SCIM provisioning automates the Zoom user lifecycle — when someone joins your organization and is added to the right Google group or OU, they automatically get a Zoom account. When they leave, their Zoom account is deactivated. No manual account creation, no orphan accounts consuming licenses.
This guide covers SCIM 2.0 setup between Google Workspace and Zoom. For SSO setup (recommended to configure first), see How to set up Zoom SSO with Google Workspace. For the full integration picture, see the Complete Guide to Zoom and Google Workspace.
Prerequisites
- Google Workspace Business Standard, Business Plus, Enterprise, or Education (SCIM is not available on Business Starter)
- Google super admin access
- Zoom Business or Enterprise plan
- Zoom admin account with owner or admin privileges
- SSO configured (recommended but not required) — see SSO setup guide
Step 1: Generate a SCIM Token in Zoom
- Sign in to the Zoom admin portal.
- Go to Advanced > Single Sign-On.
- Scroll to the SCIM section.
- Click Enable SCIM Provisioning if not already enabled.
- Click Generate Token. Copy and save this token — you’ll need it for the Google side.
The token is a bearer token that Google uses to authenticate SCIM API calls to Zoom. Store it securely.
Step 2: Configure Auto-Provisioning in Google Admin
- Sign in to the Google Admin console.
- Go to Apps > Web and mobile apps.
- Find Zoom in your app list (you should have added it during SSO setup). If not, add it first.
- Click on the Zoom app > Auto-provisioning.
- Click Set up auto-provisioning.
- Enter the SCIM credentials:
- API endpoint:
https://api.zoom.us/scim2 - Authorization type: Bearer Token
- Bearer token: Paste the token from Step 1
- API endpoint:
- Click Test connection to verify connectivity.
Step 3: Configure Attribute Mapping
Map Google Workspace attributes to Zoom SCIM attributes:
| Google Workspace Attribute | Zoom SCIM Attribute | Required? |
|---|---|---|
Primary email | userName | Yes |
Primary email | emails[type eq "work"].value | Yes |
First name | name.givenName | Yes |
Last name | name.familyName | Yes |
Department | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.department | No |
Note: Google Workspace’s SCIM provisioning for Zoom is more limited in attribute mapping than Entra ID. The core attributes (email, name) are what matter most — they determine the user’s Zoom profile.
Step 4: Set the Provisioning Scope
Choose which users get provisioned into Zoom:
Option A: By Organizational Unit
- In the Zoom app settings in Google Admin, go to User access.
- Turn on the app for specific organizational units.
- Only users in enabled OUs will be provisioned.
Option B: By Google Group
- In auto-provisioning settings, set the scope to a specific Google group.
- Add users to the group to provision them into Zoom.
- Remove users from the group to deprovision.
Recommendation: Use a dedicated Google group (e.g., zoom-users@yourcompany.com). This gives you fine-grained control independent of your OU structure. You can nest groups — add department groups to the Zoom group to provision entire teams.
Step 5: Enable Provisioning
- Toggle auto-provisioning to On.
- Google begins the initial sync — all users currently in scope will be provisioned into Zoom.
- Monitor the provisioning logs in Google Admin under Reporting > Audit and investigation > Admin log events.
The initial sync may take several minutes to hours depending on the number of users. Subsequent changes (new users, removals) are processed within minutes.
Step 6: Set Default License Type in Zoom
SCIM creates user accounts, but Google’s SCIM connector doesn’t control which Zoom license type is assigned. Configure this on the Zoom side:
Option 1: Default License Type
- In Zoom admin portal, go to Account Management > Account Settings.
- Set Default License Type to your preferred type (e.g., Licensed, Basic).
- All SCIM-provisioned users receive this license automatically.
Option 2: Group-Based Licensing
For different license types by department or role:
- Create Zoom groups (e.g., “Sales — Zoom Phone”, “Engineering — Basic”).
- In each group’s settings, set the license type.
- Use Zoom’s group assignment rules or a manual process to place SCIM-provisioned users into the right group.
Note: There’s no automatic way to map Google group membership to Zoom group membership via SCIM. If you need role-based licensing, you’ll either manage it manually in Zoom or build a custom integration using the Zoom API.
What SCIM Syncs
| Action | What Happens in Zoom |
|---|---|
| User added to scope | New Zoom account created with mapped attributes. User receives welcome email (if configured). |
| User removed from scope | Zoom account deactivated (not deleted). License freed. Meetings preserved. Recordings preserved. |
| User’s name changes in Google | Name updated in Zoom profile on next sync. |
| User’s email changes in Google | Email updated in Zoom (if it’s the primary email attribute). |
| User suspended in Google | User deactivated in Zoom. |
| User deleted in Google | User deactivated in Zoom. |
Deprovisioning Behavior
When a user is removed from the provisioning scope:
- Account status: Deactivated (user cannot sign in)
- Scheduled meetings: Remain in the system but cannot start
- Cloud recordings: Preserved and accessible by admins
- Zoom Phone number: Released back to the pool (if applicable)
- License: Freed for reassignment
- Full deletion: Must be done manually by a Zoom admin if you want to permanently remove the account and data
Common Issues
- “Connection failed” when testing SCIM — The bearer token may have expired or been regenerated. Generate a new token in Zoom’s SSO settings and update it in Google Admin. Also verify the API endpoint is exactly
https://api.zoom.us/scim2(not/scimwithout the2). - Users provisioned but can’t sign in — If SSO isn’t configured, provisioned users need to set a Zoom password via the welcome email. If SSO is configured, verify the user’s email matches in both Google and Zoom. See SSO setup guide.
- Duplicate accounts — If users already had Zoom accounts (e.g., signed up with personal email), SCIM may create a second account. Merge or delete the old account first. SCIM matches on email — ensure the Google primary email matches the existing Zoom account email.
- Deprovisioned user still has access — SCIM deactivation may take a few minutes to propagate. If the user has an active session, it continues until it expires. For immediate access removal, manually deactivate the user in Zoom’s admin portal.
- Wrong license type assigned — SCIM doesn’t control license type. Change the default license type in Zoom’s account settings or manually reassign after provisioning.
- Provisioning logs show errors — Check Google Admin > Reporting > Audit logs. Common errors: token expired (401), user already exists (409), attribute mapping error (400). Fix the specific error and re-trigger by removing/re-adding the user from scope.