diff --git a/src/content/docs/fundamentals/account/account-security/scim-setup/entra.mdx b/src/content/docs/fundamentals/account/account-security/scim-setup/entra.mdx index 9224750804d1753..07cd29ee7b28249 100644 --- a/src/content/docs/fundamentals/account/account-security/scim-setup/entra.mdx +++ b/src/content/docs/fundamentals/account/account-security/scim-setup/entra.mdx 
@@ -38,6 +38,18 @@ Once you have [gathered the required data](/fundamentals/account/account-securit To successfully synchronize the group details into Cloudflare the `User Principal Name` (of `Identity`) and `Email` (of `Contact Information`) fields of each user must be identical. Values are case-sensitive, and the User Principal Name can only contain alphanumeric characters. Learn more about [how to create, invite, and delete users](https://learn.microsoft.com/entra/fundamentals/how-to-create-delete-users). ::: +:::caution[Required: configure the `active` attribute mapping] +The `active` attribute mapping controls whether Entra ID sends a deprovisioning signal to Cloudflare when a user goes out of provisioning scope (for example, when removed from all assigned groups). Without this mapping, the user's account membership will remain active in Cloudflare. For group-based deprovisioning to work, the `active` attribute must use the default Microsoft expression that evaluates provisioning scope: +1. Navigate to **Provisioning** > **Mappings** > **Provision Microsoft Entra ID Users**. +2. Find or add the `active` attribute mapping. +3. Set **Mapping type** to `Expression`. +4. Enter this expression exactly: + `Switch([IsSoftDeleted], , "False", "True", "True", "False")` +5. Ensure **Target attribute** is set to `active`. +6. Select **Ok**, then **Save**. +Using `accountEnabled` as the source attribute will not trigger deprovisioning when a user is removed from a group, because the user's directory account remains enabled. +::: + 4. To validate which users and groups have been synchronized, navigate to **Provisioning logs** on the sidebar menu. You can also [review the Cloudflare Audit Logs](/fundamentals/account/account-security/review-audit-logs/). :::caution[Read-only group]
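Review bot: step 4 of the new caution gives the `Switch([IsSoftDeleted], , "False", "True", "True", "False")` expression with no explanation, so a reader who finds an existing `active` mapping (step 2 says "Find or add") cannot tell whether it is already equivalent or needs replacing. Suggest one sentence after the expression, along the lines of: `IsSoftDeleted` is `True` when the user has left provisioning scope, so this mapping sets `active` to `False` and Cloudflare receives the deprovisioning signal; otherwise `active` stays `True`. That also makes the final sentence about `accountEnabled` easier to follow, since it contrasts directory account state with provisioning scope. Minor wording: "the user's account membership will remain active in Cloudflare" reads more clearly as "the user will remain an active member of the Cloudflare account".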