Skip to content

[Fundamentals] Added User Groups docs #22596

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 5 commits into from
Closed

[Fundamentals] Added User Groups docs #22596

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
cf03799
Added User Groups docs
dcpena May 21, 2025
a30e125
Added additional content
dcpena May 21, 2025
06f9663
Fixed typo and added link to User Groups docs
dcpena May 21, 2025
fbe7b94
Fixed duplicate content in tabs
dcpena May 21, 2025
559259b
Split out SCIM provisioning
dcpena May 29, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
162 changes: 162 additions & 0 deletions ...nt/docs/fundamentals/setup/account/account-security/scim-provisioning/entra.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,162 @@
---
pcx_content_type: how-to
title: Provision with Microsoft Entra
sidebar:
label: Microsoft Entra
---

## Set up the Enterprise application

1. Go to your Microsoft Entra ID instance and select **Enterprise Applications**.
2. Select **Create your own application** and name your application.
3. Select **Integrate any other application you do not find in the gallery (Non-gallery)**.
4. Select **Create**.

## Provision the Enterprise application

1. Under **Manage** on the sidebar menu, select **Provisioning**.
2. Select **Automatic** on the dropdown menu for the Provisioning Mode.
3. Enter your API token value and the tenant URL: `https://api.cloudflare.com/client/v4/accounts/<your_account_ID>/scim/v2`.
4. Select **Test Connection**, then select **Save**.

## Configure user permissions in Microsoft Entra ID

1. Once the SCIM application is created, [assign users and groups to the application](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/assign-user-or-group-access-portal?pivots=portal).

:::note
You must have opted into the Cloudflare User Groups Public Beta to synchronize groups from Okta to Cloudflare. Refer to the [User Groups](/fundamentals/setup/manage-members/user-groups/) documentation for more information.

Currently, groups need to match a specific format to provision specific Cloudflare account-level roles. Cloudflare is in the process of adding Cloudflare Groups, which can take in freeform group names in the future.
:::

2. To begin syncing your Users & Groups into Cloudflare, navigate back to **Provisioning**, and under **Provisioning Status**, check *On*, then select **Save**.

:::note
To successfully provision with Microsoft Entra ID, the `user principal name` and `email` fields must match. These values are case-sensitive.
:::

3. To check which users and groups were synchronized, select **Provisioning logs**.
4. To verify the integration, select **Provisioning Logs** in Entra ID application, and check the Cloudflare Dash Audit Logs by navigating to **Manage Account** > **Audit Log**.
5. To grant permissions to Users & Groups in Cloudflare, refer to the Permission Policies guide.


## (Optional) Automate Cloudflare's SCIM integration

Cloudflare's SCIM integration requires one external application per account. Customers with many accounts may want to automate part of the setup to save time and reduce the amount of time spent in the Entra administrative UI.

The initial setup of creating the non-gallery applications and adding the provisioning URL and API key are scriptable via API, but the rest of the setup is dependent on your specific need and IDP configuration.

**1. Get an access token**

Get an Entra access token. Note that the example below is using the Azure CLI.

```
# Using azure-cli
az login
az account get-access-token --resource https://graph.microsoft.com

(payload with accessToken returned)
```
**2. Create a new application via template.**

The template ID 8adf8e6e-67b2-4cf2-a259-e3dc5476c621 is the suggested template to create non-gallery apps in the Entra docs. Replace `<accessToken>` and `displayName` with your values.

```curl title="Example request"
curl -X POST 'https://graph.microsoft.com/v1.0/applicationTemplates/8adf8e6e-67b2-4cf2-a259-e3dc5476c621/instantiate' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <accessToken>' \
--data-raw '{
"displayName": "Entra API create application test"
}'
```

```curl title="Example response"
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#microsoft.graph.applicationServicePrincipal",
"application": {
"id": "343a8552-f9d9-471c-b677-d37062117cc8", //
"appId": "03d8207b-e837-4be9-b4e6-180492eb3b61",
"applicationTemplateId": "8adf8e6e-67b2-4cf2-a259-e3dc5476c621",
"createdDateTime": "2025-01-30T00:37:44Z",
"deletedDateTime": null,
"displayName": "Entra API create application test",
"description": null,
// ... snipped rest of large application payload
},
"servicePrincipal": {
"id": "a8cb133d-f841-4eb9-8bc9-c8e9e8c0d417", // Note this ID for the subsequent request
"deletedDateTime": null,
"accountEnabled": true,
"appId": "03d8207b-e837-4be9-b4e6-180492eb3b61",
"applicationTemplateId": "8adf8e6e-67b2-4cf2-a259-e3dc5476c621",
"appDisplayName": "Entra API create application test",
// ...snipped rest of JSON payload
}
```

**3. Create a provisioning job**

To enable provisioning, you will also need to create a job. Note the SERVICE_PRINCIPAL_ID in the previous request will be used in the request below. The SCIM templateId is an Entra provided template.

```curl title="Example request"
curl -X POST 'https://graph.microsoft.com/v1.0/servicePrincipals/<SERVICE_PRINCIPAL_ID>/synchronization/jobs' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <accessToken>' \
--data-raw '{
"templateId": "scim"
}'
```

```curl title="Example response"
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#servicePrincipals('a8cb133d-f841-4eb9-8bc9-c8e9e8c0d417')/synchronization/jobs/$entity",
"id": "scim.5b223a2cc249463bbd9a791550f11c76.03d8207b-e837-4be9-b4e6-180492eb3b61",
"templateId": "scim",
"schedule": {
"expiration": null,
"interval": "PT40M",
"state": "Disabled"
},
// ... snipped rest of JSON payload
```

**4. Configure the SCIM provisioning URL and API token**

Next, configure the Tenant URL (Cloudflare SCIM endpoint) and API token (SCIM Provisioning API Token).

Replace `<accessToken>`, `<ACCOUNT_ID>`, `<SCIM_PROVISIONING_API_TOKEN_VALUE>` with your values.

```curl title="Example request"
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <accessToken>' \
--data-raw '{
"value": [
{
"key": "BaseAddress",
"value": "https://api.cloudflare.com/client/v4/accounts/<ACCOUNT_ID>/scim/v2"
},
{
"key": "SecretToken",
"value": "<SCIM_PROVISIONING_API_TOKEN_VALUE>"
}
]
}'
```

After completing the tasks above, the next steps in Entra include:

- Additional group/provisioning configuration
- Test and save after updating the config.
- Provisioning after configuration is complete

## Expected behaviors
Copy link
Contributor

@bnelz bnelz May 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[suggestion, non-blocking] Consider moving this up to index.mdx for the SCIM overview, the Dash vs. IdP actions described here are generic rather than provider-specific and it would be valuable information for any SCIM customer.


Expectations for user lifecycle management with SCIM:

| Expected Cloudflare dash behavior | Identity provider action |
| ---------------------------------------------- |-------------------------------|
| User is added to account as member | Assign the user to a SCIM application. They will be assigned the Minimal Account Access role so that their dash experience is not broken. |
| User is removed from account as member | Unassign the user from the SCIM application. |
| Add role to user | Add the user to a group in the IdP which is pushed via SCIM. They must also be assigned to the SCIM application and exist as an account member. |
| Remove role from user | Remove the user from the corresponding group in the IdP. |
| Retain user in account but with no permissions | Remove the user from all role groups but leave them assigned to the SCIM application. They will be an account member with only the role Minimal Account Access. |
54 changes: 54 additions & 0 deletions ...nt/docs/fundamentals/setup/account/account-security/scim-provisioning/index.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
---
pcx_content_type: how-to
title: Dashboard SCIM provisioning
updated: 2024-12-04

---

Cloudflare supports bulk provisioning of users into the Cloudflare dashboard by using the System for Cross-domain Identity Management (SCIM) protocol. This allows you to connect your external identity provider (IdP) to Cloudflare and quickly onboard and manage users and their permissions. Cloudflare supports SCIM onboarding with Okta and Microsoft Entra.

:::note
This section covers SCIM provisioning for the Cloudflare dashboard only. If you need to provision SCIM for Cloudflare Zero Trust, refer to [Zero Trust SCIM provisioning](/cloudflare-one/identity/users/scim/).
:::

## Limitations

- If a user is the only Super Administrator on an Enterprise account, they will not be deprovisioned.
- Cloudflare currently only supports [Account-scoped Roles](/fundamentals/setup/manage-members/roles/#account-scoped-roles) and does not support Domain-scoped Roles provisioning via SCIM.
- Cloudflare does not allow custom user groups.

## Prerequisites

- Cloudflare provisioning with SCIM is only available to Enterprise customers using Okta or Microsoft Entra ID.
- You must be a [Super Administrator](/fundamentals/setup/manage-members/roles/) on the account.
- In your identity provider, you must have the ability to create applications and groups.

---
## Gather the required data

To start, you will need to collect a couple of pieces of data from Cloudflare and set these aside for later use.

### Get your Account ID


1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to the Cloudflare account that you want to configure for SCIM provisioning.
2. Copy your account ID from the account home page.

### Create an API token

1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions:

| Type | Item | Permission |
| ------- | ----------------- | ---------- |
| Account | SCIM Provisioning | Edit |

:::note

Cloudflare recommends using Account Owned API Tokens for SCIM Provisioning. Using user-specific API tokens, while supported, will lead to a broken SCIM connection in the event that the user's policies are revoked from the account with the SCIM integration. Learn more about [account owned tokens](/fundamentals/api/get-started/account-owned-tokens/).
:::

2. Select **Continue to summary**.

3. Validate the permissions and select **Create Token**.

4. Copy the token value.
49 changes: 49 additions & 0 deletions ...ent/docs/fundamentals/setup/account/account-security/scim-provisioning/okta.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
---
pcx_content_type: how-to
title: Provision with Okta
sidebar:
label: Okta
---

## Set up your Okta SCIM application

1. In the Okta dashboard, go to **Applications** > **Applications**.
2. Select **Browse App Catalog**.
3. Locate and select **SCIM 2.0 Test App (OAuth Bearer Token)**.
4. Select **Add Integration** and name your integration.
5. Enable the following options:
* **Do not display application icon to users**
* **Do not display application icon in the Okta Mobile App**
6. Disable **Automatically log in when user lands on login page**.
7. Select **Next**, then select **Done**.

## Integrate the Cloudflare API

:::note
The **Update User Attributes** option is not supported.
:::

1. In your integration page, go to **Provisioning** > **Configure API Integration**.
2. Enable **Enable API Integration**.
3. In SCIM 2.0 Base URL, enter: `https://api.cloudflare.com/client/v4/accounts/<accountID>/scim/v2`, substituting `accountID` for your [Cloudflare Account ID](/fundamentals/setup/account/account-security/scim-setup/#get-your-account-id).
4. In the **OAuth Bearer Token** field, enter your API token value.
5. Deselect **Import Groups**.


## Set up your SCIM users and groups

1. In **Provisioning to App**, select **Edit**.
2. Enable **Create Users** and **Deactivate Users**. Select **Save**.
3. Select **Done**.
4. In the Assignments tab, add the users you want to synchronize with Cloudflare Dash. You can add users in batches by assigning a group. If a user is removed from the application assignment via either direct user assignment or removed from the group that was assigned to the app, this will trigger a deprovisioning event from Okta to Cloudflare.
5. In the Push Groups tab, add the Okta groups you want to synchronize with Cloudflare Dash. You can view these groups in the dash under Manage Account > Manage members > Members > User Groups.

:::note
You must have opted into the Cloudflare User Groups Public Beta to synchronize groups from Okta to Cloudflare. Refer to the [User Groups](/fundamentals/setup/manage-members/user-groups/) documentation for more information.
:::

To verify the integration, select **View Logs** in the Okta SCIM application, and check the Cloudflare Dash Audit Logs by navigating to **Manage Account** > **Audit Log**.

To grant permissions to Users & Groups in Cloudflare, refer to the Permission Policies guide.

This will provision all of the users in the group(s) affected to your Cloudflare account with "minimal account access."
Loading
Loading