SCIM v1 to v2 Migration

Cloudflare's first iteration of SCIM integration introduced a concept called Virtual Groups, typically identified by the pattern CF-<accountID>-<Role Name> in your IdP. Virtual Groups were an early implementation of group-based access control: they acted as placeholders created automatically by SCIM to map IdP groups to account memberships.

While customers could add or remove members from these groups within their IdP, Virtual Groups had important limitations:

• They could not be renamed or deleted in the IdP.
• They could not be managed within Cloudflare.
• Functionally, managing a Virtual Group was equivalent to syncing users and editing each member’s policies individually.

With the GA of User Groups, Virtual Groups are now deprecated. Customers should migrate to User Groups, which provide a more flexible and scalable way to assign and manage policies. To maintain SCIM synchronization with the Cloudflare Dashboard, we strongly recommend migrating to SCIM User Groups.

If you have never synced a group linked to a CF-<accountID>-<Role Name> Virtual Group from your IdP to Cloudflare, no action is needed.

Migration steps

1. Create a new SCIM integration in your IdP using an Account Owned Token provisioned in Cloudflare.
2. Assign users & groups to your new Application in your IdP, following a naming convention that aligns with your internal processes.
3. Sync groups to Cloudflare and verify they appear in the User Groups pane of the Cloudflare Dashboard.
4. Attach permission policies to the new User Groups so members inherit the correct access upon assignment to the group.
5. Migrate users into the new groups incrementally, testing synchronization of users & groups into the Cloudflare Dashboard.
6. Clean up legacy resources by removing SCIM v1 Virtual Groups and IdP mappings that follow the CF-<accountID>-<Role Name> pattern.

More resources

• User Groups changelog
• User Groups documentation
• Create an Account Owned Token
• SCIM provisioning setup guide