SCIM activity logs
SCIM activity logs allow administrators to audit how SCIM provisioning events in an identity provider (such as create, update, and delete) affect a user's identity and group membership in Zero Trust. You can compare your Zero Trust SCIM logs with your identity provider's SCIM logs to track how identity data is shared between the two services and pinpoint the source of any provisioning errors.
For an overview of SCIM events across all users, log in to Zero Trust ↗ and go to Logs > SCIM provisioning. This page lists the inbound SCIM requests from all identity providers configured with SCIM. You can select an individual request to view more details about the SCIM operation.
To investigate how SCIM events impacted a specific user, go to their User Registry identity.
SCIM provisioning logs show the following information for each inbound SCIM request:
- IdP name: Name of the identity provider
- Timestamp: Date and time of the request
- Action: HTTP request method (
POST,PUT,PATCH,DELETE) - User email: User who received the SCIM identity update
- Group name: Group that received the SCIM identity update
- Resource type: SCIM resource that was modified (
GROUPorUSER) - CF resource ID: Persistent identifier for the user or group created by Cloudflare SCIM
- IDP resource ID: Identifier for the user or group provided by the identity provider
- Outcome: Whether the SCIM request was applied successfully (
SUCCESSorERROR) - Request body: HTTP request body containing the data that was added, modified, or removed
- JSON log: SCIM request log in JSON format
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Products
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark