Summary and recommendation
Dynatrace supports SCIM 2.0 for automated user provisioning, but only on its Enterprise plan with consumption-based pricing starting around $69/user/month and typical minimum commitments of $2,000+/month. While the SCIM implementation is robust (supporting user lifecycle management, group sync, and proper deactivation), it requires DNS domain verification before setup and has some quirks like 40-minute sync delays with Azure AD and separate SCIM/SAML group handling.
For platform teams managing observability access across development environments, the Enterprise pricing barrier is significant. A 50-person team faces a $41,400/year minimum for licensing alone, often to get the SCIM features it needs for compliance even though it may not require the full Enterprise feature set. The domain verification requirement also adds deployment friction that delays rollouts.
The strategic alternative
Dynatrace gates SCIM behind Enterprise. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across the rest of your stack. Stitchflow builds and maintains the IT workflows your team still runs manually, across every app, including the ones without APIs.
Quick SCIM facts
| Question | Answer |
|---|---|
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Dynatrace accounts manually. Here's what that costs:
The Dynatrace pricing problem
Dynatrace gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Plan Structure
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Free Trial | 15 days | | |
| SaaS Standard | DPS consumption-based | | |
| SaaS Enterprise | Custom (typically $2,000+/month minimum) | | |
Note: Dynatrace uses consumption-based pricing starting at ~$0.08/hour per 8 GiB host for Full-Stack Monitoring, with additional charges for infrastructure monitoring and log management.
What this means in practice
Unlike per-user pricing, Dynatrace's consumption model makes it difficult to predict the true cost of Enterprise access:
Typical scenarios
The pricing model creates a significant barrier since organizations pay for monitoring capacity regardless of how many users need provisioning access.
Additional constraints
Summary of challenges
- Dynatrace supports SCIM, but only at the Enterprise tier (custom DPS consumption-based pricing, starting around $69/user/month, with a typical minimum commitment of $2,000+/month)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows that teams manually provisioning this app incur significant hidden costs annually
What the upgrade actually includes
Dynatrace doesn't sell SCIM à la carte. It's bundled with SaaS Enterprise features on their consumption-based DPS (Dynatrace Platform Subscription) model:
The challenge with Dynatrace's Enterprise requirement is the consumption-based pricing model. You're not just paying for identity features—you're committing to their full observability platform at enterprise scale (~$69/user/month with typical $2000+/month minimums). If your primary need is automated provisioning for your existing Dynatrace deployment, you're paying for platform capabilities you may already have sized appropriately.
Stitchflow Insight
We estimate ~80% of Enterprise DPS features are observability-focused rather than identity-focused, making this an expensive path for teams that simply want to automate user management on their current Dynatrace instance.
What IT admins are saying
Community sentiment on Dynatrace's SCIM implementation is mixed, with administrators appreciating the functionality but frustrated by access barriers and complexity. Common complaints:
- Enterprise plan requirement creates a high barrier to entry for SCIM automation
- DNS domain verification requirement adds unnecessary setup complexity
- Azure sync delays (~40 minutes) create provisioning lag that impacts onboarding
- Separate SCIM and SAML group management creates administrative overhead
The domain verification step via DNS TXT records is an extra hurdle that most other platforms don't require - adds time to what should be a straightforward SCIM setup.
We're paying enterprise prices just to get basic user provisioning automated. The consumption model already makes this expensive enough.
The recurring theme
While Dynatrace offers robust SCIM functionality, the enterprise pricing gate and complex setup requirements create friction for teams who just want automated user management.
The decision
| Your Situation | Recommendation |
|---|---|
| Need SCIM but not on Enterprise tier | Use Stitchflow: avoid the $2K+/month minimum commitment |
| On Enterprise, domain verification is blocking you | Use Stitchflow: bypass DNS requirements and 40-minute sync delays |
| Want SCIM + SAML without complexity | Use native: Enterprise includes both with full integration |
| Already paying Enterprise minimum commitment | Use native SCIM: you're already paying for it |
| Small DevOps team, low turnover | Manual may work: but monitor for environment access gaps |
The bottom line
Dynatrace gates SCIM behind Enterprise. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Close the Dynatrace workflow gap
Dynatrace gates SCIM behind Enterprise, but the bigger issue is the workflow around it. Stitchflow builds and maintains the offboarding, access review, or license workflow underneath.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specified
Plan requirement
Enterprise
Prerequisites
SSO must be configured first
Key limitations
- Domain verification via DNS TXT record required
- Azure sync every ~40 minutes
- SCIM groups are separate from SAML groups
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
Full SCIM 2.0 support. Can use SCIM 2.0 Test App (Header Auth) or OAuth Bearer Token. Supports create, update, deactivate users and groups.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Azure sync every ~40 minutes. Supports user and group provisioning. JIT provisioning enabled by default.
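An added example (not code from Dynatrace, Microsoft, or the original page): with a sync cycle of roughly 40 minutes, an offboarded user can remain active in the app for a while, so a periodic check should separate accounts still inside that window from ones where deactivation never propagated. The SCIM ListResponse, user names, and offboarding log below are constructed; fetching them from your own tenant is left out.

```python
"""Added example: flag accounts that stayed active after IdP offboarding."""
from datetime import datetime, timedelta, timezone

SYNC_WINDOW = timedelta(minutes=40)  # Entra cycle length stated on this page

# Constructed SCIM 2.0 ListResponse (RFC 7644 section 3.4.2), as a provisioning
# endpoint would return it for GET /Users. All users are made up.
SCIM_LIST_RESPONSE = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 3,
    "Resources": [
        {"id": "u-1", "userName": "alice@example.com", "active": True},
        {"id": "u-2", "userName": "bob@example.com", "active": True},
        {"id": "u-3", "userName": "carol@example.com", "active": False},
    ],
}

# Constructed IdP offboarding log: userName -> time the assignment was removed.
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
OFFBOARDED = {
    "alice@example.com": NOW - timedelta(minutes=15),  # inside sync window
    "bob@example.com": NOW - timedelta(hours=3),       # past the window
    "carol@example.com": NOW - timedelta(days=1),      # already deactivated
    "dave@example.com": NOW - timedelta(days=2),       # no account returned
}

def audit_offboarding(list_response, offboarded, now, window=SYNC_WINDOW):
    """Classify each offboarded user as 'pending', 'overdue' or 'ok'."""
    # userName is case-insensitive per RFC 7643, so compare lowercased.
    # A resource with no 'active' attribute is treated as active (fail closed).
    active = {
        r["userName"].lower(): r.get("active", True)
        for r in list_response.get("Resources", [])
    }
    report = {}
    for user, removed_at in offboarded.items():
        still_active = active.get(user.lower(), False)
        if not still_active:
            report[user] = "ok"        # deactivated or absent from the app
        elif now - removed_at <= window:
            report[user] = "pending"   # next sync cycle may still handle it
        else:
            report[user] = "overdue"   # deactivation did not propagate
    return report

if __name__ == "__main__":
    for user, status in audit_offboarding(SCIM_LIST_RESPONSE, OFFBOARDED, NOW).items():
        print(f"{status:8} {user}")
```

Accounts reported as `overdue` are the ones to investigate: the user was removed in the IdP, more than one sync cycle has passed, and the app still lists the account as active.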