cloudflare · dmmulroy · Mar 13, 2026 · Mar 14, 2026 · Mar 17, 2026 · dcpena
@@ -7,7 +7,14 @@ description: >-
 
 import { Render } from "~/components";
 
-If you observe suspicious activity within your Cloudflare account, secure your account with these steps.
+If you observe suspicious activity within your Cloudflare account, secure your account immediately. At a minimum, complete these actions as quickly as possible:
+
+1. **Change your password** — use a strong, unique password not used elsewhere.
+2. **Enable two-factor authentication (2FA)** — if not already enabled.
+3. **Rotate your Global API Key** — regenerate it to invalidate the old key.
+4. **Log out all sessions** — manually sign out of the dashboard to terminate all ongoing sessions.
+
+The sections below walk through each step in detail.
 
 ## Step 1 - Change your password
 

@@ -4,8 +4,27 @@ title: Change Super Administrator
 
 ---
 
-If you or someone in your organization leaves or loses access to email, you can add another Super Administrator using any other Super Administrator on your Account with a [verified email](https://developers.cloudflare.com/fundamentals/account/verify-email-address/) address.
+If you or someone in your organization leaves or loses access to email, you can add another Super Administrator using any other Super Administrator on your account with a [verified email](/fundamentals/user-profiles/verify-email-address/) address.
 
-First, [add a member](/fundamentals/manage-members/manage/) to your account and assign the **Super Administrator** role.
+1. [Add a member](/fundamentals/manage-members/manage/) to your account and assign the **Super Administrator** role.
+2. If needed, remove the previous Super Administrator.
 
-Then, if needed, remove the previous Super Administrator.
+## Swap Super Administrator email addresses
+
+If you need to reassign the Super Administrator role between two existing members, the system will not allow you to assign an email address that is already in use on the account. Use a temporary placeholder:
+
+1. Change the new Super Administrator's email (for example, `newsuperadmin@example.com`) to a temporary placeholder (for example, `temp@example.com`).
+2. Change the old Super Administrator's email (for example, `oldsuperadmin@example.com`) to `newsuperadmin@example.com`.
+3. Change the temporary placeholder (`temp@example.com`) to `oldsuperadmin@example.com`, or remove the temporary member.
+
+:::note
+This process applies to self-serve accounts only. Enterprise accounts should contact their account team.
+:::
+
+## Regain access when the Super Administrator email is lost
+
+If you cannot access the email address associated with the Super Administrator role:
+
+1. **Recover the email account** — contact your email provider to regain access to the mailbox, or set up email forwarding from the old address to one you control.
+2. **Reset your Cloudflare password** — once you can receive email at the Super Administrator address, go to [`https://dash.cloudflare.com/forgot-password`](https://dash.cloudflare.com/forgot-password) to reset your password.
+3. **Add a new Super Administrator** — after logging in, [add a new member](/fundamentals/manage-members/manage/#add-account-members) with the Super Administrator role using an email address you control, then remove the old Super Administrator if needed.
@@ -28,14 +28,13 @@ To transfer a domain from one Cloudflare account to another, you will need:
 ## Transfer your domain
 
 :::caution
+Before transferring an active Cloudflare domain to another Cloudflare account, complete this pre-transfer checklist:
 
-
-Before transferring an active Cloudflare domain to another Cloudflare account, you must remove any [DNSSEC configurations](/dns/dnssec/) and [add-ons or subscriptions](/billing/cancel-subscription/).
-
-We also recommend [exporting](/dns/manage-dns-records/how-to/import-and-export/#export-records) the DNS records of your zone while it is in the previous account. Then, you can [import](/dns/manage-dns-records/how-to/import-and-export/#import-records) the correct DNS records into the new account.
-If you miss this step, Cloudflare will import your proxied DNS records, which might cause your domain to experience a [1000 error](/support/troubleshooting/http-status-codes/cloudflare-1xxx-errors/).
-
-
+1. **Remove DNSSEC configurations** — [disable DNSSEC](/dns/dnssec/) on the domain before moving it. DNSSEC records at the registrar will prevent the domain from activating in the new account.
+2. **Cancel add-ons and subscriptions** — [remove all add-on subscriptions](/billing/cancel-subscription/) associated with the domain.
+3. **Remove custom certificates** — delete any [custom SSL/TLS certificates](/ssl/edge-certificates/custom-certificates/) from the domain. You will need to re-upload them to the new account.
+4. **Export DNS records** — [export your DNS records](/dns/manage-dns-records/how-to/import-and-export/#export-records) while the domain is still in the previous account. Then [import](/dns/manage-dns-records/how-to/import-and-export/#import-records) them into the new account. If you miss this step, Cloudflare will import your proxied DNS records, which might cause your domain to experience a [1000 error](/support/troubleshooting/http-status-codes/cloudflare-1xxx-errors/).
+5. **Back up configuration** — consider using [Terraform](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs) to export and back up your zone configuration before moving. Settings from the original account (page rules, firewall rules, cache settings, and so on) do not transfer to the new account and must be recreated manually.
 :::
 
 If you still have access to your previous Cloudflare account, you can copy over the Cloudflare account settings manually. You must reissue [SSL/TLS certificates](#issue-new-certificates) and [recreate and validate DNS records](/dns/manage-dns-records/how-to/create-dns-records/) when transferring domains between Cloudflare accounts.

@@ -65,3 +65,27 @@ Please also note that domains in the `Initializing (Setup)` or `Pending` statuse
    :::
 
 3. Select **Confirm**.
+
+## Automatic domain removal
+
+Cloudflare periodically checks whether your domain's nameservers still point to Cloudflare. If the nameservers are changed away from Cloudflare, the domain transitions through the following statuses:
+
+1. **Moved** — Cloudflare detects that nameservers no longer point to Cloudflare and marks the domain as **Moved**. An email notification is sent to the account owner.
+2. **Deleted** — For Free zones, Cloudflare automatically transitions the domain from Moved to Deleted after 7 days. At this stage, the domain can still be re-added.
+3. **Purged** — 7 days after being marked Deleted, the zone is permanently purged. Zone settings are not preserved.
+
+For more details on each status, refer to [Domain status](/dns/zone-setups/reference/domain-status/).
+
+:::note
+If you re-add a domain after it has been removed, Cloudflare assigns a new nameserver pair. You will need to update your registrar with the new nameservers.
+:::
+
+### Restore an automatically removed domain
+
+To restore a domain that was automatically removed:
+
+1. [Re-add the domain](/fundamentals/manage-domains/add-site/) to your Cloudflare account.
+2. Update the nameservers at your domain registrar to the new Cloudflare nameservers assigned to your zone.
+3. Wait for the domain to become **Active** in the Cloudflare dashboard.
+
+You will need to reconfigure any settings (DNS records, page rules, firewall rules, and so on) that were previously associated with the domain, as they are not preserved after removal.
@@ -73,7 +73,7 @@ curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/sso_connectors"
   --json '{"email_domain":"{domain}"}'
 ```
 
-```json output
+```json
 {
 	"success": true,
 	"errors": [],
@@ -169,6 +169,23 @@ curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/sso_connectors/
 </TabItem>
 </Tabs>
 
+## Test your IdP before enforcement
+
+Before enabling SSO for your domain, verify that your identity provider is configured correctly:
+
+1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Integrations** > **Identity providers**.
+2. Find your IdP and select **Test**.
+3. Confirm that the test returns a successful authentication result.
+
+If the test fails, review your IdP configuration against the [identity provider setup instructions](/cloudflare-one/integrations/identity-providers/) before enabling the SSO connector.
+
+### Troubleshoot IdP errors
+
+If you encounter errors during IdP setup or testing, provide the following when [contacting support](/support/contacting-cloudflare-support/):
+
+1. The error message returned by the IdP test.
+2. A sanitized [HAR file](/support/troubleshooting/general-troubleshooting/gathering-information-for-troubleshooting-sites/#generate-a-har-file) captured while running the IdP test from the dashboard.
+
 ## Limitations
 
 Cloudflare dashboard SSO does not support:
@@ -243,7 +260,7 @@ If there is an issue with your SSO IdP provider, you can add an alternate IdP us
      | jq '.result[] | select(.type == "dash_sso")'
    ```
 
-   ```json output {2}
+   ```json output
    {
    	"id": "3537a672-e4d8-4d89-aab9-26cb622918a1",
    	"uid": "3537a672-e4d8-4d89-aab9-26cb622918a1",
@@ -305,7 +322,7 @@ The following API calls will disable SSO enforcement for an account. This action
      --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
    ```
 
-   ```json output
+   ```json output {2}
    {
    	"result": [
    		{

@@ -70,3 +70,7 @@ If you have been invited to an account and want to remove yourself from the acco
 If you are a Super Administrator for an account that has existing domains and you decide to leave the account, you can invite a new Super Administrator who will have access to the same account privileges.
 
 You can delete your user as a Super Administrator, but you cannot delete your account. Other Super Administrators will continue to have access to the appropriate privileges to manage the account, including billing information.
+
+### Reassign or recover Super Administrator access
+
+If you need to swap Super Administrator email addresses or regain access when the current Super Administrator email is unavailable, refer to [Change Super Administrator](/fundamentals/account/change-super-admin/). That page covers the temporary placeholder process for self-serve accounts and the recovery steps to take when the current mailbox is unavailable.
@@ -6,17 +6,21 @@
 
 Super Administrators can access common compliance documentation, such as PCI, SOC 2, ISO, and more, through the Cloudflare dashboard.
 
-To access compliance documentation:
-
-1. Visit [Compliance Documents](https://dash.cloudflare.com/?to=/:account/compliance-docs) and select your account where you are a **Super Administrator**.
-2. If you have not accessed this page before, read the confidentiality statement and select **I Agree**.
-3. Choose the document you need and select **Download**.
+Public compliance information is also available at [cloudflare.com/trust-hub/compliance-resources/](https://www.cloudflare.com/trust-hub/compliance-resources/).
 
 :::note
-
-For confidentiality purposes, only **Super Administrators** for an account can access compliance documentation.
+For confidentiality purposes, only **Super Administrators** for an account can access compliance documentation through the dashboard.
 :::
 
+To access compliance documentation:
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account.
+2. Go to **Support** > **Compliance Documents**.
+3. If you have not accessed this page before, read the confidentiality statement and select **I Agree**.
+4. Choose the document you need and select **Download**.
+
+You can also access the page directly at [Compliance Documents](https://dash.cloudflare.com/?to=/:account/compliance-docs).
+
 ## Public data protection and compliance documentation
 
 Information and documents about Cloudflare's privacy & data protection are available on our public website at [cloudflare.com/trust-hub/](https://www.cloudflare.com/trust-hub/).
@@ -34,9 +38,9 @@
 * Australia Privacy Act
 * United States California Consumer Privacy Act (CCPA) & Consumer Privacy Rights Act (CPRA)
 * EU Digital Operational Resilience Act (DORA)
 * ISO 27001:2022
 * ISO 27701:2019
 * ISO 27018:2019
 * FedRAMP Moderate
 * SOC 2 Type II
 * PCI DSS 4.0
@@ -44,7 +48,7 @@
 * Global PRP
 * EU Cloud Code of Conduct
 * Cyber Essentials
 * C5:2020
 * ENS
 * IRAP
 * BSI Qualification

@@ -163,6 +163,58 @@ When setting up 2FA, you should have saved your backup codes in a secure locatio
 Once you use a backup code, it becomes invalid.
 :::
 
+## Recover your account
+
+If you do not have access to your 2FA account or backup codes and cannot currently generate a 2FA code, use a verified device that you have logged in from before to request a temporary access code.
+
+1. Log into the [Cloudflare dashboard](https://dash.cloudflare.com/login).
+
+      <DashButton url="/?to=/:account/home" />
+
+2. On the **Two-Factor Authentication** page, select **Try recovery** on **Lost all 2FA devices and backup codes?**.
+3. Select **Begin recovery**.
+4. An access code will be sent to the email address associated with your Cloudflare account.
+5. Enter the temporary access code into the Cloudflare Dashboard and select **Verify email**.
+6. Select **Verify device**. This checks whether you are using a device that has previously logged into your account.
+
+If you see **Device verified**, you will receive an email within 3-5 days with instructions to regain access to your account. It is important to note this process cannot be expedited, so you will need to wait until that email arrives before you can proceed.
+
+If you see **Device verification failed**, you may be able to try again considering the following:
+
+   * If you clear your cookies often or are logging in from a different IP address, you have wiped Cloudflare's memory of your device and will need to use a different device to verify.
+   * Your browser may be set to clear cookies on exit or after browser or OS upgrades. This interferes with the device verification process.
+   * You may be using anti-malware or other software that automatically clears your browser cookies and makes your device unrecognizable by Cloudflare's Dashboard.
+
+If you are still unable to verify your device, follow the instructions to *Request manual verification* on the **Device verification failed** page.
+
+## Troubleshooting and recovery
+
+### Find your backup codes
+
+When you first set up 2FA, your backup codes were saved in a file named `cloudflare-<YOUR_EMAIL>-<DATE>.txt`. Search your computer's downloads folder for a file starting with `cloudflare-` to locate it.
+
+### Self-service recovery from a recognized device
+
+If you have lost your backup codes, you can attempt recovery from a device where you have recently logged in:
+
+1. Go to the [Cloudflare login page](https://dash.cloudflare.com/login) and enter your credentials.
+2. At the 2FA challenge, select **Try recovery** under **Lost all 2FA devices and backup codes?**.
+3. Follow the on-screen steps to verify your device. The device must have an existing Cloudflare login cookie.
+
+:::note
+If device verification fails, your browser may have cleared cookies since your last login. Try from a different device or browser where you previously logged in.
+:::
+
+### Contact support for manual recovery
+
+If both backup codes and device recovery are unavailable, [contact Cloudflare Support](/support/contacting-cloudflare-support/) and follow the account verification steps provided by Support to prove account ownership.
+
+:::caution
+As a last resort, Cloudflare can delete the account so you can re-register with the same email address. This permanently removes all account configuration, domains, and data. This action cannot be undone.
+:::
+
+***
+
 ## Related resources
 
 * [Google Authentication documentation](https://support.google.com/accounts/answer/1066447?hl=en\&ref_topic=2954345\&co=GENIE.Platform%3DiOS\&oco=0)

@@ -61,17 +61,20 @@ If you forget the email address associated with your application:
 
 ## Forgot your password
 
-You must be logged out of the Cloudflare dashboard to view the **Forgot your password?** option. 
+You must be logged out of the Cloudflare dashboard to view the **Forgot your password?** option.
 
 If you forget the password associated with your email address:
 
-1. Go to the [Cloudflare dashboard](https://dash.cloudflare.com/login) and select **Forgot your password?**.
-2. Enter your email address.
+1. Go to [`https://dash.cloudflare.com/forgot-password`](https://dash.cloudflare.com/forgot-password).
+2. Enter your email address and at least one domain on the account. If no domains are on the account, your email address alone is sufficient.
 3. Cloudflare will send an email with instructions to reset your password. If you do not receive an email within 20 minutes, check your spam folder. The message will be sent from `no-reply@cloudflare.com` or `noreply@notify.cloudflare.com`.
 
 :::note
+The password reset code expires after 2 hours. If the code has expired, submit a new reset request.
+:::
 
-This process does not affect your account or share your email address with anyone.
+:::caution
+Cloudflare employees cannot view or change your password. Support can only send a password reset email to the address on file for the account.
 :::
 
 If you still cannot access the email address associated with your Cloudflare account, you may need to [move your domain to another account](/fundamentals/manage-domains/move-domain/).