Summary and recommendation
dbt Cloud supports SCIM (the protocol that lets your identity provider automatically create, update, and remove user accounts). But dbt Cloud gates SCIM functionality behind its Enterprise plan, which starts at $300-333/user/month—a 200-300% price increase from Team ($100/user/month). Enterprise also requires negotiating custom contracts and typically has higher seat minimums.
For data teams managing sensitive transformation code and business logic, this creates a significant security gap. Without SCIM, departing analytics engineers retain access to dbt environments containing valuable IP, while new hires face manual provisioning delays that slow project delivery. SSO alone doesn't solve this—it only handles authentication, not the critical account lifecycle management that ensures people get proper licenses when they join and lose access when they leave.
The strategic alternative
dbt Cloud gates SCIM behind Enterprise or Enterprise+. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across the rest of your stack. Stitchflow builds and maintains the IT workflows your team still runs manually, across every app, including the ones without APIs.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages dbt Cloud accounts manually. Here's what that costs:
The dbt Cloud pricing problem
dbt Cloud gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Plan Structure
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Team | $100/user/mo + $0.01/model over 15k | ||
| Enterprise | $175-$333/user/mo (negotiable) |
Note: Enterprise pricing is negotiable but typically starts around $300/user/month. Both tiers include usage-based model charges beyond included limits.
What this means in practice
Using conservative Enterprise pricing at $250/user/month (Team → Enterprise for SCIM):
| Team Size | Annual Upgrade Cost |
|---|---|
| 25 data engineers | +$45,000/year |
| 50 data engineers | +$90,000/year |
| 100 data engineers | +$180,000/year |
Calculation: ($250 - $100) × users × 12 months
For many data teams, this represents a 150% price increase just to enable automated provisioning.
Additional constraints
Summary of challenges
- dbt Cloud supports SCIM but only at Enterprise tier ($175-$333/user/month (negotiable))
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What the upgrade actually includes
dbt Cloud doesn't sell SCIM à la carte. It's bundled with Enterprise features at $175-$333/user/month:
The bigger issue: dbt Cloud's SCIM only works with Okta and Entra ID. Teams using Google Workspace, OneLogin, or other IdPs are stuck with manual provisioning or complex API workarounds—even at Enterprise pricing.
Stitchflow Insight
If your data team needs these enterprise controls anyway, the upgrade may justify the cost. But if you just want automated user provisioning, you're paying $3,600-$4,000 per user annually for a bundle you won't fully use. We estimate ~60% of Enterprise features are irrelevant for teams that only need SCIM provisioning.
What IT admins are saying
Community sentiment on dbt Cloud's SCIM pricing is overwhelmingly negative. Common complaints:
- $300/seat/month Enterprise requirement just for basic provisioning automation
- Limited SCIM support to only Okta and Entra ID (other IdPs need custom API work)
- Security features like IP restrictions locked behind even higher Enterprise+ pricing
- No middle-ground option between $100/month Team and $300/month Enterprise
The Enterprise pricing is absolutely brutal - we're paying 3x more per seat just to get SCIM working with our identity provider.
Why does basic user provisioning require their most expensive tier? Other tools include SCIM at much lower price points.
The recurring theme
dbt Cloud uses SCIM as Enterprise tier leverage, forcing data teams into $300+/seat pricing for what should be standard identity automation functionality.
The decision
| Your Situation | Recommendation |
|---|---|
| On Team plan, need SCIM | Use Stitchflow: avoid the $200-233/user jump to Enterprise |
| On Developer/Free, small data team | Use Stitchflow: get SCIM without Enterprise costs |
| Already on Enterprise plan | Use native SCIM: you're paying $300+/seat for it |
| Need Enterprise security features | Evaluate Enterprise: SCIM comes with the territory |
| Using Google Workspace or OneLogin | Use Stitchflow: dbt only supports Okta and Entra natively |
The bottom line
dbt Cloud gates SCIM behind Enterprise or Enterprise+. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Close the dbt Cloud workflow gap
dbt Cloud gates SCIM behind Enterprise or Enterprise+, but the bigger issue is the workflow around it. Stitchflow builds and maintains the offboarding, access review, or license workflow underneath.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Enterprise
Prerequisites
SSO must be configured first
Key limitations
- Enterprise or Enterprise+ plan required
- Only Okta and Entra ID officially supported for SCIM
- Other IdPs require dbt APIs
- PrivateLink/IP restrictions only on Enterprise+
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Full SCIM support with Entra ID. Syncs every 20-40 minutes. SSO setup required before SCIM. Limitation: Azure caps group emissions at 150 groups via SSO token.
dbt Cloud gates SCIM behind Enterprise or Enterprise+. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Close the workflow gap in
dbt Cloud
dbt Cloud gates SCIM behind Enterprise or Enterprise+ plan. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across your stack, and it can add a 233% markup just to get there.
Start with the free gap diagnostic
