With SCIM (System for Cross-domain Identity Management) groups, you can allow your Identity Provider (IdP) to create and sync groups directly in Intercom. You can then map these synced groups to Intercom roles, which automatically assigns the correct permissions to your teammates.
Syncing group membership ensures that teammate access stays up to date as your teams change, all managed from your IdP. This reduces manual role administration and keeps access current as teams change.
Before you start
Important: There are several prerequisites for setting up SCIM groups:
Before setting up SCIM, SAML SSO should be set up in your workspace.
You will require admin access in your IdP (Okta, Azure AD, OneLogin, Ping, etc.)
Check our plans and pricing to add this to your subscription.
Step 1: Enable SCIM in Intercom
Make sure SAML SSO is enabled.
Open the Provisioning settings, toggle Enable SCIM Provisioning on.
Under "Exclude from deprovisioning and role provisioning", click Add teammates and exclude your own account.
Click Save.
Copy the Base URL and API token to your IdP’s SCIM app.
Important: You must exclude your own account under "Exclude from deprovisioning and role provisioning" to prevent your access from being changed by SCIM.
Step 2: Push Groups from Your IdP
Your IdP can now create and sync groups directly into Intercom.
Push your IdP groups (for example, "Intercom Admins", "Intercom Support", or "Intercom Viewers") to create them in Intercom. Adding or removing teammates from a pushed group in your IdP will update their membership in Intercom.
Note:
Groups are created in an inactive state by default.
Inactive groups are not included in role processing until you activate the group by mapping it to a role. This prevents unintended permission changes during initial setup.
Step 3: Map groups to Intercom roles
Once groups are syncing from your IdP, you can map them to Intercom roles.
In Intercom, go to Settings > Workspace > Teammates > SCIM Provisioning.
Select a synced group from the list.
Assign an Intercom role (for example, "Admin", "Support", "Viewer")
Click Apply changes.
Testing role mapping for SCIM groups
Add a test teammate to a synced group in your IdP and confirm they’ve been assigned the correct role in Intercom.
Move the teammate to a different group in your IdP and confirm their role has been updated automatically in Intercom.
Note: Role changes may take a few minutes to apply and will appear in teammate activity logs.
View audit and activity logs for SCIM‑related events
SCIM‑related events (for example, group and role changes) are recorded in Teammate activity logs, providing an audit trail of who changed what and when.
Best practices for SCIM groups
Use dedicated IdP groups for Intercom roles not general HR groups.
Use group rules to map user membership between HR groups and Sync groups 1:1.
Treat your IdP as the source of truth. Avoid manual role changes in Intercom.
Periodically review group-to-role mappings against your org’s access policies.
Automate group membership in your IdP using rules (e.g.
department = Support→ Intercom Support group).
Need more help? Get support from our Community Forum
Find answers and get help from Intercom Support and Community Experts