Summary and recommendation
Pulumi offers comprehensive SCIM 2.0 support with full user and group provisioning capabilities. However, SCIM is gated behind the Enterprise plan, which starts at $32,850/year via AWS Marketplace or usage-based pricing at $0.0005/resource/hour. This creates a significant barrier for smaller teams who need automated provisioning but can't justify enterprise-level infrastructure spending. Additionally, Pulumi requires SAML SSO to be configured before SCIM can be enabled, and enforces strict limitations like immutable usernames and a 40-character limit on team names.
For teams currently on Team plans (usage-based at $0.00025/resource/hour), upgrading to Enterprise solely for SCIM doubles your resource costs. A mid-sized team managing infrastructure could easily face $20,000+ in additional annual costs just to unlock automated user provisioning - costs that compound as your infrastructure scales.
The strategic alternative
Pulumi gates SCIM behind Enterprise. Skip the Enterprise plan upgrade and automate complete outcomes across your stack. We maintain the integration layer underneath. You focus on judgment, not plumbing.
Quick SCIM facts
| Question | Answer |
|---|---|
| SCIM available? | Yes |
| SCIM tier required | Enterprise |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Pulumi accounts manually. Here's what that costs:
The Pulumi pricing problem
Pulumi gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Plan Structure
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Individual | $0 (500 deploy minutes) | | |
| Team | $0.00025/resource/hour | | |
| Enterprise | $0.0005/resource/hour or $32,850/year | | |
| Business Critical | $50,000+/year | | |
What this means in practice
Pulumi's usage-based pricing makes cost projections challenging, but the Enterprise tier doubles your resource costs compared to Team pricing. For organizations running substantial infrastructure:
Resource-based pricing impact
AWS Marketplace option: Fixed $32,850/year eliminates usage surprises but represents significant upfront commitment.
Additional constraints
Summary of challenges
- Pulumi supports SCIM, but only at the Enterprise tier: $0.0005/resource/hour (~$0.365/resource/month) or $32,850/year via AWS Marketplace
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows that teams provisioning this app manually incur significant hidden costs annually
What the upgrade actually includes
Pulumi doesn't sell SCIM à la carte. It's bundled with Enterprise features:
The usage-based pricing model ($0.0005/resource/hour) also means costs scale unpredictably with your infrastructure footprint, making budgeting difficult for growing teams.
Stitchflow Insight
The Enterprise tier targets large-scale infrastructure teams with complex compliance requirements. If you just need automated user provisioning for your DevOps team, you're paying for enterprise governance features you likely won't use. We estimate ~60% of Enterprise features are irrelevant for teams that only need SCIM automation.
What IT admins are saying
Community sentiment on Pulumi's SCIM implementation is generally positive, but cost concerns dominate the conversation. Common complaints:
- Enterprise plan requirement creates a significant pricing barrier for smaller teams
- Usage-based pricing model makes SCIM costs unpredictable and potentially expensive
- The $32,850/year marketplace minimum feels excessive for basic identity automation
- Having to estimate resource hours to budget for what should be standard security features
"We wanted SCIM but the Enterprise pricing model is just not feasible for our team size. The resource-based billing makes it impossible to predict what we'll actually pay."
"Why is user provisioning locked behind a $30K+ paywall? Every other tool we use includes this in their standard plans."
The recurring theme
Pulumi's usage-based Enterprise pricing creates both cost barriers and budgeting uncertainty, making basic identity automation inaccessible to many teams despite solid technical implementation.
The decision
| Your Situation | Recommendation |
|---|---|
| On Team plan, need SCIM | Use Stitchflow: avoid the Enterprise upgrade and usage-based costs |
| Small resource footprint, worried about Enterprise pricing | Use Stitchflow: flat $5K/year vs. unpredictable resource-based billing |
| Already on Enterprise plan | Use native SCIM: you're paying for it and it's well-implemented |
| Need Enterprise features beyond SCIM | Evaluate Enterprise: SCIM comes bundled with advanced security |
| Low user churn, simple team structure | Manual may work: but monitor for security gaps in a DevOps context |
The bottom line
Pulumi's Enterprise requirement means SCIM comes with usage-based pricing that can quickly escalate beyond $32K/year for active infrastructure teams. For organizations on Team plans that need provisioning automation without the Enterprise commitment, Stitchflow delivers the same user lifecycle management at predictable flat-rate pricing.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specified
Plan requirement
Enterprise
Prerequisites
SSO must be configured first
Key limitations
- Enterprise plan required for SCIM
- One SCIM app per Pulumi org
- Team names are limited to 40 characters for SCIM
- SAML required before SCIM
- Usernames are immutable
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Full SCIM 2.0 support. Configure userName for creation only. Scope to assigned users/groups only.
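A pre-flight check for the two data constraints listed under Key limitations (40-character team names, immutable usernames) and the "userName for creation only" note above. This is an added example, not Pulumi's or Stitchflow's code. The record layout and sample data are constructed, and it assumes the limit counts characters in the group's displayName.

```python
# Pre-flight lint for IdP data before it is pushed over SCIM.
# Record layout (id / userName / displayName) is a constructed stand-in for
# an IdP export; nothing here calls a Pulumi or IdP API.

TEAM_NAME_MAX = 40  # team-name limit from the limitations list (assumed: characters)

# Constructed sample data.
SAMPLE_GROUPS = [
    {"id": "g1", "displayName": "platform-engineering"},
    {"id": "g2", "displayName": "infrastructure-security-and-compliance-reviewers"},
]
PREV_USERS = [
    {"id": "u1", "userName": "alice@example.com"},
    {"id": "u2", "userName": "bob@example.com"},
]
CURR_USERS = [
    {"id": "u1", "userName": "alice@example.com"},
    {"id": "u2", "userName": "robert@example.com"},  # renamed in the IdP
    {"id": "u3", "userName": "carol@example.com"},   # new user, not a rename
]


def lint_groups(groups):
    """Return groups whose displayName exceeds the team-name limit."""
    return [
        {"id": g["id"], "length": len(g["displayName"])}
        for g in groups
        if len(g["displayName"]) > TEAM_NAME_MAX
    ]


def lint_username_changes(previous, current):
    """Flag users whose userName differs between two snapshots, matched by id."""
    old = {u["id"]: u["userName"] for u in previous}
    return [
        {"id": u["id"], "was": old[u["id"]], "now": u["userName"]}
        for u in current
        if u["id"] in old and old[u["id"]] != u["userName"]
    ]


if __name__ == "__main__":
    for finding in lint_groups(SAMPLE_GROUPS):
        print("team name too long:", finding)
    for finding in lint_username_changes(PREV_USERS, CURR_USERS):
        print("userName changed (immutable in Pulumi):", finding)
```

Running it against two consecutive IdP exports before each provisioning cycle surfaces renames and over-long group names for review before the sync reaches them.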


