Stitchflow
Back to directory
Intercom logo

Intercom SCIM guide

Native SCIM

How to automate Intercom user provisioning, and what it actually costs

Native SCIM requires Enterprise plan

Summary and recommendation

Intercom supports SCIM (the protocol that lets your identity provider automatically create, update, and remove user accounts). But SCIM is locked behind the Expert/Enterprise tier at $132/seat/month, plus there's a critical limitation: deprovisioned users are permanently deleted, not deactivated. This means no user recovery and potential compliance issues.

For customer support teams with frequent turnover, this creates real operational risk. When you deprovision a support agent who handled customer conversations, their entire account history vanishes permanently. There's no way to reactivate them later or preserve their interaction data for compliance audits. SSO alone doesn't solve this since it only handles authentication, not the safe removal of user accounts with data retention.

The strategic alternative

Stitchflow provides SCIM-level provisioning through resilient browser automation for Intercom without requiring the Enterprise tier upgrade. We implement soft-delete workflows that preserve user data while removing access, ensuring compliance and recoverability. Flat pricing under $5K/year, regardless of team size.

Quick SCIM facts

SCIM available?Yes
SCIM tier requiredEnterprise
SSO required first?Yes
SSO available?Yes
SSO protocolSAML 2.0
DocumentationOfficial docs

Supported identity providers

IdPSSOSCIMNotes
OktaOIN app with full provisioning
Microsoft Entra IDGallery app with SCIM
Google WorkspaceJIT onlySAML SSO with just-in-time provisioning
OneLoginSupported

The cost of not automating

Without SCIM (or an alternative like Stitchflow), your IT team manages Intercom accounts manually. Here's what that costs:

Source: Stitchflow aggregate data across apps with 2+ instances, normalized to 500 employees
Orphaned accounts (ex-employees with access)7
Unused licenses12
IT hours spent on manual management/year101 hours
Unused license cost/year$3,925
IT labor cost/year$6,088
Cost of compliance misses/year$1,741
Total annual financial impact$11,754

The Intercom pricing problem

Intercom gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.

Plan Structure (Billed Annually)

PlanPriceSSOSCIM
Essential$29/seat/month
Advanced$85/seat/month
Expert/Enterprise$132/seat/month

Note: SAML SSO must be configured before SCIM can be enabled. Volume discounts available: 12-15% off for 25-30 seats, 15-34% off for 75+ seats.

What this means in practice

Using current list prices (Essential → Enterprise for SCIM access):

Team SizeAnnual Upgrade CostTotal Enterprise Cost
25 users+$30,900/year$39,600/year
50 users+$61,800/year$79,200/year
100 users+$123,600/year$158,400/year

Calculation: ($132 - $29) × users × 12 months

Additional constraints

SAML prerequisite
SSO must be fully configured and working before SCIM can be enabled.
Hard delete on deprovisioning
Users are permanently deleted (not deactivated) when deprovisioned via SCIM—no recovery option.
Domain verification required
DNS verification needed for SAML setup, adding deployment complexity.
Annual commitment
Enterprise tier typically requires annual contracts, limiting flexibility.

Summary of challenges

  • Intercom supports SCIM but only at Enterprise tier (custom pricing)
  • Google Workspace users get JIT provisioning only, not full SCIM
  • Our research shows teams manually provisioning this app spend significant hidden costs annually

What the upgrade actually includes

Intercom doesn't sell SCIM separately. It's bundled with Expert/Enterprise tier features at $132/seat/month:

SCIM 2.0 automated provisioning
SAML single sign-on (required prerequisite)
HIPAA compliance controls
Service level agreements (SLAs)
Multibrand messenger customization
Advanced workflow automation
Priority support escalation
Enhanced reporting and analytics

The bigger issue: Intercom permanently deletes deprovisioned users with no recovery option, which can be problematic for support teams with seasonal staff or temporary access needs.

Stitchflow Insight

The bundle makes sense if you need HIPAA compliance or enterprise SLAs for customer support operations. But if you just want automated user provisioning, you're paying for enterprise features most support teams don't use. We estimate ~60% of Expert tier features are irrelevant for teams that only need SCIM provisioning.

What IT admins are saying

Community sentiment on Intercom's SCIM implementation centers around the permanent deletion of deprovisioned users and Enterprise tier requirements. Common complaints:

  • Deprovisioned users are permanently deleted with no recovery option
  • Enterprise tier required for SCIM access creates significant cost barrier
  • SAML SSO must be configured before SCIM can be enabled
  • Domain verification requirements add deployment complexity

The fact that deprovisioned teammates are completely deleted rather than deactivated is a major concern for compliance and data recovery scenarios.

IT Admin, SaaS Forum

We need SCIM for our support team but the jump to Enterprise pricing is brutal - wish they had SCIM on the Expert plan at minimum.

Reddit r/sysadmin

The recurring theme

Intercom's hard-delete approach to deprovisioning creates compliance risks, while Enterprise-only SCIM pricing forces significant budget increases for basic identity automation needs.

The decision

Your SituationRecommendation
On Essential/Advanced, need SCIMUse Stitchflow: avoid the $132/seat Enterprise jump
Already on Expert/EnterpriseUse native SCIM: you're already paying for it
Can tolerate hard-delete deprovisioningEvaluate native: if permanent user deletion works for you
Need user recovery after deprovisioningUse Stitchflow: we preserve user data with soft-delete
Small support team, low turnoverManual may suffice: but watch for access creep

The bottom line

Intercom's Enterprise requirement means SCIM costs $132/seat/month minimum—a significant jump from Advanced's $85/seat pricing. For support teams that need provisioning automation without the hard-delete risk and Enterprise costs, Stitchflow delivers managed SCIM at flat-rate pricing.

Automate Intercom without the tier upgrade

Stitchflow delivers SCIM-level provisioning through resilient browser automation, backed by 24/7 human in the loop for Intercom at <$5K/year, flat, regardless of team size.

Works alongside or instead of native SCIM
Syncs with your existing IdP (Okta, Entra ID, Google Workspace)
Automates onboarding and offboarding
SOC 2 Type II certified
24/7 human-in-the-loop monitoring
Book a Demo

Technical specifications

SCIM Version

2.0

Supported Operations

Create, Update, Deactivate, Groups

Supported Attributes

Not specified

Plan requirement

Enterprise

Prerequisites

SSO must be configured first

Key limitations

  • SAML SSO must be configured before SCIM
  • Deprovisioned teammates are deleted (not deactivated) - no soft-delete
  • Domain verification required for SAML
  • Okta password policy must require at least 10 characters
View Official Documentation

Configuration for Okta

Integration type

Okta Integration Network (OIN) app with SCIM provisioning

Prerequisite

SSO must be configured before enabling SCIM.

Where to enable

Okta Admin Console → Applications → Intercom → Provisioning

Required credentials

SCIM endpoint URL and bearer token (generated in app admin console).

Configuration steps

Enable Create Users, Update User Attributes, and Deactivate Users.

Provisioning trigger

Okta provisions based on app assignments (users or groups).

Docs

Okta integrationIntercom SCIM setup

Full SCIM 2.0 provisioning: import teammates, sync passwords, push new users, push profile updates, deactivate users (deletion). Push groups supported for role mapping.

Native SCIM is available on Enterprise. Use Stitchflow if you need provisioning without the tier upgrade.

Unlock SCIM for
Intercom

Intercom gates automation behind Enterprise plan. Stitchflow delivers the same SCIM outcomes for a flat fee, saving you 355%.

See how it works
Admin Console
Directory
Applications
Intercom logo
Intercom
via Stitchflow

Last updated: 2026-01-11

* Pricing and features sourced from public documentation.

Keep exploring

Related apps

Amplitude logo

Amplitude

SCIM Tax

Product Analytics

SCIM StatusIncluded
Manual Cost$11,754/yr

Amplitude supports SCIM provisioning, but only on Growth plans (starting around $36K/year) or Enterprise plans with custom pricing. While Amplitude's SCIM implementation covers the core functionality—creating, updating, and deactivating users—it requires SCIM to be specifically enabled for your organization, and regenerating the SCIM key immediately invalidates existing integrations without warning. For product teams on Plus plans ($49/month), upgrading to Growth just to unlock SCIM means jumping from under $600/year to $36,000+/year—a 60x increase. That's often more than the entire analytics budget for smaller product teams. The gap becomes particularly problematic for cross-functional product teams where analysts, PMs, and engineers need varying levels of access to user behavior data, but manual provisioning creates security risks around sensitive analytics permissions.

View full guide
Bill.com logo

Bill.com

SCIM Tax

Accounts Payable / Receivable Automation

SCIM StatusIncluded
Manual Cost$11,754/yr

Bill.com offers inconsistent SCIM provisioning support that varies dramatically by identity provider. While Okta users can access SCIM provisioning through the OIN integration, Bill.com doesn't publish native SCIM documentation, and other IdPs like Entra ID are limited to SAML SSO only. This fragmented approach means your provisioning capabilities depend entirely on your IdP choice rather than Bill.com's platform features. For finance teams managing sensitive AP/AR workflows where user access directly impacts invoice approvals and payment processing, this inconsistency creates operational gaps—especially when onboarding new controllers, AP clerks, or accountants requires manual role assignment tied to spending limits and approval hierarchies. The real problem is that Bill.com gates all SSO functionality behind Enterprise plans with custom pricing (typically 2-3x their Corporate plan at $79/user/month), yet still provides no clear path to automated provisioning for most customers. Since financial systems require precise role-based access controls for SOX compliance and segregation of duties, manual user management creates both security risks and administrative overhead. When employees change departments or leave the company, orphaned accounts in payment systems pose significant financial and compliance risks that manual processes often miss.

View full guide
Bitwarden logo

Bitwarden

SCIM Tax

Password Manager / Secrets Management

SCIM StatusIncluded
Manual Cost$11,754/yr

Bitwarden supports SCIM 2.0 provisioning, but only on Teams ($4/user/month) and Enterprise ($6/user/month) plans. While this pricing is reasonable compared to other password managers, the real challenge lies in Bitwarden's zero-knowledge architecture: SCIM can provision user accounts, but users still need to manually accept vault invitations and set up their encryption keys before gaining access to shared passwords. This creates a critical security gap. Your identity provider shows users as "provisioned," but they can't actually access company passwords until they complete manual setup steps. When employees leave, SCIM deprovisioning removes their account, but any locally cached vault data remains accessible until they next sync. For security teams managing hundreds of shared credentials, this manual friction undermines the entire purpose of automated provisioning.

View full guide