Summary and recommendation
Automox offers native SCIM 2.0 provisioning, but only on their Enterprise plan with custom pricing. Lower tiers (Pro starting at $1/endpoint/month and Automate Essentials) are limited to JIT provisioning through SAML, which creates users only on first login with default Read Only permissions. This forces manual role adjustments for every new user and creates a gap between when access is granted in your IdP and when users can actually perform their job functions in Automox.
The JIT-only approach on lower tiers creates compliance headaches for IT teams. Users appear "provisioned" in your identity provider but remain non-functional until they log in and administrators manually adjust their permissions. For patch management and endpoint security tools like Automox, this delay can leave critical systems unmanaged while you wait for manual intervention.
The strategic alternative
Stitchflow provides SCIM-level provisioning through resilient browser automation for Automox without requiring the Enterprise tier upgrade. Works with Pro and Automate Essentials plans and any IdP. Flat pricing under $5K/year.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Unknown |
| SSO required first? | No |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Not available |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Automox accounts manually. Here's what that costs:
The Automox pricing problem
Automox gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Plan Structure
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Pro | Patch OS (from $1/endpoint/mo) | ||
| Business | Automate Essentials (custom) | ||
| Enterprise | Automate Enterprise (custom) |
Note: Pro and Business tiers include JIT provisioning via SAML, where users are automatically created on first login but start with Read Only permissions requiring manual role adjustments.
What this means in practice
Since Enterprise pricing is custom and significantly higher than the $1/endpoint Pro tier, organizations face substantial cost increases for SCIM access:
Typical scenarios
JIT provisioning limitations
Additional constraints
Summary of challenges
- Automox supports SCIM but only at Unknown tier (Automate Enterprise (custom))
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What the upgrade actually includes
Automox doesn't gate SCIM behind expensive tiers. SSO, MFA, and RBAC come free on all plans, but full SCIM provisioning requires Enterprise:
The catch: provisioned users start as Read Only regardless of tier. You'll manually adjust roles for every new hire. JIT provisioning works but creates the same role assignment overhead. For teams that just want seamless user lifecycle management, you're paying Enterprise prices for features you may not need, while still handling manual role assignments.
What IT admins are saying
Community sentiment on Automox's SCIM implementation reveals a mixed picture. Common frustrations include:
- SCIM provisioning limited to Enterprise tier only
- All provisioned users default to Read Only role, requiring manual permission adjustments
- Multi-org environments require separate SAML configurations for each organization
- IDP-initiated login mandatory for multi-org provisioning to work properly
Users are provisioned but they come in as Read Only by default. You have to go in and manually change their roles every time, which defeats the purpose of automation.
The multi-org setup is painful - you need separate SAML configs for each org and users must use IDP-initiated login or it breaks.
The recurring theme
While Automox offers native SCIM, the implementation creates ongoing manual overhead that undermines the automation benefits IT teams expect.
The decision
| Your Situation | Recommendation |
|---|---|
| On Pro or Business plans, need SCIM | Use Stitchflow: avoid the Enterprise tier upgrade |
| Already on Enterprise with SCIM included | Use native SCIM: you're paying for it |
| Need Enterprise features beyond SCIM | Evaluate Enterprise: SCIM comes bundled |
| Using Entra ID, comfortable with JIT limitations | Native JIT may suffice: but all users start Read Only |
| Small team, low turnover, comfortable with manual role assignment | Manual provisioning may work: monitor for security gaps |
The bottom line
Automox gates SCIM behind their Enterprise tier while offering only JIT provisioning with manual role assignment on other plans. For organizations that need full provisioning automation without the Enterprise upgrade, Stitchflow delivers SCIM-level capabilities at a predictable cost.
Automate Automox without the tier upgrade
Stitchflow delivers SCIM-level provisioning through resilient browser automation, backed by 24/7 human in the loop for Automox at <$5K/year, flat, regardless of team size.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Unknown
Prerequisites
None
Key limitations
- SSO, MFA, RBAC included free on all plans
- JIT provisioning available - users created on first login
- Provisioned users start as Read Only - must manually adjust roles
- Multi-org SAML supported but requires separate config per org
- IDP-initiated login required for multi-org provisioning
- SOC 2, SOC 3, TX-RAMP, CSA STAR certified
Documentation not available.
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
Docs
Supports Group Push, Group Linking, Schema Discovery, Attribute Writeback
Native SCIM is available on Unknown. Use Stitchflow if you need provisioning without the tier upgrade.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Optional Provision New Users checkbox enables automatic user creation on first login
Native SCIM is available on Unknown. Use Stitchflow if you need provisioning without the tier upgrade.
Unlock SCIM for
Automox
Stop paying the SCIM Tax for Automox. Get enterprise-grade SCIM at a fraction of the enterprise plan cost.
See how it works
