From 6712b5b2c27d6f4ad9fcb06335181ebeaf5392ff Mon Sep 17 00:00:00 2001
From: dledfordcf <158224609+dledfordcf@users.noreply.github.com>
Date: Fri, 20 Jun 2025 18:23:15 -0500
Subject: [PATCH] Added steps to pass Entra OID through Access

Found adding OID to OIDC claims is pretty simple but not really documented anywhere. Added steps to add these steps.
---
 .../identity/idp-integration/entra-id.mdx | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx
index f06d6e7b81420a..c9fd8535e6e77a 100644
--- a/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx
+++ b/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx
@@ -165,6 +165,21 @@ To receive an email claim in the `id_token` from Microsoft Entra, you must: 3. If you gave your email claim another name than `email`, you must update your configuration in the Cloudflare dashboard. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Authentication** > **Azure AD** > **Edit**. 4. Under **Optional configurations** > **Email claim**, enter the name of the claim representing your organization's email addresses. +#### Adding Entra user Object ID to JWT +If you're concerned users emails or UPNs may change, and you use information held within the JWT for identification on your origin, you can pass the Entra Object ID (OID) and add this to your JWT. + +1. Under "OIDC Claims" in the Zero Trust IdP configuration, add *oid* as a claim. No changes should be needed from the Entra side. +2. Save your changes and click *Test* to verify the OID is shown. +3. Once you verify the OID is visible in the test, it will now be passed to origins behind Access within a JWT. Once decoded the OID will be shown under the *custom* field like the below example: + +``` +custom +{ + "oid": "d14b1e08-6dd9-4ced-ae86-16783c733bd8" +} +``` + + ## Synchronize users and groups The Microsoft Entra ID integration allows you to synchronize IdP groups and automatically deprovision users using [SCIM](/cloudflare-one/identity/users/scim/). @@ -308,4 +323,4 @@ You can require users to re-enter their credentials into Entra ID whenever they code = {{ mark: [16] }} - /> \ No newline at end of file + />
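Review bot: in the first hunk the new `#### Adding Entra user Object ID to JWT` heading is emitted directly after step `4. Under **Optional configurations** > **Email claim**, enter the name of the claim ...` with no blank line before it, and the fenced block that follows it has no language tag. Add a blank line before the heading (the file already does this before `## Synchronize users and groups`) and tag the fence, for example as ```json, with the body written as `"custom": { "oid": "d14b1e08-..." }` rather than the bare word `custom` on its own line inside the fence, since that is what a decoded Access JWT payload actually looks like. UI labels elsewhere in this file are bold (`**Settings** > **Authentication** > **Azure AD** > **Edit**`), so "OIDC Claims", *oid* and *Test* should use the same convention. In the intro sentence, `users emails` should be `users' emails`, and "pass the Entra Object ID (OID) and add this to your JWT" reads better as "add the Entra Object ID (OID) to the JWT". Lastly, "No changes should be needed from the Entra side" is stated without a reason; saying that `oid` is a claim Entra ID includes in its tokens by default, and that it is the immutable object ID of the user in that tenant (which is exactly why it is safer than email or UPN for identifying users at the origin), would make the point of the section explicit for readers deciding what to key on.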
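Review bot: the second hunk (`@@ -308,4 +323,4 @@`) changes nothing but the missing newline at end of file (`- />` with `\ No newline at end of file` replaced by `+ />`). That is harmless, but it is unrelated to the OID documentation and is not mentioned in the commit message; either note it there or drop it so the diff stays limited to its subject.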