Add SCIM Provisioning Support for the Huntress Management Console
Richard Vilhelm Andersen
The Huntress Management Console supports SAML SSO but doesn't support SCIM provisioning, and the gap between those two things is causing a lot of unnecessary pain for anyone running Entra ID as their IdP.
Even with SAML enabled, every new user has to be created manually in the Huntress portal and then accept an email invitation before they can log in. SAML authenticates the account, but it doesn't create it, and there's no JIT provisioning path. That means there's also no real lifecycle integration — when someone leaves and gets disabled in Entra, nothing happens on the Huntress side until an admin remembers to clean it up. For a security product, "we'll get around to it" deprovisioning isn't a great default.
It's also worth pointing out that the SAT (Security Awareness Training) module already supports SCIM, with a documented Entra setup. So the capability clearly exists inside Huntress; it just hasn't been extended to the Management Console, which is the part most partners spend the most time in.
The mandatory invite-email step is also a problem in any environment that follows Microsoft's own guidance to keep privileged identities mailbox-free. If privileged accounts don't have mailboxes — which is a recommended hardening pattern — there's no way to receive or accept a Huntress invite with those accounts. The only workaround is to assign a mailbox to an account that shouldn't have one, which chips away at the very posture Huntress is supposed to help defend, just to get a user onboarded.
What we'd like to see is native SCIM 2.0 support for the Management Console, with Entra ID configuration documented to the same standard as SAT. Concretely:
- Automatic provisioning when a user is added to a designated Entra group
- Automatic deprovisioning when they're removed from the group, disabled, or deleted in Entra
- Group-to-role mapping, or at minimum group-based assignment to the existing Huntress roles (Admin, Security Engineer, User, Read-Only, etc.)
- No email invitation step for SCIM-provisioned users
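To make those four items concrete, here is an added example (not Huntress code, and not a description of any existing Huntress endpoint) of a minimal in-memory SCIM 2.0 target that behaves the way the list asks: a POST to /Users creates a usable account with no invite step, a Replace on `active` (which is what Entra's provisioning service sends when a user is disabled, soft-deleted, or dropped from the assigned group) deprovisions and revokes sessions, DELETE removes the account, and the console role is derived only from group membership via Add/Remove on a group's `members`. The group names, the group-to-role table, and the `sessions_revoked` flag are assumptions for illustration; the request shapes follow the SCIM 2.0 PatchOp message and the forms Entra is documented to send, including the filter-path style of member removal and the string-typed `"False"` that older Entra provisioning behaviour is known to emit for booleans.

```python
import re
import uuid

PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"

# Assumed group-to-role table (group names are hypothetical; roles are the console
# roles named in the request). Ordered: a user in several groups gets the first match.
GROUP_ROLE_MAP = [
    ("Huntress-Admins", "Admin"),
    ("Huntress-Security-Engineers", "Security Engineer"),
    ("Huntress-Read-Only", "Read-Only"),
]


def _to_bool(value):
    """'active' should be a JSON boolean, but some IdP payloads (older Entra
    provisioning behaviour among them) send the strings "True"/"False"."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


class ScimProvisioner:
    """In-memory SCIM 2.0 target covering the lifecycle asked for above."""

    def __init__(self):
        self.users = {}   # id -> {"userName", "active", "role", "sessions_revoked"}
        self.groups = {}  # id -> {"displayName", "members": set of user ids}

    def handle(self, method, path, body=None):
        """Dispatch one SCIM request; returns (http_status, response_body)."""
        m = re.fullmatch(r"/(Users|Groups)(?:/([^/]+))?", path)
        if not m:
            return 404, {"detail": "unknown endpoint"}
        resource, rid = m.group(1), m.group(2)
        if method == "POST" and rid is None:
            return self._create(resource, body or {})
        if method == "PATCH" and rid:
            return self._patch(resource, rid, body or {})
        if method == "DELETE" and rid:
            return self._delete(resource, rid)
        return 405, {"detail": "unsupported"}

    def _create(self, resource, body):
        rid = str(uuid.uuid4())
        if resource == "Users":
            if not body.get("userName"):
                return 400, {"detail": "userName is required"}
            # The account exists as soon as the IdP says so: no invite e-mail to accept.
            self.users[rid] = {"userName": body["userName"], "role": None,
                               "active": _to_bool(body.get("active", True)), "sessions_revoked": False}
            return 201, {"schemas": [USER_SCHEMA], "id": rid, "userName": body["userName"]}
        members = {v["value"] for v in body.get("members", [])}
        self.groups[rid] = {"displayName": body.get("displayName", ""), "members": members}
        self._recompute_roles(members)
        return 201, {"schemas": [GROUP_SCHEMA], "id": rid, "displayName": self.groups[rid]["displayName"]}

    def _patch(self, resource, rid, body):
        if PATCH_OP not in body.get("schemas", []):
            return 400, {"detail": "expected a PatchOp"}
        store = self.users if resource == "Users" else self.groups
        if rid not in store:
            return 404, {"detail": "not found"}
        touched = set()
        for op in body.get("Operations", []):
            kind, path, value = op.get("op", "").lower(), op.get("path"), op.get("value")
            if resource == "Users":
                # Entra sends Replace active=false for disable, soft-delete, and loss of
                # group assignment alike; every one of them means "deprovision now".
                if path == "active":
                    active = _to_bool(value)
                elif path is None and isinstance(value, dict) and "active" in value:
                    active = _to_bool(value["active"])
                else:
                    continue
                store[rid]["active"] = active
                if not active:
                    store[rid]["sessions_revoked"] = True  # kill live sessions, not just future logins
            elif kind == "add" and path == "members":
                ids = {v["value"] for v in value}
                store[rid]["members"] |= ids
                touched |= ids
            elif kind == "remove":
                # Entra removes a single member with a filter path: members[value eq "<id>"]
                filt = re.fullmatch(r'members\[value eq "([^"]+)"\]', path or "")
                ids = {filt.group(1)} if filt else {v["value"] for v in value or []}
                store[rid]["members"] -= ids
                touched |= ids
        self._recompute_roles(touched)
        return 200, {"id": rid}

    def _delete(self, resource, rid):
        store = self.users if resource == "Users" else self.groups
        if rid not in store:
            return 404, {"detail": "not found"}
        members = store[rid].get("members", set())
        del store[rid]
        self._recompute_roles(members)  # deleting a group drops the roles it granted
        return 204, {}

    def _recompute_roles(self, user_ids):
        """Derive the console role purely from current group membership (first match wins)."""
        for uid in user_ids:
            if uid in self.users:
                names = {g["displayName"] for g in self.groups.values() if uid in g["members"]}
                self.users[uid]["role"] = next((r for g, r in GROUP_ROLE_MAP if g in names), None)

    def can_log_in(self, uid):
        """Only an active user holding a group-derived role gets in; there is no invite path."""
        u = self.users.get(uid)
        return bool(u and u["active"] and u["role"])


def walkthrough():
    """Constructed Entra-style request sequence: provision, entitle, then disable."""
    p = ScimProvisioner()
    _, alice = p.handle("POST", "/Users", {"schemas": [USER_SCHEMA], "userName": "alice@example.com"})
    _, grp = p.handle("POST", "/Groups", {"schemas": [GROUP_SCHEMA], "displayName": "Huntress-Admins",
                                          "members": [{"value": alice["id"]}]})
    # The user is disabled in Entra; note the string-typed boolean the handler must tolerate.
    p.handle("PATCH", f"/Users/{alice['id']}", {"schemas": [PATCH_OP],
             "Operations": [{"op": "Replace", "path": "active", "value": "False"}]})
    return p, alice["id"], grp["id"]
```

The point of `can_log_in` is that there is no state in which an account exists but is waiting on a mailbox: either the IdP has placed the user in a mapped group and they are in, or they are not. A real implementation would also need GET with `filter=userName eq "..."` for Entra's pre-create matching and the usual bearer-token check on every request; those are left out here to keep the lifecycle logic in view.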
First-class SCIM integration with the IdP that partners are paying Huntress to help secure should be a baseline expectation at this point, not a feature gap people have to engineer around.