SCIM

Group B — Elevated

Access gated by elevated Entra group membership, synchronised to Cloudflare via SCIM provisioning.


Your Identity

CF Access — /cdn-cgi/access/get-identity

How This Works

This page works identically to Group A at the technical level — SCIM provisioning syncs group membership from Entra, and the Cloudflare Access policy permits only members of CF-Demo-Group-B.

The intent is to demonstrate tiered access: Group A represents a broader, restricted-scope set of users, while Group B represents a smaller elevated-access group. A user in Group A cannot reach this page unless they are also in Group B.

In a real deployment this pattern maps to role separation — e.g. standard staff vs administrators, or read-only vs read-write access to a tool.

Testing the boundary: Add a test user to Group A but not Group B. Confirm they can reach /scim-a/ but are denied here. This validates that the SCIM sync and group policy are working as intended.

Entra Configuration

1. Create the Elevated Group

  1. Entra ID → Groups → New group
  2. Name: CF-Demo-Group-B, assign only the elevated-access members

2. Add Group to SCIM Scope

  1. Enterprise Application → Users and groups → Add user/group
  2. Add CF-Demo-Group-B to the application scope
  3. Trigger a provisioning cycle or wait for the next automatic sync
  4. Confirm the group appears in Zero Trust → Settings → Authentication → your IdP → SCIM groups

Cloudflare Configuration

Add Access Application

  1. Zero Trust → Access → Applications → Add an Application → Self-hosted
  2. Domain: barbicancloud.co.uk/scim-b/* (path) or scim-b.barbicancloud.co.uk (subdomain)
  3. Add a policy: Action = Allow, Selector = Azure Groups → select CF-Demo-Group-B

The SCIM token and provisioning setup are shared with Group A — no additional token is needed; only the new Access application and its group policy are specific to Group B.
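To make the boundary test from "How This Works" repeatable, here is an added example (not part of the demo page) that models the two Access policies as configured above and evaluates them against the group names a SCIM-synced identity carries. It assumes Group A's Entra group is named CF-Demo-Group-A by analogy with Group B, and it assumes a simplified identity document with a groups list of objects carrying a name field; the sample identities are constructed.

```python
import fnmatch
import json

# Access applications and their Allow policies as configured on this page.
# CF-Demo-Group-A is assumed by analogy; the page only names Group B.
POLICIES = [
    {"app": "barbicancloud.co.uk/scim-a/*", "allow_group": "CF-Demo-Group-A"},
    {"app": "barbicancloud.co.uk/scim-b/*", "allow_group": "CF-Demo-Group-B"},
]


def groups_from_identity(identity_json: str) -> set:
    """Extract SCIM-synced group names from an identity document.
    The 'groups' list-of-{name} shape is an assumption for this example."""
    doc = json.loads(identity_json)
    return {g["name"] for g in doc.get("groups", [])}


def evaluate(host_path: str, groups: set) -> str:
    """Return 'allow' or 'deny' for host_path under POLICIES.
    The first matching application decides; a path with no Access
    application is reported as 'deny' so an unprotected path stands out."""
    for policy in POLICIES:
        if fnmatch.fnmatchcase(host_path, policy["app"]):
            return "allow" if policy["allow_group"] in groups else "deny"
    return "deny"


def boundary_check(identity_json: str) -> dict:
    """Run the tiered-access check for one identity across both demo paths."""
    groups = groups_from_identity(identity_json)
    return {
        "scim-a": evaluate("barbicancloud.co.uk/scim-a/", groups),
        "scim-b": evaluate("barbicancloud.co.uk/scim-b/", groups),
    }


# Constructed sample identities: Group A only, elevated (A and B), and a
# user whose groups have not yet been provisioned by a SCIM cycle.
GROUP_A_ONLY = json.dumps({"email": "test-a@example.com",
                           "groups": [{"name": "CF-Demo-Group-A"}]})
ELEVATED = json.dumps({"email": "admin@example.com",
                       "groups": [{"name": "CF-Demo-Group-A"},
                                  {"name": "CF-Demo-Group-B"}]})
NOT_YET_SYNCED = json.dumps({"email": "new@example.com", "groups": []})


if __name__ == "__main__":
    for label, ident in [("A only", GROUP_A_ONLY), ("elevated", ELEVATED),
                         ("unsynced", NOT_YET_SYNCED)]:
        print(label, boundary_check(ident))
```

The unsynced case is the one to watch for in practice: a user added in Entra but not yet pushed by a provisioning cycle is denied everywhere, which is why step 3 of the SCIM scope setup matters before testing.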


Routing

Path-based: barbicancloud.co.uk/scim-b/
Subdomain: scim-b.barbicancloud.co.uk