Summary and recommendation
Databricks supports SCIM provisioning, but only on Premium plans and above. While this covers most production deployments (since Standard is being phased out), the real challenge isn't plan requirements—it's Databricks' architectural complexity. The platform has strict limits (10,000 users, 5,000 groups per account) and doesn't support nested groups via Azure SCIM, forcing IT teams to flatten complex organizational structures. More critically, SCIM only handles basic user/group provisioning, not the granular workspace access and compute permissions that data teams actually need.
This creates a significant gap for data engineering and ML teams. Data scientists need access to specific workspaces with appropriate cluster permissions, not just basic platform access. Manual management of these permissions becomes unmanageable at scale, while incorrect access can expose sensitive datasets or rack up unexpected compute costs. SSO gets users authenticated, but doesn't solve the workspace-level authorization problem that makes Databricks operationally complex.
The strategic alternative
Databricks gates SCIM behind Premium. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across the rest of your stack. Stitchflow builds and maintains the IT workflows your team still runs manually, across every app, including the ones without APIs.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Pro |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0, OIDC |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Databricks accounts manually. Here's what that costs:
The Databricks pricing problem
Databricks gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Standard | Consumption + $0.07-$0.65+/DBU | | |
| Premium | Consumption + $0.07-$0.65+/DBU | | |
| Enterprise | Custom pricing | | |
Plan Structure
| Plan | Price | SCIM |
|---|---|---|
| Standard | Consumption + $0.07-$0.65+/DBU | ❌ |
| Premium | Consumption + $0.07-$0.65+/DBU | ✓ |
| Enterprise | Custom pricing | ✓ |
Note: Standard tier is being phased out - AWS/GCP customers must upgrade to Premium by October 2025, Azure Standard retires October 2026.
What this means in practice
Premium tier pricing varies significantly based on workload type and cloud provider, but typical costs range from $500-$5,000+ monthly for moderate usage. The challenge is that DBU consumption can be unpredictable:
For a data team running moderate workloads, upgrading to Premium specifically for SCIM could mean:
Additional constraints
Summary of challenges
- Databricks supports SCIM but only at Pro tier (custom pricing)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams that provision this app manually incur significant hidden costs annually
What the upgrade actually includes
Databricks doesn't sell SCIM separately. It's bundled with Premium plan features across their entire data platform:
The real cost consideration: Premium pricing is consumption-based with DBU rates of $0.07-$0.65+ per hour, plus underlying cloud infrastructure costs (often 50-200% of DBU charges). Total monthly costs typically range $500-$5,000+ depending on usage patterns.
Stitchflow Insight
The Premium upgrade brings substantial data platform capabilities, but if you're just looking for automated user provisioning, you're paying for extensive data engineering and ML features you may not need. We estimate ~60% of Premium features are irrelevant for organizations that primarily need identity management automation.
What IT admins are saying
Community sentiment on Databricks's SCIM implementation reveals frustration with platform complexity and limitations. Common complaints:
- Premium plan requirement adds significant cost for basic identity automation
- Azure SCIM connector cannot sync nested groups, breaking organizational hierarchies
- Account-level vs workspace-level SCIM confusion with legacy deprecation
- User and group limits (10K users, 5K groups) insufficient for large enterprises
"Nested groups not supported via Azure SCIM" is a recurring pain point in Microsoft forums, forcing admins to flatten complex organizational structures.
"The workspace-level SCIM deprecation caught us off guard - had to rebuild our entire provisioning setup for account-level"
The recurring theme
Databricks forces expensive plan upgrades for SCIM while maintaining architectural limitations that don't work for enterprise identity management at scale.
The decision
| Your Situation | Recommendation |
|---|---|
| On Standard tier, need SCIM | Use Stitchflow: avoid the Premium upgrade and DBU cost increases |
| Already on Premium with SCIM included | Use native SCIM: you're paying for it already |
| Large organization (>5K users/groups) | Use Stitchflow: sidestep Databricks' hard account limits |
| Using nested Azure groups | Use Stitchflow: Azure SCIM connector can't sync nested groups |
| Small data team, infrequent access changes | Manual may work: but monitor workspace security gaps |
The bottom line
Databricks gates SCIM behind Premium. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Close the Databricks workflow gap
Databricks gates SCIM behind Premium, but the bigger issue is the workflow around it. Stitchflow builds and maintains the offboarding, access review, or license workflow underneath.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specified
Plan requirement
Pro
Prerequisites
SSO must be configured first
Key limitations
- Premium plan required for SCIM
- Max 10,000 users/service principals per account
- Max 5,000 groups per account
- Cannot sync nested groups via Azure SCIM connector
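The nested-group and account-limit constraints listed above can be checked before a sync. The following Python is an added example, not Databricks or Stitchflow code: it expands nested IdP groups into direct memberships (tolerating cycles) and compares the result with the 10,000-user and 5,000-group limits stated on this page. The input dictionary shape, the function names and the sample data are assumptions constructed for illustration.

```python
# Added example (not Databricks or Stitchflow code). Limits are the figures stated on this page.
MAX_USERS = 10_000   # users/service principals per account
MAX_GROUPS = 5_000   # groups per account

# Constructed sample export: group -> direct users and nested child groups (hypothetical shape).
SAMPLE = {
    "data-platform": {"users": ["ana"], "groups": ["ml-team", "analysts"]},
    "ml-team": {"users": ["bo", "cy"], "groups": ["ml-interns"]},
    "ml-interns": {"users": ["dee"], "groups": ["ml-team"]},  # deliberate cycle
    "analysts": {"users": ["cy", "eli"], "groups": []},
}


def flatten_groups(groups):
    """Return {group: set(users)} with every nested group's users expanded."""
    def expand(name, seen):
        # Visit each group once per expansion so cycles terminate.
        if name in seen or name not in groups:
            return set()
        seen.add(name)
        members = set(groups[name].get("users", []))
        for child in groups[name].get("groups", []):
            members |= expand(child, seen)
        return members

    return {name: expand(name, set()) for name in groups}


def preflight(groups, max_users=MAX_USERS, max_groups=MAX_GROUPS):
    """Flatten the export and list anything that would block or distort a sync."""
    flat = flatten_groups(groups)
    users = set().union(*flat.values())  # distinct users across all synced groups
    problems = []
    if len(users) > max_users:
        problems.append(f"{len(users)} users exceeds account limit of {max_users}")
    if len(flat) > max_groups:
        problems.append(f"{len(flat)} groups exceeds account limit of {max_groups}")
    # Child groups referenced but absent from the export would silently lose members.
    dangling = sorted({c for g in groups.values()
                       for c in g.get("groups", []) if c not in groups})
    if dangling:
        problems.append("nested groups not in export: " + ", ".join(dangling))
    return {"flat": flat, "users": len(users), "groups": len(flat), "problems": problems}


if __name__ == "__main__":
    report = preflight(SAMPLE)
    for group, members in sorted(report["flat"].items()):
        print(group, sorted(members))
    print(report["problems"] or "within limits")
```

Re-run the flattening on every sync cycle: a flattened snapshot does not follow later changes to the nested group, so a user removed from a child group keeps the parent group's access until the flat membership is recomputed.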
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
Full SCIM provisioning in OIN. Supports SSO, SCIM, entitlements, universal logout, workflows. Supports Create users, Update user attributes, Deactivate users. Don't rename groups in Okta.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Azure Databricks SCIM Provisioning Connector in gallery. Automatic identity management also available. Cannot sync nested groups via SCIM connector. Initial sync immediate, subsequent every 20-40 minutes.


