Summary and recommendation
Commvault supports SCIM 2.0 provisioning, but only through Microsoft Entra ID (Azure AD) as a non-gallery application. The integration is limited to Enterprise-tier plans starting at $25,000/year, while lower tiers (Operational Recovery and Autonomous Recovery) rely on manual user management. This creates a significant gap for organizations using other identity providers like Okta, Google Workspace, or OneLogin, which can only leverage SSO through the Okta Integration Network but get no automated provisioning.
For mid-market companies on lower-tier plans, this limitation forces a choice between expensive Enterprise licensing just for automated provisioning or accepting the operational burden and security risks of manual user lifecycle management across backup and recovery systems. With Commvault protecting critical business data, manual deprovisioning creates compliance risks when former employees retain access to backup repositories and recovery points.
The strategic alternative
Commvault gates SCIM behind Enterprise. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across the rest of your stack. Stitchflow builds and maintains the IT workflows your team still runs manually, across every app, including the ones without APIs.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | No |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Not available |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ❌ | SSO only |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Commvault accounts manually. Here's what that costs:
The Commvault pricing problem
Commvault gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Operational Recovery | Custom pricing | ||
| Autonomous Recovery | Custom pricing | ||
| Enterprise Cyber Recovery | Custom, from $25K/year |
Plan Structure
| Plan | Price | SCIM |
|---|---|---|
| Operational Recovery | Custom pricing | ❌ |
| Autonomous Recovery | Custom pricing | ❌ |
| Enterprise Cyber Recovery | Custom, from $25K/year | ✓ |
Note: SCIM is only available through Microsoft Entra ID (Azure AD) non-gallery application integration. No SCIM support through Okta despite having SSO integration in the OIN.
What this means in practice
The Enterprise tier requirement creates substantial cost barriers:
Small to mid-size teams: Organizations with basic backup and recovery needs face a minimum $25K annual commitment just to access SCIM provisioning. This pricing floor makes automated user management cost-prohibitive for smaller IT operations.
SaaS customers: Even teams using Commvault's SaaS offering at $1.70/user/month must upgrade to Enterprise licensing to enable SCIM, creating a dramatic price jump from operational SaaS pricing to enterprise-grade contracts.
Multi-vendor complexity: Organizations already invested in Okta workflows cannot leverage SCIM provisioning at all, forcing them to either switch identity providers or accept manual user management.
Additional constraints
Summary of challenges
- Commvault supports SCIM but only at Enterprise tier (Cyber Recovery (custom, from $25K/year))
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What the upgrade actually includes
Commvault doesn't sell SCIM à la carte. It's bundled with Enterprise-tier data protection features:
The reality: You're paying enterprise data protection prices (starting at $25K/year) to get basic user provisioning. If you need comprehensive backup and recovery anyway, the upgrade makes sense. If you just want automated user provisioning, you're paying for a massive bundle you won't fully use.
Stitchflow Insight
We estimate ~80% of Enterprise features are irrelevant for teams that only need SCIM. Plus, the SCIM implementation only works with Entra ID non-gallery applications - no support for Okta, Google Workspace, or other major IdPs.
What IT admins are saying
Community sentiment on Commvault's SCIM implementation reveals mixed experiences with deployment complexity and vendor lock-in concerns. Common complaints:
- SCIM only available through Entra ID non-gallery apps, limiting IdP flexibility
- Complex configuration requiring deep technical expertise to set up properly
- Enterprise-tier pricing barriers starting at $25K/year exclude mid-market organizations
- Limited community documentation compared to other backup solutions
Getting Commvault SCIM working with Azure AD was more complex than it should be - the non-gallery app setup had several gotchas that weren't well documented.
Love the backup capabilities but the pricing jump to get proper user provisioning is steep. We're stuck with manual user management on the lower tiers.
The recurring theme
While Commvault offers native SCIM, the implementation complexity and high pricing thresholds create barriers for organizations seeking straightforward identity automation.
The decision
| Your Situation | Recommendation |
|---|---|
| On Operational/Autonomous Recovery, need SCIM | Use Stitchflow: avoid the Enterprise upgrade starting at $25K/year |
| Using Okta as your IdP | Use Stitchflow: Commvault's OIN integration is SSO-only |
| Need Entra ID SCIM but want simpler setup | Use Stitchflow: skip the non-gallery app configuration complexity |
| Already on Enterprise with Entra ID | Use native SCIM: you're paying for it and it's fully supported |
| Small backup team, infrequent user changes | Manual may work: but monitor for compliance gaps in data recovery access |
The bottom line
Commvault gates SCIM behind Enterprise. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Close the Commvault workflow gap
Commvault gates SCIM behind Enterprise, but the bigger issue is the workflow around it. Stitchflow builds and maintains the offboarding, access review, or license workflow underneath.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Enterprise
Prerequisites
None
Key limitations
- SCIM available through Entra ID non-gallery application
- SCIM can modify user properties and delete users
- Attribute mappings configurable in Entra
- SaaS pricing starts at $1.70/user/month
- HyperScale Appliance starts under $25K/year for 29TB
- Office 365 backup has Standard and Enterprise subscription levels
Documentation not available.
Configuration for Okta
Integration type
Okta Integration Network (OIN) app
Where to enable
Docs
Commvault InnerVault integration - SSO only, no provisioning in OIN
Use Stitchflow for automated provisioning.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Full SCIM provisioning via non-gallery app in Azure AD with automatic sync
Commvault gates SCIM behind Enterprise. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Close the workflow gap in
Commvault
Commvault gates SCIM behind Enterprise plan. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across your stack.
Start with the free gap diagnostic
