ScopeMantle is SOC 2 Type II in progress. Read our trust commitments →

Built for IT admins and SecOps

Discover, deprovision, and close the loop on every connected SaaS.

ScopeMantle gives IT and SecOps a continuous inventory of every third-party OAuth grant in the tenant, plus the SCIM-cascade machinery to actually revoke them. Deprovisioning finishes; shadow SaaS gets surfaced; the tenant gets quieter.

When IT inherits the security audit, they need tooling that doesn't add operational drag. ScopeMantle is read-only by default, action-on-demand, and integrates with the IdP your team already runs.

What gets in the way today

The shape of the problem.

Deprovisioning doesn't actually finish

Identity-side offboarding is solved. SaaS-side offboarding isn't. Departed employees retain access to docs, calendars, and shared drives through third-party app sessions that the IdP didn't touch.

Shadow SaaS is detected but not actionable

Existing tools surface a list of unsanctioned SaaS. IT can't do anything with the list without OAuth-grant-level revocation. ScopeMantle gives IT both halves.

Audit findings turn into endless tickets

Every security audit closes with 'review and revoke OAuth grants' as an open finding. IT inherits the work, with no automation. ScopeMantle automates the revocation loop end-to-end.

What ScopeMantle does

Capabilities that map to the work.

Shadow-SaaS discovery

Every OAuth grant in the tenant, regardless of whether IT sanctioned it. Cross-referenced against the SaaS catalog so 'sanctioned-but-mis-scoped' is distinguished from 'shadow-and-risky'.

SCIM cascade revoke

One-click revoke pushes through to every connected SaaS. Departed-employee tokens cleaned up in seconds, not days. Re-appearing grants flagged for review.

Audit-finding cleanup workflow

Bulk revoke filtered by scope, vendor, or risk score. Evidence collected per action. The 'review and revoke OAuth grants' finding closes with a one-line audit trail instead of a 3-week ticket queue.

What you can do this week

A concrete starting point, not a roadmap.

  • Connect your IdP (Google Workspace, Microsoft 365, or Okta) in read-only inventory mode.
  • Pick a recently departed employee and run a 'show me everything they still have access to' query.
  • Test SCIM cascade revoke on a single low-risk vendor.
  • Schedule a weekly review of new high-risk OAuth grants for your SecOps team.
  • Wire ScopeMantle's event stream into your existing SIEM or ticketing system.

Audit the drift. Govern the grants. Close the loop.

First inventory in 15 minutes. SSO and SCIM out of the box. SOC 2 Type II in progress.

About ScopeMantle

ScopeMantle is an OAuth-grant audit and DSAR-automation platform for mid-market SaaS companies, sold primarily through an open MSSP partner program (70/30 wholesale split, deal registration, no direct-sale conflict in partner territories) and secondarily direct. Built in 2026.
