Summary and recommendation
Microsoft Entra ID (formerly Azure AD) is itself an identity provider that provisions users TO other applications via SCIM. It includes native SCIM provisioning capabilities, but only for Premium P1 ($6/user/month) or P2 ($9/user/month) license holders. Organizations on the free tier cannot automate user provisioning to their SaaS applications at all. Key limitations include 20-40 minute sync intervals, no support for nested groups, and removed attributes not syncing back to target applications.
For organizations with hundreds or thousands of users, the Premium licensing requirement creates a significant cost barrier. A 500-person company moving from free Entra ID to P1 just for provisioning would pay $36,000/year in additional licensing. Many organizations need automated provisioning for compliance and security, but don't require the other Premium features like conditional access policies or advanced security reports.
The strategic alternative
Microsoft Azure / Entra ID gates SCIM behind Premium P1/P2. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across the rest of your stack. Stitchflow builds and maintains the IT workflows your team still runs manually, across every app, including the ones without APIs.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Pro |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0, OIDC, WS-Federation |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ❌ | SSO only |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Microsoft Azure / Entra ID accounts manually. Here's what that costs:
The Microsoft Azure / Entra ID pricing problem
Microsoft Azure / Entra ID gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Entra ID Free | $0/user/mo | | |
| Entra ID Premium P1 | $6/user/mo | | |
| Entra ID Premium P2 | $9/user/mo | | |
Plan Structure
| Plan | Price | SCIM Provisioning |
|---|---|---|
| Entra ID Free | $0/user/mo | ❌ |
| Entra ID Premium P1 | $6/user/mo | ✓ |
| Entra ID Premium P2 | $9/user/mo | ✓ |
Note: Premium P1 and P2 are also included in Microsoft 365 E3 and E5 plans respectively. Organizations already on these M365 plans have SCIM provisioning available.
What this means in practice
For organizations currently on Entra ID Free wanting automated provisioning:
| Team Size | Upgrade to P1 | Upgrade to P2 |
|---|---|---|
| 100 users | $7,200/year | $10,800/year |
| 500 users | $36,000/year | $54,000/year |
| 1,000 users | $72,000/year | $108,000/year |
Calculation: License price × users × 12 months
Additional constraints
Summary of challenges
- Microsoft Azure / Entra ID supports SCIM but only at Pro tier (custom pricing)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app incur significant hidden costs annually
What the upgrade actually includes
Entra ID Premium P1/P2 isn't just about SCIM provisioning. You're buying Microsoft's full enterprise identity platform:
The bigger issue: Entra ID's SCIM sync runs every 20-40 minutes, doesn't support nested groups, and requires extensive configuration for each target application. You get the feature, but not necessarily the smooth automation experience you're expecting.
Stitchflow Insight
The reality: if you're already using Microsoft 365 E3/E5, you likely have Premium P1/P2 included. But if you're upgrading specifically for SCIM provisioning, you're paying for enterprise-grade identity features that smaller teams rarely need. We estimate ~60% of Premium features are overkill for organizations that just want to automate user provisioning to their SaaS applications.
What IT admins are saying
Community sentiment on Microsoft Entra ID's SCIM provisioning is mixed, with licensing costs being the primary pain point. Common complaints:
- Premium P1/P2 licensing required just to enable SCIM provisioning ($6-9/user/month)
- Nested group limitations breaking organizational hierarchies in target apps
- 20-40 minute sync delays causing user access issues during onboarding
- Complex licensing tiers making cost planning difficult for large deployments
"We're paying $6 per user per month just to get basic provisioning that should be included. It adds up fast when you have 500+ users."
"The nested group limitation is a real problem. Our organizational structure doesn't map cleanly without that support."
"20-40 minute sync delays mean new hires are sitting around waiting for access. Not exactly the smooth onboarding experience we want."
The recurring theme
While Entra ID offers robust SCIM capabilities, the premium licensing requirement and technical limitations create friction for organizations trying to implement automated provisioning at scale.
The decision
| Your Situation | Recommendation |
|---|---|
| On Entra ID Free, need SCIM provisioning | Use Stitchflow: avoid the $6/user/mo P1 upgrade |
| Small team (<100 users), basic provisioning needs | Use native SCIM with P1: it's already cost-competitive |
| Large organization (500+ users), complex provisioning | Use native SCIM with P2: you need the advanced features |
| Need provisioning but don't want Microsoft license dependency | Use Stitchflow: works with any IdP including Google Workspace |
| Nested group requirements or sub-20 minute sync intervals | Use Stitchflow: native SCIM has known limitations here |
The bottom line
Microsoft Azure / Entra ID gates SCIM behind Premium P1/P2. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Close the Microsoft Azure / Entra ID workflow gap
Microsoft Azure / Entra ID gates SCIM behind Premium P1/P2, but the bigger issue is the workflow around it. Stitchflow builds and maintains the offboarding, access review, or license workflow underneath.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specified
Plan requirement
Pro
Prerequisites
SSO must be configured first
Key limitations
- Requires P1 or P2 license for SCIM provisioning
- Nested groups not supported in SCIM sync
- Removed attributes not synced back to target apps
- Sync interval 20-40 minutes
- TLS 1.2 required
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode to Automatic, then configure the SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Entra ID is the provisioning source. It supports SCIM 2.0 to provision users to thousands of gallery apps.
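Because provisioning is driven by user/group assignments to the enterprise app and nested groups are not supported in SCIM sync, a user who reaches an assigned group only through a nested group is never sent to the target app. The following added example (not code from this page or from Microsoft) finds those users in a constructed directory map; the group names, the `g:` prefix convention and the function names are assumptions made for illustration.

```python
from collections import deque

# Constructed sample: group -> direct members ("g:" marks a nested group).
DIRECTORY = {
    "g:app-users": ["alice", "g:engineering", "g:contractors"],
    "g:engineering": ["bob", "carol", "g:platform"],
    "g:platform": ["dave", "g:engineering"],  # deliberate cycle
    "g:contractors": ["erin", "alice"],
}

def reachable_memberships(directory, assigned_groups):
    """Walk nesting breadth-first (cycle-safe): user -> groups listing them directly."""
    memberships, seen, queue = {}, set(), deque(assigned_groups)
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        for member in directory.get(group, []):
            if member.startswith("g:"):
                queue.append(member)
            else:
                memberships.setdefault(member, set()).add(group)
    return memberships

def provisioning_gap(directory, assigned_groups):
    """Split users into those a flat (non-nested) sync sees and those it misses."""
    assigned = set(assigned_groups)
    provisioned, missed = set(), {}
    for user, groups in reachable_memberships(directory, assigned).items():
        if groups & assigned:
            provisioned.add(user)
        else:
            missed[user] = sorted(groups)
    return provisioned, missed

def groups_to_assign_directly(missed):
    """Nested groups that would need their own app assignment to close the gap."""
    return sorted({g for groups in missed.values() for g in groups})

if __name__ == "__main__":
    ok, gap = provisioning_gap(DIRECTORY, ["g:app-users"])
    print("provisioned:", sorted(ok))
    for user, via in sorted(gap.items()):
        print(f"missed: {user} (only via {', '.join(via)})")
    print("assign directly:", groups_to_assign_directly(gap))
```

An empty second return value means every user reachable through nesting is also a direct member of an assigned group.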


