Summary and recommendation
PagerDuty supports SCIM provisioning, but only on Business ($41/user/month) or Enterprise plans. While the technical implementation works well with major identity providers, PagerDuty's SCIM has critical limitations: deactivating users completely deletes them (reactivation creates a new user), attribute updates after initial provisioning don't sync automatically, and some roles can't be created through SCIM at all.
For incident management teams, these limitations create operational risks. When engineers leave and rejoin teams, their incident history and on-call schedule configurations are lost. Manual attribute updates become necessary whenever someone changes roles or contact information—exactly the kind of administrative overhead SCIM should eliminate. For organizations where incident response is business-critical, these gaps in automation can impact team effectiveness during high-stress situations.
The strategic alternative
PagerDuty gates SCIM behind Business or Enterprise. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across the rest of your stack. Stitchflow builds and maintains the IT workflows your team still runs manually, across every app, including the ones without APIs.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Business |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages PagerDuty accounts manually. Here's what that costs:
The PagerDuty pricing problem
PagerDuty gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Professional | $21/user/mo | ||
| Business | $41/user/mo | ||
| Enterprise | Custom ($60-90/user/mo) |
Plan Structure
| Plan | Price | SCIM |
|---|---|---|
| Professional | $21/user/mo | ❌ |
| Business | $41/user/mo | ✓ |
| Enterprise | Custom ($60-90/user/mo) | ✓ |
What this means in practice
Using current list prices (Professional → Business for SCIM access):
| Team Size | Annual Upgrade Cost |
|---|---|
| 25 users | +$6,000/year |
| 50 users | +$12,000/year |
| 100 users | +$24,000/year |
Calculation: ($41 - $21) × users × 12 months
For incident response teams, this pricing jump is particularly painful since PagerDuty usage often spans the entire engineering organization, not just a core DevOps team.
Additional constraints
Summary of challenges
- PagerDuty supports SCIM but only at Business tier (custom pricing)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What the upgrade actually includes
PagerDuty doesn't sell SCIM standalone—it's bundled with Business ($41/user/month) or Enterprise tier features:
The core pain point: you're forced into Business tier pricing that doubles your per-user cost versus Professional ($21/user/month). For a 50-person engineering team, that's an extra $12,000 annually just to get basic user provisioning.
Stitchflow Insight
We estimate ~60% of Business tier features are irrelevant for teams that simply need automated user management. Most organizations just want engineers provisioned into PagerDuty immediately so they can respond to incidents—they don't need advanced analytics or custom automation workflows.
What IT admins are saying
Community sentiment on PagerDuty's SCIM implementation reveals frustration with attribute sync limitations and costly tier requirements. Common complaints:
- Requiring Business tier ($41/user/month) just for basic provisioning automation
- User attributes stop syncing after initial provisioning - manual updates required
- Deactivation deletes users entirely, losing incident history and on-call context
- Azure MFA requiring workaround configurations that break standard setups
SAML provisioned attributes like email, name, and role won't sync updates after the user is created - you have to manually update them in PagerDuty.
For MFA with Entra you have to disable AuthnContext which breaks our standard authentication flow.
The recurring theme
PagerDuty forces expensive tier upgrades for basic SCIM, then delivers a half-broken implementation that stops syncing user data after initial creation.
The decision
| Your Situation | Recommendation |
|---|---|
| On Professional, need SCIM | Use Stitchflow: avoid the $20/user/month tier jump to Business |
| On Business/Enterprise but hitting attribute sync issues | Use Stitchflow: bypass SAML attribute limitations and deactivation quirks |
| Already on Business/Enterprise, native SCIM working | Stick with native: you're paying $41-90/user/month already |
| Small on-call team, infrequent role changes | Manual may work: but monitor for incident response delays |
| Need reliable user lifecycle for critical incident response | Use Stitchflow: eliminate provisioning gaps that could impact on-call coverage |
The bottom line
PagerDuty gates SCIM behind Business or Enterprise. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Close the PagerDuty workflow gap
PagerDuty gates SCIM behind Business or Enterprise, but the bigger issue is the workflow around it. Stitchflow builds and maintains the offboarding, access review, or license workflow underneath.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Business
Prerequisites
SSO must be configured first
Key limitations
- Some roles cannot be created through SCIM or REST API
- SAML provisioned attributes (email, name, role) won't sync updates - manual update required
- MFA/Passwordless with Entra requires AuthnContext disabled
- Deactivation deletes users, reactivation creates new user
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
Full SCIM in OIN with Group Linking, Schema Discovery, Attribute Writeback. Create REST API key in PagerDuty. Account Owner required. Enabling Create Users will create billable users. Deactivation deletes users.
PagerDuty gates SCIM behind Business or Enterprise. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Full SSO and provisioning tutorial. MFA/Passwordless requires AuthnContext disabled. SAML attributes (email, name, role) don't sync updates after initial provisioning.
PagerDuty gates SCIM behind Business or Enterprise. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Close the workflow gap in
PagerDuty
PagerDuty gates SCIM behind Business or Enterprise plan. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across your stack, and it can add a 95% markup just to get there.
Start with the free gap diagnostic
