Summary and recommendation
Databricks supports SCIM provisioning, but only on Premium plans and above. While this covers most production deployments (since Standard is being phased out), the real challenge isn't plan requirements—it's Databricks' architectural complexity. The platform has strict limits (10,000 users, 5,000 groups per account) and doesn't support nested groups via Azure SCIM, forcing IT teams to flatten complex organizational structures. More critically, SCIM only handles basic user/group provisioning, not the granular workspace access and compute permissions that data teams actually need.
This creates a significant gap for data engineering and ML teams. Data scientists need access to specific workspaces with appropriate cluster permissions, not just basic platform access. Manual management of these permissions becomes unmanageable at scale, while incorrect access can expose sensitive datasets or rack up unexpected compute costs. SSO gets users authenticated, but doesn't solve the workspace-level authorization problem that makes Databricks operationally complex.
The strategic alternative
Databricks gates SCIM behind Premium. Skip the Premium plan upgrade and automate complete outcomes across your stack. We maintain the integration layer underneath. You focus on judgment, not plumbing.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Pro |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0, OIDC |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Databricks accounts manually. Here's what that costs:
The Databricks pricing problem
Databricks gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Standard | Consumption + $0.07-$0.65+/DBU | ||
| Premium | Consumption + $0.07-$0.65+/DBU | ||
| Enterprise | Custom pricing |
Plan Structure
| Plan | Price | SCIM |
|---|---|---|
| Standard | Consumption + $0.07-$0.65+/DBU | ❌ |
| Premium | Consumption + $0.07-$0.65+/DBU | ✓ |
| Enterprise | Custom pricing | ✓ |
Note: Standard tier is being phased out - AWS/GCP customers must upgrade to Premium by October 2025, Azure Standard retires October 2026.
What this means in practice
Premium tier pricing varies significantly based on workload type and cloud provider, but typical costs range from $500-$5,000+ monthly for moderate usage. The challenge is that DBU consumption can be unpredictable:
For a data team running moderate workloads, upgrading to Premium specifically for SCIM could mean:
Additional constraints
Summary of challenges
- Databricks supports SCIM but only at Pro tier (custom pricing)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What the upgrade actually includes
Databricks doesn't sell SCIM separately. It's bundled with Premium plan features across their entire data platform:
The real cost consideration: Premium pricing is consumption-based with DBU rates of $0.07-$0.65+ per hour, plus underlying cloud infrastructure costs (often 50-200% of DBU charges). Total monthly costs typically range $500-$5,000+ depending on usage patterns.
Stitchflow Insight
The Premium upgrade brings substantial data platform capabilities, but if you're just looking for automated user provisioning, you're paying for extensive data engineering and ML features you may not need. We estimate ~60% of Premium features are irrelevant for organizations that primarily need identity management automation.
What IT admins are saying
Community sentiment on Databricks's SCIM implementation reveals frustration with platform complexity and limitations. Common complaints:
- Premium plan requirement adds significant cost for basic identity automation
- Azure SCIM connector cannot sync nested groups, breaking organizational hierarchies
- Account-level vs workspace-level SCIM confusion with legacy deprecation
- User and group limits (10K users, 5K groups) insufficient for large enterprises
"Nested groups not supported via Azure SCIM" is a recurring pain point in Microsoft forums, forcing admins to flatten complex organizational structures.
The workspace-level SCIM deprecation caught us off guard - had to rebuild our entire provisioning setup for account-level
The recurring theme
Databricks forces expensive plan upgrades for SCIM while maintaining architectural limitations that don't work for enterprise identity management at scale.
The decision
| Your Situation | Recommendation |
|---|---|
| On Standard tier, need SCIM | Use Stitchflow: avoid the Premium upgrade and DBU cost increases |
| Already on Premium with SCIM included | Use native SCIM: you're paying for it already |
| Large organization (>5K users/groups) | Use Stitchflow: sidestep Databricks' hard account limits |
| Using nested Azure groups | Use Stitchflow: Azure SCIM connector can't sync nested groups |
| Small data team, infrequent access changes | Manual may work: but monitor workspace security gaps |
The bottom line
Databricks gates SCIM behind Premium. Stitchflow automates complete workflows without that SCIM Tax upgrade.
Make Databricks workflows AI-native
Databricks gates SCIM behind Premium. We build complete offboarding, user access reviews, and license workflows without that SCIM Tax upgrade.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Pro
Prerequisites
SSO must be configured first
Key limitations
- Premium plan required for SCIM
- Max 10,000 users/service principals per account
- Max 5,000 groups per account
- Cannot sync nested groups via Azure SCIM connector
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
Full SCIM provisioning in OIN. Supports SSO, SCIM, entitlements, universal logout, workflows. Supports Create users, Update user attributes, Deactivate users. Don't rename groups in Okta.
Databricks gates SCIM behind Premium. Stitchflow automates complete workflows without that SCIM Tax upgrade.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Azure Databricks SCIM Provisioning Connector in gallery. Automatic identity management also available. Cannot sync nested groups via SCIM connector. Initial sync immediate, subsequent every 20-40 minutes.
Databricks gates SCIM behind Premium. Stitchflow automates complete workflows without that SCIM Tax upgrade.
Unlock SCIM for
Databricks
Databricks gates SCIM behind Premium plan. We automate complete offboarding and access reviews across your stack without that SCIM Tax upgrade.
See how it works
