Path: From N-able Login to N-able Login with Entra ID

Active Directory authentication in N-central allows users to securely log in using their organization’s existing directory credentials and streamlines access management.

Steps to move N-able Login to N-able Login with Entra IDN-able Login

N-able Login with Entra ID acts as an Identity Provider (IdP), enabling users to securely access multiple applications through a single authentication process. This streamlined approach enhances security, simplifies user experience, and improves efficiency by eliminating the need to log in separately to each application.

Before you begin:

  • Ensure your N-ableN-central instance allows outbound TCP traffic on port 8088 to enable communication with N-able cloud services. Learn More.

  • Note: Switching to N-able Login with Entra ID will change the sign-in experience across all N-able products that use N-able Login.

Set up Entra ID for N-able Login

  1. Log into N-central using N-able Login.

  2. From the top bar Account menu, select Identity providers setup.

  3. In the "Microsoft Entra ID user provisioning" tile, select Setup.

  4. Select Start configuration.

  5. Follow the instructions to set up user provisioning and then click Copy instructions to clipboard.

    This information is displayed once. We recommend that you copy and save it locally. You will need it later if you want to set up Entra ID for auto user provisioning. If lost, you will need to create a support case to retrieve it.

NEXT: Create the N-able user provisioning application

The purpose of the N-able User Provisioning application in Microsoft Entra ID is to connect Entra with N-able systems to enable automated identity synchronization. It simplifies access management by linking user identities between platforms, helping ensure consistency and reducing manual configuration.

This is a beta application in Entra and must be accessed using a special URL. Please use one of the following:

https://entra.microsoft.com/?feature.userProvisioningV2Authentication=true
https://portal.azure.com/?feature.userProvisioningV2Authentication=true

  1. Log into Entra ID using one of the above URLs.

  2. Choose Enterprise applications in the left menu.

  3. Select +New Application in "Enterprise applications | All applications".

  4. Enter N-able in the search bar.

  5. Select N-able User Provisioning from the results.

  6. Enter a descriptive name for the configuration and click Create.

  7. You can now view your application, and it's properties in Enterprise applications.

NEXT: Provision Entra ID users in N-central

After configuring Entra ID, you must assign roles and access groups to the new users in N-central.

After provisioning is complete, N-central will automatically log you out.

There are two types of users in N-central Provisioned Users:

  • Pending users: Assign roles and access groups to complete provisioning.

  • Recently Migrated Users (read only): Users who already had an N-central account with assigned roles and access groups were migrated to Entra ID for authentication when they were added to the Entra enterprise application.

  1. Go to Administration > User Management > Provisioned Users.

  2. From the Pending Users tab, select the users to onboard and click Configure Selected Users.

  3. In the Customer drop-down list, select the customer, and then click NEXT.

  4. Select the User Roles and then choose the users to apply these to in Onboarding Users.

  5. Click APPLY and then click NEXT.

  6. Select the access group and then select the users to apply these to in Onboarding Users.

  7. Click APPLY and then click NEXT.

  8. Review the summary and then click FINISH.

Once complete,N-central will automatically log you out.

NEXT: Test N-able Login with Entra ID

Before fully enabling N-able Login with Microsoft Entra ID in your production environment, it's essential to thoroughly test the integration to ensure authentication, access, and role mapping work as expected.

Testing helps you to:

  • Confirm users can authenticate via Entra ID using N-able Login

  • Validate Single Sign-On (SSO) behavior and Multi-Factor Authentication (MFA)

  • Ensure Entra ID group claims are correctly mapped to N-central roles

  • Identify and resolve potential access issues before a wider roll-out

Category Microsoft Best Practice Alignment in N-central Context
OIDC Configuration Correctly register app, use secure redirect URIs, verify issuer & claims In “Verify OIDC Configuration”
Role & Group Management Use Entra ID security groups for access control In “Validate Role Mapping”
SSO Testing Test SSO flows, ensure seamless redirection, verify token issuance In “Confirm SSO Behavior”
MFA Enforcement Apply MFA policies via Conditional Access In “Confirm MFA Enforcement”
Audit Logging Monitor sign-ins via Entra ID logs In “Monitor Logs and Audit Trails”
Rollback Planning Always retain a break-glass admin account In “Plan for Rollback”
Controlled Deployment Pilot test with limited users before full rollout In “Test in a Controlled Environment”

Testing gives you the confidence that your new identity setup is secure, stable, and ready to support your operational needs. Use the following best practices to guide your testing process and avoid common misconfigurations or service interruptions.

Test in a controlled environment

Before making any changes to live authentication settings, it’s critical to start in a controlled environment. This reduces the risk of locking out users or disrupting workflows. A pilot group allows you to validate your configuration with minimal impact and gather early feedback before rolling it out more broadly.

  • Use a pilot group (e.g., IT team or a small set of technicians) before enabling org-wide.

  • Avoid enabling N-able Login for all users at once.

  • If possible, test in a staging or isolated N-central environment.

Verify OIDC configuration

The connection between N-central and Microsoft Entra ID relies on a properly configured OpenID Connect (OIDC) integration. Ensuring the correct values—such as Client ID, Issuer URL, and Redirect URI—are entered on both ends is essential for a successful authentication handshake.

Confirm the following settings in Microsoft Entra Admin Center:

  • Client ID

    • Redirect URI (must match what's configured in N-central)

  • Issuer URL

    • Claim mappings (especially group claims, if using role mapping)

  • In N-central, double-check that OIDC parameters are:

    • Correctly entered

    • Saved

    • Applied to the correct authentication setting

Test multiple account types

Not all users are the same. Test across a variety of account types to ensure that role assignments, group claims, and login outcomes behave consistently—especially for users in different teams, domains, or MFA configurations. This helps you avoid unexpected access issues after rollout.

Test login with accounts that:

  • Belong to different Entra ID groups

  • Are not in any mapped group (should fail or have no access)

  • Are configured for Multi-Factor Authentication (MFA)

  • Use different domain suffixes (e.g., alias@ vs. primary@)

Validate role mapping

Role-based access in N-central is tied to Entra ID group claims when using N-able Login with federation. Validating that these claims translate into the correct roles within N-central ensures users get the right level of access—and nothing more. Misconfigured role mapping can lead to service gaps or unintended admin access.

  • Ensure each Entra ID group maps to the correct N-central user role.

  • Log in as different users and confirm:

  • Role-based permissions

  • Site access (if restricted)

  • Ability to perform actions like editing rules, running scripts, etc.

Confirm SSO behavior

Single Sign-On (SSO) is designed to simplify the login experience, but only if it's working smoothly. Testing SSO behavior confirms that users are redirected correctly, tokens are processed securely, and login sessions behave as expected across devices and browsers.

  • Test login from different locations (e.g., browser, mobile, different networks).

  • Ensure redirects work properly and authentication returns users to N-central.

  • Validate that SSO session caching behaves as expected (auto-login vs. re-auth).

Confirm MFA enforcement

Multi-Factor Authentication (MFA) adds a layer of security, and Entra ID may enforce it as part of your conditional access policies. Ensuring MFA works properly during login helps you avoid friction during rollout and ensures compliance with security standards.

If MFA is required by Entra ID policy, test:

  • First-time login prompts

  • Token push, SMS, or app-based MFA

  • Recovery scenarios (lost device, backup code)

Monitor logs and audit trails

Monitoring logs is essential during testing and early adoption of N-able Login with Entra ID. Reviewing both N-central logs and Microsoft Entra sign-in logs provides visibility into authentication flows, user activity, and potential misconfigurations. These logs help you

  • Identify and resolve authentication issues such as failed logins, MFA challenges, and token revocations.

  • Track user behavior and access patterns to ensure compliance and detect anomalies.

  • Validate configuration changes during rollout and confirm successful integration with Entra ID.

Use

  • N-central event logs

  • Microsoft Entra Sign-in logs

Look for

  • Login success/failure

  • Claims issues

  • Token expiration problems

Plan for rollback

Even with careful planning, issues can arise. Preparing a rollback plan ensures you can quickly revert to a known-good state, maintain access to N-central, and prevent administrative lockout. A fallback strategy is critical for business continuity during changes to your authentication stack.

  • Keep at least one local N-central admin account active in case SSO fails.

  • Document how to disable N-able Login from the N-central UI or config files (if needed).

  • Do not delete LDAP or local users until new login is proven stable.

Auto-provisioning of N-able Login with Entra ID users streamlines user management by automatically creating and managing user accounts in your N-able environment based on your Entra ID directory.

When enabled, auto-provisioning eliminates the need to manually create users in N-central. Instead, users are provisioned dynamically based on predefined rules and group memberships in Entra ID. This ensures that access is secure, consistent, and aligned with your organization’s identity governance policies.

How It Works

  • Integration with Entra ID: You register N-able Login as an enterprise application in Microsoft Entra ID.

  • Rule-Based Assignment: You assign users or groups to the N-able application in Entra ID. Once assigned, users are automatically created in N-able and can authenticate using their Entra ID credentials.

  • Lifecycle Management: When a user is removed from the assigned group or their account is disabled in Entra ID, their access to N-able is revoked automatically, helping maintain compliance and reduce orphaned accounts.

Benefits

  • Simplified Onboarding: Users gain access without manual setup by IT administrators.

  • Centralized Identity Management: Manage users and access policies directly from Entra ID.

  • Improved Security: Enforce conditional access, MFA, and account lifecycle policies centrally.

  • Scalable: Easily scale access across large, distributed teams with minimal administrative effort.

This integration supports modern identity practices and aligns N-able environments with enterprise cloud security standards.

To streamline user management, you can integrate N-able Login with Entra ID and Set up auto user provisioning (optional).