---
title: User Provisioning with SCIM
description: >-
  Automate user provisioning and deprovisioning in Datadog using SCIM
  integration with Microsoft Entra ID and Okta identity providers.
---

# User Provisioning with SCIM

{% alert level="info" %}
SCIM is available with the Infrastructure Pro, Infrastructure Enterprise, and Startup plans.
{% /alert %}

## Overview{% #overview %}

The System for Cross-domain Identity Management, or [SCIM](https://scim.cloud/), is an open standard that allows for the automation of user provisioning. Using SCIM, you can automatically provision and deprovision users in your Datadog organization in sync with your organization's identity provider (IdP).

### Supported capabilities{% #supported-capabilities %}

- Create users in Datadog
- Remove users in Datadog when they no longer require access
- Single sign-on to Datadog (recommended)
- Managed Teams: Create Datadog Teams from identity provider groups and keep membership of the Datadog Teams synchronized with group membership in the identity provider.
- Role provisioning: Provision a user's Datadog role (built-in or custom) from an identity provider attribute, and keep it synchronized. When the attribute changes in your identity provider, the user's Datadog role updates in real time.

Datadog implements the SCIM server protocol. Datadog supports using SCIM with the Microsoft Entra ID and Okta identity providers. Other identity providers may work, but are not explicitly supported.

To configure SCIM for supported identity providers, see the documentation for your IdP:

- [Microsoft Entra ID](https://docs.datadoghq.com/account_management/scim/azure.md)
- [Okta](https://docs.datadoghq.com/account_management/scim/okta.md)

### Prerequisites{% #prerequisites %}

SCIM in Datadog is an advanced feature included in the Infrastructure Pro and Infrastructure Enterprise plans.

This documentation assumes your organization manages user identities using an identity provider.

Datadog strongly recommends that you use a service account application key when configuring SCIM to avoid any disruption in access. For further details, see [using a service account with SCIM](https://docs.datadoghq.com/account_management/scim.md#using-a-service-account-with-scim).

When using SAML and SCIM together, Datadog strongly recommends disabling SAML just-in-time (JIT) provisioning to avoid discrepancies in access. Manage user provisioning through SCIM only.

### Role provisioning behavior{% #role-provisioning-behavior %}

When a SCIM request includes one or more roles, Datadog provisions only the roles that match a role in your organization. If none of the roles match, the user falls back to your organization's default role (Standard). Unmatched roles are logged to [Audit Trail](https://docs.datadoghq.com/account_management/audit_trail.md).

SCIM is the source of truth for role assignment and takes precedence over [SAML role mappings](https://docs.datadoghq.com/account_management/saml/mapping.md#map-saml-attributes-to-datadog-roles). SCIM role provisioning events are recorded in Audit Trail and as StatsD metrics.

Roles follow the SCIM multi-valued attribute convention defined in [RFC 7643](https://www.rfc-editor.org/rfc/rfc7643.html#section-4.1.2). Both Okta and Microsoft Entra ID support this mapping natively, with no custom scripting required. For setup instructions, see the documentation for your identity provider.
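
The following pre-flight check is an added example, not Datadog code: it models the matching and fallback behavior described above so you can see which IdP role values would be dropped before you enable role provisioning. It assumes the role name travels in the `value` sub-attribute and that matching is exact; the role names, users, and function names are constructed for illustration.

```python
"""Pre-flight check for SCIM role mappings (added example, not Datadog code)."""

DEFAULT_ROLE = "Standard"  # fallback role named on the page

def requested_roles(scim_user):
    """Collect role names from the RFC 7643 multi-valued `roles` attribute.

    Assumption: the `value` sub-attribute carries the role name.
    """
    names = []
    for entry in scim_user.get("roles") or []:
        value = entry.get("value") if isinstance(entry, dict) else None
        if isinstance(value, str) and value and value not in names:
            names.append(value)
    return names

def resolve_roles(scim_user, org_roles, default_role=DEFAULT_ROLE):
    """Model the documented behavior: keep matching roles, else fall back.

    Assumption: matching is exact (case and whitespace sensitive), the
    strictest reading, so near-miss names surface as unmatched.
    """
    requested = requested_roles(scim_user)
    matched = [r for r in requested if r in org_roles]
    unmatched = [r for r in requested if r not in org_roles]
    # The page only describes requests that include at least one role.
    fell_back = bool(requested) and not matched
    return {
        "user": scim_user.get("userName"),
        "provisioned": matched or ([default_role] if fell_back else []),
        "unmatched": unmatched,  # the values Audit Trail would record
        "fell_back": fell_back,
    }

def review(users, org_roles):
    """Return only the users who sent at least one unmatched role."""
    results = [resolve_roles(u, org_roles) for u in users]
    return [r for r in results if r["unmatched"]]

# Constructed sample data: role names and users are illustrative only.
ORG_ROLES = {"Admin", "Standard", "Read Only", "sre-oncall"}
USERS = [
    {"userName": "ana@example.com", "roles": [{"value": "Read Only", "primary": True}]},
    {"userName": "bo@example.com", "roles": [{"value": "read only"}]},
    {"userName": "cy@example.com", "roles": [{"value": "sre-oncall"}, {"value": "SRE Oncall"}]},
]

if __name__ == "__main__":
    for finding in review(USERS, ORG_ROLES):
        print(finding)
```

Under these assumptions, the second sample user was meant to be read-only but ends up with the default role, so a mistyped role value changes access instead of blocking it. Review unmatched-role entries in Audit Trail after any change to the IdP role mapping.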

## Using a service account with SCIM{% #using-a-service-account-with-scim %}

To enable SCIM, you must use an [application key](https://docs.datadoghq.com/account_management/api-app-keys.md) to secure the connection between your identity provider and your Datadog account. A specific user or service account controls each application key.

If you use an application key tied to a user to enable SCIM and that user leaves your organization, their Datadog account becomes deprovisioned. That user-specific application key gets revoked, and you permanently break your SCIM integration, preventing users in your organization from accessing Datadog.

To avoid losing access to your data, Datadog strongly recommends that you create a [service account](https://docs.datadoghq.com/account_management/org_settings/service_accounts.md) dedicated to SCIM. Within that service account, create an application key to use in the SCIM integration.

The service account requires at minimum the `user_access_invite` and `user_access_manage` permissions. For the full list of required permissions, see the [SCIM API documentation](https://docs.datadoghq.com/api/latest/scim.md).

## Further Reading{% #further-reading %}

- [Configure SCIM with Azure Active Directory](https://docs.datadoghq.com/account_management/scim/azure.md)
- [Configure SCIM with Okta](https://docs.datadoghq.com/account_management/scim/okta.md)
