Summary and recommendation
Brex, the corporate spend management platform, supports SCIM provisioning starting with the Premium plan ($12/user/month), with full integration available for Okta and Microsoft Entra ID users. However, Brex's SCIM implementation comes with several operational complexities that create headaches for IT teams. The most significant is the rigid configuration requirement—SSO and SCIM must be set up in a specific order for Okta, and you cannot configure both Enterprise IdP sign-in and SSO simultaneously. Additionally, Azure users with certain statuses get completely deleted (not just deactivated) when deprovisioned, and SSO users bypass Brex's native MFA entirely.
These limitations create real operational risks for finance teams managing corporate card access. When employees leave, immediate deactivation is critical to prevent unauthorized spending—but the complex setup requirements and deletion behaviors make reliable automated deprovisioning difficult to achieve. The setup complexity also means IT teams often struggle with initial implementation, leading to manual workarounds that defeat the purpose of automated provisioning.
The strategic alternative
Stitchflow provides SCIM-level provisioning through resilient browser automation for Brex without the configuration complexity or deletion risks. Works with any Brex plan and any IdP (Okta, Entra, Google Workspace, OneLogin). Flat pricing under $5K/year with 24/7 human-in-the-loop support to ensure reliable financial controls.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | OIDC, SAML 2.0 |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Brex accounts manually. Here's what that costs:
The Brex pricing problem
Brex gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Essentials | Free | ||
| Premium | $12/user/month | ||
| Enterprise | Custom pricing |
Pricing structure
| Plan | Price | SCIM |
|---|---|---|
| Essentials | Free | ❌ |
| Premium | $12/user/month | ✓ Okta/Entra only |
| Enterprise | Custom pricing | ✓ Okta/Entra only |
What this means in practice
If you're using Google Workspace or OneLogin as your primary IdP, you have no automated provisioning options. Manual user management becomes your only choice for a platform that handles sensitive financial data and corporate card access.
Even with supported IdPs, Brex's SCIM implementation creates operational friction:
Additional constraints
For finance teams managing corporate card access, these limitations mean delayed onboarding for new hires and potential security gaps during offboarding - exactly when you need the tightest financial controls.
Summary of challenges
- Brex supports SCIM but only at Enterprise tier (Custom pricing)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What Brex actually offers for identity
SCIM Provisioning (Premium+)
Brex provides SCIM 2.0 integration with select identity providers, but with significant setup complexity:
| Feature | Details |
|---|---|
| Protocol | SCIM 2.0 |
| Supported IdPs | Okta, Microsoft Entra ID |
| User creation | ✓ Yes |
| User updates | ✓ Yes |
| User deactivation | ✓ Yes |
| Attribute mapping | ✓ Yes (Department, Cost Center, Division) |
| Credentials | Via secure document from Brex support |
Critical setup requirement: For Okta users, SSO and SCIM must be configured in a specific order or the integration will fail. This isn't clearly documented and trips up many IT teams.
Data handling quirk: Azure users with "Archived," "Invited," or "Not invited" status are automatically deleted when deactivated through SCIM, rather than simply disabled.
SSO Options (Premium+)
| Setting | Details |
|---|---|
| Protocols | OIDC, SAML 2.0 |
| JIT provisioning | ✓ Yes |
| MFA handling | Bypassed for SSO users (Brex doesn't prompt) |
| Limitation | Cannot run Enterprise IdP sign-in and SSO simultaneously |
The Premium tier reality
Brex Premium costs $12/user/month and includes SCIM, but also bundles:
The math problem: If you only need SCIM for corporate card provisioning, roughly 80% of Premium features are irrelevant to your use case. You're paying for travel booking tools when you just want automated user lifecycle management.
What IT admins are saying
Brex's SCIM implementation creates configuration headaches for IT teams managing corporate spend access:
- SSO and SCIM must be configured in a specific order with Okta - get it wrong and you start over
- Azure users with certain statuses get deleted entirely when deactivated instead of just disabled
- Enterprise SSO and regular IdP sign-in can't be used simultaneously, forcing all-or-nothing decisions
- SCIM credentials are only available through "secure document" delivery, adding setup friction
SSO and SCIM must be configured in specific order for Okta
Azure users with Archived/Invited/Not invited status deleted when deactivated
The recurring theme
Brex's SCIM works once properly configured, but the setup process is unnecessarily complex with specific ordering requirements and integration gotchas that waste IT time on what should be straightforward provisioning.
The decision
| Your Situation | Recommendation |
|---|---|
| Small finance team (<20 employees) | Manual management acceptable with SSO |
| Growing company with frequent hiring | Use Stitchflow: card access needs immediate automation |
| Enterprise with strict financial controls | Use Stitchflow: auto-deactivation critical for compliance |
| Multi-entity organization | Use Stitchflow: complex attribute mapping required |
| High employee turnover environment | Use Stitchflow: manual deprovisioning creates security risk |
The bottom line
Brex offers solid SCIM capabilities, but only for Premium/Enterprise customers and with setup complexity that can trip up IT teams. For organizations where corporate card access must be tightly controlled and instantly revoked, Stitchflow eliminates the manual overhead and ensures financial security through automated provisioning.
Automate Brex without the tier upgrade
Stitchflow delivers SCIM-level provisioning through resilient browser automation, backed by 24/7 human in the loop for Brex at <$5K/year, flat, regardless of team size.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Enterprise
Prerequisites
SSO must be configured first
Key limitations
- SSO and SCIM must be configured in specific order for Okta
- Azure users with Archived/Invited/Not invited status deleted when deactivated
- SSO users not prompted for MFA by Brex
- Enterprise IDP sign-in and SSO cannot be configured simultaneously
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
Enterprise required for SCIM
Native SCIM is available on Enterprise. Use Stitchflow if you need provisioning without the tier upgrade.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Enterprise required for SCIM
Native SCIM is available on Enterprise. Use Stitchflow if you need provisioning without the tier upgrade.
Unlock SCIM for
Brex
Brex gates automation behind Premium/Enterprise plan. Stitchflow delivers the same SCIM outcomes for a flat fee.
See how it works
