NinjaOne Identity Access Management (IAM): Configure Security Assertion Markup Language for Microsoft Entra ID

Topic

This guide explains how to use Microsoft Entra ID to set up Security Assertion Markup Language (SAML) with NinjaOne.

Environment

  • NinjaOne IAM
  • Microsoft Entra ID

Description

Single sign-on (SSO) allows technicians to access the NinjaOne application using a single set of login credentials from their preferred identity provider (IDP). NinjaOne uses SAML as the authentication standard. You can use SSO with both the standard and branded NinjaOne web applications.

You can use any IDP that supports SAML 2.0. This guide provides instructions on setting up SSO with Entra ID as the example IDP.

NinjaOne supports both Service Provider-initiated (SP) and IDP-initiated workflows. 

  • Service Provider (SP) initiated workflow: You navigate to NinjaOne to log in and are forwarded to the identity provider to authenticate the session.
  • Identity Provider (IDP) initiated workflow: You navigate to your identity provider to log in, click the NinjaOne app tile, and NinjaOne is launched.

Configuring NinjaOne SAML in Microsoft Entra

Before you can set up SSO for your users, you must configure SAML for the IDP. To do so, perform the following steps: 

  1. Navigate to your Microsoft Entra admin center. Click the Entra ID drop-down menu in the sidebar and then click Enterprise apps.
  2. From the Enterprise applications screen, click New application.
Figure 1: Create a new application in the Microsoft Entra admin center
  3. Click Create your own application.
  4. You will be prompted to enter a name for the application. We recommend using the name "NinjaOne."
  5. Select the option to Integrate any other application you don't find in the gallery. Then, click Create.
Figure 2: Integrate your new application
  6. On the next screen, select Assign users and groups.
Figure 3: Assign users and groups to your enterprise application
  7. Click Add user/group. Select the target users or groups and then click Assign.

    We recommend assigning groups if you intend to provision users in NinjaOne via System for Cross-domain Identity Management (SCIM). You can map Entra groups to NinjaOne roles.
  8. Return to the overview page for the next step.

Setting up SSO in Entra ID

Ensure that the account you use to sign into NinjaOne is assigned access to the enterprise app in Entra ID. The test connection requires a successful SAML reply. 

To set up SSO for your Entra IDP, perform the following steps: 

  1. On the Overview page of the new NinjaOne enterprise app that you created in the previous section of this article, click Set up single sign on.
Figure 4: Set up single sign-on in Microsoft Entra
  2. Select SAML as the single sign-on method. You will be redirected to the Single sign-on properties.
  3. Click Edit in the Basic SAML Configuration section.
  4. In a separate browser tab, log in to NinjaOne as a system administrator. Navigate to Administration → Accounts → Identity providers and click Add provider.
Figure 5: Add a new identity provider in NinjaOne
  5. Provide a display name and set the email domains as needed.
  6. Copy the SP Identifier (entity ID) and all Reply URLs.
Figure 6: Copy the IDP reply URL and SP identifier from NinjaOne
  7. Return to the Microsoft Entra admin center. Click Add identifier for the Identifier (Entity ID) field and paste the SP identifier (entity ID) from NinjaOne.
  8. Click Add reply URL for the Reply URL (Assertion Consumer Service URL) field and paste the Reply URL from NinjaOne.
    1. Optionally, you can configure SSO with your branded NinjaOne site. Click Add reply URL again and add the branded Reply URL.
    2. Select one of the Reply URLs as the Default. The default URL will be the landing page for IdP-initiated logins.
Figure 7: Paste the IDP reply URL and SP identifier from NinjaOne
  9. Scroll down to the SAML Certificates section of the Single sign-on tab and click the copy button for App Federation Metadata Url. This will be needed for the configuration in NinjaOne.
Figure 8: Copy the metadata in Microsoft Entra
  10. Return to the IDP page in NinjaOne. Paste the App Federation Metadata URL into the Import metadata from field as a URL.
Figure 9: Paste the metadata in NinjaOne
  11. Configure conditional MFA bypass, IdP-initiated login, and strict SAML as needed.
  12. Test the connection and then click Save when the connection is successful.

Assigning Users to Authenticate via SSO

User accounts can have their authentication type manually set via the All users page in bulk, in a user’s security settings (during user update and user creation), or automatically via SCIM provisioning. Below are the steps to modify the authentication type via the All users page.

  1. In NinjaOne, navigate to Administration → Accounts → All users and select the checkbox for one or more technicians or end users.
  2. Click Actions → Change authentication.
Figure 10: Change authentication method for a NinjaOne account
  3. Select Single Sign-On (SSO) from the Change authentication type modal.
  4. Click Update to save changes.

Common Configuration Issues

By default, NinjaOne uses the user.userprincipalname attribute to match a NinjaOne user to their account in Entra ID. If this attribute value does not match the NinjaOne username (email address), consider updating the Unique User Identifier (Name ID) to user.mail, user.othermail, or any attribute that will match an account’s NinjaOne username.

To adjust the unique user identifier in Entra ID:

  1. Navigate to the enterprise application in Entra → Single sign-on → Attributes & Claims and click Edit.
  2. Click Unique User Identifier (Name ID).
  3. Set the Source attribute to an attribute that will match each user's NinjaOne username (email address).
  4. Click Save.
Figure 11: Change unique user identifier in Entra ID
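When the Name ID does not match, the quickest way to see what Entra actually sent is to decode the SAML response from a browser trace and compare its NameID and attribute claims with the NinjaOne username. The script below is an added example (not NinjaOne or Microsoft code) that does that comparison and reports which emitted claim would have matched, together with the Entra source attribute behind it. The embedded response is constructed (signature elements omitted, tenant ID a placeholder): its NameID carries the UPN while the user's NinjaOne username is their mail address, which is exactly the mismatch described above. The case-insensitive comparison is this example's assumption about how usernames are matched.

```python
# Added example (not NinjaOne's or Microsoft's code): decode the identity a SAML
# response carries and report which Entra claim would match a NinjaOne username.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Claim names a default Entra SAML app emits, mapped to the Entra source
# attribute feeding each one, so the report can say what to pick for Name ID.
CLAIM_TO_SOURCE = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "user.userprincipalname",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "user.mail",
}

# Constructed SAML response: Name ID still uses the UPN while the user's
# NinjaOne username is their mail address. Signature elements are omitted;
# this example inspects content only and does not verify signatures.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">
  <saml:Assertion ID="_constructed-assertion" Version="2.0">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@contoso.onmicrosoft.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <saml:AttributeValue>jdoe@contoso.onmicrosoft.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>Jane.Doe@contoso.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def normalize(value: str) -> str:
    # E-mail usernames are compared case-insensitively here (an assumption about
    # how the SP matches); stray whitespace from copy/paste is dropped too.
    return (value or "").strip().casefold()


def extract_identity(response_xml: str) -> dict:
    """Return the NameID (value and format) and every attribute/value pair in the assertion."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response contains no plain Assertion (encrypted assertions need decrypting first)")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "issuer": (assertion.findtext("saml:Issuer", default="", namespaces=NS) or "").strip(),
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "attributes": attrs,
    }


def diagnose(response_xml: str, ninja_username: str) -> dict:
    """Say whether the NameID matches the NinjaOne username and, if not, which
    emitted claim does, together with the Entra source attribute behind it."""
    ident = extract_identity(response_xml)
    matches = normalize(ident["name_id"]) == normalize(ninja_username)
    candidates = []
    for claim, values in ident["attributes"].items():
        if any(normalize(v) == normalize(ninja_username) for v in values):
            candidates.append((claim, CLAIM_TO_SOURCE.get(claim, "custom claim")))
    return {"name_id": ident["name_id"], "name_id_matches": matches, "matching_claims": candidates}


if __name__ == "__main__":
    report = diagnose(SAMPLE_RESPONSE, "jane.doe@contoso.com")
    print(f"NameID sent: {report['name_id']}  matches NinjaOne username: {report['name_id_matches']}")
    for claim, source in report["matching_claims"]:
        print(f"  would match via claim {claim.rsplit('/', 1)[-1]} -> set Name ID source to {source}")
```

For the constructed response the report says the NameID (the UPN) does not match, and that the emailaddress claim does, so setting the Name ID source attribute to user.mail is the fix; that is the same change the steps above make in the Entra portal.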

When using IdP-initiated login, users can access the NinjaOne enterprise app via the app tile in their My Apps dashboard and the O365 App Launcher. If the app tile is missing, you may need to enable app visibility; to do so, perform the following steps.

  1. Navigate to the enterprise application in the Entra admin center and open the Properties page.
  2. Set Visible to users to Yes.
  3. Click Save.
Figure 12: Make the app visible to users

Additional Resources

Use the following resource to learn more about configuring SAML for NinjaOne: Security Assertion Markup Language (SAML) – NinjaOne Dojo.