Summary and recommendation
Microsoft Entra ID (formerly Azure AD) is itself an identity provider that provisions users TO other applications via SCIM. It includes native SCIM provisioning capabilities, but only for Premium P1 ($6/user/month) or P2 ($9/user/month) license holders. Organizations on the free tier cannot automate user provisioning to their SaaS applications at all. Key limitations include 20-40 minute sync intervals, no support for nested groups, and removed attributes not syncing back to target applications.
For organizations with hundreds or thousands of users, the Premium licensing requirement creates a significant cost barrier. A 500-person company moving from free Entra ID to P1 just for provisioning would pay $36,000/year in additional licensing. Many organizations need automated provisioning for compliance and security, but don't require the other Premium features like conditional access policies or advanced security reports.
The strategic alternative
Stitchflow provides SCIM-level provisioning through resilient browser automation that works with any Entra ID plan, including free. Connect your existing Entra ID instance to automate user lifecycle management across all your SaaS applications. Flat pricing under $5K/year, regardless of user count.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Pro |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0, OIDC, WS-Federation |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ❌ | SSO only |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Microsoft Azure / Entra ID accounts manually. Here's what that costs:
The Microsoft Azure / Entra ID pricing problem
Microsoft Azure / Entra ID gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Entra ID Free | $0/user/mo | ||
| Entra ID Premium P1 | $6/user/mo | ||
| Entra ID Premium P2 | $9/user/mo |
Plan Structure
| Plan | Price | SCIM Provisioning |
|---|---|---|
| Entra ID Free | $0/user/mo | ❌ |
| Entra ID Premium P1 | $6/user/mo | ✓ |
| Entra ID Premium P2 | $9/user/mo | ✓ |
Note: Premium P1 and P2 are also included in Microsoft 365 E3 and E5 plans respectively. Organizations already on these M365 plans have SCIM provisioning available.
What this means in practice
For organizations currently on Entra ID Free wanting automated provisioning:
| Team Size | Upgrade to P1 | Upgrade to P2 |
|---|---|---|
| 100 users | $7,200/year | $10,800/year |
| 500 users | $36,000/year | $54,000/year |
| 1,000 users | $72,000/year | $108,000/year |
Calculation: License price × users × 12 months
Additional constraints
Summary of challenges
- Microsoft Azure / Entra ID supports SCIM but only at Pro tier (custom pricing)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What the upgrade actually includes
Entra ID Premium P1/P2 isn't just about SCIM provisioning. You're buying Microsoft's full enterprise identity platform:
The bigger issue: Entra ID's SCIM sync runs every 20-40 minutes, doesn't support nested groups, and requires extensive configuration for each target application. You get the feature, but not necessarily the smooth automation experience you're expecting.
Stitchflow Insight
The reality: if you're already using Microsoft 365 E3/E5, you likely have Premium P1/P2 included. But if you're upgrading specifically for SCIM provisioning, you're paying for enterprise-grade identity features that smaller teams rarely need. We estimate ~60% of Premium features are overkill for organizations that just want to automate user provisioning to their SaaS applications.
What IT admins are saying
Community sentiment on Microsoft Entra ID's SCIM provisioning is mixed, with licensing costs being the primary pain point. Common complaints:
- Premium P1/P2 licensing required just to enable SCIM provisioning ($6-9/user/month)
- Nested group limitations breaking organizational hierarchies in target apps
- 20-40 minute sync delays causing user access issues during onboarding
- Complex licensing tiers making cost planning difficult for large deployments
We're paying $6 per user per month just to get basic provisioning that should be included. It adds up fast when you have 500+ users.
The nested group limitation is a real problem. Our organizational structure doesn't map cleanly without that support.
20-40 minute sync delays mean new hires are sitting around waiting for access. Not exactly the smooth onboarding experience we want.
The recurring theme
While Entra ID offers robust SCIM capabilities, the premium licensing requirement and technical limitations create friction for organizations trying to implement automated provisioning at scale.
The decision
| Your Situation | Recommendation |
|---|---|
| On Entra ID Free, need SCIM provisioning | Use Stitchflow: avoid the $6/user/mo P1 upgrade |
| Small team (<100 users), basic provisioning needs | Use native SCIM with P1: it's already cost-competitive |
| Large organization (500+ users), complex provisioning | Use native SCIM with P2: you need the advanced features |
| Need provisioning but don't want Microsoft license dependency | Use Stitchflow: works with any IdP including Google Workspace |
| Nested group requirements or sub-20 minute sync intervals | Use Stitchflow: native SCIM has known limitations here |
The bottom line
Microsoft Entra ID's SCIM requires Premium P1 ($6/user/mo) or P2 ($9/user/mo) licensing, making it expensive for organizations currently on the free tier. For smaller teams or those wanting to avoid Microsoft's per-user licensing model, Stitchflow delivers the same provisioning automation at flat-rate pricing.
Automate Microsoft Azure / Entra ID without the tier upgrade
Stitchflow delivers SCIM-level provisioning through resilient browser automation, backed by 24/7 human in the loop for Microsoft Azure / Entra ID at <$5K/year, flat, regardless of team size.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Pro
Prerequisites
SSO must be configured first
Key limitations
- Requires P1 or P2 license for SCIM provisioning
- Nested groups not supported in SCIM sync
- Removed attributes not synced back to target apps
- Sync interval 20-40 minutes
- TLS 1.2 required
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Entra ID IS the provisioning source. Supports SCIM 2.0 to provision users to 1000s of gallery apps.
Native SCIM is available on Pro. Use Stitchflow if you need provisioning without the tier upgrade.
Unlock SCIM for
Microsoft Azure / Entra ID
Microsoft Azure / Entra ID gates automation behind Premium P1/P2 plan. Stitchflow delivers the same SCIM outcomes for a flat fee.
See how it works
