Summary and recommendation
NinjaRMM supports full SCIM provisioning and includes it at no additional cost across all plans, starting from $1.50/device/month. However, the implementation has several operational hurdles: SCIM tokens expire every 6 months requiring manual renewal, you cannot assign system administrator roles via SCIM, and provisioning technicians requires setting a custom "userType" attribute that many IT teams overlook during initial setup.
These limitations create ongoing administrative overhead, particularly the token expiration cycle that can break automated provisioning without warning. For MSPs managing multiple client environments or IT teams running large technician workforces, the inability to provision system administrators via SCIM means maintaining hybrid manual/automated workflows that defeat the purpose of automation.
The strategic alternative
NinjaRMM gates SCIM behind Included. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across the rest of your stack. Stitchflow builds and maintains the IT workflows your team still runs manually, across every app, including the ones without APIs.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Free |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages NinjaRMM accounts manually. Here's what that costs:
The NinjaRMM pricing problem
NinjaRMM gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Standard | $1.50-$8/device/mo |
Plan Structure
| Plan | Price | SCIM |
|---|---|---|
| Standard | $1.50-$8/device/mo | ✓ |
Pricing varies by deployment size: ~$1.50/device/mo at 10,000+ endpoints, scaling up to $8/device/mo for smaller deployments
What this means in practice
While SCIM access itself is included, NinjaOne's implementation requires careful attribute mapping to distinguish between technicians and end users:
The per-device pricing model means provisioning costs scale with your endpoint count, not user count. For MSPs managing multiple client environments, this creates predictable scaling but requires regional SCIM endpoint configuration.
Additional constraints
Summary of challenges
- NinjaRMM supports SCIM but only at Free tier (custom pricing)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What NinjaRMM actually offers for identity
NinjaOne includes SCIM provisioning at no additional cost across all plans, which is refreshingly straightforward for an RMM platform. The identity management bundle includes:
The implementation has some operational quirks typical of specialized RMM platforms. SCIM tokens expire every 6 months requiring manual renewal, you cannot provision system administrators via SCIM (manual setup required), and technician provisioning requires a custom userType attribute. MFA is still enforced for high-risk operations even with SSO enabled.
For MSPs and IT teams already using NinjaOne, the identity features work well within the RMM context. The challenge is that you're locked into their per-device pricing model ($1.50-$8/device/month) regardless of how many actual users need access to manage those devices.
What IT admins are saying
Community sentiment on NinjaOne's SCIM implementation is generally positive, though some specific pain points emerge around setup complexity and ongoing maintenance.
Common feedback from IT administrators:
- SCIM token expiration every 6 months creates unnecessary maintenance overhead
- The custom userType attribute requirement complicates initial setup for MSPs
- Regional SCIM endpoints can cause confusion during configuration
- Cannot provision system administrators via SCIM, requiring manual role assignments
The fact that SCIM is included at all pricing tiers is refreshing compared to other RMM platforms. Most competitors gate this behind enterprise plans.
Token expiration every 6 months is annoying but manageable. At least we're not paying extra for basic provisioning features.
The recurring theme
While NinjaOne includes SCIM without premium pricing, the implementation requires ongoing maintenance and careful attribute configuration that can trip up initial deployments.
The decision
| Your Situation | Recommendation |
|---|---|
| Want SCIM but don't want to manage tokens | Use Stitchflow: avoid the 6-month token renewal hassle |
| Need to provision system administrators via SCIM | Use Stitchflow: NinjaOne's native SCIM can't assign admin roles |
| Using JumpCloud, PingOne, or other non-major IdPs | Use Stitchflow: NinjaOne only supports Okta, Azure AD, OneLogin, Duo |
| Already have NinjaOne + supported IdP setup | Use native SCIM: it's included and well-documented |
| Small MSP with low technician turnover | Manual may work: but monitor for provisioning gaps as you scale |
The bottom line
NinjaRMM gates SCIM behind Included. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Close the NinjaRMM workflow gap
NinjaRMM gates SCIM behind Included, but the bigger issue is the workflow around it. Stitchflow builds and maintains the offboarding, access review, or license workflow underneath.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Free
Prerequisites
SSO must be configured first
Key limitations
- SP-initiated SSO only
- Extra attribute needed for technician provisioning
- Regional SCIM endpoints
- MFA still required for high-risk operations
- SCIM token expires every 6 months
- Cannot assign system administrators via SCIM
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
NinjaOne OIN app recommended for setup. Full SCIM provisioning with group mapping. Custom SAML 2.0 app also supported. SCIM token expires every 6 months. Use urn:ietf:params:scim:schemas:extension:ninjaone:2.0:User:userType attribute to distinguish technicians vs end users.
NinjaRMM gates SCIM behind Included. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Full SCIM provisioning with Microsoft Entra ID. Azure sync cycles run every 20-40 minutes. Custom attributes required: organizationId and userType (endUser or technician). Cannot edit/delete SCIM-managed users in NinjaOne console.
NinjaRMM gates SCIM behind Included. The upgrade may unlock provisioning, but the workflow still has to complete across the rest of your stack.
Close the workflow gap in
NinjaRMM
NinjaRMM gates SCIM behind Included plan. That can unlock provisioning, but it still does not complete the offboarding, access review, or license workflow across your stack.
Start with the free gap diagnostic
