Summary and recommendation
BeyondTrust supports SCIM for automated user provisioning, but only on Enterprise plans with custom pricing starting at $75,000+/year. While the SCIM implementation covers standard operations (create, update, deactivate users and groups), it requires complex security provider configuration that varies across BeyondTrust's different products (PRA, Remote Support, Password Safe). Some integrations even require AWS Lambda functions to handle OAuth client credentials properly.
For privileged access management, this creates a significant barrier. Organizations need automated provisioning for BeyondTrust more than most applications—privileged accounts require strict lifecycle management, and manual provisioning of vendor/contractor access creates security gaps. The enterprise-only pricing means smaller security teams face a massive licensing jump just to automate what should be standard user management.
The strategic alternative
BeyondTrust gates SCIM behind Enterprise. Skip the Enterprise plan upgrade and automate complete outcomes across your stack. We maintain the integration layer underneath. You focus on judgment, not plumbing.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0, OIDC, LDAP, Kerberos |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages BeyondTrust accounts manually. Here's what that costs:
The BeyondTrust pricing problem
BeyondTrust gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Plan Structure
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Standard | Quote-based | ||
| Enterprise | $75,000+/year |
Note: BeyondTrust uses custom enterprise pricing across all tiers. SCIM is available through security provider configurations for automated user provisioning and deprovisioning.
What this means in practice
The Enterprise requirement creates substantial cost increases:
For privileged access management, this pricing structure is particularly problematic because:
Additional constraints
Summary of challenges
- BeyondTrust supports SCIM but only at Enterprise tier ($75,000+/year (quote-based))
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What the upgrade actually includes
BeyondTrust doesn't sell SCIM à la carte. It's bundled with Enterprise-level privileged access management features:
The complexity compounds with BeyondTrust's modular architecture—different products (PRA, Remote Support, Password Safe) may require separate SCIM configurations through different security providers.
Stitchflow Insight
The challenge: BeyondTrust's Enterprise licensing starts at $75,000+/year because you're buying a comprehensive PAM platform. If your primary need is just automated user provisioning for basic privileged access, you're paying for vault management, session recording, and compliance features you may not need. We estimate ~60% of BeyondTrust's Enterprise features are overkill for organizations that simply want to automate onboarding/offboarding for their privileged accounts.
What IT admins are saying
Community sentiment on BeyondTrust's SCIM implementation is mixed, with most complaints centered around complexity and enterprise pricing barriers. Common complaints:
- Enterprise licensing requirement blocks access for smaller security teams
- Complex security provider configuration across different BeyondTrust products
- Inconsistent SCIM behavior between Password Safe and Remote Support
- High minimum pricing that forces evaluation of alternatives
The configuration complexity for getting SCIM working properly with our identity provider was much higher than expected. Different products seem to handle it differently.
We wanted automated provisioning but the enterprise pricing was a non-starter. Ended up staying on manual processes.
The recurring theme
BeyondTrust's enterprise-only SCIM creates a significant barrier for security teams that need automated privileged access provisioning but can't justify the high licensing costs.
The decision
| Your Situation | Recommendation |
|---|---|
| Not on Enterprise, need SCIM | Use Stitchflow: avoid the $75K+ enterprise commitment |
| Small PAM footprint with privileged users | Use Stitchflow: get SCIM without enterprise licensing overhead |
| Managing vendor/contractor privileged access | Use Stitchflow: automate temp access without complex security provider configs |
| Already on Enterprise with security providers configured | Use native SCIM: you're paying for enterprise features |
| Large enterprise PAM deployment | Evaluate Enterprise: SCIM bundled with advanced security controls |
The bottom line
BeyondTrust gates SCIM behind Enterprise. Stitchflow automates complete workflows without that SCIM Tax upgrade.
Make BeyondTrust workflows AI-native
BeyondTrust gates SCIM behind Enterprise. We build complete offboarding, user access reviews, and license workflows without that SCIM Tax upgrade.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Enterprise
Prerequisites
SSO must be configured first
Key limitations
- Enterprise licensing required
- Security provider configuration complexity
- Different products (PRA, RS) may have different configs
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
Password Safe uses AWS Lambda for SCIM due to OAuth client credentials. Supports Group Push. Remote Support uses SAML JIT.
BeyondTrust gates SCIM behind Enterprise. Stitchflow automates complete workflows without that SCIM Tax upgrade.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
SAML SSO with Entra ID. SCIM available for PRA. Some products may use SailPoint for provisioning.
BeyondTrust gates SCIM behind Enterprise. Stitchflow automates complete workflows without that SCIM Tax upgrade.
Unlock SCIM for
BeyondTrust
BeyondTrust gates SCIM behind Enterprise plan. We automate complete offboarding and access reviews across your stack without that SCIM Tax upgrade.
See how it works
