From f77561605081fd1cc1ef02a74f09300cdf32ca10 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E1=B4=84=CA=9C=CA=80=C9=AAs=E1=B4=9B=E1=B4=8F=E1=B4=98?= =?UTF-8?q?=CA=9C=E1=B4=87=CA=80=20=E1=B4=8D?= Date: Tue, 1 Jul 2025 15:42:34 -0400 Subject: [PATCH 01/15] Update Entra guide --- .../account-security/scim-setup/entra.mdx | 36 +++++++++++-------- 1 file changed, 22 insertions(+), 14 deletions(-) diff --git a/src/content/docs/fundamentals/account/account-security/scim-setup/entra.mdx b/src/content/docs/fundamentals/account/account-security/scim-setup/entra.mdx index d877a1b58018c0..d69c54c82fad65 100644 --- a/src/content/docs/fundamentals/account/account-security/scim-setup/entra.mdx +++ b/src/content/docs/fundamentals/account/account-security/scim-setup/entra.mdx 
@@ -11,30 +11,38 @@ import { Render } from "~/components"; ## Set up the Enterprise application -1. Go to your Microsoft Entra ID instance and select **Enterprise Applications**. -2. Select **Create your own application** and name your application. -3. Select **Integrate any other application you do not find in the gallery (Non-gallery)**. -4. Select **Create**. +1. Go to the Entra admin center, select **Applications** > **Enterprise Applications**. +2. Select **New application** > **Create your own application**, then choose a name. +3. Select **Integrate any other application you don't find in the gallery (Non-gallery)**. +4. **Create** an application. ## Provision the Enterprise application -1. Under **Manage** on the sidebar menu, select **Provisioning**. -2. Select **Automatic** on the dropdown menu for the Provisioning Mode. -3. Enter your API token value and the tenant URL: `https://api.cloudflare.com/client/v4/accounts//scim/v2`. -4. Select **Test Connection**, then select **Save**. +1. Inside the application just created, under **Manage** on the sidebar menu, select **Provisioning**. +2. Select **New configuration** and enter the **Tenant URL**: `https://api.cloudflare.com/client/v4/accounts//scim/v2`, replace `` with your own [account ID](/fundamentals/account/find-account-and-zone-ids/). +3. Paste the [API token](/fundamentals/account/account-security/scim-setup/#create-an-api-token) value as **Secret token**. +4. Select **Test Connection**, then **Save** the configuration. -## Configure user & group sync in Microsoft Entra ID application +## Configure user & group synchronization in Microsoft Entra ID application -1. Once the SCIM application is created, [assign users and groups to the application](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/assign-user-or-group-access-portal?pivots=portal). -2. 
To begin syncing your Users & Groups into Cloudflare, navigate back to **Provisioning**, and under **Provisioning Status**, check *On*, then select **Save**. +1. Navigate to the application just created, under **Manage** on the sidebar menu, select **Provisioning**. +2. Once the SCIM application is created, [assign users and groups to the application](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/assign-user-or-group-access-portal?pivots=portal). +3. After the users are assigned, begin syncing your Users & Groups into Cloudflare by select **Provisioning** > **Start Provisioning**. :::note -To successfully provision with Microsoft Entra ID, the `user principal name` and `email` fields must match. These values are case-sensitive. +To successfully provision with Microsoft Entra ID: +1. The `User Principal Name` and `Email` fields must match. These values are case-sensitive. +2. The Entra group must match the same name of a Cloudflare user group. +3. User Principal Name should only contain alphanumeric characters. ::: -3. To validate which users and groups were synchronized, select **Provisioning logs** in Microsoft Entra. You can also check the Cloudflare dashboard Audit Logs by navigating to **Manage Account** > **Audit Log**. -4. To grant permissions to Users & Groups in Cloudflare, refer to the Permission Policies guide. +4. To validate which users and groups have been synchronized, navigate to **Provisioning logs** in Microsoft Entra. You can also [review the Cloudflare Audit Logs](/fundamentals/account/account-security/review-audit-logs/). +:::note +Once a Cloudflare user group is managed via SCIM, it will become `Read-only` - its members can only be edited from Entra. +::: + +5. To grant permissions to Users & Groups in Cloudflare, refer to [Roles](/fundamentals/manage-members/roles/) and [Policies](/fundamentals/manage-members/policies/). ## (Optional) Automate Cloudflare's SCIM integration 
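Review bot: In PATCH 01/15, item 3 of the added `:::note` ("User Principal Name should only contain alphanumeric characters") cannot be literally true, because a UPN always has the form user@domain and therefore contains `@` and `.`; state the actual restriction (which characters in the UPN break the match against the Cloudflare email) so readers do not try to "fix" valid UPNs. In the same hunk, "by select **Provisioning** > **Start Provisioning**" should read "by selecting", and item 2 ("The Entra group must match the same name of a Cloudflare user group") reads as a requirement while the second note a few lines later ("Once a Cloudflare user group is managed via SCIM, it will become `Read-only`") describes a consequence; say which it is, since an admin who names Entra groups to match will lock the existing Cloudflare group's membership to Entra.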
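Review bot: In PATCH 01/15, step 2 of "Provision the Enterprise application" shows the Tenant URL as `https://api.cloudflare.com/client/v4/accounts//scim/v2` and then says "replace `` with your own account ID": the placeholder between the backticks is empty in both places (and was already empty in the removed line), so confirm the placeholder token survives MDX rendering. In step 3 it would help to say that the value pasted as **Secret token** is the token created in the linked "create an API token" section and nothing broader, since that token is what Entra will present on every SCIM request.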
From ce1712b0b191b139e8a4a9c87fa161f292c58a19 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E1=B4=84=CA=9C=CA=80=C9=AAs=E1=B4=9B=E1=B4=8F=E1=B4=98?= =?UTF-8?q?=CA=9C=E1=B4=87=CA=80=20=E1=B4=8D?= Date: Tue, 1 Jul 2025 16:12:13 -0400 Subject: [PATCH 02/15] Update entra.mdx --- .../account/account-security/scim-setup/entra.mdx | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/src/content/docs/fundamentals/account/account-security/scim-setup/entra.mdx b/src/content/docs/fundamentals/account/account-security/scim-setup/entra.mdx index d69c54c82fad65..118a3a7506cfc4 100644 --- a/src/content/docs/fundamentals/account/account-security/scim-setup/entra.mdx +++ b/src/content/docs/fundamentals/account/account-security/scim-setup/entra.mdx @@ -32,14 +32,13 @@ import { Render } from "~/components"; :::note To successfully provision with Microsoft Entra ID: 1. The `User Principal Name` and `Email` fields must match. These values are case-sensitive. -2. The Entra group must match the same name of a Cloudflare user group. -3. User Principal Name should only contain alphanumeric characters. +2. User Principal Name should only contain alphanumeric characters. ::: 4. To validate which users and groups have been synchronized, navigate to **Provisioning logs** in Microsoft Entra. You can also [review the Cloudflare Audit Logs](/fundamentals/account/account-security/review-audit-logs/). -:::note -Once a Cloudflare user group is managed via SCIM, it will become `Read-only` - its members can only be edited from Entra. +:::caution[Group name] +If the Entra group shares the same name of a Cloudflare user group, the Cloudflare user group will become read-only after the provisioning. ::: 5. To grant permissions to Users & Groups in Cloudflare, refer to [Roles](/fundamentals/manage-members/roles/) and [Policies](/fundamentals/manage-members/policies/). From fa211af77fba0206404b1f9ff52a683a8c7ffa91 Mon Sep 17 00:00:00 2001 
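Review bot: In PATCH 02/15, replacing the read-only note with the `:::caution[Group name]` block drops the one concrete detail readers need ("its members can only be edited from Entra"); the new text says the group "will become read-only after the provisioning" without saying what becomes read-only (membership, policies, or both). Keep the membership detail and change "shares the same name of" to "shares the same name as". Removing item 2 of the note also silently turns name matching from a requirement into a side effect; confirm that is intended.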
From: =?UTF-8?q?=E1=B4=84=CA=9C=CA=80=C9=AAs=E1=B4=9B=E1=B4=8F=E1=B4=98?= =?UTF-8?q?=CA=9C=E1=B4=87=CA=80=20=E1=B4=8D?= Date: Tue, 1 Jul 2025 16:16:49 -0400 Subject: [PATCH 03/15] Update index.mdx --- .../account/account-security/scim-setup/index.mdx | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/src/content/docs/fundamentals/account/account-security/scim-setup/index.mdx b/src/content/docs/fundamentals/account/account-security/scim-setup/index.mdx index 12e70b8506410b..2a9f866a5da8e6 100644 --- a/src/content/docs/fundamentals/account/account-security/scim-setup/index.mdx +++ b/src/content/docs/fundamentals/account/account-security/scim-setup/index.mdx @@ -4,7 +4,7 @@ title: SCIM provisioning --- -Cloudflare supports bulk provisioning of users into the Cloudflare dashboard by using the System for Cross-domain Identity Management (SCIM) protocol. This allows you to connect your external identity provider (IdP) to Cloudflare and quickly onboard and manage users and their permissions. Cloudflare supports SCIM onboarding with Okta and Microsoft Entra. +Cloudflare supports bulk provisioning of users into the Cloudflare dashboard by using the System for Cross-domain Identity Management (SCIM) protocol. This allows you to connect your external identity provider (IdP) to Cloudflare, quickly onboard and manage user permissions. Currently, SCIM provisioning is supported with Okta and Microsoft Entra. :::note This section covers SCIM provisioning for the Cloudflare dashboard only. If you need to provision SCIM for Cloudflare Zero Trust, refer to [Zero Trust SCIM provisioning](/cloudflare-one/identity/users/scim/). 
@@ -29,7 +29,7 @@ Expectations for user lifecycle management with SCIM: ## Prerequisites - Cloudflare provisioning with SCIM is only available to Enterprise customers using Okta or Microsoft Entra. -- You must be a [Super Administrator](/fundamentals/manage-members/roles/) on the account. +- You must be a [Super Administrator](/fundamentals/manage-members/roles/) of the account. - In your identity provider, you must have the ability to create applications and groups. --- @@ -39,8 +39,7 @@ To start, you will need to collect a couple of pieces of data from Cloudflare an ### Get your Account ID -1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to the Cloudflare account that you want to configure for SCIM provisioning. -2. Copy your account ID from the account home page. +The account ID can be found via dashboard or API. For more information, refer to [Find account and zone IDs](/fundamentals/account/find-account-and-zone-ids/). ### Create an API token @@ -52,7 +51,7 @@ To start, you will need to collect a couple of pieces of data from Cloudflare an :::note - Cloudflare recommends using Account Owned API Tokens for SCIM Provisioning. Using user-specific API tokens, while supported, will lead to a broken SCIM connection in the event that the user's policies are revoked from the account with the SCIM integration. Learn more about [account owned tokens](/fundamentals/api/get-started/account-owned-tokens/). + Account Owned API Tokens are recommended for SCIM Provisioning. Using user-specific API tokens, while supported, will lead to a broken SCIM connection in the event that the user's policies are revoked from the account with the SCIM integration, or the [API access](/fundamentals/api/how-to/control-api-access/) is unexpected disabled. Learn more about [account owned tokens](/fundamentals/api/get-started/account-owned-tokens/). ::: 2. Under **Account Resources**, select the specific account to include or exclude from the dropdown menu, if applicable. 
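Review bot: In PATCH 03/15, the rewritten intro "connect your external identity provider (IdP) to Cloudflare, quickly onboard and manage user permissions" is a comma splice, and it loses "users" from the original "onboard and manage users and their permissions" even though SCIM provisions the users themselves, not only their permissions; keep "and quickly onboard and manage users and their permissions".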
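Review bot: In PATCH 03/15, the API token note hunk introduces "is unexpected disabled", which should be "unexpectedly disabled" (PATCH 06 fixes it; squash the fix here). The added clause about API access being disabled is a useful failure mode to document; since the guide elsewhere points readers at the IdP's provisioning logs, consider saying in the same note that this is where the broken connection surfaces, so the symptom can be recognized quickly.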
From 4530b3687df6bf7263d1ded923846372825ed77f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E1=B4=84=CA=9C=CA=80=C9=AAs=E1=B4=9B=E1=B4=8F=E1=B4=98?= =?UTF-8?q?=CA=9C=E1=B4=87=CA=80=20=E1=B4=8D?= Date: Tue, 1 Jul 2025 16:19:55 -0400 Subject: [PATCH 04/15] Update entra.mdx --- .../account/account-security/scim-setup/entra.mdx | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/content/docs/fundamentals/account/account-security/scim-setup/entra.mdx b/src/content/docs/fundamentals/account/account-security/scim-setup/entra.mdx index 118a3a7506cfc4..4907c63115c1a3 100644 --- a/src/content/docs/fundamentals/account/account-security/scim-setup/entra.mdx +++ b/src/content/docs/fundamentals/account/account-security/scim-setup/entra.mdx @@ -9,6 +9,8 @@ import { Render } from "~/components"; +Once you have [gathered the required data](/fundamentals/account/account-security/scim-setup/#gather-the-required-data), the following steps will be required to finish the provisioning with Entra. + ## Set up the Enterprise application 1. Go to the Entra admin center, select **Applications** > **Enterprise Applications**. 
@@ -19,8 +21,8 @@ import { Render } from "~/components"; ## Provision the Enterprise application 1. Inside the application just created, under **Manage** on the sidebar menu, select **Provisioning**. -2. Select **New configuration** and enter the **Tenant URL**: `https://api.cloudflare.com/client/v4/accounts//scim/v2`, replace `` with your own [account ID](/fundamentals/account/find-account-and-zone-ids/). -3. Paste the [API token](/fundamentals/account/account-security/scim-setup/#create-an-api-token) value as **Secret token**. +2. Select **New configuration** and enter the **Tenant URL**: `https://api.cloudflare.com/client/v4/accounts//scim/v2`, replace `` with your own account ID. +3. Paste the SCIM provisioning API token value as **Secret token**. 4. Select **Test Connection**, then **Save** the configuration. ## Configure user & group synchronization in Microsoft Entra ID application From 1980474aa2cf1644a4d780ccb2826581e4a90ed7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E1=B4=84=CA=9C=CA=80=C9=AAs=E1=B4=9B=E1=B4=8F=E1=B4=98?= =?UTF-8?q?=CA=9C=E1=B4=87=CA=80=20=E1=B4=8D?= Date: Tue, 1 Jul 2025 16:20:17 -0400 Subject: [PATCH 05/15] Update entra.mdx --- .../fundamentals/account/account-security/scim-setup/entra.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/fundamentals/account/account-security/scim-setup/entra.mdx b/src/content/docs/fundamentals/account/account-security/scim-setup/entra.mdx index 4907c63115c1a3..1e4d36c5897037 100644 --- a/src/content/docs/fundamentals/account/account-security/scim-setup/entra.mdx +++ b/src/content/docs/fundamentals/account/account-security/scim-setup/entra.mdx 
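Review bot: In PATCH 04/15, the second hunk strips the inline links to the account ID and API token sections from steps 2 and 3, leaving only the new intro sentence's link to "gathered the required data"; because the Tenant URL placeholder in these lines still renders as empty (`accounts//scim/v2`, "replace `` with"), a reader who lands on the step directly has nothing to follow. Keep at least the account ID link in step 2. The added intro "the following steps will be required to finish the provisioning with Entra" is passive; "follow these steps to finish provisioning with Entra" is shorter.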
@@ -15,7 +15,7 @@ Once you have [gathered the required data](/fundamentals/account/account-securit 1. Go to the Entra admin center, select **Applications** > **Enterprise Applications**. 2. Select **New application** > **Create your own application**, then choose a name. -3. Select **Integrate any other application you don't find in the gallery (Non-gallery)**. +3. Select **"Integrate any other application you don't find in the gallery (Non-gallery)"**. 4. **Create** an application. ## Provision the Enterprise application From 831a5c2e9edb7bc616b459d504ff6b730af1e8a5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E1=B4=84=CA=9C=CA=80=C9=AAs=E1=B4=9B=E1=B4=8F=E1=B4=98?= =?UTF-8?q?=CA=9C=E1=B4=87=CA=80=20=E1=B4=8D?= Date: Tue, 1 Jul 2025 23:31:01 -0400 Subject: [PATCH 06/15] Update index.mdx --- .../account/account-security/scim-setup/index.mdx | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/src/content/docs/fundamentals/account/account-security/scim-setup/index.mdx b/src/content/docs/fundamentals/account/account-security/scim-setup/index.mdx index 2a9f866a5da8e6..6d939cbdf99ba7 100644 --- a/src/content/docs/fundamentals/account/account-security/scim-setup/index.mdx +++ b/src/content/docs/fundamentals/account/account-security/scim-setup/index.mdx 
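Review bot: In PATCH 05/15, wrapping the bold UI label in quotation marks (`**"Integrate any other application you don't find in the gallery (Non-gallery)"**`) is inconsistent with the other steps, which bold labels without quotes, and PATCH 14 reverts it; drop this commit when squashing the series.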
@@ -4,10 +4,10 @@ title: SCIM provisioning --- -Cloudflare supports bulk provisioning of users into the Cloudflare dashboard by using the System for Cross-domain Identity Management (SCIM) protocol. This allows you to connect your external identity provider (IdP) to Cloudflare, quickly onboard and manage user permissions. Currently, SCIM provisioning is supported with Okta and Microsoft Entra. +Cloudflare supports bulk provisioning of users into the Cloudflare dashboard by using the System for Cross-domain Identity Management (SCIM) protocol. This allows you to connect an external identity provider (IdP) to Cloudflare, quickly onboard and manage user permissions. Currently, SCIM provisioning has been integrated with Okta and Microsoft Entra. :::note -This section covers SCIM provisioning for the Cloudflare dashboard only. If you need to provision SCIM for Cloudflare Zero Trust, refer to [Zero Trust SCIM provisioning](/cloudflare-one/identity/users/scim/). +This section covers SCIM provisioning for the Cloudflare dashboard. If you need to provision SCIM for Cloudflare Zero Trust, refer to [Zero Trust SCIM provisioning](/cloudflare-one/identity/users/scim/). ::: ## Expected behaviors 
@@ -28,16 +28,16 @@ Expectations for user lifecycle management with SCIM: ## Prerequisites -- Cloudflare provisioning with SCIM is only available to Enterprise customers using Okta or Microsoft Entra. -- You must be a [Super Administrator](/fundamentals/manage-members/roles/) of the account. -- In your identity provider, you must have the ability to create applications and groups. +- Cloudflare dashboard SCIM provisioning is only available to Enterprise customers using Okta or Microsoft Entra. +- You must be a [Super Administrator](/fundamentals/manage-members/roles/) for the initial setup. +- In the identity provider, you must have the ability to create applications and groups. --- ## Gather the required data To start, you will need to collect a couple of pieces of data from Cloudflare and set these aside for later use. -### Get your Account ID +### Get the Account ID The account ID can be found via dashboard or API. For more information, refer to [Find account and zone IDs](/fundamentals/account/find-account-and-zone-ids/). 
@@ -51,7 +51,7 @@ The account ID can be found via dashboard or API. For more information, refer to :::note - Account Owned API Tokens are recommended for SCIM Provisioning. Using user-specific API tokens, while supported, will lead to a broken SCIM connection in the event that the user's policies are revoked from the account with the SCIM integration, or the [API access](/fundamentals/api/how-to/control-api-access/) is unexpected disabled. Learn more about [account owned tokens](/fundamentals/api/get-started/account-owned-tokens/). + Account owned API tokens are recommended for SCIM Provisioning. User owned API tokens, while supported, will lead to a broken SCIM connection in the event when the user's policies are revoked from the account with the SCIM integration, or the [API access](/fundamentals/api/how-to/control-api-access/) is unexpectedly disabled. Learn more about [account owned tokens](/fundamentals/api/get-started/account-owned-tokens/). ::: 2. Under **Account Resources**, select the specific account to include or exclude from the dropdown menu, if applicable. From 19208e517800bc47c58b4ee197d761d910055821 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E1=B4=84=CA=9C=CA=80=C9=AAs=E1=B4=9B=E1=B4=8F=E1=B4=98?= =?UTF-8?q?=CA=9C=E1=B4=87=CA=80=20=E1=B4=8D?= Date: Tue, 1 Jul 2025 23:32:02 -0400 Subject: [PATCH 07/15] Update okta.mdx --- .../fundamentals/account/account-security/scim-setup/okta.mdx | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/content/docs/fundamentals/account/account-security/scim-setup/okta.mdx b/src/content/docs/fundamentals/account/account-security/scim-setup/okta.mdx index 5eb7fe86efe619..16ca4ca70754c7 100644 --- a/src/content/docs/fundamentals/account/account-security/scim-setup/okta.mdx +++ b/src/content/docs/fundamentals/account/account-security/scim-setup/okta.mdx 
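Review bot: In PATCH 06/15, the first hunk changes "Currently, SCIM provisioning is supported with" to "Currently, SCIM provisioning has been integrated with", which pairs "currently" with a perfect tense and is vaguer than "supported"; the comma splice "to Cloudflare, quickly onboard" from PATCH 03 is still present. Removing "only" from "for the Cloudflare dashboard only" weakens the very distinction from Zero Trust SCIM that the note exists to make; keep it.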
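Review bot: In PATCH 06/15, "You must be a Super Administrator for the initial setup" is a good narrowing (the role is needed to set the integration up, not to keep it running), but the prerequisite should then say what does keep it running: the token note in the third hunk of this same commit explains that a user-owned token breaks when that user's policies are revoked, so point from the prerequisite to the account-owned token recommendation. In that third hunk, "in the event when the user's policies are revoked" should be "if the user's policies are revoked".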
@@ -9,6 +9,8 @@ import { Render } from "~/components"; +Once you have [gathered the required data](/fundamentals/account/account-security/scim-setup/#gather-the-required-data), the following steps will be required to finish the provisioning with Okta. + ## Set up your Okta SCIM application 1. In the Okta dashboard, go to **Applications** > **Applications**. @@ -43,4 +45,4 @@ The **Update User Attributes** option is not supported. To verify the integration, select **View Logs** in the Okta SCIM application, and check the Audit Logs in the Cloudflare dashboard by navigating to **Manage Account** > **Audit Log**. -This will provision all of the users in the group(s) affected to your Cloudflare account with "minimal account access." \ No newline at end of file +This will provision all of the users in the group(s) affected to your Cloudflare account with "minimal account access." From a3ad44486475c828d23f818df149460d47e63d86 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E1=B4=84=CA=9C=CA=80=C9=AAs=E1=B4=9B=E1=B4=8F=E1=B4=98?= =?UTF-8?q?=CA=9C=E1=B4=87=CA=80=20=E1=B4=8D?= Date: Wed, 2 Jul 2025 00:51:27 -0400 Subject: [PATCH 08/15] Update index.mdx --- .../account/account-security/scim-setup/index.mdx | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/src/content/docs/fundamentals/account/account-security/scim-setup/index.mdx b/src/content/docs/fundamentals/account/account-security/scim-setup/index.mdx index 6d939cbdf99ba7..0fc66c1bf3e7c0 100644 --- a/src/content/docs/fundamentals/account/account-security/scim-setup/index.mdx +++ b/src/content/docs/fundamentals/account/account-security/scim-setup/index.mdx 
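Review bot: In PATCH 07/15, the added Okta intro sentence is identical to the Entra one from PATCH 04 apart from the IdP name; both files already `import { Render } from "~/components"`, so a shared partial taking the IdP name would keep the two in sync as the wording changes. The trailing-newline fix in the second hunk is fine.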
@@ -10,6 +10,15 @@ Cloudflare supports bulk provisioning of users into the Cloudflare dashboard by This section covers SCIM provisioning for the Cloudflare dashboard. If you need to provision SCIM for Cloudflare Zero Trust, refer to [Zero Trust SCIM provisioning](/cloudflare-one/identity/users/scim/). ::: +## Objectives + +Once the SCIM provisioning is enabled: + +1. A Cloudflare account can receive user group provisioning from the identity provider. +2. Members of each user group can be assigned one or more policies. Each policy defines one or more roles to be applied to all group members thereof. +3. Members can belong to multiple user groups, each group can also be configured with different policies. +4. Policies provisioned via SCIM can coexist with policies configured via the [traditional setup](/fundamentals/manage-members/manage/#edit-member-permissions). + ## Expected behaviors Expectations for user lifecycle management with SCIM: From 645e5c5b02bf1b10685ab5ea7b526cc72a3efc4f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E1=B4=84=CA=9C=CA=80=C9=AAs=E1=B4=9B=E1=B4=8F=E1=B4=98?= =?UTF-8?q?=CA=9C=E1=B4=87=CA=80=20=E1=B4=8D?= Date: Wed, 2 Jul 2025 01:14:22 -0400 Subject: [PATCH 09/15] Update index.mdx --- .../account/account-security/scim-setup/index.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/content/docs/fundamentals/account/account-security/scim-setup/index.mdx b/src/content/docs/fundamentals/account/account-security/scim-setup/index.mdx index 0fc66c1bf3e7c0..4986cf4de3563d 100644 --- a/src/content/docs/fundamentals/account/account-security/scim-setup/index.mdx +++ b/src/content/docs/fundamentals/account/account-security/scim-setup/index.mdx 
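Review bot: In PATCH 08/15, Objectives item 4 ("Policies provisioned via SCIM can coexist with policies configured via the traditional setup") is the sentence readers will use to reason about least privilege, so it should say how the two sets combine and what deprovisioning does: whether effective permissions are the union of SCIM-provisioned and manually assigned policies, and whether removing a user from the IdP group also removes the policies assigned by hand. Items 2 and 3 need light edits: "applied to all group members thereof" ("thereof" is redundant) and the comma splice in "Members can belong to multiple user groups, each group can also be configured with different policies".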
@@ -15,7 +15,7 @@ This section covers SCIM provisioning for the Cloudflare dashboard. If you need Once the SCIM provisioning is enabled: 1. A Cloudflare account can receive user group provisioning from the identity provider. -2. Members of each user group can be assigned one or more policies. Each policy defines one or more roles to be applied to all group members thereof. +2. Members of each user group can be assigned one or more [policies](/fundamentals/manage-members/policies/). Each policy defines one or more [roles](https://developers.cloudflare.com/fundamentals/manage-members/roles/) applied to all group members thereof. 3. Members can belong to multiple user groups, each group can also be configured with different policies. 4. Policies provisioned via SCIM can coexist with policies configured via the [traditional setup](/fundamentals/manage-members/manage/#edit-member-permissions). @@ -38,7 +38,7 @@ Expectations for user lifecycle management with SCIM: ## Prerequisites - Cloudflare dashboard SCIM provisioning is only available to Enterprise customers using Okta or Microsoft Entra. -- You must be a [Super Administrator](/fundamentals/manage-members/roles/) for the initial setup. +- You must be a Super Administrator for the initial setup. - In the identity provider, you must have the ability to create applications and groups. --- From 36e9227a69ea2f137f0cb51d627e00825d35ef9e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E1=B4=84=CA=9C=CA=80=C9=AAs=E1=B4=9B=E1=B4=8F=E1=B4=98?= =?UTF-8?q?=CA=9C=E1=B4=87=CA=80=20=E1=B4=8D?= Date: Wed, 2 Jul 2025 01:16:05 -0400 Subject: [PATCH 10/15] Update entra.mdx --- .../account/account-security/scim-setup/entra.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/content/docs/fundamentals/account/account-security/scim-setup/entra.mdx b/src/content/docs/fundamentals/account/account-security/scim-setup/entra.mdx index 1e4d36c5897037..cc6f5868290889 100644 
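Review bot: In PATCH 09/15, the first hunk links roles with an absolute URL (`https://developers.cloudflare.com/fundamentals/manage-members/roles/`) while policies on the same line use a relative path; use the relative form for both so links resolve on preview builds. The second hunk removes the link from "Super Administrator" with no replacement, leaving a role name with nowhere to look it up; it is the same roles page the first hunk links to, so keep it.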
--- a/src/content/docs/fundamentals/account/account-security/scim-setup/entra.mdx +++ b/src/content/docs/fundamentals/account/account-security/scim-setup/entra.mdx @@ -28,7 +28,7 @@ Once you have [gathered the required data](/fundamentals/account/account-securit ## Configure user & group synchronization in Microsoft Entra ID application 1. Navigate to the application just created, under **Manage** on the sidebar menu, select **Provisioning**. -2. Once the SCIM application is created, [assign users and groups to the application](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/assign-user-or-group-access-portal?pivots=portal). +2. Once the SCIM application is created, [assign users and groups to the application](https://learn.microsoft.com/entra/identity/enterprise-apps/assign-user-or-group-access-portal). 3. After the users are assigned, begin syncing your Users & Groups into Cloudflare by select **Provisioning** > **Start Provisioning**. :::note @@ -47,7 +47,7 @@ If the Entra group shares the same name of a Cloudflare user group, the Cloudfla ## (Optional) Automate Cloudflare's SCIM integration -Cloudflare's SCIM integration requires one external application per account. Customers with many accounts may want to automate part of the setup to save time and reduce the amount of time spent in the Entra administrative UI. +Cloudflare's SCIM integration requires one external application per account. Customers with multiple accounts may want to automate part of the setup to save time and reduce the amount of time spent in the Entra administrative UI. The initial setup of creating the non-gallery applications and adding the provisioning URL and API key are scriptable via API, but the rest of the setup is dependent on your specific need and IDP configuration. From a700f5e17aad71fd819c388872a86a74e9a93055 Mon Sep 17 00:00:00 2001 
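Review bot: In PATCH 10/15, the first hunk drops `?pivots=portal` from the Microsoft Learn URL; confirm the page opens on the portal instructions without it, since the surrounding steps describe the admin center UI. In the second hunk, "to save time and reduce the amount of time spent in the Entra administrative UI" says the same thing twice; keep one. The unchanged context line spells the provider "IDP" where the rest of the guide uses "IdP".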
From: =?UTF-8?q?=E1=B4=84=CA=9C=CA=80=C9=AAs=E1=B4=9B=E1=B4=8F=E1=B4=98?= =?UTF-8?q?=CA=9C=E1=B4=87=CA=80=20=E1=B4=8D?= Date: Wed, 2 Jul 2025 01:20:55 -0400 Subject: [PATCH 11/15] Update index.mdx --- .../fundamentals/account/account-security/scim-setup/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/fundamentals/account/account-security/scim-setup/index.mdx b/src/content/docs/fundamentals/account/account-security/scim-setup/index.mdx index 4986cf4de3563d..fcdf2af14694ec 100644 --- a/src/content/docs/fundamentals/account/account-security/scim-setup/index.mdx +++ b/src/content/docs/fundamentals/account/account-security/scim-setup/index.mdx @@ -60,7 +60,7 @@ The account ID can be found via dashboard or API. For more information, refer to :::note - Account owned API tokens are recommended for SCIM Provisioning. User owned API tokens, while supported, will lead to a broken SCIM connection in the event when the user's policies are revoked from the account with the SCIM integration, or the [API access](/fundamentals/api/how-to/control-api-access/) is unexpectedly disabled. Learn more about [account owned tokens](/fundamentals/api/get-started/account-owned-tokens/). + Account owned API tokens are recommended for SCIM Provisioning. User owned API tokens, while supported, may result in a broken SCIM connection in the event when the user's policies are revoked from the SCIM integration, or the [API access](/fundamentals/api/how-to/control-api-access/) is unexpectedly disabled. Learn more about [account owned tokens](/fundamentals/api/get-started/account-owned-tokens/). ::: 2. Under **Account Resources**, select the specific account to include or exclude from the dropdown menu, if applicable. From 60b9b6833b065809c21e957b6495d5ef5a42e6f3 Mon Sep 17 00:00:00 2001 
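Review bot: In PATCH 11/15, "revoked from the SCIM integration" is less precise than the previous "revoked from the account with the SCIM integration": the policies are revoked from the account, and the integration breaks as a consequence because a user-owned token carries only that user's permissions. "In the event when" should be "if". Softening "will lead to" to "may result in" is only right if there are cases where the connection survives; otherwise keep "will".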
From: =?UTF-8?q?=E1=B4=84=CA=9C=CA=80=C9=AAs=E1=B4=9B=E1=B4=8F=E1=B4=98?= =?UTF-8?q?=CA=9C=E1=B4=87=CA=80=20=E1=B4=8D?= Date: Wed, 2 Jul 2025 01:31:06 -0400 Subject: [PATCH 12/15] Update entra.mdx --- .../account/account-security/scim-setup/entra.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/content/docs/fundamentals/account/account-security/scim-setup/entra.mdx b/src/content/docs/fundamentals/account/account-security/scim-setup/entra.mdx index cc6f5868290889..3cfd00c508a69c 100644 --- a/src/content/docs/fundamentals/account/account-security/scim-setup/entra.mdx +++ b/src/content/docs/fundamentals/account/account-security/scim-setup/entra.mdx @@ -32,8 +32,8 @@ Once you have [gathered the required data](/fundamentals/account/account-securit 3. After the users are assigned, begin syncing your Users & Groups into Cloudflare by select **Provisioning** > **Start Provisioning**. :::note -To successfully provision with Microsoft Entra ID: -1. The `User Principal Name` and `Email` fields must match. These values are case-sensitive. +To successfully synchronize the group details into Cloudflare: +1. The `User Principal Name` (of `Identity`) and `Email` (of `Contact Information`) fields must match of the same group member. These values are case-sensitive. Learn more about [how to create, invite, and delete users](https://learn.microsoft.com/entra/fundamentals/how-to-create-delete-users). 2. User Principal Name should only contain alphanumeric characters. ::: From 8a578a546dc7805b2e0891cc5496e59f18f9545c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E1=B4=84=CA=9C=CA=80=C9=AAs=E1=B4=9B=E1=B4=8F=E1=B4=98?= =?UTF-8?q?=CA=9C=E1=B4=87=CA=80=20=E1=B4=8D?= Date: Wed, 2 Jul 2025 09:57:59 -0400 Subject: [PATCH 13/15] Update entra.mdx --- .../account-security/scim-setup/entra.mdx | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) 
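Review bot: In PATCH 12/15, "must match of the same group member" is ungrammatical (PATCH 13 rewrites it; squash). `Identity` and `Contact Information` are UI section names, and the guide bolds UI elements elsewhere, so backticks are inconsistent here. Item 2 ("User Principal Name should only contain alphanumeric characters") is carried over unchanged and still conflicts with the user@domain form of a UPN; this commit touches the note, so it is the place to clarify it.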
diff --git a/src/content/docs/fundamentals/account/account-security/scim-setup/entra.mdx b/src/content/docs/fundamentals/account/account-security/scim-setup/entra.mdx index 3cfd00c508a69c..28020da6aa0b57 100644 --- a/src/content/docs/fundamentals/account/account-security/scim-setup/entra.mdx +++ b/src/content/docs/fundamentals/account/account-security/scim-setup/entra.mdx @@ -14,7 +14,7 @@ Once you have [gathered the required data](/fundamentals/account/account-securit ## Set up the Enterprise application 1. Go to the Entra admin center, select **Applications** > **Enterprise Applications**. -2. Select **New application** > **Create your own application**, then choose a name. +2. In the Microsoft Entra Gallery, select **New application** > **Create your own application**, then choose a name. 3. Select **"Integrate any other application you don't find in the gallery (Non-gallery)"**. 4. **Create** an application. 
@@ -25,25 +25,25 @@ Once you have [gathered the required data](/fundamentals/account/account-securit 3. Paste the SCIM provisioning API token value as **Secret token**. 4. Select **Test Connection**, then **Save** the configuration. -## Configure user & group synchronization in Microsoft Entra ID application +## Configure user & group synchronization -1. Navigate to the application just created, under **Manage** on the sidebar menu, select **Provisioning**. -2. Once the SCIM application is created, [assign users and groups to the application](https://learn.microsoft.com/entra/identity/enterprise-apps/assign-user-or-group-access-portal). -3. After the users are assigned, begin syncing your Users & Groups into Cloudflare by select **Provisioning** > **Start Provisioning**. +1. Navigate to the application just created, under **Manage** on the sidebar menu, select **Users and groups**. +2. [Assign users and groups to the application](https://learn.microsoft.com/entra/identity/enterprise-apps/assign-user-or-group-access-portal). +3. After the users are assigned, navigate to **Provisioning** on the sidebar menu and select **Start Provisioning**. :::note To successfully synchronize the group details into Cloudflare: -1. The `User Principal Name` (of `Identity`) and `Email` (of `Contact Information`) fields must match of the same group member. These values are case-sensitive. Learn more about [how to create, invite, and delete users](https://learn.microsoft.com/entra/fundamentals/how-to-create-delete-users). +1. The `User Principal Name` (of `Identity`) and `Email` (of `Contact Information`) fields of each user must be identical (values are case-sensitive). Learn more about [how to create, invite, and delete users](https://learn.microsoft.com/entra/fundamentals/how-to-create-delete-users). 2. User Principal Name should only contain alphanumeric characters. ::: -4. 
To validate which users and groups have been synchronized, navigate to **Provisioning logs** in Microsoft Entra. You can also [review the Cloudflare Audit Logs](/fundamentals/account/account-security/review-audit-logs/). +3. To validate which users and groups have been synchronized, navigate to **Provisioning logs** on the sidebar menu. You can also [review the Cloudflare Audit Logs](/fundamentals/account/account-security/review-audit-logs/). -:::caution[Group name] -If the Entra group shares the same name of a Cloudflare user group, the Cloudflare user group will become read-only after the provisioning. +:::caution[Read-only group] +If the Entra group shares the same name of an existing Cloudflare user group, the Cloudflare user group will become read-only after the provisioning. ::: -5. To grant permissions to Users & Groups in Cloudflare, refer to [Roles](/fundamentals/manage-members/roles/) and [Policies](/fundamentals/manage-members/policies/). +4. To grant permissions to users & groups at Cloudflare, refer to [Roles](/fundamentals/manage-members/roles/) and [Policies](/fundamentals/manage-members/policies/). ## (Optional) Automate Cloudflare's SCIM integration From fc242eabbf963199ada77c7045ffaa3aa8a5f94c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Denise=20Pe=C3=B1a?= <75506267+dcpena@users.noreply.github.com> Date: Tue, 8 Jul 2025 10:35:26 -0500 Subject: [PATCH 14/15] Changes to align with style guide --- .../account-security/scim-setup/entra.mdx | 22 +++++++++---------- 1 file changed, 10 insertions(+), 12 deletions(-) diff --git a/src/content/docs/fundamentals/account/account-security/scim-setup/entra.mdx b/src/content/docs/fundamentals/account/account-security/scim-setup/entra.mdx index 28020da6aa0b57..78317986c36b64 100644 --- a/src/content/docs/fundamentals/account/account-security/scim-setup/entra.mdx +++ b/src/content/docs/fundamentals/account/account-security/scim-setup/entra.mdx 
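Review bot: the renumbering in the `@@ -25,25 +25,25 @@` hunk of entra.mdx leaves two steps labelled 3: `3. After the users are assigned, navigate to **Provisioning** on the sidebar menu and select **Start Provisioning**.` precedes the note, and the validation step after the note is also changed to `+3. To validate which users and groups have been synchronized ...`, followed by `+4. To grant permissions ...`; those should be 4 and 5. The note's second item, "User Principal Name should only contain alphanumeric characters", cannot be met as written, since every UPN contains an `@` and a domain with dots; say which part of the UPN (the prefix before `@`?) is restricted and which characters the Cloudflare SCIM endpoint actually rejects, otherwise readers will not know what to fix when a user fails to sync. In the caution, "shares the same name of an existing Cloudflare user group" should be "the same name as", and it would help to say what "read-only" means in practice (whether membership can still be changed from the Cloudflare dashboard or only from Entra), since that is the behaviour an administrator runs into right after provisioning.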
@@ -13,37 +13,35 @@ Once you have [gathered the required data](/fundamentals/account/account-securit ## Set up the Enterprise application -1. Go to the Entra admin center, select **Applications** > **Enterprise Applications**. +1. Go to the Entra admin center and select **Applications** > **Enterprise Applications**. 2. In the Microsoft Entra Gallery, select **New application** > **Create your own application**, then choose a name. -3. Select **"Integrate any other application you don't find in the gallery (Non-gallery)"**. +3. Select **Integrate any other application you don't find in the gallery (Non-gallery)**. 4. **Create** an application. ## Provision the Enterprise application -1. Inside the application just created, under **Manage** on the sidebar menu, select **Provisioning**. -2. Select **New configuration** and enter the **Tenant URL**: `https://api.cloudflare.com/client/v4/accounts//scim/v2`, replace `` with your own account ID. +1. Inside the newly created application under **Manage** from the sidebar menu, select **Provisioning**. +2. Select **New configuration** and enter the **Tenant URL**: `https://api.cloudflare.com/client/v4/accounts//scim/v2`. Replace `` with your own account ID. 3. Paste the SCIM provisioning API token value as **Secret token**. -4. Select **Test Connection**, then **Save** the configuration. +4. Select **Test Connection** then **Save** the configuration. -## Configure user & group synchronization +## Configure user and group synchronization -1. Navigate to the application just created, under **Manage** on the sidebar menu, select **Users and groups**. +1. Navigate to the newly created application under **Manage** from the sidebar menu, select **Users and groups**. 2. [Assign users and groups to the application](https://learn.microsoft.com/entra/identity/enterprise-apps/assign-user-or-group-access-portal). 3. After the users are assigned, navigate to **Provisioning** on the sidebar menu and select **Start Provisioning**. 
:::note -To successfully synchronize the group details into Cloudflare: -1. The `User Principal Name` (of `Identity`) and `Email` (of `Contact Information`) fields of each user must be identical (values are case-sensitive). Learn more about [how to create, invite, and delete users](https://learn.microsoft.com/entra/fundamentals/how-to-create-delete-users). -2. User Principal Name should only contain alphanumeric characters. +To successfully synchronize the group details into Cloudflare the `User Principal Name` (of `Identity`) and `Email` (of `Contact Information`) fields of each user must be identical. Values are case-sensitive, and the User Principal Name can only contain alphanumeric characters. Learn more about [how to create, invite, and delete users](https://learn.microsoft.com/entra/fundamentals/how-to-create-delete-users). ::: -3. To validate which users and groups have been synchronized, navigate to **Provisioning logs** on the sidebar menu. You can also [review the Cloudflare Audit Logs](/fundamentals/account/account-security/review-audit-logs/). +4. To validate which users and groups have been synchronized, navigate to **Provisioning logs** on the sidebar menu. You can also [review the Cloudflare Audit Logs](/fundamentals/account/account-security/review-audit-logs/). :::caution[Read-only group] If the Entra group shares the same name of an existing Cloudflare user group, the Cloudflare user group will become read-only after the provisioning. ::: -4. To grant permissions to users & groups at Cloudflare, refer to [Roles](/fundamentals/manage-members/roles/) and [Policies](/fundamentals/manage-members/policies/). +5. To grant permissions to users and groups at Cloudflare, refer to [Roles](/fundamentals/manage-members/roles/) and [Policies](/fundamentals/manage-members/policies/). ## (Optional) Automate Cloudflare's SCIM integration From 51070633dd69067136b5277dce96ba0336c13b0c Mon Sep 17 00:00:00 2001 
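Review bot: the merged note in the `@@ -13,37 +13,35 @@` hunk still states that the User Principal Name "can only contain alphanumeric characters", which no UPN satisfies (`@` and `.` are always present); the style pass is a good moment to replace it with the real restriction on the UPN prefix rather than carry the claim forward. Smaller points in the same hunk: the note's first sentence needs a comma after "Cloudflare" (`To successfully synchronize the group details into Cloudflare, the ...`); "Values are case-sensitive" is clearer as "The comparison is case-sensitive", since it is the match between the two fields that matters; step 1 of the synchronization section is a comma splice (`Navigate to the newly created application and, under **Manage** in the sidebar menu, select **Users and groups**.`); `Select **Test Connection** then **Save** the configuration.` lost the comma the old line had; and the caution still reads "the same name of an existing" rather than "the same name as".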
From: =?UTF-8?q?Denise=20Pe=C3=B1a?= <75506267+dcpena@users.noreply.github.com> Date: Tue, 8 Jul 2025 10:38:17 -0500 Subject: [PATCH 15/15] Minor updates to align with style guide --- .../account/account-security/scim-setup/index.mdx | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/content/docs/fundamentals/account/account-security/scim-setup/index.mdx b/src/content/docs/fundamentals/account/account-security/scim-setup/index.mdx index fcdf2af14694ec..8a1a2770d19f1a 100644 --- a/src/content/docs/fundamentals/account/account-security/scim-setup/index.mdx +++ b/src/content/docs/fundamentals/account/account-security/scim-setup/index.mdx 
@@ -14,10 +14,10 @@ This section covers SCIM provisioning for the Cloudflare dashboard. If you need Once the SCIM provisioning is enabled: -1. A Cloudflare account can receive user group provisioning from the identity provider. -2. Members of each user group can be assigned one or more [policies](/fundamentals/manage-members/policies/). Each policy defines one or more [roles](https://developers.cloudflare.com/fundamentals/manage-members/roles/) applied to all group members thereof. -3. Members can belong to multiple user groups, each group can also be configured with different policies. -4. Policies provisioned via SCIM can coexist with policies configured via the [traditional setup](/fundamentals/manage-members/manage/#edit-member-permissions). +- A Cloudflare account can receive user group provisioning from the identity provider. +- Members of each user group can be assigned one or more [policies](/fundamentals/manage-members/policies/). Each policy defines one or more [roles](https://developers.cloudflare.com/fundamentals/manage-members/roles/) applied to all group members thereof. +- Members can belong to multiple user groups, and each group can also be configured with different policies. +- Policies provisioned via SCIM can coexist with policies configured via the [traditional setup](/fundamentals/manage-members/manage/#edit-member-permissions). ## Expected behaviors
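Review bot: the last bullet says SCIM-provisioned policies "can coexist" with policies from the traditional setup but not how the two combine, and for an access-control page that is the fact a reader needs: state whether a member's effective permissions are the union of both sets (in which case a leftover manually assigned policy grants more than the Entra group intends) and which side applies when they conflict. Two smaller points in the same hunk: the roles link is absolute (`https://developers.cloudflare.com/fundamentals/manage-members/roles/`) while the neighbouring links are site-relative, so `/fundamentals/manage-members/roles/` would be consistent; and "applied to all group members thereof" is redundant, `applied to every member of the group` reads better.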