Summary and recommendation
Cisco Umbrella supports SCIM 2.0 provisioning, but only on Enterprise plans ($4-8/user/month). The implementation includes a critical limitation: a maximum of 200 groups can be provisioned via SCIM. For security teams managing complex policy structures across departments, business units, and locations, this cap becomes a significant constraint. Additionally, Virtual Appliances require on-premises AD connectors rather than cloud SCIM, creating deployment complexity for hybrid environments.
This 200-group limit undermines the core value of automated provisioning for DNS security. Security policies in Umbrella are typically assigned by group membership, so hitting the ceiling means manual user management for your most nuanced controls. For organizations with sophisticated security requirements, you're forced to choose between simplified group structures or manual provisioning overhead.
The strategic alternative
Cisco Umbrella gates SCIM behind Enterprise. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across the rest of your stack. Stitchflow builds and maintains the IT workflows your team still runs manually, across every app, including the ones without APIs.
Quick SCIM facts
| Item | Value |
|---|---|
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Cisco Umbrella accounts manually. Here's what that costs:
The Cisco Umbrella pricing problem
Cisco Umbrella gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Plan Structure
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| DNS Essentials | $2.25-3.67/user/mo | | |
| DNS (Annual) | ~$3.67/user/mo | | |
| Pro/Enterprise | $4-8/user/mo | | |
| SIG Advantage | Custom pricing | | |
Note: Exact Enterprise pricing varies by user count, contract length, and reseller. SIG Advantage includes advanced SASE features with custom enterprise pricing.
What this means in practice
For organizations currently on DNS-level plans who need SCIM access:
| Team Size | Upgrade Cost (Conservative $4/mo) | Upgrade Cost (High-end $8/mo) |
|---|---|---|
| 100 users | +$14,400-38,400/year | +$52,800-86,400/year |
| 250 users | +$36,000-96,000/year | +$132,000-216,000/year |
| 500 users | +$72,000-192,000/year | +$264,000-432,000/year |
Calculation: (Enterprise price - current DNS price) × users × 12 months
Additional constraints
Summary of challenges
- Cisco Umbrella supports SCIM but only at Enterprise tier (custom pricing)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app incur significant hidden costs annually
What the upgrade actually includes
Cisco Umbrella doesn't sell SCIM separately. It's only available on Enterprise plans, bundled with advanced security features:
The catch: Virtual Appliances require an on-premises AD connector instead of SCIM, limiting cloud-native provisioning. Plus, you're paying Enterprise prices ($4-8/user/month) when you might only need DNS security at $2.25/user/month.
Stitchflow Insight
If you need advanced SASE capabilities anyway, the Enterprise upgrade makes sense. But if you just want automated provisioning for basic DNS security, you're paying 2-3x more for features most IT teams won't use. We estimate ~60% of Enterprise features are irrelevant for organizations that only need SCIM provisioning.
What IT admins are saying
Community sentiment on Cisco Umbrella's SCIM implementation is mixed, with frustration around specific limitations overshadowing the overall functionality.
- The 200 group limit creates real operational constraints for larger organizations
- Virtual Appliance deployments can't use SCIM - still require on-premises AD connectors
- Token refresh requirements every 90-180 days add maintenance overhead
- Forced migration from Roaming Client to Secure Client disrupts existing workflows
The 200 group limit is a real pain when you're trying to map complex org structures through SCIM. We hit that ceiling fast.
Why can't Virtual Appliances use SCIM? Having to maintain AD connectors defeats the whole point of cloud identity management.
The recurring theme
While Cisco Umbrella offers solid SCIM functionality, arbitrary limits and hybrid deployment restrictions force admins into workarounds that undermine automation benefits.
The decision
| Your Situation | Recommendation |
|---|---|
| Need SCIM but not on Enterprise tier | Use Stitchflow: avoid the $4-8/user/month Enterprise upgrade |
| Managing Virtual Appliances with AD | Use Stitchflow: native SCIM doesn't support VA provisioning |
| Need more than 200 groups provisioned | Use Stitchflow: bypass the 200 group SCIM limit |
| Already on Enterprise with light SCIM needs | Use native SCIM: you're paying for it already |
| Small security team, infrequent user changes | Manual may work: but monitor for policy assignment gaps |
The bottom line
Cisco Umbrella gates SCIM behind Enterprise. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Close the Cisco Umbrella workflow gap
Cisco Umbrella gates SCIM behind Enterprise, but the bigger issue is the workflow around it. Stitchflow builds and maintains the offboarding, access review, or license workflow underneath.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specified
Plan requirement
Enterprise
Prerequisites
SSO must be configured first
Key limitations
- Max 200 groups can be provisioned via SCIM
- Virtual Appliances require on-prem AD connector (not SCIM)
- Multi-org SSO config requires direct org admin access
- Roaming Client EOL April 2025 - migrate to Secure Client
- Nested groups not supported
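A pre-flight check for two of the limitations above, the 200-group cap and unsupported nested groups, as an added example (not Cisco's or Stitchflow's code). It assumes the IdP's groups are exported as SCIM 2.0 Group resources (RFC 7643 `members` with `type` "User" or "Group") and that unsupported nesting means child-group members are not expanded into the parent; `preflight`, `sample_groups` and the data are constructed for illustration.

```python
MAX_SCIM_GROUPS = 200  # group cap stated on this page


def preflight(groups, cap=MAX_SCIM_GROUPS):
    """Report cap overrun and nested-group exposure for exported SCIM Groups."""
    by_id = {g["id"]: g for g in groups}
    direct, nested = {}, {}  # gid -> direct user ids; parent gid -> child gids
    for g in groups:
        members = g.get("members", [])
        direct[g["id"]] = {m["value"] for m in members if m.get("type", "User") == "User"}
        children = [m["value"] for m in members if m.get("type") == "Group"]
        if children:
            nested[g["id"]] = children

    # Assumption: users who reach a parent only through a child group will not
    # receive the parent's policy, because nested groups are not supported.
    uncovered = {}
    for parent, children in nested.items():
        seen, stack, inherited = set(), list(children), set()
        while stack:
            gid = stack.pop()
            if gid in seen or gid not in by_id:
                continue  # skip cycles and references to unexported groups
            seen.add(gid)
            inherited |= direct[gid]
            stack.extend(nested.get(gid, []))
        missing = inherited - direct[parent]
        if missing:
            uncovered[by_id[parent]["displayName"]] = sorted(missing)
    return {
        "group_count": len(groups),
        "over_cap_by": max(0, len(groups) - cap),
        "nested_parents": sorted(by_id[p]["displayName"] for p in nested),
        "users_missing_parent_policy": uncovered,
    }


def sample_groups():
    # Constructed sample: 201 groups, one of which nests another.
    groups = [{"id": f"g{i}", "displayName": f"site-{i}",
               "members": [{"value": f"u{i}", "type": "User"}]} for i in range(199)]
    groups.append({"id": "eng", "displayName": "Engineering",
                   "members": [{"value": "alice", "type": "User"}]})
    groups.append({"id": "all", "displayName": "All-Staff",
                   "members": [{"value": "bob", "type": "User"},
                               {"value": "eng", "type": "Group"}]})
    return groups


if __name__ == "__main__":
    print(preflight(sample_groups()))
```

Running it before assigning groups to the provisioning app shows which policy groups need flattening or consolidation, so users are not left without their intended DNS policy.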
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Close the workflow gap in Cisco Umbrella
Cisco Umbrella gates SCIM behind Enterprise plan. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across your stack, and it can add a 118% markup just to get there.


