Commit b7a7329

ranbel and kennyj42 authored
[ZT] SCIM identity auto-update (#18251)
* PCX-14656
* Update enable-scim-on-dashboard.mdx
* link to user registry identity

---------

Co-authored-by: kennyj42 <[email protected]>
1 parent cc0b009 commit b7a7329

2 files changed: +7 -4 lines changed

src/content/docs/cloudflare-one/insights/logs/users.mdx

Lines changed: 1 addition & 1 deletion
@@ -16,7 +16,7 @@ In [Zero Trust](https://one.dash.cloudflare.com/), go to **My Team** > **Users**
1616

1717
### Available logs
1818

19-
* **User Registry identity**: Select the user's name to view their last seen identity. This identity is refreshed when the user re-authenticates WARP, logs into an Access application, or has their IdP group membership updated via <GlossaryTooltip term="SCIM" link="/cloudflare-one/identity/users/scim/">SCIM provisioning</GlossaryTooltip>. To track how the user's identity has changed over time, go to the **Audit logs** tab.
19+
* **User Registry identity**: Select the user's name to view their last seen identity. This identity is used to evaluate Gateway policies and WARP [device profiles](/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles/). A refresh occurs when the user re-authenticates WARP, logs into an Access application, or has their IdP group membership updated via <GlossaryTooltip term="SCIM" link="/cloudflare-one/identity/users/scim/">SCIM provisioning</GlossaryTooltip>. To track how the user's identity has changed over time, go to the **Audit logs** tab.
2020
* **Session identities**: The user's active sessions, the identity used to authenticate each session, and when each session will [expire](/cloudflare-one/identity/users/session-management/).
2121
* **Devices**: Devices registered to the user via WARP.
2222
* **Recent activities**: The user's five most recent Access login attempts. For more details, refer to your [authentication audit logs](/cloudflare-one/insights/logs/audit-logs/#authentication-audit-logs).
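
Review bot: The reworded **User Registry identity** bullet (new line 19) says without qualification that a refresh occurs when the user "has their IdP group membership updated via SCIM provisioning", while the SCIM partial changed in this same commit makes the timing depend on the **SCIM identity update behavior** setting, where _No action_ defers the update to the next reauthentication. Because the bullet now also says this identity is what Gateway policies and WARP device profiles are evaluated against, a reader could assume group removals in the IdP take effect immediately in every configuration. Suggest qualifying the SCIM clause with the setting it depends on, and mentioning identity changes as well as group membership so it matches the partial's "updated identity or group membership".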

src/content/partials/cloudflare-one/access/enable-scim-on-dashboard.mdx

Lines changed: 6 additions & 3 deletions
@@ -13,11 +13,14 @@ import { Markdown } from "~/components"
1313

1414
3. Turn on **Enable SCIM**{props.and}**{props.supportgroups}**.
1515

16-
4. (Optional) Turn on the following settings:
16+
4. (Optional) Configure the following settings:
1717

18-
* **Enable user deprovisioning**: [Revoke a user's active session](/cloudflare-one/identity/users/session-management/#per-user) when they are removed from the SCIM application in {props.idp}. This will invalidate all active Access sessions and prompt for reauthentication for any Gateway WARP session policies.
18+
* **Enable user deprovisioning**: [Revoke a user's active session](/cloudflare-one/identity/users/session-management/#per-user) when they are removed from the SCIM application in {props.idp}. This will invalidate all active Access sessions and prompt for reauthentication for any [WARP session policies](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-sessions/).
1919
* **Remove user seat on deprovision**: [Remove a user's seat](/cloudflare-one/identity/users/seat-management/) from your Zero Trust account when they are removed from the SCIM application in {props.idp}.
20-
* **Enable group membership change reauthentication**: [Revoke a user's active session](/cloudflare-one/identity/users/session-management/#per-user) when their group membership changes in {props.idp}. This will invalidate all active Access sessions and prompt for reauthentication for any Gateway WARP session policies. Access will read the user's updated group membership when they reauthenticate.
20+
* **SCIM identity update behavior**: Choose what happens in Zero Trust when the user's identity updates in {props.idp}.
21+
- _Automatic identity updates_: Automatically update the [User Registry identity](/cloudflare-one/insights/logs/users/) when {props.idp} sends an updated identity or group membership through SCIM. This identity is used for Gateway policies and WARP [device profiles](/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles/); Access will read the user's updated identity when they reauthenticate.
22+
- _Group membership change reauthentication_: [Revoke a user's active session](/cloudflare-one/identity/users/session-management/#per-user) when their group membership changes in {props.idp}. This will invalidate all active Access sessions and prompt for reauthentication for any [WARP session policies](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-sessions/). Access will read the user's updated group membership when they reauthenticate.
23+
- _No action_: Update the user's identity the next time they reauthenticate to Access or WARP.
2124

2225
5. Select **Save**.
2326
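
Review bot: The new **SCIM identity update behavior** item (new lines 20 to 23) does not say which of the three options is the default, or what an account that had the removed **Enable group membership change reauthentication** toggle turned on ends up with. It would also help to state the consequence of _No action_ in the option text: the _Automatic identity updates_ line says the User Registry identity is used for Gateway policies and WARP device profiles, so under _No action_ those keep evaluating the previous identity until the user reauthenticates. The _Group membership change reauthentication_ option likewise does not say whether the User Registry identity is updated when the SCIM change arrives or only after the forced reauthentication. Minor style point: the nested options use `-` while the parent list uses `*`.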
