
IDP - Identity Providers

PIN Only

Allowed users receive a PIN in their e-mail inbox and use it to gain access.

Warning

Cloudflare always displays a message saying that a PIN has been sent. However, no PIN is actually sent to users who are not allowed to access the specific application.

Azure AD Integration and SCIM (Users/Groups Retrieval)

SCIM Setup

Synchronize users and groups

The Microsoft Entra ID integration allows you to synchronize IdP groups and automatically deprovision users using SCIM.

Prerequisites

Microsoft Entra ID P1 or P2 license

1. Enable SCIM in Zero Trust

In Zero Trust, go to Settings > Authentication.

Find the Entra ID integration and select Edit.

Turn on Enable SCIM and Support groups.

(Optional) Configure the following settings:

Enable user deprovisioning: Revoke a user's active session when they are removed from the SCIM application in Entra ID. This will invalidate all active Access sessions and prompt for reauthentication for any WARP session policies.

Remove user seat on deprovision: Remove a user's seat from your Zero Trust account when they are removed from the SCIM application in Entra ID.

SCIM identity update behavior: Choose what happens in Zero Trust when the user's identity updates in Entra ID. The options are:

Automatic identity updates: Automatically update the User Registry identity when Entra ID sends an updated identity or group membership through SCIM. This identity is used for Gateway policies and WARP device profiles; Access will read the user's updated identity when they reauthenticate.

Group membership change reauthentication: Revoke a user's active session when their group membership changes in Entra ID. This will invalidate all active Access sessions and prompt for reauthentication for any WARP session policies. Access will read the user's updated group membership when they reauthenticate.

No action: Update the user's identity the next time they reauthenticate to Access or WARP.

Select Regenerate Secret.

Copy the SCIM Endpoint and SCIM Secret. You will need to enter these values into Entra ID.

Select Save.

The SCIM secret never expires, but you can manually regenerate the secret at any time.

2. Configure SCIM in Entra ID

Note: SCIM requires a separate enterprise application from the one created during initial setup.

In the Microsoft Entra ID menu, go to Enterprise applications.

Select New application > Create your own application.

Name your application (for example, Cloudflare Access SCIM).

Select Integrate any other application you don't find in the gallery (Non-gallery). If offered, do not select any of the gallery applications. Select Create.

After you have created the application, go to Provisioning and select New Configuration.

In the Tenant URL field, enter the SCIM Endpoint obtained from your Entra ID integration in Zero Trust in the previous step.

In the Secret token field, enter the SCIM Secret obtained from your Entra ID integration in Zero Trust in the previous step.

Select Test Connection to ensure that the credentials were entered correctly. If the test fails, go to your Entra ID integration in Zero Trust, select Regenerate Secret, select Save, and enter your new SCIM Secret in the Secret token field.

Select Create.

Once the SCIM application is created, assign users and groups to the application.

Note: Groups in this SCIM application should match the groups in your other Cloudflare Access enterprise application. Because SCIM group membership updates will overwrite any groups in a user's identity, assigning the same groups to each app ensures consistent policy evaluation.

Go to Provisioning and select Start provisioning.

Provisioning Mode should already be set to Automatic, which is the Microsoft default.

On the Overview page in Entra ID, you will see the synchronization status.

To check which users and groups were synchronized, select Provisioning logs.

To check if user identities were updated in Zero Trust, view your SCIM provisioning logs.

To monitor the exchange of identity details between Cloudflare Access and Microsoft Entra ID, go to Zero Trust > Logs > SCIM provisioning and view the SCIM activity logs.

Provisioning attributes

Provisioning attributes define the user properties that Entra ID synchronizes with Cloudflare Access. To modify your provisioning attributes, go to Attribute mapping and select Provision Microsoft Entra ID Users.

If not already configured, Cloudflare recommends enabling the following user attribute mappings:

customappsso Attribute          Entra ID Attribute   Recommendation
emails[type eq "work"].value    mail                 Required
name.givenName                  givenName            Recommended
name.familyName                 surname              Recommended

Entra groups in Zero Trust policies

Automatic entry

When SCIM synchronization is enabled, your Entra group names will automatically appear in the Access and Gateway policy builders.

If building an Access policy, choose the Azure Groups selector.

[Image: Azure group names displayed in the Access policy builder]

If building a Gateway policy, choose the User Group Names selector.

Manual entry

You can create Access and Gateway policies for groups that are not synchronized with SCIM. Entra ID identifies each directory group by an Object Id, a random-looking string that is distinct from the group's Name.

Make sure you enable Support groups as you set up Microsoft Entra ID in Zero Trust.

In your Microsoft Entra dashboard, note the Object Id for the Entra group. In the example below, the group named Admins has an ID of 61503835-b6fe-4630-af88-de551dd59a2.

[Image: Viewing the Azure group ID on the Azure dashboard]

If building an Access policy, choose the Azure Groups selector. If building a Gateway policy, choose the User Group IDs selector.

In the Value field, enter the Object Id for the Entra group.

[Image: Entering an Azure group ID in Zero Trust]

Nested groups

Access and Gateway policies for an Entra group will also apply to all nested groups. For example, if a user belongs to the group US devs, and US devs is part of the broader group Devs, the user would be allowed or blocked by all policies created for Devs.
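As an added illustration (not Cloudflare's code or documentation) of two points above, the recommended attribute mapping and the nested-group behaviour: a small resolver for SCIM paths such as emails[type eq "work"].value, and a transitive group lookup showing why a policy built on Devs also covers members of US devs. The SCIM user, the group Object Ids and every name below are constructed.

```python
import re
_FILTER = re.compile(r'^(\w+)\[(\w+) eq "([^"]*)"\]$')  # e.g. emails[type eq "work"]

# Constructed SCIM 2.0 User resource, shaped like what Entra ID provisions.
SCIM_USER = {
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "emails": [{"type": "other", "value": "jane.personal@example.net"},
               {"type": "work", "value": "jdoe@example.com", "primary": True}],
}

# The page's recommended mappings: SCIM (customappsso) path -> identity field.
ATTRIBUTE_MAPPING = {
    'emails[type eq "work"].value': "email",
    "name.givenName": "given_name",
    "name.familyName": "family_name",
}

def resolve_path(resource, path):
    """Walk a dotted SCIM path; a filtered segment selects the first matching list element."""
    node = resource
    for segment in path.split("."):
        if not isinstance(node, dict):
            return None
        m = _FILTER.match(segment)
        if m:  # m[1] is the list attribute, m[2] the sub-attribute, m[3] the literal
            node = next((e for e in node.get(m[1], []) if e.get(m[2]) == m[3]), None)
        else:
            node = node.get(segment)
    return node

def map_identity(resource):
    """Apply the mapping; email is the only Required attribute, so its absence is an error."""
    identity = {f: resolve_path(resource, p) for p, f in ATTRIBUTE_MAPPING.items()}
    if identity["email"] is None:
        raise ValueError('SCIM user has no emails[type eq "work"] entry')
    return identity

# Constructed Entra groups keyed by Object Id (placeholder GUIDs); "US devs" is nested in "Devs".
GROUPS = {
    "00000000-0000-0000-0000-000000000001": {"name": "Devs", "members": ["00000000-0000-0000-0000-000000000002"]},
    "00000000-0000-0000-0000-000000000002": {"name": "US devs", "members": ["jdoe@example.com"]},
}

def effective_groups(member):
    """Object Ids of every group containing member, directly or through nesting."""
    found, frontier = set(), {member}
    while frontier:
        frontier = {gid for gid, g in GROUPS.items() if frontier & set(g["members"])} - found
        found |= frontier
    return found
```

A policy whose Value is the Devs Object Id matches jdoe because effective_groups returns both the US devs and the Devs Object Ids.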