Summary and recommendation
Microsoft 365 presents a unique provisioning challenge because it functions as the identity provider (through Entra ID) rather than a target application. While Microsoft 365 includes comprehensive SCIM provisioning capabilities to push users TO other applications, it cannot receive SCIM provisioning FROM external identity providers like Okta or Google Workspace. Organizations using non-Microsoft IdPs must manually create and manage Microsoft 365 user accounts, even though they can configure SAML SSO for authentication. This creates a significant operational burden for IT teams managing hybrid identity environments.
The gap becomes particularly problematic for organizations standardized on Okta, Google Workspace, or OneLogin as their primary IdP. They can authenticate users into Microsoft 365 seamlessly, but cannot automate the creation, updates, or deprovisioning of Microsoft 365 accounts when employees join, change roles, or leave. This manual overhead defeats the purpose of centralized identity management and creates compliance risks around orphaned accounts and delayed access provisioning.
The strategic alternative
Stitchflow provides SCIM-level provisioning through resilient browser automation for Microsoft 365 that works with any identity provider—Okta, Entra, Google Workspace, or OneLogin. We handle the complex API integrations to ensure your Microsoft 365 accounts stay synchronized with your primary IdP. Flat pricing under $5K/year, regardless of team size.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Business |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0, OIDC, OAuth2, WS-Fed |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Microsoft 365 accounts manually. Here's what that costs:
The Microsoft 365 pricing problem
Microsoft 365 gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Business Basic | $6/user/mo (→$7 July 2026) | | |
| Business Standard | $12.50/user/mo (→$14 July 2026) | | |
| Business Premium | $22/user/mo | | |
| + Entra ID P1 | +$6/user/mo | | |
| + Entra ID P2 | +$9/user/mo | | |
Real-world cost impact
What this means in practice
Most organizations start with Office 365 for productivity apps but discover they need Entra ID P1/P2 licenses to enable proper SCIM provisioning to other SaaS applications. This creates a painful budget conversation:
Cost escalation example (500 users)
Additional constraints
Summary of challenges
- Microsoft 365 supports SCIM but only at Business tier (custom pricing)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams that manually provision this app incur significant hidden costs annually
What Microsoft 365 actually offers for identity
Microsoft 365 presents a unique situation: it's typically the identity provider (IdP), not the target for SCIM provisioning. However, understanding the full picture helps clarify your options.
Entra ID (Built-in Identity Platform)
Microsoft 365 includes Entra ID (formerly Azure AD) as its identity backbone:
| Feature | Business Basic | Business Standard | Business Premium |
|---|---|---|---|
| Basic SSO | ✓ Yes | ✓ Yes | ✓ Yes |
| JIT Provisioning | ✓ Yes | ✓ Yes | ✓ Yes |
| SCIM Provisioning (outbound) | Requires P1/P2 | Requires P1/P2 | Requires P1/P2 |
| Advanced security features | Limited | Limited | ✓ Yes |
The licensing trap: While Microsoft 365 Business plans include basic SSO, full SCIM provisioning capabilities require Entra ID P1 ($6/user/month) or P2 ($9/user/month) licenses on top of your base Microsoft 365 subscription.
What's Actually Included
Microsoft 365 Business plans provide:
The Real Cost for SCIM
To provision users TO other applications from Microsoft 365, you need:
For a 100-user organization, that's $14,400/year minimum—with price increases hitting July 2026.
The irony: Most organizations using Microsoft 365 need to provision users FROM Entra ID TO other applications, not the reverse. If you're looking to provision users INTO Microsoft 365 from another IdP, you're working against the Microsoft ecosystem's design.
What IT admins are saying
Community sentiment on Microsoft 365's provisioning reveals frustration with licensing complexity and hidden costs:
- P1/P2 licensing requirements add $6-22/user/month just for full SCIM provisioning features
- Pricing tier confusion - basic Business plans include SSO but not automated provisioning
- Enterprise Mobility Suite (EMS) bundling creates unnecessary complexity for simple provisioning needs
- July 2026 price increases (Business Basic $6→$7, Standard $12.50→$14) compound the cost concerns
"The pricing complexity with modular features makes it difficult to budget accurately for our identity management needs."
"We're paying for Business Standard but still need P1 licenses for proper user provisioning - the cost add-up is significant when you factor in the upcoming price increases."
The recurring theme
While Microsoft 365 is the identity backbone for most organizations, IT teams face sticker shock when they discover that comprehensive provisioning features require premium licensing tiers on top of their existing Business plans.
The decision
| Your Situation | Recommendation |
|---|---|
| Small organization (<25 users) with Microsoft as primary IdP | Manual management is acceptable |
| Microsoft shop with Entra ID P1/P2 already licensed | Use native SCIM provisioning - you're already paying for it |
| Mixed IdP environment (Okta, Google Workspace) needing M365 access | Use Stitchflow: cross-platform automation essential |
| Enterprise requiring detailed provisioning audit trails | Use Stitchflow: superior monitoring and compliance reporting |
| Organizations on Business Basic/Standard without P1/P2 | Use Stitchflow: cheaper than upgrading to P1 ($6+/user/month) |
The bottom line
Microsoft 365 has robust SCIM capabilities, but only if you're already paying for Entra ID P1/P2 licensing—otherwise you're looking at significant cost increases starting at $6 per user monthly. For organizations using non-Microsoft IdPs or those wanting advanced provisioning oversight without the P1/P2 premium, Stitchflow delivers enterprise-grade automation at flat pricing.
Automate Microsoft 365 without the tier upgrade
Stitchflow delivers SCIM-level provisioning for Microsoft 365 through resilient browser automation, backed by a 24/7 human in the loop, at a flat rate of <$5K/year regardless of team size.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specified
Plan requirement
Business
Prerequisites
SSO must be configured first
Key limitations
- SCIM provisioning features require P1 or P2 license tier
- Full functionality costs more than base SSO
- On-premises SCIM requires additional connector setup
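The orphaned-account and delayed-provisioning risk raised in the summary, together with the Create and Deactivate operations listed above, can be checked with a reconciliation like the following. This is an added example, not Stitchflow or Microsoft code: the rosters, resource ids and `/Users` paths are constructed, and the request bodies are the generic SCIM 2.0 (RFC 7644) shapes, not a documented Microsoft 365 endpoint.

```python
# Constructed sample data, not real accounts. The IdP roster is the source of truth.
IDP_ROSTER = {                      # UPN -> active in the IdP
    "alice@example.com": True,
    "Bob@example.com": False,       # offboarded in the IdP
    "dana@example.com": True,       # new hire, no Microsoft 365 account yet
}
# Constructed Microsoft 365 export: UPN -> (hypothetical resource id, enabled)
M365_ACCOUNTS = {
    "alice@example.com": ("u-001", True),
    "bob@example.com": ("u-002", True),     # still enabled after offboarding
    "carol@example.com": ("u-003", True),   # no IdP record at all
    "erin@example.com": ("u-004", False),   # already disabled, nothing to do
}

PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"

def reconcile(idp, m365):
    """Return (orphaned, missing) UPN lists; UPNs compare case-insensitively."""
    active = {upn.lower() for upn, is_active in idp.items() if is_active}
    accounts = {upn.lower(): acct for upn, acct in m365.items()}
    # Orphaned: enabled in Microsoft 365 but absent from, or inactive in, the IdP.
    orphaned = sorted(u for u, (_, enabled) in accounts.items()
                      if enabled and u not in active)
    # Missing: active in the IdP but with no Microsoft 365 account (delayed access).
    missing = sorted(active - set(accounts))
    return orphaned, missing

def build_plan(idp, m365):
    """Express the fixes as SCIM 2.0 requests: Deactivate first, then Create."""
    ids = {upn.lower(): rid for upn, (rid, _) in m365.items()}
    orphaned, missing = reconcile(idp, m365)
    plan = [{"method": "PATCH", "path": f"/Users/{ids[u]}",
             "body": {"schemas": [PATCH_OP],
                      "Operations": [{"op": "replace", "path": "active",
                                      "value": False}]}} for u in orphaned]
    plan += [{"method": "POST", "path": "/Users",
              "body": {"schemas": [CORE_USER], "userName": u, "active": True}}
             for u in missing]
    return plan

if __name__ == "__main__":
    import json
    print(json.dumps(build_plan(IDP_ROSTER, M365_ACCOUNTS), indent=2))
```

Deactivations are ordered ahead of creations so that access removal is never queued behind onboarding work.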
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
Microsoft 365 in OIN. Provisioning via Office365 SCIM integration. Bidirectional sync supported.
Native SCIM is available on Business. Use Stitchflow if you need provisioning without the tier upgrade.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Microsoft Entra ID is the provisioning source: it provisions TO other apps via SCIM and is not provisioned FROM external sources.
Native SCIM is available on Business. Use Stitchflow if you need provisioning without the tier upgrade.


