Skip to content

[Fundamentals] Added User Groups docs #22766

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 8 commits into from
Jun 2, 2025
Merged

[Fundamentals] Added User Groups docs #22766

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
e6f572c
Added User Groups
dcpena May 29, 2025
e0dce44
Split out SCIM content
dcpena May 29, 2025
bbdebeb
Applying Adam's feedback
dcpena May 30, 2025
a3f3642
Additional feedback edits
dcpena May 30, 2025
89d494b
Updated note and other feedback
dcpena May 30, 2025
c61ee1a
Fixing broken links
dcpena May 30, 2025
d6c354f
Apply suggestions from code review
dcpena Jun 2, 2025
29e730a
Last bits of feedback from review
dcpena Jun 2, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
168 changes: 0 additions & 168 deletions src/content/docs/fundamentals/account/account-security/scim-setup.mdx
View file
Open in desktop

This file was deleted.

162 changes: 162 additions & 0 deletions src/content/docs/fundamentals/account/account-security/scim-setup/entra.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,162 @@
---
pcx_content_type: how-to
title: Provision with Microsoft Entra
sidebar:
label: Microsoft Entra
---

## Set up the Enterprise application

1. Go to your Microsoft Entra ID instance and select **Enterprise Applications**.
2. Select **Create your own application** and name your application.
3. Select **Integrate any other application you do not find in the gallery (Non-gallery)**.
4. Select **Create**.

## Provision the Enterprise application

1. Under **Manage** on the sidebar menu, select **Provisioning**.
2. Select **Automatic** on the dropdown menu for the Provisioning Mode.
3. Enter your API token value and the tenant URL: `https://api.cloudflare.com/client/v4/accounts/<your_account_ID>/scim/v2`.
4. Select **Test Connection**, then select **Save**.

## Configure user permissions in Microsoft Entra ID

1. Once the SCIM application is created, [assign users and groups to the application](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/assign-user-or-group-access-portal?pivots=portal).

:::note
You must have opted into the Cloudflare User Groups Public Beta to synchronize groups from Okta to Cloudflare. Refer to the [User Groups](/fundamentals/setup/manage-members/user-groups/) documentation for more information.

Currently, groups need to match a specific format to provision specific Cloudflare account-level roles. Cloudflare is in the process of adding Cloudflare Groups, which can take in freeform group names in the future.
:::
Copy link
Contributor

@AdamBouhmad AdamBouhmad May 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(not sure if this div is needed anymore with the above removed, but just dropping a note incase)


2. To begin syncing your Users & Groups into Cloudflare, navigate back to **Provisioning**, and under **Provisioning Status**, check *On*, then select **Save**.

:::note
To successfully provision with Microsoft Entra ID, the `user principal name` and `email` fields must match. These values are case-sensitive.
:::

3. To check which users and groups were synchronized, select **Provisioning logs**.
4. To verify the integration, select **Provisioning Logs** in Entra ID application, and check the Cloudflare Dash Audit Logs by navigating to **Manage Account** > **Audit Log**.
5. To grant permissions to Users & Groups in Cloudflare, refer to the Permission Policies guide.


## (Optional) Automate Cloudflare's SCIM integration

Cloudflare's SCIM integration requires one external application per account. Customers with many accounts may want to automate part of the setup to save time and reduce the amount of time spent in the Entra administrative UI.

The initial setup of creating the non-gallery applications and adding the provisioning URL and API key are scriptable via API, but the rest of the setup is dependent on your specific need and IDP configuration.

**1. Get an access token**

Get an Entra access token. Note that the example below is using the Azure CLI.

```
# Using azure-cli
az login
az account get-access-token --resource https://graph.microsoft.com

(payload with accessToken returned)
```
**2. Create a new application via template.**

The template ID 8adf8e6e-67b2-4cf2-a259-e3dc5476c621 is the suggested template to create non-gallery apps in the Entra docs. Replace `<accessToken>` and `displayName` with your values.

```curl title="Example request"
curl -X POST 'https://graph.microsoft.com/v1.0/applicationTemplates/8adf8e6e-67b2-4cf2-a259-e3dc5476c621/instantiate' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <accessToken>' \
--data-raw '{
"displayName": "Entra API create application test"
}'
```

```curl title="Example response"
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#microsoft.graph.applicationServicePrincipal",
"application": {
"id": "343a8552-f9d9-471c-b677-d37062117cc8", //
"appId": "03d8207b-e837-4be9-b4e6-180492eb3b61",
"applicationTemplateId": "8adf8e6e-67b2-4cf2-a259-e3dc5476c621",
"createdDateTime": "2025-01-30T00:37:44Z",
"deletedDateTime": null,
"displayName": "Entra API create application test",
"description": null,
// ... snipped rest of large application payload
},
"servicePrincipal": {
"id": "a8cb133d-f841-4eb9-8bc9-c8e9e8c0d417", // Note this ID for the subsequent request
"deletedDateTime": null,
"accountEnabled": true,
"appId": "03d8207b-e837-4be9-b4e6-180492eb3b61",
"applicationTemplateId": "8adf8e6e-67b2-4cf2-a259-e3dc5476c621",
"appDisplayName": "Entra API create application test",
// ...snipped rest of JSON payload
}
```

**3. Create a provisioning job**

To enable provisioning, you will also need to create a job. Note the SERVICE_PRINCIPAL_ID in the previous request will be used in the request below. The SCIM templateId is an Entra provided template.

```curl title="Example request"
curl -X POST 'https://graph.microsoft.com/v1.0/servicePrincipals/<SERVICE_PRINCIPAL_ID>/synchronization/jobs' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <accessToken>' \
--data-raw '{
"templateId": "scim"
}'
```

```curl title="Example response"
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#servicePrincipals('a8cb133d-f841-4eb9-8bc9-c8e9e8c0d417')/synchronization/jobs/$entity",
"id": "scim.5b223a2cc249463bbd9a791550f11c76.03d8207b-e837-4be9-b4e6-180492eb3b61",
"templateId": "scim",
"schedule": {
"expiration": null,
"interval": "PT40M",
"state": "Disabled"
},
// ... snipped rest of JSON payload
```

**4. Configure the SCIM provisioning URL and API token**

Next, configure the Tenant URL (Cloudflare SCIM endpoint) and API token (SCIM Provisioning API Token).

Replace `<accessToken>`, `<ACCOUNT_ID>`, `<SCIM_PROVISIONING_API_TOKEN_VALUE>` with your values.

```curl title="Example request"
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <accessToken>' \
--data-raw '{
"value": [
{
"key": "BaseAddress",
"value": "https://api.cloudflare.com/client/v4/accounts/<ACCOUNT_ID>/scim/v2"
},
{
"key": "SecretToken",
"value": "<SCIM_PROVISIONING_API_TOKEN_VALUE>"
}
]
}'
```

After completing the tasks above, the next steps in Entra include:

- Additional group/provisioning configuration
- Test and save after updating the config.
- Provisioning after configuration is complete

## Expected behaviors

Expectations for user lifecycle management with SCIM:

| Expected Cloudflare dash behavior | Identity provider action |
| ---------------------------------------------- |-------------------------------|
| User is added to account as member | Assign the user to a SCIM application. They will be assigned the Minimal Account Access role so that their dash experience is not broken. |
| User is removed from account as member | Unassign the user from the SCIM application. |
| Add role to user | Add the user to a group in the IdP which is pushed via SCIM. They must also be assigned to the SCIM application and exist as an account member. |
| Remove role from user | Remove the user from the corresponding group in the IdP. |
| Retain user in account but with no permissions | Remove the user from all role groups but leave them assigned to the SCIM application. They will be an account member with only the role Minimal Account Access. |
65 changes: 65 additions & 0 deletions src/content/docs/fundamentals/account/account-security/scim-setup/index.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,65 @@
---
pcx_content_type: how-to
title: SCIM provisioning
updated: 2024-12-04

---

Cloudflare supports bulk provisioning of users into the Cloudflare dashboard by using the System for Cross-domain Identity Management (SCIM) protocol. This allows you to connect your external identity provider (IdP) to Cloudflare and quickly onboard and manage users and their permissions. Cloudflare supports SCIM onboarding with Okta and Microsoft Entra.

:::note
This section covers SCIM provisioning for the Cloudflare dashboard only. If you need to provision SCIM for Cloudflare Zero Trust, refer to [Zero Trust SCIM provisioning](/cloudflare-one/identity/users/scim/).
:::

## Limitations

- If a user is the only Super Administrator on an Enterprise account, they will not be deprovisioned.
- Cloudflare currently only supports [Account-scoped Roles](/fundamentals/manage-members/roles/#account-scoped-roles) and does not support Domain-scoped Roles provisioning via SCIM.
- Cloudflare does not allow custom user groups.

## Prerequisites

- Cloudflare provisioning with SCIM is only available to Enterprise customers using Okta or Microsoft Entra.
- You must be a [Super Administrator](/fundamentals/manage-members/roles/) on the account.
- In your identity provider, you must have the ability to create applications and groups.

---
## Gather the required data

To start, you will need to collect a couple of pieces of data from Cloudflare and set these aside for later use.

### Get your Account ID


1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to the Cloudflare account that you want to configure for SCIM provisioning.
2. Copy your account ID from the account home page.

### Create an API token

1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions:

| Type | Item | Permission |
| ------- | ----------------- | ---------- |
| Account | SCIM Provisioning | Edit |

:::note

Cloudflare recommends using Account Owned API Tokens for SCIM Provisioning. Using user-specific API tokens, while supported, will lead to a broken SCIM connection in the event that the user's policies are revoked from the account with the SCIM integration. Learn more about [account owned tokens](/fundamentals/api/get-started/account-owned-tokens/).
:::

2. Under **Account Resources**, select the specific account to include or exclude from the dropdown menu, if applicable.
3. Select **Continue to summary**.
4. Validate the permissions and select **Create Token**.
5. Copy the token value.

## Expected behaviors

Expectations for user lifecycle management with SCIM:

| Expected Cloudflare dash behavior | Identity provider action |
| --------------------------------- | ------------------------- |
| User is added to account as member | Assign the user to a SCIM application. They will be assigned the Minimal Account Access role so that their dash experience is not broken. |
| User is removed from account as member | Unassign the user from the SCIM application. |
| Add role to user | Add the user to a group in the IdP which is pushed via SCIM. They must also be assigned to the SCIM application and exist as an account member. |
| Remove role from user | Remove the user from the corresponding group in the IdP. |
| Retain user in account but with no permissions | Remove the user from all role groups but leave them assigned to the SCIM application. They will be an account member with only the role Minimal Account Access. |
Loading
Loading