PostHog · inkeep · Feb 26, 2026 · Feb 26, 2026
diff --git a/contents/docs/settings/activity-logs.mdx b/contents/docs/settings/activity-logs.mdx
@@ -46,6 +46,12 @@ These events track changes to organization-wide settings and membership.
 | Domain verified | An authentication domain was verified |
 | Organization settings changed | Organization name, logo, or other settings were updated |
 | 2FA enforcement changed | Two-factor authentication requirements were modified |
+| SCIM user provisioned | A user was created or added via SCIM |
+| SCIM user updated | A user was modified via SCIM |
+| SCIM user deprovisioned | A user was removed or deactivated via SCIM |
+| SCIM group provisioned | A role was created via SCIM |
+| SCIM group updated | A role was modified via SCIM |
+| SCIM group deprovisioned | A role was removed via SCIM |
 | *+ many more* | |
 
 ### Project-level events

diff --git a/contents/docs/settings/sso.mdx b/contents/docs/settings/sso.mdx
@@ -347,6 +347,16 @@ Before setting up SCIM, you need:
 2. SAML SSO configured and working for your domain
 3. Identity Provider that supports SCIM 2.0 (e.g., Okta, Entra ID, OneLogin)
 
+### Domain requirements
+
+SCIM can only provision users whose email domain matches your organization's verified authentication domain. For example, if your verified domain is `example.com`, SCIM can only create or manage users with `@example.com` email addresses. Attempts to provision users with mismatched email domains are rejected.
+
+<CalloutBox icon="IconWarning" title="Cross-domain provisioning is blocked" type="caution">
+
+This validation prevents cross-tenant user adoption. Your Identity Provider can only provision users for domains your organization has verified in PostHog.
+
+</CalloutBox>
+
 ### Setting up SCIM
 
 1. In PostHog, navigate to Organization settings and go to [Authentication domains](https://app.posthog.com/settings/organization-authentication).