Skip to content

NinjaOne SCIM Setup — Per-Client Onboarding Runbook

Overview

This runbook documents the process for setting up NinjaOne SCIM provisioning for a new client tenant. SCIM automatically provisions end user accounts in NinjaOne from Microsoft Entra ID, so users already exist when tickets are created on their behalf.

What this achieves: - Users with M365 Business licenses are automatically provisioned as end users in NinjaOne under the correct client organization - No manual user creation needed when opening tickets - Foundation for future end user portal / self-service ticketing

What this does NOT cover (yet): - End user portal activation (users are provisioned but portal is not enabled) - CIPP-based automation of this process (future)

Prerequisites

Before starting, collect the following:

Item Where to find it Notes
Client email domain Client info e.g. brennwald-heilig.ch
NinjaOne Organization ID NinjaOne → Administration → Organizations → Get OrgId In the context menu for an org
Client Entra ID tenant ID Entra admin center → Overview
Global Admin access to client tenant Via GDAP / Lighthouse Needed for Enterprise App setup
NinjaOne system admin access NinjaOne admin For IDP and SCIM configuration

License requirement: Dynamic groups require Entra ID P1 or higher on the client tenant. Verify before starting — M365 Business Basic/Standard do not include P1 unless separately licensed.

Step 1 — Create Dynamic Entra ID Group in Client Tenant

In the client's Entra admin center, create a new dynamic user group.

Group settings: - Name: NinjaOne-EndUsers (or similar) - Membership type: Dynamic User

Dynamic membership rule:

(user.assignedPlans -any (assignedPlan.servicePlanId -eq "9aaf7827-d63c-4b61-89c3-182f06f82e5c" -and assignedPlan.capabilityStatus -eq "Enabled")) -and (user.accountEnabled -eq true) -and (user.userType -eq "Member") -and -not (user.mail -match "backup|monitor|noreply|service|info")

This targets Exchange Online (Plan 1) as a proxy for M365 Business licenses (Basic, Standard, Premium all include it). Filters out disabled accounts and guests.

Known limitation: Service accounts with Exchange Online (Plan 1) for email sending (e.g. backup systems) may be included if they are enabled Members. A handful of extra end user accounts in NinjaOne is acceptable — remove manually if needed or exclude by UPN pattern if naming is consistent:

... -and -not (user.userPrincipalName -match "backup|monitor|svc-")

Verify group membership looks correct before proceeding.

Step 2 — Create Enterprise App in Client Tenant

In the client's Entra admin center:

  1. Navigate to Applications → Enterprise applications → New application
  2. Create your own application
  3. Integrate any other application you don't find in the gallery (Non-gallery)

This single Enterprise App handles both SSO and SCIM provisioning.

Detailed steps are found in the YouTube walkthrough or the NinjaOne IAM documentation.

Step 4 — Enable SCIM in NinjaOne

  1. On the same Identity Provider page in NinjaOne, find the SCIM section
  2. Click Enable
  3. Activate the Enable SCIM provisioning toggle
  4. Copy and securely store:
  5. SCIM endpoint URL
  6. Bearer token

!!! warning "Token handling" The bearer token is only shown once. Store it in the MSP Key Vault or password manager immediately.

The token expires 6 months after generation. Set a calendar reminder to rotate it before expiry — provisioning stops silently when it expires.

Step 5 — Configure App Roles in Client Tenant

In the client's Entra admin center:

  1. Navigate to Applications → App registrations
  2. Find and open the NinjaOne app registration
  3. Go to App roles → Create app role
  4. Create the following role:
Field Value
Display name EndUser
Allowed member types Both (Users/Groups + Applications)
Value endUser
Description End users that need to access the application
Enabled Yes

Note: NinjaOne creates end user accounts by default if Display Name is not set to "Technician". Case insensitive.

Step 6 — Configure SCIM Provisioning in Enterprise App

In the client's Entra Enterprise App:

  1. Go to Provisioning → Get started
  2. Set Provisioning Mode to Automatic
  3. Enter the SCIM endpoint URL and bearer token from Step 4
  4. Test connection — should succeed
  5. Save

Configure attribute mappings:

Navigate to Provisioning → Attribute mapping → Provision Microsoft Entra ID Users, then click Show advanced options → Edit attribute list for customappsso.

Add a new attribute: - Name: urn:ietf:params:scim:schemas:extension:ninjaone:2.0:User:userType - Type: String - Required: No

Add a new attribute: - Name: urn:ietf:params:scim:schemas:extension:ninjaone:2.0:User:organizationId - Type: String - Required: No

Then add two new mappings:

Mapping 1 — User type: - Mapping type: Expression - Expression: SingleAppRoleAssignment([appRoleAssignments]) - Target attribute: urn:ietf:params:scim:schemas:extension:ninjaone:2.0:User:userType - Match objects: No - Apply this mapping: Always

Mapping 2 — Organization ID: - Mapping type: Expression - Expression:

Switch([companyName], "All", "Brennwald + Heilig AG", "<NinjaOneOrgID>")

Replace <NinjaOneOrgID> with the numeric org ID from NinjaOne. Replace "All" with a fallback — use "All" to assign unmatched users as global end users, or "" to skip them. - Target attribute: urn:ietf:params:scim:schemas:extension:ninjaone:2.0:User:organizationId - Match objects: No - Apply this mapping: Always

!!! warning The companyName value must exactly match what's set in Entra ID user profiles. Verify a few users have the correct companyName attribute set before enabling provisioning.

Step 7 — Assign Group to Enterprise App

In the client's Entra Enterprise App:

  1. Go to Users and groups → Add user/group
  2. Select the dynamic group created in Step 1
  3. Select role: EndUser
  4. Click Assign

Step 8 — Enable Provisioning and Initial Sync

  1. In the Enterprise App → Provisioning, set status to On
  2. Click Provision on demand to test with a single user first
  3. Verify the user appears in NinjaOne under the correct organization
  4. If correct, let the full provisioning cycle run (or click Restart provisioning to trigger immediately)

Monitor progress: - Entra: Enterprise App → Provisioning → Provisioning logs - NinjaOne: Administration → Accounts → Identity Providers → your IDP → # Users count

Verify in NinjaOne: - Users appear under the correct organization (not as global end users) - Account type shows as End User - Count matches expected number of licensed users (minus any filtered service accounts)

If the client has Intune-managed devices:

  1. In NinjaOne: Administration → Apps → Installed → Add app → Microsoft Intune
  2. Click Enable
  3. Navigate to Administration → Devices → Discovery → Intune device discovery
  4. Create a new discovery job:
  5. Sign in with Microsoft (use admin account with Intune access)
  6. Select target NinjaOne organization and location
  7. Select relevant Entra device groups
  8. Run discovery
  9. Once complete, user-to-device assignments are available in NinjaOne

Operational Notes

Token Rotation (every 6 months)

  1. In NinjaOne → Identity Provider → SCIM → regenerate token
  2. Update the token in Entra Enterprise App → Provisioning → Admin credentials
  3. Test connection
  4. Update stored token in Key Vault / password manager
  5. Set new 6-month reminder

Troubleshooting

Symptom Likely cause
Users not appearing Check Entra provisioning logs. Most common: companyName mismatch in Switch expression.
Users appear as global (not org-specific) organizationId mapping not matching — verify companyName attribute on Entra users.
Provisioning stopped Check token expiry date in NinjaOne SCIM settings.
Service accounts included Add UPN exclusion pattern to dynamic group rule or remove manually from NinjaOne.

Client Registry

Client NinjaOne Org ID Email Domain SCIM Token Expiry Entra Tenant ID
Brennwald + Heilig AG brennwald-heilig.ch

Fill in values after setup. Store sensitive values in Key Vault only.