Summary and recommendation
NinjaRMM supports full SCIM provisioning and includes it at no additional cost across all plans, starting from $1.50/device/month. However, the implementation has several operational hurdles: SCIM tokens expire every 6 months requiring manual renewal, you cannot assign system administrator roles via SCIM, and provisioning technicians requires setting a custom "userType" attribute that many IT teams overlook during initial setup.
These limitations create ongoing administrative overhead, particularly the token expiration cycle that can break automated provisioning without warning. For MSPs managing multiple client environments or IT teams running large technician workforces, the inability to provision system administrators via SCIM means maintaining hybrid manual/automated workflows that defeat the purpose of automation.
The strategic alternative
NinjaRMM gates SCIM behind Included. Skip the Included plan upgrade and automate complete outcomes across your stack. We maintain the integration layer underneath. You focus on judgment, not plumbing.
Quick SCIM facts
| SCIM available? | Yes |
| SCIM tier required | Free |
| SSO required first? | Yes |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Official docs |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ✓ | OIN app with full provisioning |
| Microsoft Entra ID | ✓ | ✓ | Gallery app with SCIM |
| Google Workspace | ✓ | JIT only | SAML SSO with just-in-time provisioning |
| OneLogin | ✓ | ✓ | Supported |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages NinjaRMM accounts manually. Here's what that costs:
The NinjaRMM pricing problem
NinjaRMM gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Standard | $1.50-$8/device/mo |
Plan Structure
| Plan | Price | SCIM |
|---|---|---|
| Standard | $1.50-$8/device/mo | ✓ |
Pricing varies by deployment size: ~$1.50/device/mo at 10,000+ endpoints, scaling up to $8/device/mo for smaller deployments
What this means in practice
While SCIM access itself is included, NinjaOne's implementation requires careful attribute mapping to distinguish between technicians and end users:
The per-device pricing model means provisioning costs scale with your endpoint count, not user count. For MSPs managing multiple client environments, this creates predictable scaling but requires regional SCIM endpoint configuration.
Additional constraints
Summary of challenges
- NinjaRMM supports SCIM but only at Free tier (custom pricing)
- Google Workspace users get JIT provisioning only, not full SCIM
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What NinjaRMM actually offers for identity
NinjaOne includes SCIM provisioning at no additional cost across all plans, which is refreshingly straightforward for an RMM platform. The identity management bundle includes:
The implementation has some operational quirks typical of specialized RMM platforms. SCIM tokens expire every 6 months requiring manual renewal, you cannot provision system administrators via SCIM (manual setup required), and technician provisioning requires a custom userType attribute. MFA is still enforced for high-risk operations even with SSO enabled.
For MSPs and IT teams already using NinjaOne, the identity features work well within the RMM context. The challenge is that you're locked into their per-device pricing model ($1.50-$8/device/month) regardless of how many actual users need access to manage those devices.
What IT admins are saying
Community sentiment on NinjaOne's SCIM implementation is generally positive, though some specific pain points emerge around setup complexity and ongoing maintenance.
Common feedback from IT administrators:
- SCIM token expiration every 6 months creates unnecessary maintenance overhead
- The custom userType attribute requirement complicates initial setup for MSPs
- Regional SCIM endpoints can cause confusion during configuration
- Cannot provision system administrators via SCIM, requiring manual role assignments
The fact that SCIM is included at all pricing tiers is refreshing compared to other RMM platforms. Most competitors gate this behind enterprise plans.
Token expiration every 6 months is annoying but manageable. At least we're not paying extra for basic provisioning features.
The recurring theme
While NinjaOne includes SCIM without premium pricing, the implementation requires ongoing maintenance and careful attribute configuration that can trip up initial deployments.
The decision
| Your Situation | Recommendation |
|---|---|
| Want SCIM but don't want to manage tokens | Use Stitchflow: avoid the 6-month token renewal hassle |
| Need to provision system administrators via SCIM | Use Stitchflow: NinjaOne's native SCIM can't assign admin roles |
| Using JumpCloud, PingOne, or other non-major IdPs | Use Stitchflow: NinjaOne only supports Okta, Azure AD, OneLogin, Duo |
| Already have NinjaOne + supported IdP setup | Use native SCIM: it's included and well-documented |
| Small MSP with low technician turnover | Manual may work: but monitor for provisioning gaps as you scale |
The bottom line
NinjaOne includes SCIM at every tier, but the 6-month token expiration and inability to provision system administrators create operational overhead. For MSPs that want set-and-forget provisioning automation without token management, Stitchflow eliminates these friction points.
Make NinjaRMM workflows AI-native
NinjaRMM gates SCIM behind Included. We build complete offboarding, user access reviews, and license workflows without that SCIM Tax upgrade.
Technical specifications
SCIM Version
2.0
Supported Operations
Create, Update, Deactivate, Groups
Supported Attributes
Not specifiedPlan requirement
Free
Prerequisites
SSO must be configured first
Key limitations
- SP-initiated SSO only
- Extra attribute needed for technician provisioning
- Regional SCIM endpoints
- MFA still required for high-risk operations
- SCIM token expires every 6 months
- Cannot assign system administrators via SCIM
Configuration for Okta
Integration type
Okta Integration Network (OIN) app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
SCIM endpoint URL and bearer token (generated in app admin console).
Configuration steps
Enable Create Users, Update User Attributes, and Deactivate Users.
Provisioning trigger
Okta provisions based on app assignments (users or groups).
NinjaOne OIN app recommended for setup. Full SCIM provisioning with group mapping. Custom SAML 2.0 app also supported. SCIM token expires every 6 months. Use urn:ietf:params:scim:schemas:extension:ninjaone:2.0:User:userType attribute to distinguish technicians vs end users.
NinjaRMM gates SCIM behind Included. Stitchflow automates complete workflows without that SCIM Tax upgrade.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app with SCIM provisioning
Prerequisite
SSO must be configured before enabling SCIM.
Where to enable
Required credentials
Tenant URL (SCIM endpoint) and Secret token (bearer token from app admin console).
Configuration steps
Set Provisioning Mode = Automatic, configure SCIM connection.
Provisioning trigger
Entra provisions based on user/group assignments to the enterprise app.
Sync behavior
Entra provisioning runs on a scheduled cycle (typically every 40 minutes).
Full SCIM provisioning with Microsoft Entra ID. Azure sync cycles run every 20-40 minutes. Custom attributes required: organizationId and userType (endUser or technician). Cannot edit/delete SCIM-managed users in NinjaOne console.
NinjaRMM gates SCIM behind Included. Stitchflow automates complete workflows without that SCIM Tax upgrade.
Unlock SCIM for
NinjaRMM
NinjaRMM gates SCIM behind Included plan. We automate complete offboarding and access reviews across your stack without that SCIM Tax upgrade.
See how it works
