Identify existing users that were provisioned by SCIM
Release notes
Problem to solve
When we first started supporting SCIM, we didn't have a way to identify users that had been provisioned by SCIM. Now we do, with the provisioned_by_group_id attribute. This attribute will be critical to allowing enterprises to have more control over users as part of the Enterprise Users (&4786) epic.
This issue is related to, but not a duplicate of #322039 (closed). Users who were provisioned by SCIM before the attribute was available could go through the enterprise claim process. However, those accounts would not have a local password and would need to go through the password reset process to complete the transition to an enterprise/provisioned account. Additionally, they would likely also receive an email notifying them of the transition, which might be confusing for the user.
Instead, we should create a database migration that marks a user as provisioned by a group if the user creation timestamp, SAML identity timestamp, and SCIM identity timestamp all match. This is an indicator that the user was provisioned by SCIM since all of those records are created in a transaction.
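The matching rule above, as an added sketch that is not GitLab's migration code: it runs the three-way timestamp comparison over constructed rows in an in-memory SQLite database. The table layout is a simplified stand-in (only provisioned_by_group_id comes from this issue), and the requirement that the SAML and SCIM identities name the same group is an extra guard assumed here, not stated in the issue.

```python
import sqlite3

# Simplified stand-in schema (assumption), not GitLab's real tables.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, created_at TEXT, provisioned_by_group_id INTEGER);
CREATE TABLE saml_identities (user_id INTEGER, group_id INTEGER, created_at TEXT);
CREATE TABLE scim_identities (user_id INTEGER, group_id INTEGER, created_at TEXT);
"""
# Constructed sample rows.
USERS = [
    (1, "2020-03-01 10:00:00", None),  # provisioned by SCIM before the attribute existed
    (2, "2019-06-01 09:00:00", None),  # registered first, SAML/SCIM linked later
    (3, "2021-01-05 08:30:00", 7),     # already marked, must be left alone
    (4, "2020-04-02 12:00:00", None),  # timestamps match, identities name different groups
]
SAML = [(1, 42, "2020-03-01 10:00:00"), (2, 42, "2019-08-15 14:00:00"),
        (3, 42, "2021-01-05 08:30:00"), (4, 42, "2020-04-02 12:00:00")]
SCIM = [(1, 42, "2020-03-01 10:00:00"), (2, 42, "2019-08-15 14:00:00"),
        (3, 42, "2021-01-05 08:30:00"), (4, 43, "2020-04-02 12:00:00")]

# All three created_at values must be equal; the group equality is an added guard.
MATCH_SQL = """
SELECT u.id, scim.group_id
FROM users u
JOIN scim_identities scim ON scim.user_id = u.id
JOIN saml_identities saml ON saml.user_id = u.id AND saml.group_id = scim.group_id
WHERE u.provisioned_by_group_id IS NULL
  AND scim.created_at = u.created_at
  AND saml.created_at = u.created_at
"""

def backfill(conn):
    """Mark matching users and return {user_id: group_id} for the rows changed."""
    matches = conn.execute(MATCH_SQL).fetchall()
    with conn:  # commit the updates as one transaction
        conn.executemany(
            "UPDATE users SET provisioned_by_group_id = ? "
            "WHERE id = ? AND provisioned_by_group_id IS NULL",
            [(group_id, user_id) for user_id, group_id in matches])
    return dict(matches)

def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    conn.executemany("INSERT INTO saml_identities VALUES (?, ?, ?)", SAML)
    conn.executemany("INSERT INTO scim_identities VALUES (?, ?, ?)", SCIM)
    changed = backfill(conn)
    return changed, dict(conn.execute("SELECT id, provisioned_by_group_id FROM users"))

if __name__ == "__main__":
    print(demo())
```

Only user 1 is marked: user 2's identities were created after the account, user 3 already carries a value, and user 4 fails the added group check.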