Summary and recommendation
dbt Cloud supports SCIM (the protocol that lets your identity provider automatically create, update, and remove user accounts). But dbt Cloud gates SCIM functionality behind its Enterprise plan, which starts at $300-333/user/month—a 200-300% price increase from Team ($100/user/month). Enterprise also requires negotiating custom contracts and typically has higher seat minimums.
For data teams managing sensitive transformation code and business logic, this creates a significant security gap. Without SCIM, departing analytics engineers retain access to dbt environments containing valuable IP, while new hires face manual provisioning delays that slow project delivery. SSO alone doesn't solve this—it only handles authentication, not the critical account lifecycle management that ensures people get proper licenses when they join and lose access when they leave.
The strategic alternative
dbt Cloud gates SCIM behind Enterprise or Enterprise+. Skip the Enterprise or Enterprise+ plan upgrade and automate complete outcomes across your stack. We maintain the integration layer underneath. You focus on judgment, not plumbing.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages dbt Cloud accounts manually. Here's what that costs:
The dbt Cloud pricing problem
dbt Cloud gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Plan Structure
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Team | $100/user/mo + $0.01/model over 15k | ||
| Enterprise | $175-$333/user/mo (negotiable) |
Note: Enterprise pricing is negotiable but typically starts around $300/user/month. Both tiers include usage-based model charges beyond included limits.
What this means in practice
Using conservative Enterprise pricing at $250/user/month (Team → Enterprise for SCIM):
| Team Size | Annual Upgrade Cost |
|---|---|
| 25 data engineers | +$45,000/year |
| 50 data engineers | +$90,000/year |
| 100 data engineers | +$180,000/year |
Calculation: ($250 - $100) × users × 12 months
For many data teams, this represents a 150% price increase just to enable automated provisioning.
Additional constraints
Summary of challenges
- dbt Cloud supports SCIM but only at Enterprise tier ($175-$333/user/month (negotiable))
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What the upgrade actually includes
dbt Cloud doesn't sell SCIM à la carte. It's bundled with Enterprise features at $175-$333/user/month:
The bigger issue: dbt Cloud's SCIM only works with Okta and Entra ID. Teams using Google Workspace, OneLogin, or other IdPs are stuck with manual provisioning or complex API workarounds—even at Enterprise pricing.
Stitchflow Insight
If your data team needs these enterprise controls anyway, the upgrade may justify the cost. But if you just want automated user provisioning, you're paying $3,600-$4,000 per user annually for a bundle you won't fully use. We estimate ~60% of Enterprise features are irrelevant for teams that only need SCIM provisioning.
What IT admins are saying
Community sentiment on dbt Cloud's SCIM pricing is overwhelmingly negative. Common complaints:
- $300/seat/month Enterprise requirement just for basic provisioning automation
- Limited SCIM support to only Okta and Entra ID (other IdPs need custom API work)
- Security features like IP restrictions locked behind even higher Enterprise+ pricing
- No middle-ground option between $100/month Team and $300/month Enterprise
The Enterprise pricing is absolutely brutal - we're paying 3x more per seat just to get SCIM working with our identity provider.
Why does basic user provisioning require their most expensive tier? Other tools include SCIM at much lower price points.
The recurring theme
dbt Cloud uses SCIM as Enterprise tier leverage, forcing data teams into $300+/seat pricing for what should be standard identity automation functionality.
The decision
| Your Situation | Recommendation |
|---|---|
| On Team plan, need SCIM | Use Stitchflow: avoid the $200-233/user jump to Enterprise |
| On Developer/Free, small data team | Use Stitchflow: get SCIM without Enterprise costs |
| Already on Enterprise plan | Use native SCIM: you're paying $300+/seat for it |
| Need Enterprise security features | Evaluate Enterprise: SCIM comes with the territory |
| Using Google Workspace or OneLogin | Use Stitchflow: dbt only supports Okta and Entra natively |
The bottom line
dbt Cloud gates SCIM behind Enterprise or Enterprise+. Stitchflow automates complete workflows without that SCIM Tax upgrade.
Make dbt Cloud workflows AI-native
dbt Cloud gates SCIM behind Enterprise or Enterprise+. We build complete offboarding, user access reviews, and license workflows without that SCIM Tax upgrade.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Enterprise
Prerequisites
SSO must be configured first
Key limitations
- Enterprise or Enterprise+ plan required
- Only Okta and Entra ID officially supported for SCIM
- Other IdPs require dbt APIs
- PrivateLink/IP restrictions only on Enterprise+
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Full SCIM support with Entra ID. Syncs every 20-40 minutes. SSO setup required before SCIM. Limitation: Azure caps group emissions at 150 groups via SSO token.
dbt Cloud gates SCIM behind Enterprise or Enterprise+. Stitchflow automates complete workflows without that SCIM Tax upgrade.
Unlock SCIM for
dbt Cloud
dbt Cloud gates SCIM behind Enterprise or Enterprise+ plan. We automate complete offboarding and access reviews across your stack without that SCIM Tax upgrade, avoiding a 233% markup.
See how it works
