cloudflare
diff --git a/‎src/content/docs/fundamentals/account/account-security/scim-setup.mdx‎
Lines changed: 0 additions & 168 deletions b/‎src/content/docs/fundamentals/account/account-security/scim-setup.mdx‎
Lines changed: 0 additions & 168 deletions
diff --git a/‎src/content/docs/fundamentals/account/account-security/scim-setup/entra.mdx‎
Lines changed: 162 additions & 0 deletions b/‎src/content/docs/fundamentals/account/account-security/scim-setup/entra.mdx‎
Lines changed: 162 additions & 0 deletions
diff --git a/‎src/content/docs/fundamentals/account/account-security/scim-setup/index.mdx‎
Lines changed: 65 additions & 0 deletions b/‎src/content/docs/fundamentals/account/account-security/scim-setup/index.mdx‎
Lines changed: 65 additions & 0 deletions
@@ -0,0 +1,162 @@
+---
+pcx_content_type: how-to
+title: Provision with Microsoft Entra
+sidebar:
+  label: Microsoft Entra
+---
+
+## Set up the Enterprise application
+
+1. Go to your Microsoft Entra ID instance and select **Enterprise Applications**.
+2. Select **Create your own application** and name your application.
+3. Select **Integrate any other application you do not find in the gallery (Non-gallery)**.
+4. Select **Create**.
+
+## Provision the Enterprise application
+
+1. Under **Manage** on the sidebar menu, select **Provisioning**.
+2. Select **Automatic** on the dropdown menu for the Provisioning Mode.
+3. Enter your API token value and the tenant URL: `https://api.cloudflare.com/client/v4/accounts/<your_account_ID>/scim/v2`.
+4. Select **Test Connection**, then select **Save**.
+
+## Configure user permissions in Microsoft Entra ID
+
+1. Once the SCIM application is created, [assign users and groups to the application](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/assign-user-or-group-access-portal?pivots=portal).
+
+:::note
+You must have opted into the Cloudflare User Groups Public Beta to synchronize groups from Okta to Cloudflare. Refer to the [User Groups](/fundamentals/setup/manage-members/user-groups/) documentation for more information.
+
+Currently, groups need to match a specific format to provision specific Cloudflare account-level roles. Cloudflare is in the process of adding Cloudflare Groups, which can take in freeform group names in the future.
+:::
+
+2. To begin syncing your Users & Groups into Cloudflare, navigate back to **Provisioning**, and under **Provisioning Status**, check *On*, then select **Save**. 
+
+:::note
+To successfully provision with Microsoft Entra ID, the `user principal name` and `email` fields must match. These values are case-sensitive.
+:::
+
+3. To check which users and groups were synchronized, select **Provisioning logs**. 
+4. To verify the integration, select **Provisioning Logs** in Entra ID application, and check the Cloudflare Dash Audit Logs by navigating to **Manage Account** > **Audit Log**. 
+5. To grant permissions to Users & Groups in Cloudflare, refer to the Permission Policies guide.
+
+
+## (Optional) Automate Cloudflare's SCIM integration
+
+Cloudflare's SCIM integration requires one external application per account. Customers with many accounts may want to automate part of the setup to save time and reduce the amount of time spent in the Entra administrative UI.
+
+The initial setup of creating the non-gallery applications and adding the provisioning URL and API key are scriptable via API, but the rest of the setup is dependent on your specific need and IDP configuration.
+
+**1. Get an access token**
+
+Get an Entra access token. Note that the example below is using the Azure CLI.
+
+```
+# Using azure-cli
+az login
+az account get-access-token --resource https://graph.microsoft.com
+
+(payload with accessToken returned)
+```
+**2. Create a new application via template.**
+
+The template ID 8adf8e6e-67b2-4cf2-a259-e3dc5476c621 is the suggested template to create non-gallery apps in the Entra docs. Replace `<accessToken>` and `displayName` with your values.
+
+```curl title="Example request"
+curl -X POST 'https://graph.microsoft.com/v1.0/applicationTemplates/8adf8e6e-67b2-4cf2-a259-e3dc5476c621/instantiate' \
+  --header 'Content-Type: application/json' \
+  --header 'Authorization: Bearer <accessToken>' \
+  --data-raw '{
+    "displayName": "Entra API create application test"
+}'
+```
+
+```curl title="Example response"
+{
+  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#microsoft.graph.applicationServicePrincipal",
+  "application": {
+    "id": "343a8552-f9d9-471c-b677-d37062117cc8", //
+    "appId": "03d8207b-e837-4be9-b4e6-180492eb3b61",
+    "applicationTemplateId": "8adf8e6e-67b2-4cf2-a259-e3dc5476c621",
+    "createdDateTime": "2025-01-30T00:37:44Z",
+    "deletedDateTime": null,
+    "displayName": "Entra API create application test",
+    "description": null,
+    // ... snipped rest of large application payload
+  },
+  "servicePrincipal": {
+    "id": "a8cb133d-f841-4eb9-8bc9-c8e9e8c0d417", // Note this ID for the subsequent request 
+    "deletedDateTime": null,
+    "accountEnabled": true,
+    "appId": "03d8207b-e837-4be9-b4e6-180492eb3b61",
+    "applicationTemplateId": "8adf8e6e-67b2-4cf2-a259-e3dc5476c621",
+    "appDisplayName": "Entra API create application test",
+	// ...snipped rest of JSON payload
+}
+```
+
+**3. Create a provisioning job**
+
+To enable provisioning, you will also need to create a job. Note the SERVICE_PRINCIPAL_ID in the previous request will be used in the request below. The SCIM templateId is an Entra provided template.
+
+```curl title="Example request"
+curl -X POST 'https://graph.microsoft.com/v1.0/servicePrincipals/<SERVICE_PRINCIPAL_ID>/synchronization/jobs' \
+  --header 'Content-Type: application/json' \
+  --header 'Authorization: Bearer <accessToken>' \
+  --data-raw '{ 
+    "templateId": "scim"
+}'
+```
+
+```curl title="Example response"
+{
+  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#servicePrincipals('a8cb133d-f841-4eb9-8bc9-c8e9e8c0d417')/synchronization/jobs/$entity",
+  "id": "scim.5b223a2cc249463bbd9a791550f11c76.03d8207b-e837-4be9-b4e6-180492eb3b61",
+  "templateId": "scim",
+  "schedule": {
+    "expiration": null,
+    "interval": "PT40M",
+    "state": "Disabled"
+  },
+// ... snipped rest of JSON payload
+```
+
+**4. Configure the SCIM provisioning URL and API token**
+
+Next, configure the Tenant URL (Cloudflare SCIM endpoint) and API token (SCIM Provisioning API Token). 
+
+Replace `<accessToken>`, `<ACCOUNT_ID>`, `<SCIM_PROVISIONING_API_TOKEN_VALUE>` with your values.
+
+```curl title="Example request"
+ --header 'Content-Type: application/json' \
+  --header 'Authorization: Bearer <accessToken>' \
+  --data-raw '{
+  "value": [
+    {
+      "key": "BaseAddress",
+      "value": "https://api.cloudflare.com/client/v4/accounts/<ACCOUNT_ID>/scim/v2"
+    },
+    {
+      "key": "SecretToken",
+      "value": "<SCIM_PROVISIONING_API_TOKEN_VALUE>"
+    }
+  ]
+}'
+```
+
+After completing the tasks above, the next steps in Entra include:
+
+- Additional group/provisioning configuration
+- Test and save after updating the config.
+- Provisioning after configuration is complete
+
+## Expected behaviors
+
+Expectations for user lifecycle management with SCIM:
+
+| Expected Cloudflare dash behavior              | Identity provider action      |
+| ---------------------------------------------- |-------------------------------|
+| User is added to account as member             | Assign the user to a SCIM application. They will be assigned the Minimal Account Access role so that their dash experience is not broken.   |
+| User is removed from account as member         | Unassign the user from the SCIM application.    |
+| Add role to user                               | Add the user to a group in the IdP which is pushed via SCIM. They must also be assigned to the SCIM application and exist as an account member.                 |
+| Remove role from user                          | Remove the user from the corresponding group in the IdP.   |
+| Retain user in account but with no permissions | Remove the user from all role groups but leave them assigned to the SCIM application. They will be an account member with only the role Minimal Account Access. |
@@ -0,0 +1,65 @@
+---
+pcx_content_type: how-to
+title: SCIM provisioning
+updated: 2024-12-04
+
+---
+
+Cloudflare supports bulk provisioning of users into the Cloudflare dashboard by using the System for Cross-domain Identity Management (SCIM) protocol. This allows you to connect your external identity provider (IdP) to Cloudflare and quickly onboard and manage users and their permissions. Cloudflare supports SCIM onboarding with Okta and Microsoft Entra.
+
+:::note
+This section covers SCIM provisioning for the Cloudflare dashboard only. If you need to provision SCIM for Cloudflare Zero Trust, refer to [Zero Trust SCIM provisioning](/cloudflare-one/identity/users/scim/).
+:::
+
+## Limitations
+
+- If a user is the only Super Administrator on an Enterprise account, they will not be deprovisioned.
+- Cloudflare currently only supports [Account-scoped Roles](/fundamentals/manage-members/roles/#account-scoped-roles) and does not support Domain-scoped Roles provisioning via SCIM.
+- Cloudflare does not allow custom user groups.
+
+## Prerequisites
+
+- Cloudflare provisioning with SCIM is only available to Enterprise customers using Okta or Microsoft Entra.
+- You must be a [Super Administrator](/fundamentals/manage-members/roles/) on the account.
+- In your identity provider, you must have the ability to create applications and groups.
+
+---
+## Gather the required data
+
+To start, you will need to collect a couple of pieces of data from Cloudflare and set these aside for later use.
+
+### Get your Account ID
+
+
+1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to the Cloudflare account that you want to configure for SCIM provisioning.
+2. Copy your account ID from the account home page.
+
+### Create an API token
+
+1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions:
+
+   | Type    | Item              | Permission |
+   | ------- | ----------------- | ---------- |
+   | Account | SCIM Provisioning | Edit       |
+
+   :::note
+
+   Cloudflare recommends using Account Owned API Tokens for SCIM Provisioning. Using user-specific API tokens, while supported, will lead to a broken SCIM connection in the event that the user's policies are revoked from the account with the SCIM integration. Learn more about [account owned tokens](/fundamentals/api/get-started/account-owned-tokens/).
+   :::
+
+2. Under **Account Resources**, select the specific account to include or exclude from the dropdown menu, if applicable.
+3. Select **Continue to summary**.
+4. Validate the permissions and select **Create Token**.
+5. Copy the token value.
+
+## Expected behaviors
+
+Expectations for user lifecycle management with SCIM:
+
+| Expected Cloudflare dash behavior | Identity provider action  |
+| --------------------------------- | ------------------------- |
+| User is added to account as member   | Assign the user to a SCIM application. They will be assigned the Minimal Account Access role so that their dash experience is not broken.    |
+| User is removed from account as member         | Unassign the user from the SCIM application.    |
+| Add role to user                               | Add the user to a group in the IdP which is pushed via SCIM. They must also be assigned to the SCIM application and exist as an account member.   |
+| Remove role from user                          | Remove the user from the corresponding group in the IdP. |
+| Retain user in account but with no permissions | Remove the user from all role groups but leave them assigned to the SCIM application. They will be an account member with only the role Minimal Account Access. |