diff --git a/docs/tutorials/cloudflare.md b/docs/tutorials/cloudflare.md
index 27f004a70..6190f0c62 100644
--- a/docs/tutorials/cloudflare.md
+++ b/docs/tutorials/cloudflare.md
@@ -21,7 +21,9 @@ Snippet from [Cloudflare - Getting Started](https://api.cloudflare.com/#getting-
 API Token will be preferred for authentication if `CF_API_TOKEN` environment variable is set. 
 Otherwise `CF_API_KEY` and `CF_API_EMAIL` should be set to run ExternalDNS with Cloudflare.
 
-When using API Token authentication the token should be granted Zone `Read` and DNS `Edit` privileges.
+When using API Token authentication, the token should be granted Zone `Read`, DNS `Edit` privileges, and access to `All zones`.
+
+If you would like to further restrict the API permissions to a specific zone (or zones), you also need to use the `--zone-id-filter` so that the underlying API requests only access the zones that you explicitly specify, as opposed to accessing all zones.
 
 ## Deploy ExternalDNS