How to Set Up Zoom SCIM Provisioning with Okta

SCIM provisioning automates the Zoom user lifecycle through Okta — new hires get Zoom accounts automatically, departing employees get deactivated, and group-based licensing assigns the right Zoom products to the right people.

This guide covers SCIM setup, group push for license management, and full lifecycle automation. SSO should be configured first — see How to set up Zoom SSO with Okta. For the complete integration picture, see the Complete Guide to Zoom and Okta.

Prerequisites

• Okta account (any edition that supports provisioning)
• Zoom Business or Enterprise plan
• Zoom admin account with owner or admin privileges
• SSO configured (recommended) — see SSO setup guide
• Zoom app already added from the OIN catalog

Step 1: Generate a SCIM Token in Zoom

1. Sign in to the Zoom admin portal.
2. Go to Advanced > Single Sign-On.
3. Scroll to the SCIM section.
4. Click Enable SCIM Provisioning if not already enabled.
5. Click Generate Token. Copy this token immediately — it’s only shown once.
6. Note the SCIM Base URL: https://api.zoom.us/scim2

Store the token securely — you’ll enter it in Okta next.

Step 2: Enable API Integration in Okta

1. In the Okta Admin Console, go to the Zoom app > Provisioning tab.
2. Click Configure API Integration.
3. Check Enable API integration.
4. Enter:
   • SCIM connector base URL: https://api.zoom.us/scim2
   • API Token: Paste the SCIM token from Step 1
5. Click Test API Credentials — should show success.
6. Click Save.

Step 3: Configure Provisioning Actions

On the Provisioning tab, go to To App:

1. Create Users — Enable. Okta creates Zoom accounts when users are assigned to the app.
2. Update User Attributes — Enable. Okta syncs profile changes (name, email, department).
3. Deactivate Users — Enable. Okta deactivates Zoom accounts when users are unassigned or deactivated.
4. Click Save.

Step 4: Configure Attribute Mapping

Go to Provisioning > To App > Attribute Mappings:

Important: Do NOT hardcode a userType value (e.g., “Basic”) in the attribute mappings. Zoom deprecated the Basic license tier in 2025, and hardcoded values cause provisioning failures. Let the Zoom account default license type handle this.

Step 5: Set Default License Type in Zoom

SCIM creates user accounts, but Okta’s SCIM connector doesn’t control which license type is assigned. Set a default:

1. In the Zoom admin portal, go to Account Management > Account Settings.
2. Under New User Default Settings, set the default user type to Licensed.
3. All SCIM-provisioned users receive this license automatically.

For more granular control, use group push (Step 6).

Step 6: Configure Group Push

Group push maps Okta groups to Zoom groups, enabling group-based license management and policy assignment.

Create Zoom Groups

First, create groups in Zoom with the right license types:

1. In the Zoom admin portal, go to User Management > Groups.
2. Create groups like:
   • “Zoom Standard” → Licensed (Meetings + Team Chat)
   • “Zoom Phone Users” → Licensed + Zoom Phone
   • “Zoom CC Agents” → Licensed + Contact Center
3. In each group’s settings, set the license type and product add-ons.

Set Up Group Push in Okta

1. In the Okta Admin Console, go to the Zoom app > Push Groups tab.
2. Click Push Groups > Find groups by name.
3. Search for the Okta group (e.g., “zoom-phone-users”).
4. Choose:
   • Create Group — creates a new group in Zoom with the same name
   • Link Group — link to an existing Zoom group (recommended if you created groups in Step 6.1)
5. Click Save.
6. Repeat for each group mapping.

Example Group Structure

How It Works

• User added to Okta group → pushed to matching Zoom group → receives that group’s license and policies
• User removed from Okta group → removed from Zoom group → reverts to default license

Lifecycle Automation

With SSO + SCIM + Group Push configured, the full user lifecycle is automated:

Onboarding (New Hire)

1. HR creates the user in your HR system (Workday, BambooHR, etc.)
2. Okta’s HR integration creates the Okta account
3. Okta group rules assign the user to the appropriate Zoom group
4. SCIM creates the Zoom account → group push assigns the right license
5. User signs into Zoom via Okta SSO — no separate password needed

Role Change (Transfer)

1. User is moved to a new Okta group (e.g., from Sales to Support)
2. Group push updates their Zoom group membership
3. Zoom license and policies adjust automatically

Offboarding (Departure)

1. HR deactivates the user in the HR system
2. Okta deactivates the Okta account
3. SCIM deactivates the Zoom account:
   • Scheduled meetings are canceled
   • Phone number is unassigned
   • Contact Center agent is removed from queues
   • Cloud recordings are preserved (accessible by admin)
   • License is freed for reassignment

Important: SCIM deactivates but does not delete Zoom accounts. Deactivated accounts retain data. To permanently delete, an admin must do so manually in Zoom.

Step 7: Test the Full Lifecycle

Test User Creation

1. Assign a test user to the Zoom app in Okta (via group or direct assignment).
2. Wait 1-2 minutes (or click “Provision User” for immediate push).
3. Check the Zoom admin portal — the user should appear with the correct license.

Test Attribute Sync

1. Update the test user’s name in Okta.
2. Wait for the next sync cycle (~40 minutes) or trigger a manual push.
3. Verify the name change appears in Zoom.

Test Group Push

1. Add the test user to a Zoom Phone Okta group.
2. Check that the user appears in the corresponding Zoom group and gets Phone features.

Test Deprovisioning

1. Unassign the test user from the Zoom app in Okta.
2. Verify the user is deactivated in Zoom (not deleted — their account should show as “Inactive”).
3. Verify their Zoom license is freed.

Common Issues

• “401 Unauthorized” in Okta provisioning logs — The SCIM token expired or was regenerated. Generate a new token in Zoom’s SSO settings and update it in Okta’s provisioning configuration.
• Users provisioned with wrong license — Check your Zoom account’s default user type setting. Verify group push is working — check the Zoom admin portal to confirm users are in the correct group. If group-based licensing isn’t working, verify the Zoom group has the correct license type assigned.
• Provisioning fails with “user already exists” — A Zoom account with that email already exists (created via self-signup or another method). Options: (1) delete the existing account and re-provision, or (2) unassign/reassign the user in Okta to link to the existing account. Prevent future duplicates by disabling self-signup in Zoom.
• Provisioning breaks after Zoom license tier changes — Zoom deprecated the Basic license in 2025. If your Okta mappings hardcode a userType value of “Basic,” provisioning fails. Remove the hardcoded value and let Zoom’s default license type handle it.
• Group push not syncing members — Verify the Okta group has members and the push status shows “Active.” Check if the Zoom group exists and is correctly linked. Re-push the group if it shows errors.
• SCIM provisioning is slow — Okta’s default interval is ~40 minutes. For immediate testing, use the “Provision User” button on individual users. In production, the 40-minute delay is normal and expected.
• Deprovisioned user still has active sessions — SCIM deactivation may take a few minutes to propagate. Active Zoom sessions continue until they expire. For immediate access removal, manually deactivate the user in Zoom’s admin portal.
• Phone numbers not assigned after provisioning — SCIM creates user accounts but doesn’t configure Zoom Phone settings. Phone number assignment, call handling, and voicemail must be configured separately in Zoom admin or via the Zoom API.