Stitchflow
Atlassian SCIM guide

Native SCIM

How to automate Atlassian user provisioning, and what it actually costs

Native SCIM requires Atlassian Guard subscription plan

Summary and recommendation

Atlassian supports SCIM (the protocol that lets your identity provider automatically create, update, and remove user accounts), but requires a separate Atlassian Guard subscription on top of your existing product licenses. Guard Standard costs $3-4/user/month additional, meaning a 100-person organization pays $3,600-4,800/year extra just for provisioning capabilities. The hidden complexity: Guard billing is per "managed user" across your entire Atlassian organization, not per active product license.

Recent changes make this even more operationally burdensome. As of January 2025, SCIM API keys now expire after one year, requiring mandatory annual rotation. Plus, portal-only accounts (common in Jira Service Management for external users) won't support SCIM until Q2 2025, leaving a provisioning gap for customer support workflows.

The strategic alternative

Stitchflow provides managed SCIM automation for Atlassian without the Guard subscription requirement or key rotation overhead. Works with any Atlassian plan. Flat pricing under $5K/year with 24/7 human-in-the-loop support.

Quick SCIM facts

SCIM available? | Yes
SCIM tier required | Enterprise
SSO required first? | Yes
SSO available? | Yes
SSO protocol | SAML 2.0
Documentation | Official docs

Supported identity providers

IdP | SSO | SCIM | Notes
Okta | | | OIN app with full provisioning
Microsoft Entra ID | | | Gallery app with SCIM
Google Workspace | | JIT only | SAML SSO with just-in-time provisioning
OneLogin | | | Supported

The cost of not automating

Without SCIM (or an alternative like Stitchflow), your IT team manages Atlassian accounts manually. Here's what that costs:

Source: Stitchflow customers using Atlassian, normalized to 500 employees:
Orphaned accounts (ex-employees with access) | 16
Unused licenses | 16
IT hours spent on manual management/year | 96 hours
Unused license cost/year | $2,338
IT labor cost/year | $5,784
Cost of compliance misses/year | $3,825
Total annual financial impact | $11,946

The Atlassian pricing problem

Atlassian gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.

Tier comparison

Plan | Price | SSO | SCIM
Standard Products | Varies by product | |
+ Guard Standard | +$3-4/user/month | |
+ Guard Premium | +$8/user/month | |
Enterprise Cloud | Includes Guard Standard | |

Guard Pricing Structure

Note: Guard Standard includes SSO, SCIM, and API controls. Guard Premium adds anomaly detection, SIEM integrations, and data classification. Enterprise Cloud bundles Guard Standard at no additional cost.

What this means in practice

Guard subscriptions are billed per managed user across your entire Atlassian organization, not per product:

Organization Size | Guard Standard Cost | Guard Premium Cost
100 users | +$3,600-4,800/year | +$9,600/year
250 users | +$9,000-12,000/year | +$24,000/year
500 users | +$18,000-24,000/year | +$48,000/year

This is in addition to your existing Jira, Confluence, and other product licenses, which can already run $100K+ annually for mid-sized teams.

Additional constraints

  • SCIM key expiration: API keys now expire after 1 year (as of January 2025), requiring annual rotation.
  • Billing complexity: Guard charges per managed user across all Atlassian products, regardless of which products they actually use.
  • Portal-only limitations: SCIM support for Jira Service Management portal-only accounts won't arrive until Q2 2025.
  • Group sync gaps: While SCIM works across most products, Bitbucket still has limited group synchronization support.

Summary of challenges

  • Atlassian supports SCIM but only at Enterprise tier (custom pricing)
  • Google Workspace users get JIT provisioning only, not full SCIM
  • Our research shows that teams provisioning this app manually incur significant hidden costs every year

What the upgrade actually includes

Atlassian doesn't sell SCIM standalone. It's bundled with Atlassian Guard, a separate security subscription on top of your existing product licenses:

Atlassian Guard Standard ($3-4/user/month)

  • SCIM 2.0 automated provisioning
  • SAML single sign-on (SSO)
  • API access controls
  • Security audit logs
  • Domain verification
  • Session management

Atlassian Guard Premium ($8/user/month)

Everything in Standard, plus:

  • Anomaly detection and alerts
  • SIEM integrations (Splunk, QRadar)
  • Data loss prevention (DLP)
  • Advanced threat detection
  • Data classification controls

The reality: Guard is billed per managed user across your entire Atlassian organization, not per product. So if you have 100 users across Jira, Confluence, and Bitbucket, you're paying Guard costs for all 100 users even if only 20 actively use SCIM provisioning.

For teams that just want automated user provisioning, roughly 60-70% of Guard's features are security theater you won't use. You're essentially paying double licensing costs (product + Guard) to get basic identity automation that should be standard in 2025.

What IT admins are saying

Community sentiment on Atlassian's SCIM pricing is mixed to negative, with most complaints centered on the additional Guard subscription cost. Common complaints:

  • Having to purchase Atlassian Guard on top of already-expensive product licenses
  • Guard billing complexity with per-managed-user pricing across the entire organization
  • Annual SCIM API key rotation requirement adding operational overhead
  • Confusing pricing structure with multiple Guard tiers and product dependencies

The Guard pricing model is frustrating - we're already paying premium prices for Jira and Confluence, now we need another subscription just for basic provisioning features.

Reddit r/sysadmin

SCIM keys expiring after a year is going to be a nightmare for our automation. One more thing to track and rotate annually.

Atlassian Community Forum

The recurring theme

IT teams feel nickeled-and-dimed by having to pay for a separate Guard subscription when SCIM should be included with their existing high-cost Atlassian product licenses.

The decision

Your Situation | Recommendation
Don't have Guard subscription, need SCIM | Use Stitchflow: avoid the $3-8/user/month Guard add-on
Have Guard Standard, comfortable with annual key rotation | Use native SCIM: you're already paying for it
Need Guard Premium features beyond SCIM | Evaluate Guard Premium: SCIM comes bundled with anomaly detection
Small team, low employee turnover | Manual may work: but consider automation as you scale
Complex multi-product setup across Jira/Confluence/JSM | Use Stitchflow: avoid Guard billing complexity and key management

The bottom line

Atlassian Guard adds $3-8 per user monthly on top of already-expensive product licenses, plus mandatory annual SCIM key rotation starting in 2025. For organizations wanting automated provisioning without the Guard subscription overhead, Stitchflow provides simpler, flat-rate automation.

Automate Atlassian without the tier upgrade

Stitchflow delivers SCIM-level provisioning through resilient browser automation, backed by 24/7 human in the loop for Atlassian at <$5K/year, flat, regardless of team size.

  • Works alongside or instead of native SCIM
  • Syncs with your existing IdP (Okta, Entra ID, Google Workspace)
  • Automates onboarding and offboarding
  • SOC 2 Type II certified
  • 24/7 human-in-the-loop monitoring

Technical specifications

SCIM Version

2.0

Supported Operations

Create, Update, Deactivate, Groups

Supported Attributes

Not specified

Plan requirement

Enterprise

Prerequisites

SSO must be configured first

Key limitations

  • Requires separate Atlassian Guard subscription in addition to product licenses
  • SCIM API keys now expire after 1 year (as of Jan 2025)
  • Portal-only accounts (JSM) SCIM support expected Q2 2025
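
The Deactivate operation and the one-year key expiry listed above can be checked with a small audit script. This is an added example, not Stitchflow's or Atlassian's code: it finds accounts that are still active but missing from the current roster, builds the standard SCIM 2.0 PatchOp body that deactivates them, and flags a key that is close to expiry. The user records, the roster, the function names and the 30-day warning window are assumptions constructed for illustration.

```python
import json
from datetime import date, timedelta

# Constructed SCIM 2.0 ListResponse (RFC 7644 section 3.4.2), as a GET on the
# Users endpoint of a SCIM directory would return it. All values are made up.
SCIM_USERS = json.loads("""
{"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
 "totalResults": 4,
 "Resources": [
  {"id": "u-001", "userName": "ana@example.com",  "active": true},
  {"id": "u-002", "userName": "Bo@Example.com",   "active": true},
  {"id": "u-003", "userName": "cy@example.com",   "active": true},
  {"id": "u-004", "userName": "dee@example.com",  "active": false}]}
""")

# Constructed roster of current employees exported from the IdP or HR system.
ACTIVE_ROSTER = {"ana@example.com", "bo@example.com"}


def find_orphans(list_response, roster):
    """Return SCIM users that are still active but absent from the roster."""
    known = {name.casefold() for name in roster}
    return [u for u in list_response.get("Resources", [])
            if u.get("active", False) and u["userName"].casefold() not in known]


def deactivate_patch():
    """Body of the SCIM PatchOp (RFC 7644 section 3.5.2) that sets active=false."""
    return {"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}


def key_rotation_due(created, today, lifetime_days=365, warn_days=30):
    """True once a key created on `created` is within warn_days of expiry.

    lifetime_days=365 models the one-year expiry stated above; warn_days is
    an assumed lead time, not an Atlassian setting.
    """
    return today >= created + timedelta(days=lifetime_days - warn_days)


if __name__ == "__main__":
    for user in find_orphans(SCIM_USERS, ACTIVE_ROSTER):
        # A real run would send PATCH <scim-base>/Users/<id> with the bearer token.
        print("deactivate", user["id"], user["userName"], json.dumps(deactivate_patch()))
    print("rotate key:", key_rotation_due(date(2025, 2, 1), date(2026, 1, 11)))
```

The comparison is case-insensitive on `userName` so that a roster entry with different capitalization is not reported as an orphan, and accounts that are already inactive are skipped.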

Configuration for Okta

Integration type

Okta Integration Network (OIN) app with SCIM provisioning

Prerequisite

SSO must be configured before enabling SCIM.

Where to enable

Okta Admin Console → Applications → Atlassian → Provisioning

Required credentials

SCIM endpoint URL and bearer token (generated in app admin console).

Configuration steps

Enable Create Users, Update User Attributes, and Deactivate Users.

Provisioning trigger

Okta provisions based on app assignments (users or groups).

Full SCIM 2.0 support via Atlassian Cloud app in OIN. Group sync available for Jira, Confluence, Trello (not Bitbucket). SCIM API keys expire after 1 year (as of Jan 2025).

Native SCIM is available on Enterprise. Use Stitchflow if you need provisioning without the tier upgrade.

Configuration for Entra ID

Integration type

Microsoft Entra Gallery app with SCIM provisioning

Prerequisite

SSO must be configured before enabling SCIM.

Where to enable

Entra admin center → Enterprise applications → Atlassian → Provisioning

Required credentials

Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).

Configuration steps

Set Provisioning Mode = Automatic, configure SCIM connection.

Provisioning trigger

Entra provisions based on user/group assignments to the enterprise app.

Sync behavior

Entra provisioning runs on a scheduled cycle (typically every 40 minutes).

Full SCIM 2.0 provisioning support. Can sync job title, department attributes. Provisioning cycle runs every 40 minutes. Supports switching between SCIM and Azure AD nested groups.

Native SCIM is available on Enterprise. Use Stitchflow if you need provisioning without the tier upgrade.

Unlock SCIM for Atlassian

Atlassian gates automation behind Atlassian Guard subscription plan. Stitchflow delivers the same SCIM outcomes for a flat fee.

Last updated: 2026-01-11

* Pricing and features sourced from public documentation.