Important Update: Cloudflare now supports native User Groups for enhanced access control. This new feature replaces the previous method of directly assigning Cloudflare roles based on IdP group mappings (identified by the pattern CF-<accountID> - <Role Name>), which is deprecated as of June 2nd, 2025. SCIM Virtual Groups will reach end-of-life on December 2, 2025. Update your SCIM configurations using the instructions below to use User Groups for seamless provisioning.
Once you have gathered the required data, complete the following steps to finish provisioning with Entra.
- Go to the Entra admin center and select Applications > Enterprise Applications.
- In the Microsoft Entra Gallery, select New application > Create your own application, then choose a name.
- Select Integrate any other application you don't find in the gallery (Non-gallery).
- Create an application.
- Inside the newly created application, under Manage in the sidebar menu, select Provisioning.
- Select New configuration and enter the Tenant URL: https://api.cloudflare.com/client/v4/accounts/<ACCOUNT_ID>/scim/v2. Replace <ACCOUNT_ID> with your own account ID.
- Paste the SCIM provisioning API token value as Secret token.
- Select Test Connection, then Save the configuration.
- Navigate to the newly created application; under Manage in the sidebar menu, select Users and groups.
- Assign users and groups to the application.
- After the users are assigned, navigate to Provisioning on the sidebar menu and select Start Provisioning.
To successfully synchronize the group details into Cloudflare, the User Principal Name (under Identity) and Email (under Contact Information) fields of each user must be identical. Values are case-sensitive, and the User Principal Name can only contain alphanumeric characters. Learn more about how to create, invite, and delete users.
- To validate which users and groups have been synchronized, navigate to Provisioning logs on the sidebar menu. You can also review the Cloudflare Audit Logs.
If the Entra group has the same name as an existing Cloudflare user group, the Cloudflare user group will become read-only after provisioning.
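A mismatch between a user's User Principal Name and Email is the most common reason a user fails to appear in Cloudflare after a sync, so it is worth checking assigned users before selecting Start Provisioning. The following pre-flight check is an added example, not Cloudflare's or Microsoft's code: it applies the identity rule above (UPN and mail must be identical, compared case-sensitively) to a list of user records shaped like Microsoft Graph user objects. The user records are constructed sample data and the function names are this example's own.

```python
"""Pre-flight check: flag users whose User Principal Name and mail differ.

Added example; the records below are constructed samples shaped like
Microsoft Graph user objects (userPrincipalName / mail), not real users.
"""

SAMPLE_USERS = [  # constructed sample data
    {"userPrincipalName": "alice@example.com", "mail": "alice@example.com"},  # OK
    {"userPrincipalName": "Bob@example.com", "mail": "bob@example.com"},      # case differs
    {"userPrincipalName": "carol@example.com", "mail": None},                 # no mail set
]


def find_sync_blockers(users):
    """Return (upn, reason) pairs for users that would not sync cleanly.

    The comparison is exact (case-sensitive), matching the rule above; a
    case-only difference is reported separately because it is the easiest
    one to miss when eyeballing the Entra user list.
    """
    problems = []
    for user in users:
        upn = user.get("userPrincipalName") or ""
        mail = user.get("mail")
        if not mail:
            problems.append((upn, "mail is empty"))
        elif upn != mail:
            if upn.lower() == mail.lower():
                problems.append((upn, f"case mismatch with mail {mail!r}"))
            else:
                problems.append((upn, f"does not match mail {mail!r}"))
    return problems


if __name__ == "__main__":
    for upn, reason in find_sync_blockers(SAMPLE_USERS):
        print(f"{upn}: {reason}")
```

In practice the input would be the users assigned to the enterprise application (for example exported from the Entra admin center or fetched via Graph); only users with an empty result from this check should be expected to show up in the Cloudflare Audit Logs after provisioning.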
Cloudflare's SCIM integration requires one external application per account. Customers with multiple accounts may want to automate part of the setup to reduce the time spent in the Entra administrative UI.
The initial setup of creating the non-gallery applications and adding the provisioning URL and API key is scriptable via API, but the rest of the setup depends on your specific needs and IdP configuration.
1. Get an access token
Get an Entra access token. The example below uses the Azure CLI.
```sh
# Using azure-cli
az login
az account get-access-token --resource https://graph.microsoft.com
# (payload with accessToken returned)
```
2. Create a new application via template
The template ID 8adf8e6e-67b2-4cf2-a259-e3dc5476c621 is the suggested template to create non-gallery apps in the Entra docs. Replace <accessToken> and displayName with your values.
```sh
curl -X POST 'https://graph.microsoft.com/v1.0/applicationTemplates/8adf8e6e-67b2-4cf2-a259-e3dc5476c621/instantiate' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Bearer <accessToken>' \
  --data-raw '{"displayName": "Entra API create application test"}'
```
Response:
```json
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#microsoft.graph.applicationServicePrincipal",
  "application": {
    "id": "343a8552-f9d9-471c-b677-d37062117cc8",
    "appId": "03d8207b-e837-4be9-b4e6-180492eb3b61",
    "applicationTemplateId": "8adf8e6e-67b2-4cf2-a259-e3dc5476c621",
    "createdDateTime": "2025-01-30T00:37:44Z",
    "deletedDateTime": null,
    "displayName": "Entra API create application test",
    "description": null
    // ...snipped rest of large application payload
  },
  "servicePrincipal": {
    "id": "a8cb133d-f841-4eb9-8bc9-c8e9e8c0d417", // Note this ID for the subsequent request
    "deletedDateTime": null,
    "accountEnabled": true,
    "appId": "03d8207b-e837-4be9-b4e6-180492eb3b61",
    "applicationTemplateId": "8adf8e6e-67b2-4cf2-a259-e3dc5476c621",
    "appDisplayName": "Entra API create application test"
    // ...snipped rest of JSON payload
  }
}
```
3. Create a provisioning job
To enable provisioning, you will also need to create a synchronization job. The SERVICE_PRINCIPAL_ID returned in the previous response (servicePrincipal.id) is used in the request below. The SCIM templateId is an Entra-provided template.
```sh
curl -X POST 'https://graph.microsoft.com/v1.0/servicePrincipals/<SERVICE_PRINCIPAL_ID>/synchronization/jobs' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Bearer <accessToken>' \
  --data-raw '{"templateId": "scim"}'
```
Response:
```json
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#servicePrincipals('a8cb133d-f841-4eb9-8bc9-c8e9e8c0d417')/synchronization/jobs/$entity",
  "id": "scim.5b223a2cc249463bbd9a791550f11c76.03d8207b-e837-4be9-b4e6-180492eb3b61",
  "templateId": "scim",
  "schedule": {
    "expiration": null,
    "interval": "PT40M",
    "state": "Disabled"
  }
  // ...snipped rest of JSON payload
}
```
4. Configure the SCIM provisioning URL and API token
Next, configure the Tenant URL (Cloudflare SCIM endpoint) and API token (SCIM Provisioning API Token).
Replace <accessToken>, <ACCOUNT_ID> and <SCIM_PROVISIONING_API_TOKEN_VALUE> with your values. The secrets are written with a PUT to the service principal's synchronization/secrets resource in Microsoft Graph.
```sh
# Microsoft Graph endpoint for the service principal's synchronization secrets
curl -X PUT 'https://graph.microsoft.com/v1.0/servicePrincipals/<SERVICE_PRINCIPAL_ID>/synchronization/secrets' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Bearer <accessToken>' \
  --data-raw '{"value": [{"key": "BaseAddress", "value": "https://api.cloudflare.com/client/v4/accounts/<ACCOUNT_ID>/scim/v2"}, {"key": "SecretToken", "value": "<SCIM_PROVISIONING_API_TOKEN_VALUE>"}]}'
```
After completing the tasks above, the next steps in Entra include:
- Additional group/provisioning configuration
- Test and save after updating the config.
- Provisioning after configuration is complete
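Because each Cloudflare account needs its own enterprise application, the four API steps above repeat once per account. The script below is an added example (not Cloudflare's or Microsoft's code) that chains steps 2 to 4 for a map of account IDs to SCIM provisioning tokens, threading the servicePrincipal.id from the instantiate response into the job and secrets requests exactly as the curl sequence does. The template ID, the Graph paths and the request bodies come from the steps above; the function names, the pluggable send callable (so the request sequence can be exercised offline), and the display-name convention are this example's own assumptions. Step 1 (obtaining the access token) is left to az account get-access-token as shown above.

```python
"""Script steps 2-4 of the Entra SCIM setup for several Cloudflare accounts.

Added example. Assumptions not taken from the page: the helper names, the
`send` parameter used to swap the HTTP transport, and the display-name
convention "Cloudflare SCIM <account id>".
"""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
# Non-gallery application template suggested in the Entra docs (from the page).
TEMPLATE_ID = "8adf8e6e-67b2-4cf2-a259-e3dc5476c621"


def build_instantiate_request(display_name):
    """Step 2: instantiate the non-gallery template as a new application."""
    return {"method": "POST",
            "url": f"{GRAPH}/applicationTemplates/{TEMPLATE_ID}/instantiate",
            "body": {"displayName": display_name}}


def extract_service_principal_id(instantiate_response):
    """Pull servicePrincipal.id from the step-2 response; it keys steps 3 and 4."""
    sp_id = (instantiate_response.get("servicePrincipal") or {}).get("id")
    if not sp_id:
        raise ValueError("instantiate response has no servicePrincipal.id")
    return sp_id


def build_sync_job_request(sp_id):
    """Step 3: create the SCIM synchronization job on the service principal."""
    return {"method": "POST",
            "url": f"{GRAPH}/servicePrincipals/{sp_id}/synchronization/jobs",
            "body": {"templateId": "scim"}}


def build_secrets_request(sp_id, account_id, scim_token):
    """Step 4: store the Cloudflare SCIM endpoint and token on the service principal."""
    base = f"https://api.cloudflare.com/client/v4/accounts/{account_id}/scim/v2"
    return {"method": "PUT",
            "url": f"{GRAPH}/servicePrincipals/{sp_id}/synchronization/secrets",
            "body": {"value": [{"key": "BaseAddress", "value": base},
                               {"key": "SecretToken", "value": scim_token}]}}


def _redact(req):
    """Copy of a request with the SCIM token blanked, safe to keep in a run log."""
    body = req["body"]
    if "value" in body:
        body = {"value": [dict(kv, value="<redacted>") if kv["key"] == "SecretToken" else kv
                          for kv in body["value"]]}
    return {**req, "body": body}


def graph_send(access_token, req):
    """Default transport: perform the request with urllib and decode the JSON reply."""
    http_req = urllib.request.Request(req["url"], data=json.dumps(req["body"]).encode(),
                                      method=req["method"])
    http_req.add_header("Content-Type", "application/json")
    http_req.add_header("Authorization", f"Bearer {access_token}")
    with urllib.request.urlopen(http_req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def provision_account(access_token, account_id, scim_token, display_name, send=graph_send):
    """Run steps 2-4 for one account.

    Returns (service_principal_id, redacted list of requests issued); the
    list is suitable for a change record without leaking the SCIM token.
    """
    instantiate = build_instantiate_request(display_name)
    sp_id = extract_service_principal_id(send(access_token, instantiate))
    followups = [build_sync_job_request(sp_id),
                 build_secrets_request(sp_id, account_id, scim_token)]
    for req in followups:
        send(access_token, req)
    return sp_id, [_redact(r) for r in [instantiate, *followups]]


def provision_accounts(access_token, accounts, send=graph_send):
    """`accounts` maps Cloudflare account ID -> SCIM provisioning token.

    One application per account, as the integration requires; returns
    {account_id: service_principal_id} for the follow-up UI steps.
    """
    return {acct: provision_account(access_token, acct, tok,
                                    f"Cloudflare SCIM {acct}", send)[0]
            for acct, tok in accounts.items()}
```

Pass the accessToken from step 1 and a dict of account IDs to their SCIM provisioning tokens to provision_accounts; the returned service principal IDs identify the applications that still need group assignment, a test-and-save of the configuration, and Start Provisioning in the Entra UI.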
© 2025 Cloudflare, Inc.