SCIM Provisioning and Identity Lifecycle Automation

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
The provisioning gap is one of the most expensive identity failures in modern enterprises. HR terminates an employee. The identity provider disables the account. The SAML applications stop accepting logins. But the 200 SaaS apps without SCIM keep the user active. Three months later that ex-employee logs into Notion, downloads customer data, and joins a competitor. Or worse, an attacker compromises the personal email tied to that orphaned SaaS account and uses it as a foothold.
SCIM 2.0 is the protocol that closes this gap when applications support it, and Okta Workflows or Entra Lifecycle Workflows close it for apps that do not. This guide walks the SCIM mechanics, the configuration that makes provisioning actually work in production, and the verification workflows that catch silent failures before they become incidents.
The Provisioning Gap and Why SAML Is Not Enough
Many security teams assume SAML SSO solves the identity lifecycle problem. It does not. SAML only handles authentication; when the IdP disables an account, SAML logins fail, but any session already established remains active until the application enforces session timeout. More importantly, the local account record in the application persists. The user's data, API keys, OAuth grants, and group memberships remain. If the application offers any non-SAML login path (local password fallback, OAuth via Google, magic link, API key), the ex-employee can still get in. The provisioning gap measures the time between HR termination and full removal of the user record from every connected application. Industry surveys consistently show this gap measured in weeks, not minutes. SCIM 2.0 closes the gap by giving the IdP a programmatic way to create, update, and delete user records in downstream applications. When provisioning is configured correctly, IdP termination triggers a DELETE or PATCH to every SCIM-enabled application within minutes.
SCIM 2.0 Protocol Fundamentals
SCIM 2.0 is a REST API standard defined in RFC 7644 with five core operations the IdP sends to the application. POST /Users creates a user record; the payload includes externalId (the IdP's user identifier, used to correlate records), userName, name, emails, and any extended attributes the application defines. GET /Users/{id} reads a user, used for sync verification. PUT /Users/{id} replaces the user record; most IdPs use PATCH instead because it preserves application-controlled attributes. PATCH /Users/{id} applies partial updates with a JSON Patch-style operation list. DELETE /Users/{id} or PATCH with active: false deprovisions, depending on the application; deactivation is more common than hard delete to preserve audit history. Groups are managed via parallel /Groups endpoints with members manipulated through PATCH operations. The application implements these endpoints and authenticates the IdP using a bearer token or OAuth client credentials. SCIM's value is standardization; without it, every application requires a custom integration. Its limitation is implementation quality varies widely; some applications implement only partial SCIM or have buggy PATCH support that requires workarounds.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Configuring SCIM in Okta
In Okta, SCIM provisioning is configured per application in the Provisioning tab. For SCIM 2.0 apps, you provide the SCIM connector base URL, authentication mode (header, basic auth, or OAuth), and supported provisioning actions. The Provisioning tab has two enforcement points: To App (push from Okta to the application) and To Okta (import from the application back into Okta, used for reconciliation). Enable Create Users, Update User Attributes, and Deactivate Users in To App; this is the standard configuration that pushes lifecycle events. Attribute mapping is where most configuration time goes; map Okta profile attributes to the application's SCIM schema, and use Okta Expression Language for transformations like building a custom userName from email components. Push Groups separately controls whether group membership changes flow through SCIM; configure this thoughtfully because pushing every Okta group to every application creates noise and potential conflicts. Monitor the Provisioning Errors dashboard daily; failed SCIM calls show up here with retryable and permanent errors. Permanent errors (duplicate username, schema violation) need manual remediation; ignored, they leave provisioning state inconsistent indefinitely.
Configuring SCIM in Entra ID
Entra ID handles SCIM through the Provisioning blade on each Enterprise Application. Provisioning Mode set to Automatic enables SCIM; Admin Credentials section accepts the tenant URL (the application's SCIM base) and secret token. Test Connection validates the credentials and confirms the application's SCIM endpoint is reachable. Mappings section configures the attribute flows; the default mappings cover standard SCIM attributes but extended schemas require manual mapping. Scope filter is the critical control; set it to assigned users and groups only to prevent unintended provisioning of the entire directory. Provisioning logs in the Monitoring section show every SCIM call with payload, response, and outcome; this is where you diagnose provisioning failures. Entra runs the provisioning cycle every 40 minutes by default, which means lifecycle changes take up to that long to propagate; use on-demand provisioning for terminations that need immediate effect. Quarantine is a state Entra enters when an application returns persistent errors; the provisioning job pauses entirely until you investigate. Configure alerts on quarantine state because a quarantined app stops processing all lifecycle events until manually resumed.
Deprovisioning Verification: Trust But Verify
Configuring SCIM is not the same as proving deprovisioning works. SCIM calls fail silently when the application's API has issues, when rate limits hit, when network paths break. The provisioning logs show the attempt; the actual state of the account in the downstream application is what matters. Build a verification workflow that runs after every termination. The workflow queries each provisioned application via API (not via SCIM, but the application's native API) and confirms the user record is in the expected deactivated or deleted state. If a discrepancy is found, ticket it for manual remediation. Okta Workflows and Entra Lifecycle Workflows both support this pattern; you can also build it externally with a script driven by HR feeds. The harder problem is apps without SCIM. Inventory every SaaS application; for each one without SCIM support, determine the manual deprovisioning runbook owner and document the process in a way that survives owner turnover. For high-risk apps (developer tools, data warehouses, customer support), prioritize either pushing the vendor for SCIM support or building custom API-based provisioning via Okta Workflows or Entra Lifecycle Workflows. JIT provisioning sounds attractive but leaves a gap: accounts get created on first login, but there is no corresponding deprovisioning event because JIT alone does not propagate disable signals.
Handling SCIM Gaps with Workflow Automation
About 40 percent of SaaS applications in a typical enterprise lack SCIM support. For these, IdP-driven workflow automation closes the gap. Okta Workflows is a no-code automation platform that triggers on identity events (user deactivated, group changed) and calls arbitrary APIs. Build a flow that listens for user deactivation and, for each non-SCIM application the user had access to, calls the application's user management API to disable the account. Entra Lifecycle Workflows offers equivalent capability with custom task extensions calling Logic Apps or Functions. The implementation requires inventorying API capabilities per app (some have full user management APIs, some have only invitation APIs that cannot deprovision), storing per-app credentials securely, and handling failure paths (retry with exponential backoff, ticket creation on persistent failure). The maintenance burden is real but bounded; once built, these flows run automatically and produce audit logs that satisfy SOC 2 and ISO 27001 evidence requirements. For applications with neither SCIM nor a programmatic API, your only option is manual deprovisioning with strict SLA tracking; track time-to-deprovision per app and pressure vendors to add SCIM or sunset the application.
The bottom line
The provisioning gap is a solved problem for SAML, configured problem for SCIM, and an automation problem for everything else. Production identity programs need SCIM enabled on every supported application, verification workflows that confirm deprovisioning actually completed, and Okta Workflows or Entra Lifecycle Workflows handling the long tail of apps without SCIM.
Measure success by time-to-deprovision across the full SaaS portfolio, not just SAML apps. A program that closes accounts in supported apps within minutes but leaves Notion and Figma active for weeks is not actually managing identity lifecycle. Inventory every SaaS app, classify by deprovisioning capability, and build the automation that brings the long tail under control.
Frequently asked questions
Does SAML SSO solve the provisioning gap?
No. SAML only handles authentication. The user record persists in the application after SAML logins fail, including any local passwords, API keys, and OAuth grants. SCIM is required to actually remove the account record on termination.
What is the difference between SCIM provisioning and JIT provisioning?
SCIM proactively syncs lifecycle events from the IdP to the application, including creation, updates, and deletion. JIT creates accounts on first SAML login but does not propagate other lifecycle events, particularly deactivation, so JIT alone leaves the deprovisioning gap open.
How do we handle apps that do not support SCIM?
Use Okta Workflows or Entra Lifecycle Workflows to call the application's native user management API on identity events. For apps with no API, document a manual deprovisioning runbook with strict SLA tracking and prioritize either vendor pressure for SCIM or sunsetting the app.
How long should full deprovisioning take after HR termination?
For SCIM-enabled applications, minutes; Entra's default 40-minute cycle is the upper bound and can be triggered on-demand. For workflow-automated apps, within an hour. For manual deprovisioning apps, the SLA depends on risk classification but 24 hours is a reasonable maximum for sensitive apps.
How do we verify SCIM provisioning is actually working?
Build a verification workflow that queries each application via its native API after a termination event and confirms the account is in the expected state. SCIM call success in provisioning logs does not guarantee the downstream account is actually disabled; verify state directly.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
