Summary and recommendation
Expensify offers SCIM provisioning, but only through their Okta integration on the Control plan ($9/user/month with Expensify Card, $18/user/month without). The catch: SCIM must be manually activated by emailing concierge@expensify.com, and deactivation only expires user access rather than closing accounts entirely. This creates an operational bottleneck where IT teams can't immediately provision expense management access for new employees without waiting for Expensify's manual intervention.
The manual activation requirement defeats the purpose of automated provisioning. When finance teams need immediate expense access for new hires or contractors, waiting for email support responses creates delays in critical business workflows. Additionally, the incomplete deactivation means former employees retain dormant accounts that could pose compliance risks during audits.
The strategic alternative
Expensify gates SCIM behind Control Plan. Skip the Control Plan plan upgrade and automate complete outcomes across your stack. We maintain the integration layer underneath. You focus on judgment, not plumbing.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Custom |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ❌ | SSO only |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Expensify accounts manually. Here's what that costs:
The Expensify pricing problem
Expensify gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Starter | $4.99/month (individual) | ||
| Pro | $5/member/month (with card) or $10/member/month | ||
| Business | $9/member/month (with card) or $18/member/month | ||
| Control | Contact sales (enterprise pricing) |
Pricing and provisioning options
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Starter | $4.99/month (individual) | ||
| Pro | $5/member/month (with card) or $10/member/month | ||
| Business | $9/member/month (with card) or $18/member/month | ||
| Control | Contact sales (enterprise pricing) |
What this means in practice
Okta-only SCIM limitation: Even on the Control plan, SCIM provisioning only works through Okta. Organizations using Azure AD, Google Workspace, or OneLogin must handle user provisioning manually, despite paying enterprise-level pricing.
Manual activation process: SCIM isn't automatically enabled on Control plans. IT teams must email concierge@expensify.com to request SCIM API activation, adding delays to deployment timelines.
Incomplete deactivation: When SCIM deactivates users, it only expires their access rather than properly closing accounts, leaving potential security gaps and license waste.
Additional constraints
Summary of challenges
- Expensify supports SCIM but only at Custom tier (Control plan - contact sales for volume pricing)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What the upgrade actually includes
Expensify doesn't sell SCIM separately. It's bundled with Control plan enterprise features:
The Control plan costs $9/user/month with the Expensify Card bundle, or $18/user/month without it. You're essentially paying for a comprehensive expense management platform when you might only need user provisioning.
The friction factor: Even after upgrading, SCIM isn't automatically enabled. You must email concierge@expensify.com to request API activation, and it only works with Okta. For organizations using Azure AD or Google Workspace, you're paying Control plan pricing but still managing users manually.
Stitchflow Insight
We estimate ~60% of Control plan features are expense management tools irrelevant for teams that primarily need automated user provisioning across multiple identity providers.
What IT admins are saying
Community sentiment on Expensify's SCIM implementation is frustrated, particularly around the manual activation requirement and Okta-only limitation. Common complaints:
- Having to email support to activate SCIM despite paying for Control plan
- SCIM only working with Okta, forcing manual provisioning for other IdPs
- Deactivated users keeping dormant accounts instead of proper closure
- Control plan pricing jumps significantly without bundled Expensify Card
SCIM API activation must be requested via concierge@expensify.com
SCIM deactivation doesn't close account, just expires access
The recurring theme
Even after upgrading to enterprise pricing, IT teams can't simply enable SCIM through normal admin settings - they're stuck emailing support for basic provisioning features that should be self-service.
The decision
| Your Situation | Recommendation |
|---|---|
| Small teams with Okta and time for activation delays | Use native SCIM after emailing concierge@expensify.com for activation |
| Need immediate deployment for new hires | Use Stitchflow: no waiting for manual activation or support tickets |
| Using Entra ID, Google Workspace, or OneLogin | Use Stitchflow: Expensify's SCIM only works with Okta |
| Security teams requiring complete account closure | Use Stitchflow: native SCIM only expires access, doesn't close accounts |
| Want to avoid Control plan pricing ($9-18/user/month) | Use Stitchflow: build complete workflows across every app in less than a week (~2 hours of your time). |
The bottom line
Expensify offers SCIM but gates it behind Control plan pricing and manual activation requests that defeat the purpose of automation. For organizations that need reliable provisioning without email gatekeeping or Okta dependency, Stitchflow delivers immediate deployment across all identity providers.
Make Expensify workflows AI-native
Expensify gates SCIM behind Control Plan. We build complete offboarding, user access reviews, and license workflows without that SCIM Tax upgrade.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Custom
Prerequisites
SSO must be configured first
Key limitations
- SCIM API activation must be requested via concierge@expensify.com
- SCIM deactivation doesn't close account, just expires access
- Only one active SAML certificate supported at a time
- Control plan required for ADFS SSO
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
SCIM API must be activated via concierge@expensify.com. Supports deactivate users (expires access, doesn't close account). Also Aquera connector available.
Expensify gates SCIM behind Control Plan. Stitchflow automates complete workflows without that SCIM Tax upgrade.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
SAML SSO supported (SP initiated). User provisioning is manual. Only one active SAML certificate supported at a time. Uses HTTP_POST binding.
Use Stitchflow for automated provisioning.
Unlock SCIM for
Expensify
Expensify gates SCIM behind Control Plan. We automate complete offboarding and access reviews across your stack without that SCIM Tax upgrade.
See how it works
