Summary and recommendation
Atlassian supports SCIM (the protocol that lets your identity provider automatically create, update, and remove user accounts), but requires a separate Atlassian Guard subscription on top of your existing product licenses. Guard Standard costs $3-4/user/month additional, meaning a 100-person organization pays $3,600-4,800/year extra just for provisioning capabilities. The hidden complexity: Guard billing is per "managed user" across your entire Atlassian organization, not per active product license.
Recent changes make this even more operationally burdensome. As of January 2025, SCIM API keys now expire after one year, requiring mandatory annual rotation. Plus, portal-only accounts (common in Jira Service Management for external users) won't support SCIM until Q2 2025, leaving a provisioning gap for customer support workflows.
The strategic alternative
Atlassian gates SCIM behind Atlassian Guard subscription. Skip the Atlassian Guard subscription plan upgrade and automate complete outcomes across your stack. We maintain the integration layer underneath. You focus on judgment, not plumbing.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Atlassian accounts manually. Here's what that costs:
The Atlassian pricing problem
Atlassian gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Standard Products | Varies by product | ||
| + Guard Standard | +$3-4/user/month | ||
| + Guard Premium | +$8/user/month | ||
| Enterprise Cloud | Includes Guard Standard |
Guard Pricing Structure
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Standard Products | Varies by product | ||
| + Guard Standard | +$3-4/user/month | ||
| + Guard Premium | +$8/user/month | ||
| Enterprise Cloud | Includes Guard Standard |
Note: Guard Standard includes SSO, SCIM, and API controls. Guard Premium adds anomaly detection, SIEM integrations, and data classification. Enterprise Cloud bundles Guard Standard at no additional cost.
What this means in practice
Guard subscriptions are billed per managed user across your entire Atlassian organization, not per product:
| Organization Size | Guard Standard Cost | Guard Premium Cost |
|---|---|---|
| 100 users | +$3,600-4,800/year | +$9,600/year |
| 250 users | +$9,000-12,000/year | +$24,000/year |
| 500 users | +$18,000-24,000/year | +$48,000/year |
This is in addition to your existing Jira, Confluence, and other product licenses, which can already run $100K+ annually for mid-sized teams.
Additional constraints
Summary of challenges
- Atlassian supports SCIM but only at Enterprise tier (custom pricing)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What the upgrade actually includes
Atlassian doesn't sell SCIM standalone. It's bundled with Atlassian Guard, a separate security subscription on top of your existing product licenses:
Atlassian Guard Standard ($3-4/user/month)
Atlassian Guard Premium ($8/user/month)
The reality: Guard is billed per managed user across your entire Atlassian organization, not per product. So if you have 100 users across Jira, Confluence, and Bitbucket, you're paying Guard costs for all 100 users even if only 20 actively use SCIM provisioning.
For teams that just want automated user provisioning, roughly 60-70% of Guard's features are security theater you won't use. You're essentially paying double licensing costs (product + Guard) to get basic identity automation that should be standard in 2025.
What IT admins are saying
Community sentiment on Atlassian's SCIM pricing is mixed to negative, with most complaints centered on the additional Guard subscription cost. Common complaints:
- Having to purchase Atlassian Guard on top of already-expensive product licenses
- Guard billing complexity with per-managed-user pricing across the entire organization
- Annual SCIM API key rotation requirement adding operational overhead
- Confusing pricing structure with multiple Guard tiers and product dependencies
The Guard pricing model is frustrating - we're already paying premium prices for Jira and Confluence, now we need another subscription just for basic provisioning features.
SCIM keys expiring after a year is going to be a nightmare for our automation. One more thing to track and rotate annually.
The recurring theme
IT teams feel nickeled-and-dimed by having to pay for a separate Guard subscription when SCIM should be included with their existing high-cost Atlassian product licenses.
The decision
| Your Situation | Recommendation |
|---|---|
| Don't have Guard subscription, need SCIM | Use Stitchflow: avoid the $3-8/user/month Guard add-on |
| Have Guard Standard, comfortable with annual key rotation | Use native SCIM: you're already paying for it |
| Need Guard Premium features beyond SCIM | Evaluate Guard Premium: SCIM comes bundled with anomaly detection |
| Small team, low employee turnover | Manual may work: but consider automation as you scale |
| Complex multi-product setup across Jira/Confluence/JSM | Use Stitchflow: avoid Guard billing complexity and key management |
The bottom line
Atlassian Guard adds $3-8 per user monthly on top of already-expensive product licenses, plus mandatory annual SCIM key rotation starting in 2025. For organizations wanting automated provisioning without the Guard subscription overhead, Stitchflow provides simpler, flat-rate automation.
Make Atlassian workflows AI-native
Atlassian gates SCIM behind Atlassian Guard subscription. We build complete offboarding, user access reviews, and license workflows without that SCIM Tax upgrade.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Enterprise
Prerequisites
SSO must be configured first
Key limitations
- Requires separate Atlassian Guard subscription in addition to product licenses
- SCIM API keys now expire after 1 year (as of Jan 2025)
- Portal-only accounts (JSM) SCIM support expected Q2 2025
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
Full SCIM 2.0 support via Atlassian Cloud app in OIN. Group sync available for Jira, Confluence, Trello (not Bitbucket). SCIM API keys expire after 1 year (as of Jan 2025).
Atlassian gates SCIM behind Atlassian Guard subscription. Stitchflow automates complete workflows without that SCIM Tax upgrade.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Full SCIM 2.0 provisioning support. Can sync job title, department attributes. Provisioning cycle runs every 40 minutes. Supports switching between SCIM and Azure AD nested groups.
Atlassian gates SCIM behind Atlassian Guard subscription. Stitchflow automates complete workflows without that SCIM Tax upgrade.
Unlock SCIM for
Atlassian
Atlassian gates SCIM behind Atlassian Guard subscription plan. We automate complete offboarding and access reviews across your stack without that SCIM Tax upgrade.
See how it works
