups to each app ensures consistent policy evaluation.
-	:::
+   :::note
+   Groups in this SCIM application should match the groups in your other [Cloudflare Access enterprise application](/cloudflare-one/identity/idp-integration/entra-id/#set-up-entra-id-as-an-identity-provider). Because SCIM group membership updates will overwrite any groups in a user's identity, assigning the same groups to each app ensures consistent policy evaluation.
+   :::
 
 6. Go to **Provisioning** and select **Get started**.
 
@@ -159,7 +177,7 @@ SCIM requires a separate enterprise application from the one created during [ini
 
 To check which users and groups were synchronized, select **View provisioning logs**.
 
-<Render file="access/verify-scim-provisioning"/>
+<Render file="access/verify-scim-provisioning" />
 
 ### Provisioning attributes
 
@@ -207,38 +225,39 @@ Access and Gateway policies for an Entra group will also apply to all [nested gr
 ## Force user interaction during WARP reauthentication
 
 You can require users to re-enter their credentials into Entra ID whenever they [re-authenticate their WARP session](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-sessions/). To configure this setting:
+
 1. Make a `GET` request to the [Identity Providers endpoint](/api/resources/zero_trust/subresources/identity_providers/) and copy the response for the Entra ID identity provider.
 2. [Update the Entra ID identity provider](/api/resources/zero_trust/subresources/identity_providers/methods/update/) using a `PUT` request. In the request body, include all existing configurations and set the `prompt` parameter to either `login` or `select_account`. For example,
-	```sh {17}
-	curl --request PUT \
-	https://api.cloudflare.com/client/v4/accounts/{account_id}/access/identity_providers/{identity_provider_id} \
-	--header "Authorization: Bearer <API_TOKEN>" \
-	--header "Content-Type: application/json" \
-	--data '{
-			"id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
-			"type": "azureAD",
-			"uid": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
-			"name": "Entra ID",
-			"version": "31e74e9b4f033e16b604552091a72295",
-			"config": {
-				"azure_cloud": "default",
-				"client_id": "<CLIENT_ID>",
-				"conditional_access_enabled": false,
-				"directory_id": "<AZURE_DIRECTORY_ID>",
-				"redirect_url": "https://<TEAM_NAME>.cloudflareaccess.com/cdn-cgi/access/callback",
-				"prompt": "login",
-				"support_groups": true
-			},
-			"scim_config": {
-				"enabled": true,
-				"user_deprovision": true,
-				"seat_deprovision": false,
-				"group_member_deprovision": false,
-				"identity_update_behavior": "automatic"
-			},
-			"scim_base_url": "https://<TEAM_NAME>.cloudflareaccess.com/populations/f174e90a-fafe-4643-bbbc-4a0ed4fc8415/scim/v2"
-	}'
-	```
+   ```sh {17}
+   curl --request PUT \
+   https://api.cloudflare.com/client/v4/accounts/{account_id}/access/identity_providers/{identity_provider_id} \
+   --header "Authorization: Bearer <API_TOKEN>" \
+   --header "Content-Type: application/json" \
+   --data '{
+   		"id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
+   		"type": "azureAD",
+   		"uid": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
+   		"name": "Entra ID",
+   		"version": "31e74e9b4f033e16b604552091a72295",
+   		"config": {
+   			"azure_cloud": "default",
+   			"client_id": "<CLIENT_ID>",
+   			"conditional_access_enabled": false,
+   			"directory_id": "<AZURE_DIRECTORY_ID>",
+   			"redirect_url": "https://<TEAM_NAME>.cloudflareaccess.com/cdn-cgi/access/callback",
+   			"prompt": "login",
+   			"support_groups": true
+   		},
+   		"scim_config": {
+   			"enabled": true,
+   			"user_deprovision": true,
+   			"seat_deprovision": false,
+   			"group_member_deprovision": false,
+   			"identity_update_behavior": "automatic"
+   		},
+   		"scim_base_url": "https://<TEAM_NAME>.cloudflareaccess.com/populations/f174e90a-fafe-4643-bbbc-4a0ed4fc8415/scim/v2"
+   }'
+   ```
 
 ## Example API Configuration
 
@@ -253,4 +272,4 @@ You can require users to re-enter their credentials into Entra ID whenever they
 	"type": "azureAD",
 	"name": "my example idp"
 }
-```
+```