diff --git a/public/_redirects b/public/_redirects
index ac90068f0055a34..251cc7e2df341e3 100644
--- a/public/_redirects
+++ b/public/_redirects
@@ -1739,6 +1739,7 @@
/cloudflare-one/identity/devices/require-warp/ /cloudflare-one/identity/devices/warp-client-checks/require-warp/ 301
/cloudflare-one/identity/devices/sentinel-one/ /cloudflare-one/identity/devices/warp-client-checks/sentinel-one/ 301
/cloudflare-one/identity/idp-integration/azuread/ /cloudflare-one/identity/entra-id/ 301
+/cloudflare-one/identity/entra-id/ /cloudflare-one/identity/idp-integration/entra-id/ 301
/cloudflare-one/identity/idp-integration/one-time-pin/ /cloudflare-one/identity/one-time-pin/ 301
/cloudflare-one/identity/idp-integration/saml-centrify/ /cloudflare-one/identity/idp-integration/centrify-saml/ 301
/cloudflare-one/identity/idp-integration/ping-saml/ /cloudflare-one/identity/idp-integration/pingfederate-saml/ 301
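Review bot: the new rule creates a redirect chain with the line directly above it. `/cloudflare-one/identity/idp-integration/azuread/` still 301s to `/cloudflare-one/identity/entra-id/`, which now 301s on to `/cloudflare-one/identity/idp-integration/entra-id/`, so old links take two hops. Point the `azuread` rule at the final target in the same change, and check the rest of `_redirects` for any other rule whose destination is `/cloudflare-one/identity/entra-id/`.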
diff --git a/src/assets/images/cloudflare-one/identity/azure/entra-email-claim.png b/src/assets/images/cloudflare-one/identity/azure/entra-email-claim.png
new file mode 100644
index 000000000000000..d8751affc156480
Binary files /dev/null and b/src/assets/images/cloudflare-one/identity/azure/entra-email-claim.png differ
diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx
index 51d66ac873662dd..3b7ffcadbedb15d 100644
--- a/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx
+++ b/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx
@@ -108,6 +108,24 @@ More narrow permissions may be used, however this is the set of permissions that
To [test](/cloudflare-one/identity/idp-integration/#test-idps-in-zero-trust) that your connection is working, select **Test**.
+#### UPN and email
+
+If your organization's UPNs do not match users' email addresses, you must add a custom claim for email. For example, if your organization's email format is `user@domain.com` but the UPN is `u908080@domain.com`, you must create an email claim if you are configuring email-based policies.
+
+By default, Cloudflare will first look for the unique claim name you created and configured in the Cloudflare dashboard to represent email (for example, `email_identifier`) in the `id_token` JSON response. If you did not configure a unique claim name, Cloudflare will then look for an `email` claim. Last, if neither claim exists, Cloudflare will look for the UPN claim.
+
+To receive an email claim in the `id_token` from Microsoft Entra, you must:
+
+1. In the [Microsoft Entra admin center](https://entra.microsoft.com/), go to **Application** > **App registration** > select the relevant application > **Manage** > **Token configuration**.
+2. Add a claim for email.
+
+ 
+
+ The example above includes both a UPN claim and an email claim. Because an email claim was created in the Microsoft Entra configuration, Cloudflare will look for the `email` key-value pair in the JSON response.
+
+3. If you gave your email claim another name than `email`, you must update your configuration in the Cloudflare dashboard. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Authentication** > **Azure AD** > **Edit**.
+4. Under **Optional configurations** > **Email claim**, enter the name of the claim representing your organization's email addresses.
+
## Synchronize users and groups
The Microsoft Entra ID integration allows you to synchronize IdP groups and automatically deprovision users using [SCIM](/cloudflare-one/identity/users/scim/).
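Review bot: the line between step 2 and "The example above" is empty in this diff (a `+` followed by whitespace), so the screenshot the sentence refers to is not visibly embedded; confirm that the image reference to the new `entra-email-claim.png` asset is actually on that line and carries descriptive alt text, otherwise "The example above" points at nothing. Two smaller points: in step 3, "another name than `email`" reads better as "a name other than `email`"; and since the precedence paragraph says Cloudflare checks the dashboard-configured claim name first, then `email`, then the UPN, it is worth stating in step 4 that the name entered under **Email claim** must match the Entra claim name exactly, because a mismatch falls through to the `email` claim and then to the UPN, which is the very case this section is meant to prevent.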
@@ -120,7 +138,7 @@ The Microsoft Entra ID integration allows you to synchronize IdP groups and auto
### 2. Configure SCIM in Entra ID
@@ -139,9 +157,9 @@ SCIM requires a separate enterprise application from the one created during [ini
5. Once the SCIM application is created, [assign users and groups to the application](https://learn.microsoft.com/entra/identity/enterprise-apps/assign-user-or-group-access-portal).
- :::note
- Groups in this SCIM application should match the groups in your other [Cloudflare Access enterprise application](/cloudflare-one/identity/idp-integration/entra-id/#set-up-entra-id-as-an-identity-provider). Because SCIM group membership updates will overwrite any groups in a user's identity, assigning the same groups to each app ensures consistent policy evaluation.
- :::
+ :::note
+ Groups in this SCIM application should match the groups in your other [Cloudflare Access enterprise application](/cloudflare-one/identity/idp-integration/entra-id/#set-up-entra-id-as-an-identity-provider). Because SCIM group membership updates will overwrite any groups in a user's identity, assigning the same groups to each app ensures consistent policy evaluation.
+ :::
6. Go to **Provisioning** and select **Get started**.
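Review bot: whitespace-only change; the `:::note` aside is re-indented by one space under list item 5. Confirm the rendered page still nests the aside inside the list item rather than breaking the list, since MDX list continuation depends on the indentation matching the item's content offset.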
@@ -159,7 +177,7 @@ SCIM requires a separate enterprise application from the one created during [ini
To check which users and groups were synchronized, select **View provisioning logs**.
-
+
### Provisioning attributes
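Review bot: the single changed line under "View provisioning logs" shows no visible content in this diff (a bare `-` and `+`), so the change cannot be reviewed from the hunk. If it is an image embed or a component whose markup was dropped from the diff view, say in the PR description what changed on that line and why.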
@@ -207,38 +225,39 @@ Access and Gateway policies for an Entra group will also apply to all [nested gr
## Force user interaction during WARP reauthentication
You can require users to re-enter their credentials into Entra ID whenever they [re-authenticate their WARP session](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-sessions/). To configure this setting:
+
1. Make a `GET` request to the [Identity Providers endpoint](/api/resources/zero_trust/subresources/identity_providers/) and copy the response for the Entra ID identity provider.
2. [Update the Entra ID identity provider](/api/resources/zero_trust/subresources/identity_providers/methods/update/) using a `PUT` request. In the request body, include all existing configurations and set the `prompt` parameter to either `login` or `select_account`. For example,
- ```sh {17}
- curl --request PUT \
- https://api.cloudflare.com/client/v4/accounts/{account_id}/access/identity_providers/{identity_provider_id} \
- --header "Authorization: Bearer " \
- --header "Content-Type: application/json" \
- --data '{
- "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
- "type": "azureAD",
- "uid": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
- "name": "Entra ID",
- "version": "31e74e9b4f033e16b604552091a72295",
- "config": {
- "azure_cloud": "default",
- "client_id": "",
- "conditional_access_enabled": false,
- "directory_id": "",
- "redirect_url": "https://.cloudflareaccess.com/cdn-cgi/access/callback",
- "prompt": "login",
- "support_groups": true
- },
- "scim_config": {
- "enabled": true,
- "user_deprovision": true,
- "seat_deprovision": false,
- "group_member_deprovision": false,
- "identity_update_behavior": "automatic"
- },
- "scim_base_url": "https://.cloudflareaccess.com/populations/f174e90a-fafe-4643-bbbc-4a0ed4fc8415/scim/v2"
- }'
- ```
+ ```sh {17}
+ curl --request PUT \
+ https://api.cloudflare.com/client/v4/accounts/{account_id}/access/identity_providers/{identity_provider_id} \
+ --header "Authorization: Bearer " \
+ --header "Content-Type: application/json" \
+ --data '{
+ "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
+ "type": "azureAD",
+ "uid": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
+ "name": "Entra ID",
+ "version": "31e74e9b4f033e16b604552091a72295",
+ "config": {
+ "azure_cloud": "default",
+ "client_id": "",
+ "conditional_access_enabled": false,
+ "directory_id": "",
+ "redirect_url": "https://.cloudflareaccess.com/cdn-cgi/access/callback",
+ "prompt": "login",
+ "support_groups": true
+ },
+ "scim_config": {
+ "enabled": true,
+ "user_deprovision": true,
+ "seat_deprovision": false,
+ "group_member_deprovision": false,
+ "identity_update_behavior": "automatic"
+ },
+ "scim_base_url": "https://.cloudflareaccess.com/populations/f174e90a-fafe-4643-bbbc-4a0ed4fc8415/scim/v2"
+ }'
+ ```
## Example API Configuration
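Review bot: several placeholders in the re-indented example appear empty: `--header "Authorization: Bearer "`, `"client_id": ""`, `"directory_id": ""`, and the team name in `https://.cloudflareaccess.com/...` in both `redirect_url` and `scim_base_url`. Verify that these carry the placeholder tokens the docs use elsewhere (an API-token placeholder and a team-name placeholder) so a reader does not copy an empty bearer header or an invalid hostname into a request. The `{17}` line highlight still lands on `"prompt": "login"` after the indentation change, so that part is fine. Since step 2 tells the reader to include all existing configuration in the body, it would help to add one clause saying why (that is, whether the `PUT` replaces the whole identity provider object, so that omitting `scim_config` or `support_groups` would drop those settings).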
@@ -253,4 +272,4 @@ You can require users to re-enter their credentials into Entra ID whenever they
"type": "azureAD",
"name": "my example idp"
}
-```
\ No newline at end of file
+```