SCIM provisioning

Cloudflare supports bulk provisioning of users into the Cloudflare dashboard by using the System for Cross-domain Identity Management (SCIM) protocol. This allows you to connect your external identity provider (IdP) to Cloudflare and quickly onboard and manage users and their permissions. Cloudflare supports SCIM onboarding with Okta and Microsoft Entra.

Note

This section covers SCIM provisioning for the Cloudflare dashboard only. If you need to provision SCIM for Cloudflare Zero Trust, refer to Zero Trust SCIM provisioning.

Expected behaviors

Expectations for user lifecycle management with SCIM:

Expected Cloudflare dash behavior	Identity provider action
User is added to account as member	Assign the user to a SCIM application. They will be assigned the Minimal Account Access role so that their dash experience is not broken.
User is removed from account as member	Unassign the user from the SCIM application.
Add role to user	Add the user to a group in the IdP which is pushed via SCIM. They must also be assigned to the SCIM application and exist as an account member.
Remove role from user	Remove the user from the corresponding group in the IdP.
Retain user in account but with no permissions	Remove the user from all role groups but leave them assigned to the SCIM application. They will be an account member with only the role Minimal Account Access.

Limitations

• If a user is the only Super Administrator on an Enterprise account, they will not be deprovisioned.

Prerequisites

• Cloudflare provisioning with SCIM is only available to Enterprise customers using Okta or Microsoft Entra.
• You must be a Super Administrator on the account.
• In your identity provider, you must have the ability to create applications and groups.

---

Gather the required data

To start, you will need to collect a couple of pieces of data from Cloudflare and set these aside for later use.

Get your Account ID

1. In the Cloudflare dashboard ↗, go to the Cloudflare account that you want to configure for SCIM provisioning.
2. Copy your account ID from the account home page.

Create an API token

1. Create an API token with the following permissions:

   Type	Item	Permission
   Account	SCIM Provisioning	Edit

   Note

   Cloudflare recommends using Account Owned API Tokens for SCIM Provisioning. Using user-specific API tokens, while supported, will lead to a broken SCIM connection in the event that the user's policies are revoked from the account with the SCIM integration. Learn more about account owned tokens.

2. Under Account Resources, select the specific account to include or exclude from the dropdown menu, if applicable.

3. Select Continue to summary.

4. Validate the permissions and select Create Token.

5. Copy the token value.