@@ -38,6 +38,18 @@ Once you have [gathered the required data](/fundamentals/account/account-securit
To successfully synchronize the group details into Cloudflare the `User Principal Name` (of `Identity`) and `Email` (of `Contact Information`) fields of each user must be identical. Values are case-sensitive, and the User Principal Name can only contain alphanumeric characters. Learn more about [how to create, invite, and delete users](https://learn.microsoft.com/entra/fundamentals/how-to-create-delete-users).
:::

:::caution[Required: configure the `active` attribute mapping]
The `active` attribute mapping controls whether Entra ID sends a deprovisioning signal to Cloudflare when a user goes out of provisioning scope (for example, when removed from all assigned groups). Without this mapping, the user's account membership will remain active in Cloudflare. For group-based deprovisioning to work, the `active` attribute must use the default Microsoft expression that evaluates provisioning scope:
1. Navigate to **Provisioning** > **Mappings** > **Provision Microsoft Entra ID Users**.
2. Find or add the `active` attribute mapping.
3. Set **Mapping type** to `Expression`.
4. Enter this expression exactly:
`Switch([IsSoftDeleted], , "False", "True", "True", "False")`
5. Ensure **Target attribute** is set to `active`.
6. Select **Ok**, then **Save**.
Using `accountEnabled` as the source attribute will not trigger deprovisioning when a user is removed from a group, because the user's directory account remains enabled.
:::

4. To validate which users and groups have been synchronized, navigate to **Provisioning logs** on the sidebar menu. You can also [review the Cloudflare Audit Logs](/fundamentals/account/account-security/review-audit-logs/).

:::caution[Read-only group]
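Review bot: the new `active` mapping caution (lines 25-35 of the hunk) tells the reader how to configure deprovisioning but not how to confirm it works; step 6 ends at **Save**, and the only verification on the page is the pre-existing step 4 pointer to **Provisioning logs** and the Cloudflare Audit Logs. Suggest closing the caution with a short check, for example: remove a test user from the assigned group, wait for the next provisioning cycle, and confirm that a deprovisioning entry for that user appears in **Provisioning logs** and that the user is no longer an active member in the Cloudflare Audit Logs; a reader who skips this will only discover a wrong `active` mapping when a departed user keeps access. Two smaller points: the empty second argument in `Switch([IsSoftDeleted], , "False", "True", "True", "False")` is the default value, so a one-line note that an empty result means `IsSoftDeleted` was neither `True` nor `False` would help readers who see an unexpected blank `active` value; and "the user's account membership will remain active in Cloudflare" reads more precisely as "the user will remain an active member of the Cloudflare account".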