Summary and recommendation
Datto offers SCIM provisioning exclusively through Okta's Partner Portal integration—a narrow solution that only addresses MSP partner access, not the broader user management needs across Datto's ecosystem of RMM, Workplace, and backup products. While Datto supports SAML 2.0 SSO for RMM and Workplace, these require manual user creation with matching email addresses between your IdP and Datto systems. The SSO implementation also requires certificate management, with the current RMM certificate expiring in September 2026.
For MSPs managing multiple Datto products, this creates a fragmented provisioning experience where Partner Portal users flow automatically through SCIM, but technicians accessing RMM or Workplace must be manually provisioned despite having SSO authentication. This hybrid approach leaves IT teams managing users across multiple interfaces while maintaining email synchronization between systems—exactly the type of manual overhead that automated provisioning should eliminate.
The strategic alternative
Datto gates SCIM behind Enterprise/Partner. Skip the Enterprise/Partner plan upgrade and automate complete outcomes across your stack. We maintain the integration layer underneath. You focus on judgment, not plumbing.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ❌ | SSO only |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Datto accounts manually. Here's what that costs:
The Datto pricing problem
Datto gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Partner Portal | SCIM via Okta | Okta subscription, Partner status | |
| RMM | SAML SSO only | Manual user creation, certificate management | |
| Workplace | SAML SSO only | Manual user creation, matching email addresses | |
| Backup | Manual |
Provisioning structure
| Product | Provisioning Method | Requirements |
|---|---|---|
| Partner Portal | SCIM via Okta | Okta subscription, Partner status |
| RMM | SAML SSO only | Manual user creation, certificate management |
| Workplace | SAML SSO only | Manual user creation, matching email addresses |
| Backup | Manual | No automation available |
Key limitation: SCIM provisioning is restricted to the Partner Portal and requires Okta. The core Datto products that MSPs use daily (RMM, Workplace) only support SAML SSO with manual user creation.
What this means in practice
For MSPs managing multiple Datto products
For non-Okta environments
Additional constraints
Summary of challenges
- Datto supports SCIM but only at Enterprise tier (custom pricing)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What Datto actually offers for identity
SCIM Provisioning (Partner Portal via Okta only)
Datto's SCIM support is limited to their Partner Portal and exclusively available through Okta:
| Feature | Supported? |
|---|---|
| Create users | ✓ Yes (Partner Portal only) |
| Update attributes | ✓ Yes (Partner Portal only) |
| Deactivate users | ✓ Yes (Partner Portal only) |
| Group management | ✓ Yes (via Okta Group Linking) |
| Multi-product access | ❌ No (Partner Portal only) |
Critical limitation: SCIM provisioning only works for the Datto Partner Portal through Okta's Integration Network. This doesn't cover Datto's main products like RMM, Workplace, or Backup solutions.
SAML SSO (RMM and Workplace)
For Datto's core products, you're limited to SAML 2.0 authentication:
| Setting | Details |
|---|---|
| Protocol | SAML 2.0 |
| Supported products | RMM, Workplace |
| IdP support | Okta, Azure AD, ADFS, generic SAML |
| User requirement | Must exist in both Workplace and IdP with matching emails |
| Certificate management | Required - expires September 2026 |
Why this falls short: You get basic federated login but no automated user management. For MSPs managing dozens of technicians across multiple Datto products, you're still manually creating and managing accounts in each system.
The reality is that most MSPs need provisioning across Datto's entire product suite (RMM, Backup, Workplace), not just the Partner Portal. With certificate renewals required by 2026 and no SCIM for core products, you're looking at ongoing manual overhead for what should be automated identity management.
What IT admins are saying
Datto's fragmented provisioning approach creates challenges for MSP IT teams managing multiple products:
- SCIM only works for Partner Portal through Okta, leaving RMM and Workplace users to manage manually
- SSO certificates require regular updates - RMM certificate expires September 2026
- Users must be pre-created in both Workplace and your IdP with matching email addresses
- Multi-product access means separate provisioning workflows across Datto's suite
Users must exist in both Workplace and IdP with matching emails
RMM SSO certificate expires Sept 2026
The recurring theme
Even though Datto offers SCIM for Partner Portal, MSPs still face manual user management across RMM and Workplace products, plus ongoing certificate maintenance for SSO functionality.
The decision
| Your Situation | Recommendation |
|---|---|
| Small MSP (<10 technicians) using basic Datto products | Manual management with SAML SSO is sufficient |
| Growing MSP using Okta with Partner Portal access | Native Okta SCIM integration works well |
| Large MSP (25+ technicians) across multiple Datto products | Use Stitchflow: automation across RMM, Workplace, and Backup |
| Enterprise MSP with compliance requirements | Use Stitchflow: automation essential for audit trail |
| MSP using Entra ID or Google Workspace | Use Stitchflow: native SCIM only available via Okta |
The bottom line
Datto's SCIM provisioning is limited to the Partner Portal via Okta, leaving RMM and Workplace products requiring manual user management. For MSPs managing large technician teams across multiple Datto products or using non-Okta identity providers, Stitchflow provides comprehensive automation without the Okta dependency.
Make Datto workflows AI-native
Datto gates SCIM behind Enterprise/Partner. We build complete offboarding, user access reviews, and license workflows without that SCIM Tax upgrade.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Enterprise
Prerequisites
SSO must be configured first
Key limitations
- SCIM primarily for Partner Portal via Okta
- RMM SSO certificate expires Sept 2026
- Users must exist in both Workplace and IdP with matching emails
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
Datto Partner Portal available in OIN. Supports Group Linking, Schema Discovery, Attribute Writeback.
Datto gates SCIM behind Enterprise/Partner. Stitchflow automates complete workflows without that SCIM Tax upgrade.
Unlock SCIM for
Datto
Datto gates SCIM behind Enterprise/Partner plan. We automate complete offboarding and access reviews across your stack without that SCIM Tax upgrade.
See how it works
