Summary and recommendation
Cisco Umbrella supports SCIM 2.0 provisioning, but only on Enterprise plans ($4-8/user/month). The implementation includes a critical limitation: maximum 200 groups can be provisioned via SCIM. For security teams managing complex policy structures across departments, business units, and locations, this cap becomes a significant constraint. Additionally, Virtual Appliances require on-premises AD connectors rather than cloud SCIM, creating deployment complexity for hybrid environments.
This 200-group limit undermines the core value of automated provisioning for DNS security. Security policies in Umbrella are typically assigned by group membership, so hitting the ceiling means manual user management for your most nuanced controls. For organizations with sophisticated security requirements, you're forced to choose between simplified group structures or manual provisioning overhead.
The strategic alternative
Cisco Umbrella gates SCIM behind Enterprise. Skip the Enterprise plan upgrade and automate complete outcomes across your stack. We maintain the integration layer underneath. You focus on judgment, not plumbing.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Cisco Umbrella accounts manually. Here's what that costs:
The Cisco Umbrella pricing problem
Cisco Umbrella gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Plan Structure
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| DNS Essentials | $2.25-3.67/user/mo | ||
| DNS (Annual) | ~$3.67/user/mo | ||
| Pro/Enterprise | $4-8/user/mo | ||
| SIG Advantage | Custom pricing |
Note: Exact Enterprise pricing varies by user count, contract length, and reseller. SIG Advantage includes advanced SASE features with custom enterprise pricing.
What this means in practice
For organizations currently on DNS-level plans who need SCIM access:
| Team Size | Upgrade Cost (Conservative $4/mo) | Upgrade Cost (High-end $8/mo) |
|---|---|---|
| 100 users | +$14,400-38,400/year | +$52,800-86,400/year |
| 250 users | +$36,000-96,000/year | +$132,000-216,000/year |
| 500 users | +$72,000-192,000/year | +$264,000-432,000/year |
Calculation: (Enterprise price - current DNS price) × users × 12 months
Additional constraints
Summary of challenges
- Cisco Umbrella supports SCIM but only at Enterprise tier (custom pricing)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What the upgrade actually includes
Cisco Umbrella doesn't sell SCIM separately. It's only available on Enterprise plans, bundled with advanced security features:
The catch: Virtual Appliances require on-premises AD connector instead of SCIM, limiting cloud-native provisioning. Plus, you're paying Enterprise prices ($4-8/user/month) when you might only need DNS security at $2.25/user/month.
Stitchflow Insight
If you need advanced SASE capabilities anyway, the Enterprise upgrade makes sense. But if you just want automated provisioning for basic DNS security, you're paying 2-3x more for features most IT teams won't use. We estimate ~60% of Enterprise features are irrelevant for organizations that only need SCIM provisioning.
What IT admins are saying
Community sentiment on Cisco Umbrella's SCIM implementation is mixed, with frustration around specific limitations overshadowing the overall functionality.
- The 200 group limit creates real operational constraints for larger organizations
- Virtual Appliance deployments can't use SCIM - still require on-premises AD connectors
- Token refresh requirements every 90-180 days add maintenance overhead
- Forced migration from Roaming Client to Secure Client disrupts existing workflows
The 200 group limit is a real pain when you're trying to map complex org structures through SCIM. We hit that ceiling fast.
Why can't Virtual Appliances use SCIM? Having to maintain AD connectors defeats the whole point of cloud identity management.
The recurring theme
While Cisco Umbrella offers solid SCIM functionality, arbitrary limits and hybrid deployment restrictions force admins into workarounds that undermine automation benefits.
The decision
| Your Situation | Recommendation |
|---|---|
| Need SCIM but not on Enterprise tier | Use Stitchflow: avoid the $4-8/user/month Enterprise upgrade |
| Managing Virtual Appliances with AD | Use Stitchflow: native SCIM doesn't support VA provisioning |
| Need more than 200 groups provisioned | Use Stitchflow: bypass the 200 group SCIM limit |
| Already on Enterprise with light SCIM needs | Use native SCIM: you're paying for it already |
| Small security team, infrequent user changes | Manual may work: but monitor for policy assignment gaps |
The bottom line
Cisco Umbrella's SCIM requires Enterprise tier pricing and has a strict 200 group limit that blocks complex policy structures. For security teams needing automated provisioning without the Enterprise upgrade or group limitations, Stitchflow delivers full automation at flat-rate pricing.
Make Cisco Umbrella workflows AI-native
Cisco Umbrella gates SCIM behind Enterprise. We build complete offboarding, user access reviews, and license workflows without that SCIM Tax upgrade.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Enterprise
Prerequisites
SSO must be configured first
Key limitations
- Max 200 groups can be provisioned via SCIM
- Virtual Appliances require on-prem AD connector (not SCIM)
- Multi-org SSO config requires direct org admin access
- Roaming Client EOL April 2025 - migrate to Secure Client
- Nested groups not supported
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
Enterprise required for SCIM
Cisco Umbrella gates SCIM behind Enterprise. Stitchflow automates complete workflows without that SCIM Tax upgrade.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Enterprise required for SCIM
Cisco Umbrella gates SCIM behind Enterprise. Stitchflow automates complete workflows without that SCIM Tax upgrade.
Unlock SCIM for
Cisco Umbrella
Cisco Umbrella gates SCIM behind Enterprise plan. We automate complete offboarding and access reviews across your stack without that SCIM Tax upgrade, avoiding a 118% markup.
See how it works
