Summary and recommendation
Mimecast supports SCIM 2.0 for automated user provisioning, but only on Enterprise plans with custom pricing. While SCIM functionality is comprehensive (create, update, deactivate users, plus group sync), Mimecast requires separate configuration for SCIM and SSO, meaning IT teams must manage two different integration setups instead of one unified process.
For email security platforms like Mimecast that protect your entire organization, manual user management creates significant security gaps. Without automated provisioning, new employees may lack email protection on day one, while departed employees retain access longer than necessary. SSO alone only handles authentication; it doesn't automatically provision accounts or assign appropriate security policies based on group membership.
The strategic alternative
Mimecast gates SCIM behind Enterprise. Skip the Enterprise plan upgrade and automate complete outcomes across your stack. We maintain the integration layer underneath. You focus on judgment, not plumbing.
Quick SCIM facts
| Item | Detail |
|---|---|
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Mimecast accounts manually. Here's what that costs:
The Mimecast pricing problem
Mimecast gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Perimeter Defence | Custom (contact sales) | | |
| Comprehensive Defence | Custom (contact sales) | | |
| Enterprise | Custom (contact sales) | | |
Plan Structure
| Plan | Price | SCIM |
|---|---|---|
| Perimeter Defence | Custom (contact sales) | ✓ |
| Comprehensive Defence | Custom (contact sales) | ✓ |
| Enterprise | Custom (contact sales) | ✓ |
All enterprise tiers include SCIM 2.0 provisioning with full lifecycle management (create, update, deactivate users, group sync).
What this means in practice
Since Mimecast uses custom enterprise pricing:
Industry reports suggest Mimecast enterprise pricing often starts at $3-5 per user per month, but can scale significantly higher with advanced threat protection and data loss prevention features.
Additional constraints
Summary of challenges
- Mimecast supports SCIM but only at Enterprise tier (custom pricing)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app incur significant hidden costs annually
What the upgrade actually includes
Mimecast doesn't sell SCIM separately. It's bundled with their Enterprise tier, which includes comprehensive email security features:
The challenge: SCIM and SSO require separate configurations in Mimecast, adding setup complexity. While Enterprise pricing is custom (contact sales required), you're paying for extensive email security capabilities when you may only need user lifecycle automation.
For organizations already using Mimecast for email security, the Enterprise upgrade makes sense. But if you're evaluating Mimecast primarily for its identity management capabilities, you're paying for a comprehensive security platform when simpler provisioning solutions exist.
What IT admins are saying
Community sentiment on Mimecast's SCIM implementation is mixed, with concerns focused on the separate configuration complexity and enterprise pricing requirements.
- Having to configure SCIM and SSO separately adds unnecessary setup complexity
- Enterprise-only SCIM availability excludes smaller organizations from automated provisioning
- Custom pricing model makes it difficult to budget for identity automation needs
- Role mapping configuration requires additional administrative overhead
The recurring theme
While Mimecast offers full SCIM functionality, the enterprise pricing gate and split SSO/SCIM configuration create barriers for teams wanting straightforward identity automation.
The decision
| Your Situation | Recommendation |
|---|---|
| Need SCIM but don't have Enterprise pricing | Use Stitchflow: avoid custom Enterprise sales process |
| Already on Enterprise with SCIM included | Use native SCIM: you're paying for it |
| Want to avoid separate SCIM/SSO configurations | Use Stitchflow: unified setup across all your apps |
| Small team with infrequent user changes | Manual may work: but watch for security gaps |
| Need SCIM with non-Okta/Entra IdPs | Use Stitchflow: guaranteed compatibility with any IdP |
The bottom line
Mimecast's Enterprise requirement and separate SCIM/SSO configuration create complexity that many IT teams don't need. For organizations wanting streamlined provisioning without enterprise sales cycles, Stitchflow delivers the same automation at predictable flat-rate pricing.
Make Mimecast workflows AI-native
Mimecast gates SCIM behind Enterprise. We build complete offboarding, user access reviews, and license workflows without that SCIM Tax upgrade.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specified
Plan requirement
Enterprise
Prerequisites
SSO must be configured first
Key limitations
- SCIM and SSO are separate configurations
- SSO provides auth only, not user management
- Custom SCIM role mapping available
- Mimecast app in IdP catalogs may vary
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
Mimecast Admin integration with SSO, SCIM, entitlements, workflows. Group linking, schema discovery, attribute writeback supported.
Mimecast gates SCIM behind Enterprise. Stitchflow automates complete workflows without that SCIM Tax upgrade.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
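Whichever provisioning path is used, the access gaps described in the summary (departed employees still active, new hires without an account) can be checked by reconciling an IdP export against an export of the app's accounts. The following is an added example, not Mimecast's or Stitchflow's code; the field names and sample records are constructed, and the 40-minute window is the typical Entra cycle quoted above.

```python
from datetime import datetime, timedelta, timezone

# Typical Entra provisioning cycle quoted on this page; adjust for your IdP.
SYNC_WINDOW = timedelta(minutes=40)

# Constructed sample exports (hypothetical field names, not a vendor schema).
SAMPLE_NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
IDP_USERS = {
    "alice@example.com": {"active": True, "disabled_at": None},
    "bob@example.com": {"active": False, "disabled_at": "2024-05-01T09:00:00+00:00"},
    "carol@example.com": {"active": False, "disabled_at": "2024-05-01T11:45:00+00:00"},
    "erin@example.com": {"active": True, "disabled_at": None},
}
APP_USERS = {
    "alice@example.com": {"active": True},
    "Bob@example.com": {"active": True},
    "carol@example.com": {"active": True},
    "dave@example.com": {"active": True},
}

def find_access_gaps(idp_users, app_users, now, window=SYNC_WINDOW):
    """Return (email, kind, lag_minutes) findings for accounts out of step with the IdP."""
    idp = {k.lower(): v for k, v in idp_users.items()}
    app = {k.lower(): v for k, v in app_users.items()}
    findings = []
    for email in sorted(app):
        if not app[email]["active"]:
            continue  # already deactivated in the app
        record = idp.get(email)
        if record is None:
            findings.append((email, "orphaned", None))  # no IdP identity at all
        elif not record["active"]:
            ts = record["disabled_at"]
            lag = now - datetime.fromisoformat(ts) if ts else None
            # Inside the sync window the next cycle may still deactivate it.
            if lag is None or lag > window:
                minutes = None if lag is None else int(lag.total_seconds() // 60)
                findings.append((email, "stale_deactivation", minutes))
    for email in sorted(idp):
        # Active employee with no active app account: the day-one protection gap.
        if idp[email]["active"] and not app.get(email, {}).get("active"):
            findings.append((email, "missing_account", None))
    return findings

if __name__ == "__main__":
    for finding in find_access_gaps(IDP_USERS, APP_USERS, SAMPLE_NOW):
        print(finding)
```

An account disabled in the IdP less than one sync window ago (carol in the sample) is deliberately not reported, since the next scheduled cycle may still deactivate it.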


