Summary and recommendation
BeyondTrust supports SCIM for automated user provisioning, but only on Enterprise plans with custom pricing starting at $75,000+/year. While the SCIM implementation covers standard operations (create, update, deactivate users and groups), it requires complex security provider configuration that varies across BeyondTrust's different products (PRA, Remote Support, Password Safe). Some integrations even require AWS Lambda functions to handle OAuth client credentials properly.
For privileged access management, this creates a significant barrier. Organizations need automated provisioning for BeyondTrust more than most applications—privileged accounts require strict lifecycle management, and manual provisioning of vendor/contractor access creates security gaps. The enterprise-only pricing means smaller security teams face a massive licensing jump just to automate what should be standard user management.
The strategic alternative
BeyondTrust gates SCIM behind Enterprise. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across the rest of your stack. Stitchflow builds and maintains the IT workflows your team still runs manually, across every app, including the ones without APIs.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0, OIDC, LDAP, Kerberos |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages BeyondTrust accounts manually. Here's what that costs:
The BeyondTrust pricing problem
BeyondTrust gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Plan Structure
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Standard | Quote-based | ||
| Enterprise | $75,000+/year |
Note: BeyondTrust uses custom enterprise pricing across all tiers. SCIM is available through security provider configurations for automated user provisioning and deprovisioning.
What this means in practice
The Enterprise requirement creates substantial cost increases:
For privileged access management, this pricing structure is particularly problematic because:
Additional constraints
Summary of challenges
- BeyondTrust supports SCIM but only at Enterprise tier ($75,000+/year (quote-based))
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What the upgrade actually includes
BeyondTrust doesn't sell SCIM à la carte. It's bundled with Enterprise-level privileged access management features:
The complexity compounds with BeyondTrust's modular architecture—different products (PRA, Remote Support, Password Safe) may require separate SCIM configurations through different security providers.
Stitchflow Insight
The challenge: BeyondTrust's Enterprise licensing starts at $75,000+/year because you're buying a comprehensive PAM platform. If your primary need is just automated user provisioning for basic privileged access, you're paying for vault management, session recording, and compliance features you may not need. We estimate ~60% of BeyondTrust's Enterprise features are overkill for organizations that simply want to automate onboarding/offboarding for their privileged accounts.
What IT admins are saying
Community sentiment on BeyondTrust's SCIM implementation is mixed, with most complaints centered around complexity and enterprise pricing barriers. Common complaints:
- Enterprise licensing requirement blocks access for smaller security teams
- Complex security provider configuration across different BeyondTrust products
- Inconsistent SCIM behavior between Password Safe and Remote Support
- High minimum pricing that forces evaluation of alternatives
The configuration complexity for getting SCIM working properly with our identity provider was much higher than expected. Different products seem to handle it differently.
We wanted automated provisioning but the enterprise pricing was a non-starter. Ended up staying on manual processes.
The recurring theme
BeyondTrust's enterprise-only SCIM creates a significant barrier for security teams that need automated privileged access provisioning but can't justify the high licensing costs.
The decision
| Your Situation | Recommendation |
|---|---|
| Not on Enterprise, need SCIM | Use Stitchflow: avoid the $75K+ enterprise commitment |
| Small PAM footprint with privileged users | Use Stitchflow: get SCIM without enterprise licensing overhead |
| Managing vendor/contractor privileged access | Use Stitchflow: automate temp access without complex security provider configs |
| Already on Enterprise with security providers configured | Use native SCIM: you're paying for enterprise features |
| Large enterprise PAM deployment | Evaluate Enterprise: SCIM bundled with advanced security controls |
The bottom line
BeyondTrust gates SCIM behind Enterprise. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Close the BeyondTrust workflow gap
BeyondTrust gates SCIM behind Enterprise, but the bigger issue is the workflow around it. Stitchflow builds and maintains the offboarding, access review, or license workflow underneath.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Enterprise
Prerequisites
SSO must be configured first
Key limitations
- Enterprise licensing required
- Security provider configuration complexity
- Different products (PRA, RS) may have different configs
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
Password Safe uses AWS Lambda for SCIM due to OAuth client credentials. Supports Group Push. Remote Support uses SAML JIT.
BeyondTrust gates SCIM behind Enterprise. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
SAML SSO with Entra ID. SCIM available for PRA. Some products may use SailPoint for provisioning.
BeyondTrust gates SCIM behind Enterprise. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Close the workflow gap in
BeyondTrust
BeyondTrust gates SCIM behind Enterprise plan. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across your stack.
Start with the free gap diagnostic
