Stitchflow

Azure DevOps SCIM guide

Native SCIM

How to automate Azure DevOps user provisioning, and what it actually costs

Native SCIM requires Basic/Enterprise plan

Summary and recommendation

Azure DevOps doesn't offer standard SCIM provisioning - instead, it uses native Microsoft Entra ID integration for user lifecycle management. For Microsoft-centric organizations already using Entra ID, this provides automatic user sync when you connect your Azure DevOps organization to your Entra ID tenant. However, this creates a significant limitation: organizations using non-Microsoft identity providers like Okta, OneLogin, or Google Workspace are left with manual user management. While Azure DevOps supports SAML SSO with these IdPs, provisioning requires custom API work or manual processes.

This Microsoft-only provisioning approach creates operational friction for mixed-vendor IT environments. Teams using Okta or other IdPs can authenticate via SSO but still need manual intervention to provision users, assign project permissions, and manage access to repos and pipelines. For DevOps teams that need rapid onboarding and offboarding - especially contractors and cross-functional collaborators - this manual overhead undermines the automation these teams depend on elsewhere in their stack.

The strategic alternative

Stitchflow provides SCIM-level provisioning through resilient browser automation for Azure DevOps that works with any identity provider - Okta, Entra ID, Google Workspace, or OneLogin. No custom API development required. Flat pricing under $5K/year, regardless of team size.

Quick SCIM facts

SCIM available?: Yes
SCIM tier required: Enterprise
SSO required first?: No
SSO available?: Yes
SSO protocol: Microsoft Entra ID (native)
Documentation: Not available

Supported identity providers

IdP: SSO / SCIM / Notes
Okta: SSO only
Microsoft Entra ID: Gallery app with SCIM
Google Workspace: JIT only; SAML SSO with just-in-time provisioning
OneLogin: Supported

The cost of not automating

Without SCIM (or an alternative like Stitchflow), your IT team manages Azure DevOps accounts manually. Here's what that costs:

Source: Stitchflow aggregate data across apps with 2+ instances, normalized to 500 employees
Orphaned accounts (ex-employees with access): 7
Unused licenses: 12
IT hours spent on manual management/year: 101 hours
Unused license cost/year: $3,925
IT labor cost/year: $6,088
Cost of compliance misses/year: $1,741
Total annual financial impact: $11,754

The Azure DevOps pricing problem

Azure DevOps gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.

Tier comparison

Plan | Price | SSO | SCIM
Free | First 5 Basic users + unlimited Stakeholders
Basic | $6/user/month (after first 5)
Basic + Test Plans | $52/user/month
Enterprise | Custom (included with VS subscriptions)


What this means in practice

Microsoft-centric organizations get seamless integration when they connect their Azure DevOps organization to their Entra ID tenant. Users are automatically synced, and group-based licensing handles access levels.

Non-Microsoft IdP users face major limitations

  • No automated provisioning from Okta, OneLogin, or other IdPs
  • Manual user creation and permission management required
  • SSO works but provisioning doesn't, creating operational overhead
  • Mixed environments require dual identity management workflows

Real-world impact: A 100-person development team using Okta would need to manually provision and deprovision users in Azure DevOps, manage project permissions separately, and coordinate access changes across multiple systems.

Additional constraints

  • Microsoft ecosystem lock-in: Full automation only works with Entra ID
  • Project-level permissions complexity: No automated assignment of repository access, pipeline permissions, or project roles
  • License management gaps: Cannot automatically assign Basic vs. Stakeholder licenses based on IdP groups
  • Audit trail fragmentation: User lifecycle events split between IdP and Azure DevOps logs

Summary of challenges

  • Azure DevOps supports SCIM, but only at the Enterprise tier (custom pricing, included with VS Enterprise subscriptions)
  • Google Workspace users get JIT provisioning only, not full SCIM
  • Our research shows teams that provision this app manually incur significant hidden costs annually

What Azure DevOps actually offers for identity

Native Microsoft Entra ID Integration (All plans)

Azure DevOps doesn't use SCIM at all. Instead, it relies on native Microsoft Entra ID integration when you connect your organization to an Entra ID tenant:

Feature: Details
User provisioning: Automatic via Entra ID connection
Group sync: Yes, with group-based licensing
JIT provisioning: Yes, when connected to Entra ID
SSO protocol: Native Microsoft authentication
License assignment: Automatic based on Entra ID groups

How it works: Connect your Azure DevOps organization to your Entra ID tenant, and users are automatically provisioned when they access Azure DevOps with their corporate Microsoft account. No SCIM configuration needed.

Non-Microsoft IdP Limitations

If you're not using Microsoft Entra ID as your primary identity provider:

IdP | SSO Support | Provisioning Support
Okta | ✓ Yes (SAML) | ❌ Manual only
Google Workspace | ❌ Limited | ❌ Manual only
OneLogin | ✓ Yes (SAML) | ❌ Manual only
Ping Identity | ✓ Yes (SAML) | ❌ Manual only

Critical gap: Teams using non-Microsoft identity providers can achieve SSO through SAML, but have no automated provisioning options. User accounts must be created manually in Azure DevOps, and deprovisioning requires manual cleanup.

The Microsoft-centric approach works seamlessly if you're already in the Microsoft ecosystem, but creates significant friction for organizations using other identity platforms.
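
Where deprovisioning is manual, the gap can at least be audited. The following is an added example, not Stitchflow's or Microsoft's code: it reconciles an IdP roster against an exported Azure DevOps user list to flag orphaned accounts and idle paid licenses. The record fields (`email`, `access_level`, `last_access`), the 90-day idle threshold and all sample data are assumptions constructed for illustration.

```python
from datetime import date, timedelta

# Constructed sample data. Field names are assumptions for this example,
# not the schema of any real Azure DevOps or IdP export.
IDP_ACTIVE = {"alice@example.com", "bob@example.com", "dana@example.com"}

ADO_USERS = [
    {"email": "Alice@example.com", "access_level": "Basic", "last_access": "2026-01-05"},
    {"email": "bob@example.com", "access_level": "Basic", "last_access": "2025-06-01"},
    {"email": "carol@example.com", "access_level": "Basic", "last_access": "2025-12-20"},
    {"email": "erin@example.com", "access_level": "Stakeholder", "last_access": None},
    {"email": "dana@example.com", "access_level": "Stakeholder", "last_access": None},
]

# Per-user priced levels from the tier table; Stakeholders are unlimited.
PAID_LEVELS = {"Basic", "Basic + Test Plans"}


def reconcile(idp_active, ado_users, today, idle_days=90):
    """Return (orphaned, unused_paid) as sorted lists of lower-cased e-mails.

    orphaned:    has Azure DevOps access but is not active in the IdP
    unused_paid: active in the IdP, holds a paid level, idle > idle_days
    """
    active = {e.strip().lower() for e in idp_active}
    cutoff = today - timedelta(days=idle_days)
    orphaned, unused_paid = [], []
    for user in ado_users:
        email = user["email"].strip().lower()  # systems differ on case
        if email not in active:
            orphaned.append(email)  # access must be removed regardless of level
            continue
        if user["access_level"] not in PAID_LEVELS:
            continue
        last = user["last_access"]
        # A paid seat that was never used counts as idle.
        if last is None or date.fromisoformat(last) < cutoff:
            unused_paid.append(email)
    return sorted(orphaned), sorted(unused_paid)


if __name__ == "__main__":
    orphaned, unused = reconcile(IDP_ACTIVE, ADO_USERS, date(2026, 1, 11))
    print("Orphaned accounts:", orphaned)
    print("Unused paid licenses:", unused)
```

Orphaned Stakeholder accounts are reported as well: they cost nothing in licenses but still represent standing access for someone the IdP no longer considers active.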

What IT admins are saying

Azure DevOps's Microsoft-centric provisioning approach creates challenges for mixed-IdP environments:

  • No SCIM endpoint available for non-Microsoft identity providers
  • Must connect entire Azure DevOps organization to Entra ID tenant for automated provisioning
  • Limited integration options outside the Microsoft ecosystem
  • Manual user management required when using Okta, Google Workspace, or other IdPs

"Azure DevOps uses native Microsoft Entra ID integration rather than SCIM" - Microsoft Documentation

"No SCIM for non-Microsoft IdPs" - IT Administrator, Reddit

The recurring theme

While Azure DevOps works seamlessly within Microsoft's ecosystem, organizations using other identity providers face significant provisioning limitations, often requiring manual user management or complex workarounds.

The decision

Your Situation | Recommendation
Microsoft-first organization with Entra ID | Use native Entra ID integration - no automation needed
Mixed IdP environment (Okta, Google + Azure DevOps) | Use Stitchflow: bridge non-Microsoft IdPs seamlessly
Large development teams (50+ users) across projects | Use Stitchflow: automate complex project/repo permissions
Multi-organization Azure DevOps setup | Use Stitchflow: manage provisioning across organizations
Non-Microsoft IdP with compliance requirements | Use Stitchflow: ensure audit trail and automated deprovisioning

The bottom line

Azure DevOps works brilliantly within the Microsoft ecosystem with native Entra ID integration, but becomes a provisioning headache for organizations using other identity providers. For teams that need seamless automation regardless of their IdP choice, Stitchflow eliminates the Microsoft lock-in while maintaining the same level of automation.

Automate Azure DevOps without the tier upgrade

Stitchflow delivers SCIM-level provisioning through resilient browser automation, backed by 24/7 human in the loop for Azure DevOps at <$5K/year, flat, regardless of team size.

  • Works alongside or instead of native SCIM
  • Syncs with your existing IdP (Okta, Entra ID, Google Workspace)
  • Automates onboarding and offboarding
  • SOC 2 Type II certified
  • 24/7 human-in-the-loop monitoring

Technical specifications

SCIM Version: 2.0
Supported Operations: Create, Update, Deactivate, Groups
Supported Attributes: Not specified
Plan requirement: Enterprise
Prerequisites: None

Key limitations

  • No standard SCIM endpoint
  • Uses native Entra ID integration instead
  • Must connect organization to Entra ID tenant
  • Group-based licensing available
  • Non-Microsoft IdP users have limited integration

Documentation not available.

Configuration for Entra ID

Integration type: Microsoft Entra Gallery app with SCIM provisioning
Where to enable: Entra admin center → Enterprise applications → Azure DevOps → Provisioning
Required credentials: Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps: Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger: Entra provisions based on user/group assignments to the enterprise app.
Sync behavior: Entra provisioning runs on a scheduled cycle (typically every 40 minutes).

Native integration with Microsoft Entra ID provides automatic user sync when organization is connected to Entra ID tenant. Not SCIM-based but provides similar functionality.

Native SCIM is available on Enterprise. Use Stitchflow if you need provisioning without the tier upgrade.


Last updated: 2026-01-11

* Pricing and features sourced from public documentation.
