Summary and recommendation
LastPass supports SCIM provisioning starting at the Business tier ($7/user/month), with integration support for all major identity providers including Okta, Entra ID, Google Workspace, and OneLogin. However, LastPass SCIM has critical limitations around deprovisioning: when users are removed, their vault access isn't immediately revoked, and shared folder permissions become complex to manage at scale.
This creates a significant security gap for IT teams. Password vaults contain the most sensitive credentials in your organization—API keys, service accounts, privileged access passwords. When employees leave or change roles, their access to these credentials must be revoked immediately, not left accessible while IT manually cleans up vault permissions. SSO alone doesn't solve this because it only controls login authentication, not ongoing vault access or shared resource permissions.
The strategic alternative
LastPass gates SCIM behind Business. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across the rest of your stack. Stitchflow builds and maintains the IT workflows your team still runs manually, across every app, including the ones without APIs.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Business |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages LastPass accounts manually. Here's what that costs:
The LastPass pricing problem
LastPass gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Plan Structure (Billed Monthly)
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Teams | $4/user/mo | | |
| Business | $7/user/mo | | |
| Enterprise | Custom pricing | | |
What this means in practice
Using current list prices (Teams → Business for SCIM access):
| Team Size | Annual Upgrade Cost |
|---|---|
| 25 users | +$900/year |
| 50 users | +$1,800/year |
| 100 users | +$3,600/year |
| 250 users | +$9,000/year |
Calculation: ($7 - $4) × users × 12 months
Additional constraints
Summary of challenges
- LastPass supports SCIM but only at Business tier (custom pricing)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows that teams provisioning this app manually incur significant hidden costs annually
What the upgrade actually includes
LastPass doesn't sell SCIM separately. It's bundled with Business plan features at $7/user/month:
The Business plan makes sense if you need enterprise password management with SSO. But if you just want automated user provisioning for a smaller team already using LastPass Teams ($4/user/month), you're paying 75% more for features like unlimited shared folders and advanced MFA that many teams don't need.
Stitchflow Insight
We estimate ~60% of Business plan features are overkill for organizations that simply want to automate LastPass user lifecycle management without the full enterprise security suite.
What IT admins are saying
Community sentiment on LastPass's SCIM implementation focuses heavily on security concerns and deprovisioning gaps. Common complaints:
- Deprovisioning doesn't immediately revoke access to existing vault data
- Complex shared folder permission management creates security gaps
- Post-breach trust concerns affecting enterprise adoption
- Master password reset policies clash with automated provisioning workflows
The biggest issue is that when you deprovision someone, they can still access their vault data until their session expires. For a security tool, that's pretty concerning.
Shared folder permissions are a nightmare to manage at scale. SCIM helps with user lifecycle but doesn't solve the vault access complexity.
The recurring theme
While LastPass offers SCIM on reasonable pricing tiers, the fundamental challenge is ensuring truly secure offboarding when password vaults contain critical credentials that need immediate access revocation.
The decision
| Your Situation | Recommendation |
|---|---|
| On Teams ($4/user/month), need SCIM | Use Stitchflow: avoid the 75% price jump to Business |
| On Business/Enterprise with native SCIM | Use native SCIM: you're already paying for it |
| Security-first organization with strict offboarding | Use Stitchflow: better deprovisioning controls than native |
| Complex shared folder permissions requirements | Use Stitchflow: managed configuration avoids permission gaps |
| Small team with low turnover | Manual may work: but password vaults make offboarding errors costly |
The bottom line
LastPass gates SCIM behind Business. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Close the LastPass workflow gap
LastPass gates SCIM behind Business, but the bigger issue is the workflow around it. Stitchflow builds and maintains the offboarding, access review, or license workflow underneath.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specified
Plan requirement
Business
Prerequisites
SSO must be configured first
Key limitations
- Vault data handling during deprovisioning
- Shared folder permissions need configuration
- Master password reset considerations
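The deprovisioning and shared-folder limitations above can be checked after each offboarding by reconciling the leaver list against SCIM 2.0 User and Group resources. The following is an added example, not LastPass or Stitchflow code: the sample payloads, user names and group names are constructed, the field names follow the standard SCIM core schema (RFC 7643), and it assumes shared-folder access is granted through SCIM groups.

```python
"""Offboarding audit over SCIM 2.0 User and Group resources (RFC 7643 shapes).

All data below is constructed sample data, not output from a real tenant.
"""

# Constructed ListResponse bodies, shaped like the results of
# GET /Users and GET /Groups on a SCIM 2.0 endpoint.
USERS = {"Resources": [
    {"id": "u1", "userName": "alice@example.com", "active": True},
    {"id": "u2", "userName": "bob@example.com", "active": False},
    {"id": "u3", "userName": "carol@example.com", "active": False},
    {"id": "u4", "userName": "dave@example.com", "active": True},
]}
GROUPS = {"Resources": [
    {"id": "g1", "displayName": "prod-api-keys",
     "members": [{"value": "u1"}, {"value": "u2"}]},
    {"id": "g2", "displayName": "finance", "members": [{"value": "u4"}]},
]}
# Leavers according to the HR system or IdP (constructed).
LEAVERS = ["alice@example.com", "bob@example.com", "carol@example.com",
           "erin@example.com"]


def audit_offboarding(leavers, users, groups):
    """Return {userName: [findings]} for leavers whose SCIM state is not clean."""
    by_name = {u["userName"].lower(): u for u in users["Resources"]}
    findings = {}
    for name in leavers:
        user = by_name.get(name.lower())
        if user is None:
            # Absent from the SCIM directory: confirm deletion out of band.
            findings[name] = ["not found in SCIM directory"]
            continue
        issues = []
        if user.get("active", True):  # a missing 'active' is treated as active
            issues.append("still active")
        for g in groups["Resources"]:
            if any(m.get("value") == user["id"] for m in g.get("members", [])):
                issues.append(f"member of group {g['displayName']}")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_offboarding(LEAVERS, USERS, GROUPS).items():
        print(f"{name}: {'; '.join(issues)}")
```

A clean result covers directory and group state only. Session state is not part of the SCIM core schema, so the session-expiry concern has to be verified separately.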
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
Full SCIM with real-time provisioning/deprovisioning. Federated login available (no master password). SCIM endpoint requires no software installation.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Full SCIM via Azure AD/Entra. Federated login supported. Deprovisioning removes account access while keeping data available for reactivation.


