Summary and recommendation
Automox offers native SCIM 2.0 provisioning, but only on their Enterprise plan with custom pricing. Lower tiers (Pro starting at $1/endpoint/month and Automate Essentials) are limited to JIT provisioning through SAML, which creates users only on first login with default Read Only permissions. This forces manual role adjustments for every new user and creates a gap between when access is granted in your IdP and when users can actually perform their job functions in Automox.
The JIT-only approach on lower tiers creates compliance headaches for IT teams. Users appear "provisioned" in your identity provider but remain non-functional until they log in and administrators manually adjust their permissions. For patch management and endpoint security tools like Automox, this delay can leave critical systems unmanaged while you wait for manual intervention.
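The gap described above can be measured by reconciling IdP assignments against an export of the app's user list. This is an added example, not Stitchflow's or Automox's code; the data shapes, the sample users and the "Admin" role name are assumptions constructed for illustration.

```python
from dataclasses import dataclass

READ_ONLY = "Read Only"  # default role the page says JIT-created users receive


@dataclass(frozen=True)
class Finding:
    email: str
    issue: str


def reconcile(idp_assignments, app_users):
    """Compare IdP assignments with the app's user list.

    idp_assignments: {email: {"active": bool, "expected_role": str}}
    app_users:       {email: role currently held in the app}
    Both shapes are assumptions for this example, not a vendor export format.
    """
    idp = {e.lower(): v for e, v in idp_assignments.items()}
    app = {e.lower(): r for e, r in app_users.items()}
    findings = []
    for email, entry in sorted(idp.items()):
        role, want = app.get(email), entry["expected_role"]
        if not entry["active"]:
            # SAML JIT carries no deprovisioning signal, so accounts can linger.
            if role is not None:
                findings.append(Finding(email, "orphaned: disabled in IdP, still in app"))
        elif role is None:
            findings.append(Finding(email, "pending: assigned but never logged in"))
        elif role == READ_ONLY and want != READ_ONLY:
            findings.append(Finding(email, f"under-privileged: needs {want}"))
        elif role != want:
            findings.append(Finding(email, f"role drift: has {role}, expected {want}"))
    for email in sorted(set(app) - set(idp)):
        findings.append(Finding(email, "unmanaged: in app, no IdP assignment"))
    return findings


# Constructed sample data (hypothetical users and role names).
IDP = {
    "ana@example.com": {"active": True, "expected_role": "Admin"},
    "bo@example.com": {"active": True, "expected_role": "Admin"},
    "cy@example.com": {"active": False, "expected_role": "Admin"},
    "di@example.com": {"active": True, "expected_role": READ_ONLY},
}
APP = {"ana@example.com": READ_ONLY, "CY@example.com": "Admin",
       "di@example.com": READ_ONLY, "eve@example.com": "Admin"}

if __name__ == "__main__":
    for f in reconcile(IDP, APP):
        print(f"{f.email:18} {f.issue}")
```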
The strategic alternative
Automox has native SCIM. Provisioning is only one part of the job. Offboarding, access reviews, and license cleanup still break across the rest of the stack. Stitchflow builds and maintains the IT workflows your team still runs manually, across every app, including the ones without APIs.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Unknown |
| SSO required first? | No |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Not available |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Automox accounts manually. Here's what that costs:
The Automox pricing problem
Automox gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Plan Structure
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Pro | Patch OS (from $1/endpoint/mo) | | |
| Business | Automate Essentials (custom) | | |
| Enterprise | Automate Enterprise (custom) | | |
Note: Pro and Business tiers include JIT provisioning via SAML, where users are automatically created on first login but start with Read Only permissions requiring manual role adjustments.
What this means in practice
Since Enterprise pricing is custom and significantly higher than the $1/endpoint Pro tier, organizations face substantial cost increases for SCIM access:
Typical scenarios
JIT provisioning limitations
Additional constraints
Summary of challenges
- Automox supports SCIM, but only on the Automate Enterprise tier (custom pricing)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app incur significant hidden costs annually
What the upgrade actually includes
Automox doesn't gate SCIM behind expensive tiers. SSO, MFA, and RBAC come free on all plans, but full SCIM provisioning requires Enterprise:
The catch: provisioned users start as Read Only regardless of tier. You'll manually adjust roles for every new hire. JIT provisioning works but creates the same role assignment overhead. For teams that just want seamless user lifecycle management, you're paying Enterprise prices for features you may not need, while still handling manual role assignments.
What IT admins are saying
Community sentiment on Automox's SCIM implementation reveals a mixed picture. Common frustrations include:
- SCIM provisioning limited to Enterprise tier only
- All provisioned users default to Read Only role, requiring manual permission adjustments
- Multi-org environments require separate SAML configurations for each organization
- IDP-initiated login mandatory for multi-org provisioning to work properly
Users are provisioned but they come in as Read Only by default. You have to go in and manually change their roles every time, which defeats the purpose of automation.
The multi-org setup is painful - you need separate SAML configs for each org and users must use IDP-initiated login or it breaks.
The recurring theme
While Automox offers native SCIM, the implementation creates ongoing manual overhead that undermines the automation benefits IT teams expect.
The decision
| Your Situation | Recommendation |
|---|---|
| On Pro or Business plans, need SCIM | Use Stitchflow: avoid the Enterprise tier upgrade |
| Already on Enterprise with SCIM included | Use native SCIM: you're paying for it |
| Need Enterprise features beyond SCIM | Evaluate Enterprise: SCIM comes bundled |
| Using Entra ID, comfortable with JIT limitations | Native JIT may suffice: but all users start Read Only |
| Small team, low turnover, comfortable with manual role assignment | Manual provisioning may work: monitor for security gaps |
The bottom line
Automox has native SCIM, but the workflow still spans more than one system. Provisioning is only one part of the job.
Close the Automox workflow gap
Automox has native SCIM, but the workflow still spans more than one system. Stitchflow builds and maintains the full workflow across the rest of your stack.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specified
Plan requirement
Unknown
Prerequisites
None
Key limitations
- SSO, MFA, RBAC included free on all plans
- JIT provisioning available - users created on first login
- Provisioned users start as Read Only - must manually adjust roles
- Multi-org SAML supported but requires separate config per org
- IDP-initiated login required for multi-org provisioning
- SOC 2, SOC 3, TX-RAMP, CSA STAR certified
Documentation not available.
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
Docs
Supports Group Push, Group Linking, Schema Discovery, Attribute Writeback
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Optional Provision New Users checkbox enables automatic user creation on first login


