
Commit cf03799

committed
Added User Groups docs
1 parent 5429ae3 commit cf03799


2 files changed

+596
-0
lines changed


src/content/docs/fundamentals/setup/account/account-security/scim-setup.mdx

Lines changed: 109 additions & 0 deletions
@@ -155,6 +155,115 @@ Refer to the list of [Roles](/fundamentals/setup/manage-members/roles/) for more
155155
To successfully provision with Microsoft Entra ID, the `user principal name` and `email` fields must match. These values are case-sensitive.
156156
:::
157157

158+
### Automate Cloudflare's SCIM integration
159+
160+
Cloudflare's SCIM integration requires one external application per account. Customers with many accounts may want to automate part of the setup to save time and reduce the amount of time spent in the Entra administrative UI.
161+
162+
The initial setup of creating the non-gallery applications and adding the provisioning URL and API key are scriptable via API, but the rest of the setup is dependent on your specific need and IDP configuration.
163+
164+
1. Get an access token
165+
166+
Get an Entra access token. Note that the example below is using the Azure CLI.
167+
168+
```
169+
# Using azure-cli
170+
az login
171+
az account get-access-token --resource https://graph.microsoft.com
172+
173+
(payload with accessToken returned)
174+
```
175+
2. Create a new application via template.
176+
177+
The template ID 8adf8e6e-67b2-4cf2-a259-e3dc5476c621 is the suggested template to create non-gallery apps in the Entra docs. Replace `<accessToken>` and `displayName` with your values.
178+
179+
```curl title="Example request"
180+
curl -X POST 'https://graph.microsoft.com/v1.0/applicationTemplates/8adf8e6e-67b2-4cf2-a259-e3dc5476c621/instantiate' \
181+
--header 'Content-Type: application/json' \
182+
--header 'Authorization: Bearer <accessToken>' \
183+
--data-raw '{
184+
"displayName": "Entra API create application test"
185+
}'
186+
```
187+
188+
```curl title="Example response"
189+
{
190+
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#microsoft.graph.applicationServicePrincipal",
191+
"application": {
192+
"id": "343a8552-f9d9-471c-b677-d37062117cc8", //
193+
"appId": "03d8207b-e837-4be9-b4e6-180492eb3b61",
194+
"applicationTemplateId": "8adf8e6e-67b2-4cf2-a259-e3dc5476c621",
195+
"createdDateTime": "2025-01-30T00:37:44Z",
196+
"deletedDateTime": null,
197+
"displayName": "Entra API create application test",
198+
"description": null,
199+
// ... snipped rest of large application payload
200+
},
201+
"servicePrincipal": {
202+
"id": "a8cb133d-f841-4eb9-8bc9-c8e9e8c0d417", // Note this ID for the subsequent request
203+
"deletedDateTime": null,
204+
"accountEnabled": true,
205+
"appId": "03d8207b-e837-4be9-b4e6-180492eb3b61",
206+
"applicationTemplateId": "8adf8e6e-67b2-4cf2-a259-e3dc5476c621",
207+
"appDisplayName": "Entra API create application test",
208+
// ...snipped rest of JSON payload
209+
}
210+
```
211+
212+
3. Create a provisioning job
213+
214+
To enable provisioning, you will also need to create a job. Note the SERVICE_PRINCIPAL_ID in the previous request will be used in the request below. The SCIM templateId is an Entra provided template.
215+
216+
```curl title="Example request"
217+
curl -X POST 'https://graph.microsoft.com/v1.0/servicePrincipals/<SERVICE_PRINCIPAL_ID>/synchronization/jobs' \
218+
--header 'Content-Type: application/json' \
219+
--header 'Authorization: Bearer <accessToken>' \
220+
--data-raw '{
221+
"templateId": "scim"
222+
}'
223+
```
224+
225+
```curl title="Example response"
226+
{
227+
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#servicePrincipals('a8cb133d-f841-4eb9-8bc9-c8e9e8c0d417')/synchronization/jobs/$entity",
228+
"id": "scim.5b223a2cc249463bbd9a791550f11c76.03d8207b-e837-4be9-b4e6-180492eb3b61",
229+
"templateId": "scim",
230+
"schedule": {
231+
"expiration": null,
232+
"interval": "PT40M",
233+
"state": "Disabled"
234+
},
235+
// ... snipped rest of JSON payload
236+
```
237+
238+
4. Configure the SCIM provisioning URL and API token
239+
240+
Next, configure the Tenant URL (Cloudflare SCIM endpoint) and API token (SCIM Provisioning API Token).
241+
242+
Replace `<accessToken>`, `<ACCOUNT_ID>`, `<SCIM_PROVISIONING_API_TOKEN_VALUE>` with your values.
243+
244+
```curl title="Example request"
245+
--header 'Content-Type: application/json' \
246+
--header 'Authorization: Bearer <accessToken>' \
247+
--data-raw '{
248+
"value": [
249+
{
250+
"key": "BaseAddress",
251+
"value": "https://api.cloudflare.com/client/v4/accounts/<ACCOUNT_ID>/scim/v2"
252+
},
253+
{
254+
"key": "SecretToken",
255+
"value": "<SCIM_PROVISIONING_API_TOKEN_VALUE>"
256+
}
257+
]
258+
}'
259+
```
260+
261+
After completing the tasks above, the next steps in Entra include:
262+
263+
- Additional group/provisioning configuration
264+
- Test and save after updating the config.
265+
- Provisioning after configuration is complete
266+
158267
## Expected behaviors
159268

160269
Expectations for user lifecycle management with SCIM:
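Review bot: the step 4 "Example request" block is missing its opening `curl -X ... '<URL>'` line; it starts at `--header 'Content-Type: application/json' \`, so unlike the requests in steps 2 and 3 the reader cannot tell which Graph endpoint the `BaseAddress`/`SecretToken` payload is sent to, and the snippet does not run as pasted. Add the method and endpoint line in the same form as the other requests. Because that payload carries the SCIM Provisioning API Token, the surrounding text should also say that passing it inline via `--data-raw` leaves the token in shell history and process listings; suggesting `--data @file` or an environment variable keeps the secret out of both. Minor points in the same hunk: the step 1 fence has no language tag while the others use `curl title="..."`, the stray `//` after `"id": "343a8552-f9d9-471c-b677-d37062117cc8",` in the step 2 response reads as an unfinished comment, and the "next steps" list mixes a trailing period on one item with none on the others.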
