cloudflare · ranbel · Apr 9, 2025 · Mar 28, 2025 · Mar 31, 2025 · Mar 31, 2025
@@ -222,7 +222,7 @@ SCIM requires a separate enterprise application from the one created during [ini
 
 12. On the **Provisioning** page, select **Start provisioning**. You will see the synchronization status in Entra ID.
 
-To check which users and groups were synchronized, select **View provisioning logs**.
+To check which users and groups were synchronized, select **View provisioning logs** in Entra ID.
 
 <Render file="access/verify-scim-provisioning" />
 

@@ -0,0 +1,35 @@
+---
+pcx_content_type: reference
+title: SCIM activity logs
+sidebar:
+  order: 3
+  label: SCIM logs
+---
+
+import { Render } from "~/components";
+
+SCIM activity logs allow administrators to audit how [SCIM provisioning](/cloudflare-one/identity/users/scim/) events in an identity provider (such as create, update, and delete) affect a user's identity and group membership in Zero Trust. You can compare your Zero Trust SCIM logs with your identity provider's SCIM logs to track how identity data is shared between the two services and pinpoint the source of any provisioning errors.
+
+## View SCIM logs
+
+For an overview of SCIM events across all users, log in to [Zero Trust](https://one.dash.cloudflare.com/) and go to **Logs** > **SCIM provisioning**. This page lists the inbound SCIM requests from all identity providers configured with SCIM. You can select an individual request to view more details about the SCIM operation.
+
+To investigate how SCIM events impacted a specific user, go to their [User Registry identity](/cloudflare-one/insights/logs/users/).
+
+<Render file="access/scim-requires-login" product="cloudflare-one" />
+
+## Log fields
+
+SCIM provisioning logs show the following information for each inbound SCIM request:
+
+- **IdP name**: Name of the identity provider
+- **Timestamp**: Date and time of the request
+- **Action**: HTTP request method (`POST`, `PUT`, `PATCH`, `DELETE`)
+- **User email**: User who received the SCIM identity update
+- **Group name**: Group that received the SCIM identity update
+- **Resource type**: SCIM resource that was modified (`GROUP` or `USER`)
+- **CF resource ID**: Consistent identifier for the user or group created by Cloudflare SCIM
+- **IDP resource ID**: Identifier for the user or group provided by the identity provider
+- **Outcome**: Whether the SCIM request was applied successfully (`SUCCESS` or `ERROR`)
+- **Request body**: HTTP request body containing the data that was added, modified, or removed
+- **JSON log**: SCIM request log in JSON format
@@ -0,0 +1,7 @@
+---
+{}
+---
+
+:::note
+New users must first [register the WARP client](/cloudflare-one/connections/connect-devices/warp/deployment/manual-deployment/) or authenticate to an Access application before SCIM provisioning can begin.
+:::
@@ -2,8 +2,8 @@
 {}
 ---
 
-To check if a user's identity was updated in Zero Trust, view their [User Registry identity](/cloudflare-one/insights/logs/users/).
+import { Render } from "~/components";
 
-:::note
-New users must first register the WARP client or authenticate to an Access application before SCIM provisioning can begin.
-:::
+To check if user identities were updated in Zero Trust, view your [SCIM provisioning logs](/cloudflare-one/insights/logs/scim-logs/).
+
+<Render file="access/scim-requires-login" product="cloudflare-one" />