Update Microsoft Entra SCIM docs

src/pages/manage/team/idp-sync/microsoft-entra-id-scim-sync.mdx

@@ -21,7 +21,7 @@ Before you begin the integration process, ensure you have the necessary admin pe
 
 To enable SCIM synchronization in NetBird, navigate to `Integrations > Identity Provider Sync` in your NetBird dashboard.
 
-![Microsoft Entra ID SCIM Integration Connection](/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-connect.png)
+<img src="/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-connect.png" alt="Microsoft Entra ID SCIM Integration Connection" className="imagewrapper-big"/>
 
 <Note>
     Before starting the Entra ID SCIM integration you will need to be logged in via Microsoft Login. <br/>
@@ -31,24 +31,24 @@ To enable SCIM synchronization in NetBird, navigate to `Integrations > Identity
 Click the `Connect Microsoft Entra ID` button to begin the configuration process.
 This action will trigger a pop-up window that will present you with a user-friendly wizard, guiding you through the synchronization process between NetBird and Entra ID.
 
-![Microsoft Entra ID SCIM Getting Started Wizard](/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-scim-getting-started.png)
+<img src="/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-scim-getting-started.png" alt="Microsoft Entra ID SCIM Getting Started Wizard" className="imagewrapper-big"/>
 
 
 ## Configure SCIM Provisioning in Microsoft Entra ID
 
 Click on the `Get Started` button to initiate the integration process.
 A new wizard screen will appear, offering step-by-step instructions for creating and configuring your Microsoft Entra ID application. To simplify the process, the wizard also provides quick-copy buttons for essential information:
 
-![Microsoft Entra ID SCIM Configuration Setup](/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-configure-scim.png)
+<img src="/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-configure-scim.png" alt="Microsoft Entra ID SCIM Configuration Setup" className="imagewrapper-big"/>
 
 
 In the [Azure portal](https://portal.azure.com), navigate to `Azure Active Directory` → `Enterprise applications`.
 
-![Microsoft Entra ID Enterprise Applications](/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-enterprise-applications.png)
+<img src="/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-enterprise-applications.png" alt="Microsoft Entra ID Enterprise Applications" className="imagewrapper-big"/>
 
 Click `New application` to create a new enterprise application.
 
-![Microsoft Entra ID New Application Creation](/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-new-application.png)
+<img src="/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-new-application.png" alt="Microsoft Entra ID New Application Creation" className="imagewrapper-big"/>
 
 Click `Create your own application`.
 
@@ -57,62 +57,100 @@ Fill out the application form with the following details:
 * **What's the name of your app?**: `NetBird SCIM`
 * **What are you looking to do with your application?**: Select `Integrate any other application you don't find in the gallery (Non-gallery)`
 
-![Microsoft Entra ID Application Form](/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-application-form.png)
+<img src="/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-application-form.png" alt="Microsoft Entra ID Application Form" className="imagewrapper-big"/>
 
 Click `Create`.
 
-![Microsoft Entra ID Application Created Successfully](/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-application-created.png)
+<img src="/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-application-created.png" alt="Microsoft Entra ID Application Created Successfully" className="imagewrapper-big"/>
 
 ### Enable Provisioning
 
 On the NetBird dashboard click the Continue → button. A new wizard screen will appear, offering step-by-step instructions for enabling provisioning.
-![Microsoft Entra ID Enable Provisioning Setup](/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-enable-provisioning.png)
+<img src="/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-enable-provisioning.png" alt="Microsoft Entra ID Enable Provisioning Setup" className="imagewrapper-big"/>
 
 Once the application is created, you'll be redirected to a getting started page. Click `Get started` in the `Provision User Accounts` section.
 
-![Microsoft Entra ID Provisioning Get Started](/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-provisioning-get-started.png)
+<img src="/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-provisioning-get-started.png" alt="Microsoft Entra ID Provisioning Get Started" className="imagewrapper-big"/>
 
 Under the `Create configuration` section, click `connect your application`.
 
 Fill out the `New provisioning configuration` form with the following details:
 
 * **Select authentication method**: `Bearer authentication`
-* **Tenant URL**: `https://api.netbird.io/api/scim/v2` (paste the Base URL you copied from NetBird)
+* **Tenant URL**: `https://api.netbird.io/api/scim/v2?aadOptscim062020`
 * **Secret token**: Paste the Token Key you copied from the Entra ID SCIM Setup process in the NetBird integration
 
-![Microsoft Entra ID Connect Application Configuration](/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-connect-application.png)
+<Note>
+    The `?aadOptscim062020` flag appended to the Tenant URL is required to ensure Microsoft Entra ID sends SCIM 2.0 compliant requests.
+    Without this flag, Entra ID uses non-standard PATCH operations that can cause provisioning issues such as incorrect boolean values and malformed group membership updates.
+    See [Microsoft's SCIM compatibility documentation](https://learn.microsoft.com/en-us/entra/identity/app-provisioning/application-provisioning-config-problem-scim-compatibility#flags-to-alter-the-scim-behavior) for more details.
+</Note>
+
+<img src="/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-connect-application.png" alt="Microsoft Entra ID Connect Application Configuration" className="imagewrapper-big"/>
 
 Click `Test Connection` to verify the SCIM connection. If the connection is successful, click `Create` to save the configuration.
 
-![Microsoft Entra ID Connection Success](/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-connection-success.png)
+<img src="/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-connection-success.png" alt="Microsoft Entra ID Connection Success" className="imagewrapper-big"/>
 
 ### Configure Attribute Mapping
 
 On the NetBird dashboard click the Continue → button. A new wizard screen will appear, offering step-by-step instructions for configuring attribute mapping.
 
-![Microsoft Entra ID Configure Attribute Mapping](/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-configure-attribute-mapping.png)
+<img src="/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-configure-attribute-mapping.png" alt="Microsoft Entra ID Configure Attribute Mapping" className="imagewrapper-big"/>
+
+After creating the provisioning configuration, you need to configure the attribute mappings for both groups and users.
+Navigate to the `Attribute mapping` section.
+
+<img src="/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/attribute-mapping.png" alt="Microsoft Entra ID Attribute Mapping" className="imagewrapper-big"/>
+
+#### Group Attribute Mapping
+
+Click `Provision Microsoft Entra ID Groups` to configure the group attribute mapping.
+
+<img src="/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-group-attribute-mapping.png" alt="Microsoft Entra ID Group Attribute Mapping" className="imagewrapper-big"/>
+
+In the attribute mappings list, locate the `externalId` row and click `Delete`.
+
+Click `Save` to apply the updated group attribute mapping configuration.
 
-After creating the provisioning configuration, you need to configure the attribute mapping to ensure the `externalId` is mapped to the user's `objectId`.
+<img src="/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-group-attribute-mapping-updated.png" alt="Microsoft Entra ID Group Attribute Mapping After Deletion" className="imagewrapper-big"/>
 
-Navigate to the `Attribute mapping` section and click `Provision Microsoft Entra ID Users`.
+#### User Attribute Mapping
+
+Navigate back to the `Attribute mapping` section and click `Provision Microsoft Entra ID Users` to configure the user attribute mapping.
+
+<img src="/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-user-attribute-mapping.png" alt="Microsoft Entra ID Default User Attribute Mapping" className="imagewrapper-big"/>
+
+Remove all attribute mappings except for the following:
+
+* `userName`
+* `active`
+* `displayName`
+* `emails[type eq "work"].value`
+* `name.givenName`
+* `name.familyName`
+* `externalId`
+
+Click `Save` to apply the updated user attribute mapping configuration.
+
+<img src="/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-user-attribute-mapping-clean.png" alt="Microsoft Entra ID Updated User Attribute Mapping" className="imagewrapper-big"/>
 
-![Microsoft Entra ID Default Attribute Mapping](/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-default-attribute-mapping.png)
 
 In the attribute mappings list, locate the `externalId` row and click `Edit`.
 
 Change the **Source attribute** from `mailNickname` to `objectId`.
 
-![Microsoft Entra ID Edit External ID Attribute](/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-edit-externalid.png)
+<img src="/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-edit-externalid.png" alt="Microsoft Entra ID Edit External ID Attribute" className="imagewrapper-big"/>
 
-Click `Ok` to save the change, then click `Save` to apply the new attribute mapping configuration.
+Click `Ok` to save the change, then click `Save` to apply the final user attribute mapping configuration.
 
-![Microsoft Entra ID Updated Attribute Mapping](/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-updated-attribute-mapping.png)
+<img src="/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-user-attribute-mapping-updated.png" alt="Microsoft Entra ID Final User Attribute Mapping" className="imagewrapper-big"/>
 
 ## Assign Users and Groups
 
 On the NetBird dashboard click the Continue → button. A new wizard screen will appear, offering step-by-step instructions for assigning users and groups.
 
-![Microsoft Entra ID Assign Users and Groups](/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-assign-users-and-groups.png)
+<img src="/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-assign-users-and-groups.png" alt="Microsoft Entra ID Assign Users and Groups" className="imagewrapper-big"/>
 
 
 To enable SCIM synchronization of users and groups to NetBird, you need to assign them to the NetBird enterprise application.
@@ -124,21 +162,26 @@ In the Azure portal, navigate to your NetBird enterprise application:
 * Select the users and groups you want to synchronize to NetBird
 * Click `Assign` to save the assignments
 
-![Microsoft Entra ID Assign Users and Groups Interface](/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-assign-users-groups.png)
+<img src="/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-assign-users-groups.png" alt="Microsoft Entra ID Assign Users and Groups Interface" className="imagewrapper-big"/>
 
 ## Start Provisioning
 
 On the NetBird dashboard click the Continue → button. A new wizard screen will appear, offering step-by-step instructions for starting the provisioning.
 
-![Microsoft Entra ID Run Provisioning](/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-run-provisioning.png)
+<img src="/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-run-provisioning.png" alt="Microsoft Entra ID Run Provisioning" className="imagewrapper-big"/>
 
 
 After assigning users and groups, navigate back to the provisioning configuration and click the `Start provisioning` button to enable automatic synchronization. The first sync will begin shortly after provisioning is started.
 
-![Microsoft Entra ID Provisioning Started](/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-provisioning-started.png)
+<img src="/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-provisioning-started.png" alt="Microsoft Entra ID Provisioning Started" className="imagewrapper-big"/>
 
 Once started, Microsoft Entra ID will automatically synchronize the assigned users and groups to NetBird.
 
+<Note>
+    After the initial sync, Microsoft Entra ID runs provisioning cycles approximately every 40 minutes by default.
+    If you need to synchronize changes immediately, you can use [Provisioning on demand](https://learn.microsoft.com/en-us/entra/identity/app-provisioning/provision-on-demand?pivots=app-provisioning) to provision individual users or groups without waiting for the next cycle.
+</Note>
+
 Click `Finish Setup` in the NetBird Dashboard to finalize the integration process.
 
 ## Verify Synchronization
@@ -159,25 +202,25 @@ have been successfully synchronized by navigating to `Team > Users` in your NetB
 You can access some configuration settings inside the NetBird Dashboard. E.g. if you want to regenerate the authentication token or want to filter users and groups based on a specific prefix.
 Simply go to the Integrations page and click the settings icon of your integration.
 
-![Microsoft Entra ID SCIM Configuration Options](/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-configuration-options.png)
+<img src="/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-configuration-options.png" alt="Microsoft Entra ID SCIM Configuration Options" className="imagewrapper-big"/>
 
 ### Regenerate Auth Token
 
 If your authentication token has expired or you need to update it, click **Regenerate Auth Token** in the configuration window to generate a new token.
 
-![Microsoft Entra ID Regenerate Authentication Token](/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-regenerate-auth-token.png)
+<img src="/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-regenerate-auth-token.png" alt="Microsoft Entra ID Regenerate Authentication Token" className="imagewrapper-big"/>
 
 
 ### Groups to be synchronized
 
 By default, all groups assigned to the NetBird application in Entra will be synchronized. If you want to synchronize only assigned groups that start with a specific prefix, you can specify them in the filter. Keep in mind that the prefix matching is case-sensitive.
 
-![Microsoft Entra ID Group Prefix Filter](/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-group-prefix.png)
+<img src="/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-group-prefix.png" alt="Microsoft Entra ID Group Prefix Filter" className="imagewrapper-big"/>
 
 Click `Continue` to proceed to the next step.
 
 ### Users to be synchronized
 
 By default, all users from the groups assigned to the NetBird application in Entra will be synchronized. If you want to further filter and synchronize only users from specific assigned groups, you can specify those group names in the filter. The group name matching is case-sensitive.
 
-![Microsoft Entra ID User Prefix Filter](/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-user-prefix.png)
+<img src="/docs-static/img/manage/team/idp-sync/entra-id-scim-sync/entra-user-prefix.png" alt="Microsoft Entra ID User Prefix Filter" className="imagewrapper-big"/>