Summary and recommendation
Abnormal Security, the AI-powered email security platform protecting against BEC and phishing attacks, does not offer SCIM provisioning on any plan. While the platform supports SAML 2.0 SSO integration with identity providers like Okta and Entra ID, this only handles authentication—not automated user lifecycle management. Security teams must manually provision and deprovision analyst access through Abnormal's portal, creating operational overhead and potential security gaps in a platform specifically designed to protect against email-based threats.
This manual provisioning model creates significant challenges for security operations. When new SOC analysts join or existing team members change roles, IT admins must coordinate manual account creation and permission updates in Abnormal Security. For a platform that's critical to threat detection and incident response, delays in provisioning can leave security gaps, while delayed deprovisioning creates compliance risks. The irony is stark: a security platform designed to prevent account takeover and credential abuse lacks the automated provisioning controls that prevent exactly these risks.
The strategic alternative
Stitchflow provides SCIM-level provisioning through resilient browser automation for Abnormal Security without requiring any custom development work. Works with any Abnormal Security deployment and any IdP. Flat pricing under $5K/year.
Quick SCIM facts
| SCIM available? | No |
| SCIM tier required | N/A |
| SSO required first? | No |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Not available |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ❌ | No dedicated Abnormal Security app in Okta OIN. Abnormal integrates with Okta for threat detection (API-based), not user provisioning. |
| Microsoft Entra ID | ✓ | ❌ | Microsoft Sentinel data connector for threat/case log ingestion. No Entra ID user provisioning integration documented. |
| Google Workspace | Via third-party | ❌ | No native support |
| OneLogin | Via third-party | ❌ | No native support |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Abnormal Security accounts manually. Here's what that costs:
The Abnormal Security pricing problem
Abnormal Security gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Enterprise | Custom (~$87K/year or ~$3/user/mo) |
Pricing structure
| Plan | Pricing | SCIM | SSO |
|---|---|---|---|
| Enterprise | Custom (~$87K/year or ~$3/user/mo) | ❌ Not available | ✓ SAML (requires support) |
Key pricing details
What this means in practice
Without SCIM, security teams face significant operational overhead:
Manual user lifecycle management
Audit and compliance gaps
Operational friction
Additional constraints
Summary of challenges
- Abnormal Security does not provide native SCIM at any price tier
- Organizations must rely on third-party tools or manual provisioning
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What Abnormal Security actually offers for identity
SAML SSO (Enterprise only)
Abnormal Security supports SAML 2.0 integration, but documentation is locked behind their customer support portal:
| Setting | Details |
|---|---|
| Protocol | SAML 2.0 |
| Supported IdPs | Okta, Entra ID, custom SAML providers |
| Configuration | Customer support required |
| JIT Provisioning | ❌ No |
| User requirement | Manual account creation via portal |
Critical limitation: No JIT (just-in-time) provisioning means you must manually create each security analyst account in Abnormal's portal before they can authenticate via SSO.
Manual User Management Only
Abnormal Security forces IT teams to manage security platform access manually:
Third-Party Integration Gaps
While Abnormal integrates with Microsoft Sentinel for threat data, these integrations don't solve user management:
| Integration | Purpose | User Provisioning |
|---|---|---|
| Microsoft Sentinel | Threat/case log ingestion | ❌ No |
| Okta API | Threat detection data | ❌ No |
| Various SIEMs | Security event export | ❌ No |
The reality: These are data connectors for security monitoring, not identity management solutions. Your security team still manages Abnormal user access manually, creating audit gaps for this critical security platform.
What IT admins are saying
Community sentiment on Abnormal Security's manual provisioning highlights the disconnect between enterprise security tools and modern IT operations:
- No SCIM support means manual user management for every security analyst
- SSO configuration requires opening support tickets instead of self-service setup
- Custom enterprise pricing makes budgeting and ROI calculations difficult
- Documentation for identity integrations is locked behind customer portals
User accounts must be manually provisioned through the Abnormal Security portal. There's no automated way to sync from our identity provider.
Even though we have SAML SSO working, we still have to manually add each security team member to Abnormal. When someone leaves, it's easy to forget to deprovision them from this critical security tool.
The recurring theme
For a platform protecting against insider threats and account compromise, the irony isn't lost on IT teams that Abnormal Security itself requires manual account management that creates audit trail gaps and potential security risks.
The decision
| Your Situation | Recommendation |
|---|---|
| Small security team (<10 analysts) | Manual management is workable short-term |
| SOC with low analyst turnover | Manual management with SAML SSO for authentication |
| Growing security organization (25+ users) | Use Stitchflow: automation essential for security team scaling |
| Enterprise with compliance requirements | Use Stitchflow: automated audit trail critical for security platform access |
| Multi-team security operations (SOC, incident response, threat hunting) | Use Stitchflow: role-based provisioning automation required |
The bottom line
Abnormal Security delivers critical email threat protection, but offers no SCIM provisioning despite enterprise-level pricing starting around $87K annually. Security teams are left managing analyst access manually in a platform that should be securing the organization. For security operations that need reliable, auditable user provisioning, Stitchflow eliminates the manual overhead while maintaining the security controls your team demands.
Automate Abnormal Security without third-party complexity
Stitchflow delivers SCIM-level provisioning through resilient browser automation, backed by 24/7 human in the loop for Abnormal Security at <$5K/year, flat, regardless of team size.
Technical specifications
SCIM Version
Not specifiedSupported Operations
Not specifiedSupported Attributes
Plan requirement
Not specifiedPrerequisites
Not specifiedKey limitations
- No SCIM provisioning support documented
- SSO configuration requires customer support
- Manual user management via portal RBAC
- Enterprise-only pricing with custom quotes
Documentation not available.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app
Where to enable
Microsoft Sentinel data connector for threat/case log ingestion. No Entra ID user provisioning integration documented.
Use Stitchflow for automated provisioning.
Unlock SCIM for
Abnormal Security
Abnormal Security doesn't offer SCIM. Get an enterprise-grade SCIM endpoint in your IdP, even without native support.
See how it works
