Summary and recommendation
Navan offers native SCIM 2.0 provisioning, but with significant limitations that create operational gaps for IT teams. SCIM is only available through Okta integration on Enterprise plans (~$179/user/year), leaving Microsoft Entra users with SSO-only and JIT provisioning. For organizations using Entra as their primary IdP, this means manual user lifecycle management despite having enterprise-grade identity infrastructure.
The Okta-only restriction creates a particularly problematic scenario: teams already invested in Microsoft's ecosystem must either maintain dual identity providers or accept manual provisioning workflows. Even organizations with Okta face the Enterprise plan requirement, which can represent substantial cost increases from the free Business plan (limited to 300 employees). This fragmented approach undermines centralized identity governance and creates compliance blind spots.
The strategic alternative
Navan gates SCIM behind Enterprise. Skip the Enterprise plan upgrade and automate complete outcomes across your stack. We maintain the integration layer underneath. You focus on judgment, not plumbing.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | No |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Not available |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ❌ | SSO only |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Navan accounts manually. Here's what that costs:
The Navan pricing problem
Navan gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Pro | N/A | | |
| Business | $0 (up to 300 employees) | | |
| Enterprise | Custom (~$179/user/year) | | |
Plan Structure
| Plan | Price | SCIM |
|---|---|---|
| Pro | N/A | ❌ |
| Business | $0 (up to 300 employees) | ❌ |
| Enterprise | Custom (~$179/user/year) | ✓ |
What this means in practice
Using Navan's approximate Enterprise pricing (~$179/user/year):
| Team Size | Annual Cost for SCIM |
|---|---|
| 50 users | ~$8,950/year |
| 100 users | ~$17,900/year |
| 200 users | ~$35,800/year |
Organizations currently on the free Business plan face the steepest jump—going from $0 to nearly $18,000 annually for a 100-person team just to enable automated provisioning.
Additional constraints
Summary of challenges
- Navan supports SCIM, but only at the Enterprise tier (custom pricing, ~$179/user/year list)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app incur significant hidden costs annually
What the upgrade actually includes
Navan doesn't sell SCIM à la carte. It's bundled with Enterprise features:
The catch: SCIM only works with Okta. If you use Entra ID, Google Workspace, or OneLogin, you're limited to SSO with just-in-time (JIT) provisioning - meaning users still need manual setup for travel profiles and permissions.
If you need enterprise travel controls anyway, the upgrade may make sense. If you just want automated user provisioning across all your identity providers, you're paying ~$179/user/year for a bundle where roughly 60% of features are irrelevant for teams that only need SCIM. Plus you're locked into Okta as your IdP.
What IT admins are saying
Community sentiment on Navan's SCIM limitations reveals widespread frustration with inconsistent IdP support and pricing barriers. Common complaints:
- SCIM provisioning locked behind Enterprise pricing (~$179/user/year)
- Okta-only SCIM support leaves Entra and Google Workspace admins behind
- JIT provisioning through Entra creates account sprawl and security gaps
- Business plan's 300-employee limit forces unnecessary Enterprise upgrades
Why does Navan only support SCIM through Okta? We're an Entra shop and stuck with JIT provisioning that creates compliance headaches.
The jump from free Business to Enterprise pricing just for automated provisioning is brutal. We're paying $179 per user annually when we only need basic SCIM functionality.
The recurring theme
Navan's fragmented provisioning approach forces organizations into expensive Enterprise plans or leaves them with subpar JIT workarounds, creating both budget strain and security risks.
The decision
| Your Situation | Recommendation |
|---|---|
| On Business plan, need SCIM | Use Stitchflow: avoid the Enterprise upgrade to ~$179/user/year |
| Using Entra ID and need provisioning | Use Stitchflow: Navan's Entra integration is SSO-only |
| On Enterprise but using non-Okta IdP | Use Stitchflow: SCIM only works with Okta |
| Already on Enterprise with Okta | Use native SCIM: you're paying for it |
| Small team under 300 employees, low churn | Manual may work: but Business plan lacks SCIM growth path |
The bottom line
Navan's SCIM requires both Enterprise pricing (~$179/user/year) and Okta as your IdP, creating a double lock-in that excludes most organizations. For teams on Business plans or using Entra/Google Workspace, Stitchflow delivers the same provisioning automation without the platform restrictions.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specified
Plan requirement
Enterprise
Prerequisites
None
Key limitations
- SCIM provisioning only available via Okta integration
- Enterprise plan required for full SCIM capabilities
- Free Business plan limited to 300 employees
- Entra integration is SSO-only with JIT provisioning
Documentation not available.
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
Docs
Supports Create, Update, Deactivate Users, Group Push, Schema Discovery, Attribute Writeback
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app
Where to enable
SSO with JIT provisioning only. No SCIM provisioning via Entra.
Use Stitchflow for automated provisioning.
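JIT provisioning creates an account at first SSO login but does not deactivate it when the user is disabled in the IdP, so offboarding has to be checked separately. The following is an added example, not code from the original page or from Navan: it reconciles an IdP user export against an app user export and flags accounts that are still active in the app. The CSV column names and all sample rows are constructed assumptions, not a real Entra or Navan export format.

```python
import csv
import io

# Constructed sample exports. Column names are assumptions for illustration,
# not the real export format of Entra ID or Navan.
IDP_EXPORT = """userPrincipalName,accountEnabled
alice@example.com,true
Bob@Example.com,true
carol@example.com,false
"""

APP_EXPORT = """email,status
alice@example.com,active
bob@example.com,active
carol@example.com,active
dave@example.com,active
erin@example.com,inactive
"""


def _rows(text):
    """Parse CSV text into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def find_stale_accounts(idp_csv, app_csv):
    """Return (email, reason) for app accounts that are active but should not be."""
    # Map normalized email -> enabled flag; emails compare case-insensitively.
    idp = {
        r["userPrincipalName"].strip().lower(): r["accountEnabled"].strip().lower() == "true"
        for r in _rows(idp_csv)
    }
    findings = []
    for r in _rows(app_csv):
        email = r["email"].strip().lower()
        if r["status"].strip().lower() != "active":
            continue  # already deactivated in the app, nothing to do
        if email not in idp:
            findings.append((email, "not in IdP"))       # orphaned account
        elif not idp[email]:
            findings.append((email, "disabled in IdP"))  # missed offboarding
    return sorted(findings)


if __name__ == "__main__":
    for email, reason in find_stale_accounts(IDP_EXPORT, APP_EXPORT):
        print(f"{email}: {reason}")
```

Running a reconciliation like this on a schedule gives an SSO-only integration a review of the deactivations that SCIM would otherwise push automatically.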


