Atlassian Bitbucket SCIM Provisioning: Pricing & Limitations

Summary
At a glance
Identity providers
Hidden costs
Pricing analysis
Upgrade bundle
Summary of challenges
What admins say
Recommendation
Technical specs

Summary and recommendation

Atlassian Bitbucket supports SCIM 2.0 for user provisioning, but requires an additional Atlassian Guard subscription on top of your existing Bitbucket plan. More critically, Bitbucket's SCIM implementation only provisions users—group sync is completely unavailable. This means while your IdP can create and deactivate user accounts, all repository permissions and team memberships must be managed manually within Bitbucket itself.

For development teams handling sensitive source code, this creates a significant security and operational gap. Repository access controls are critical for IP protection, but without group sync, IT admins must rely on developers to manually assign the correct permissions in Bitbucket after SCIM provisions the accounts. This manual step defeats the purpose of automated provisioning and creates compliance risks when developers leave or change roles.

The strategic alternative

Stitchflow provides complete managed provisioning automation for Bitbucket, including group sync capabilities that Atlassian doesn't offer natively. Works with any Bitbucket plan without requiring Atlassian Guard. Flat pricing under $5K/year, regardless of team size.

Quick SCIM facts

SCIM available?	Yes
SCIM tier required	Enterprise
SSO required first?	Yes
SSO available?	Yes
SSO protocol	SAML 2.0
Documentation	Official docs

Supported identity providers

IdP	SSO	SCIM	Notes
Okta	✓	✓	OIN app with full provisioning
Microsoft Entra ID	✓	✓	Gallery app with SCIM
Google Workspace	✓	JIT only	SAML SSO with just-in-time provisioning
OneLogin	✓	✓	Supported

The cost of not automating

Without SCIM (or an alternative like Stitchflow), your IT team manages Atlassian Bitbucket accounts manually. Here's what that costs:

Source: Stitchflow customers using Atlassian Bitbucket, normalized to 500 employees:

Orphaned accounts (ex-employees with access)16

Unused licenses16

IT hours spent on manual management/year96 hours

Unused license cost/year$2,338

IT labor cost/year$5,784

Cost of compliance misses/year$3,825

Total annual financial impact$11,946

The Atlassian Bitbucket pricing problem

Atlassian Bitbucket gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.

Tier comparison

Plan	Price	SCIM
Free	Free (5 users)
Standard	$3.30/user/mo	Requires Guard
Premium	$6.60/user/mo	Requires Guard

Plan Structure

Plan	Price	SCIM
Free	Free (5 users)	❌
Standard	$3.30/user/mo	Requires Guard
Premium	$6.60/user/mo	Requires Guard

Note: SCIM requires a separate Atlassian Guard subscription on top of your Bitbucket plan. Guard pricing varies but adds significant cost to your monthly spend.

What this means in practice

The core limitation: SCIM only provisions user accounts - not repository access. Development teams still need to:

Manually assign users to repositories

Manage repository permissions in Bitbucket's interface

Handle team-based access controls separately from IdP groups

Cost impact: Adding Atlassian Guard to enable basic (incomplete) SCIM:

Team Size	Base Bitbucket Cost	+ Guard Subscription	Total Impact
25 developers	$990/year	+ Guard fees	Significant increase
50 developers	$1,980/year	+ Guard fees	Doubles overall cost
100 developers	$3,960/year	+ Guard fees	Major budget impact

Additional constraints

Third-party dependency

Full group sync requires marketplace apps like "User Sync - SCIM Provisioning & Group Sync" at additional cost.

API key management

SCIM API keys expire after one year, requiring manual renewal to maintain provisioning.

Limited scope

Even with SCIM enabled, repository-level permissions remain a manual process for IT teams.

Guard subscription complexity

Adding Guard changes your billing relationship and support structure with Atlassian.

Summary of challenges

Atlassian Bitbucket supports SCIM but only at Enterprise tier (custom pricing)
Google Workspace users get JIT provisioning only, not full SCIM
Our research shows teams manually provisioning this app spend significant hidden costs annually

What the upgrade actually includes

Bitbucket doesn't sell SCIM à la carte. It requires an Atlassian Guard subscription on top of your existing plan:

SCIM automated provisioning (users only - no group sync)

SAML single sign-on (SSO)

Advanced security policies and audit logs

Domain verification and management

API token management and monitoring

Data residency options

Enhanced admin controls across Atlassian products

If you need organization-wide security controls across multiple Atlassian products, Guard may justify the cost. But if you just want automated provisioning for Bitbucket specifically, you're paying for a security bundle while still handling the most critical part (repository access) manually. We estimate ~60% of Guard features are irrelevant for teams that only need Bitbucket user provisioning with proper group sync.

Stitchflow Insight

Bitbucket's SCIM only provisions users, not groups. Repository permissions and team assignments must still be managed manually in Bitbucket, or through third-party marketplace apps that add complexity and cost.

What IT admins are saying

Community sentiment on Atlassian Bitbucket's SCIM implementation is mixed, with significant frustration around core limitations. Common complaints:

No group sync for Bitbucket - users provision but repository permissions require manual management
Requiring separate Atlassian Guard subscription adds complexity and cost
Need to purchase third-party marketplace apps for full functionality
API keys expiring annually creates maintenance overhead

“

"GROUP SYNC NOT AVAILABLE for Bitbucket - users only" is the most cited limitation across forums and documentation.

“

Group sync requires third-party marketplace apps

consistently mentioned as a major gap in native functionality.

The recurring theme

Bitbucket's SCIM provisions users but stops short of the group sync that makes automated access management truly valuable for development teams managing sensitive code repositories.

The decision

Your Situation	Recommendation
Need group sync for repository permissions	Use Stitchflow: Bitbucket's native SCIM can't sync groups
Want to avoid Atlassian Guard subscription costs	Use Stitchflow: no additional Guard licensing required
On Standard/Premium, don't need other Guard features	Use Stitchflow: avoid paying for unused Guard capabilities
Already have Guard, only need basic user provisioning	Use native SCIM: you're paying for Guard anyway
Small dev team with simple access needs	Manual may work: but consider security risks for code access

The bottom line

Bitbucket's native SCIM requires an Atlassian Guard subscription and crucially lacks group sync—forcing you to manage repository permissions manually even with provisioning enabled. For development teams where code access security matters, Stitchflow provides complete provisioning automation including the group sync that Bitbucket's native implementation can't deliver.

Automate Atlassian Bitbucket without the tier upgrade

Stitchflow delivers SCIM-level provisioning through resilient browser automation, backed by 24/7 human in the loop for Atlassian Bitbucket at <$5K/year, flat, regardless of team size.

Works alongside or instead of native SCIM

Syncs with your existing IdP (Okta, Entra ID, Google Workspace)

Automates onboarding and offboarding

SOC 2 Type II certified

24/7 human-in-the-loop monitoring

Book a Demo

Technical specifications

SCIM Version

2.0

Supported Operations

Create, Update, Deactivate, Groups

Supported Attributes

Not specified

Plan requirement

Enterprise

Prerequisites

SSO must be configured first

Key limitations

GROUP SYNC NOT AVAILABLE for Bitbucket
Requires Atlassian Guard subscription
Group sync requires third-party marketplace apps
API keys expire after 1 year

View Official Documentation

Configuration for Okta

Integration type

Okta Integration Network (OIN) app with SCIM provisioning

Prerequisite

SSO must be configured before enabling SCIM.

Where to enable

Okta Admin Console → Applications → Atlassian Bitbucket → Provisioning

Required credentials

SCIM endpoint URL and bearer token (generated in app admin console).

Configuration steps

Enable Create Users, Update User Attributes, and Deactivate Users.

Provisioning trigger

Okta provisions based on app assignments (users or groups).

Docs

Okta integration Atlassian Bitbucket SCIM setup

Atlassian Cloud app in OIN. Requires Atlassian Guard Standard subscription. Copy SCIM base URL and API key from admin.atlassian.com. Store credentials - not shown again. Group sync only for Jira/Confluence, NOT Bitbucket.

Native SCIM is available on Enterprise. Use Stitchflow if you need provisioning without the tier upgrade.

Configuration for Entra ID

Integration type

Microsoft Entra Gallery app with SCIM provisioning

Prerequisite

SSO must be configured before enabling SCIM.

Where to enable

Entra admin center → Enterprise applications → Atlassian Bitbucket → Provisioning

Required credentials

Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).

Configuration steps

Set Provisioning Mode = Automatic, configure SCIM connection.

Provisioning trigger

Entra provisions based on user/group assignments to the enterprise app.

Sync behavior

Entra provisioning runs on a scheduled cycle (typically every 40 minutes).