Microsoft Entra ID (Azure AD) SSO Setup
Complete step-by-step guide to configure SAML-based Single Sign-On between Microsoft Entra ID and NetSuite.
Overview
ENTRA ID SSO ARCHITECTURE
═══════════════════════════════════════════════════════════════════════════════
┌─────────────────────┐ ┌─────────────────────┐ ┌─────────────────────┐
│ │ │ │ │ │
│ USER │ │ MICROSOFT │ │ NETSUITE │
│ │ │ ENTRA ID │ │ │
│ 1. Access NetSuite │ ──────▶ │ │ │ │
│ │ │ 2. Authenticate │ │ │
│ 3. Enter M365 │ ──────▶ │ with MFA │ │ │
│ credentials │ │ │ │ │
│ │ ◀────── │ 4. SAML Assertion │ ──────▶ │ 5. Validate & │
│ │ │ │ │ Grant Access │
│ │ │ │ │ │
└─────────────────────┘ └─────────────────────┘ └─────────────────────┘
Prerequisites
Before You Begin
| Requirement | Details |
|---|---|
| Entra ID License | Any license (Free, P1, P2) |
| Entra Admin Role | Application Administrator or Global Administrator |
| NetSuite Role | Administrator |
| NetSuite Account ID | Found in Setup > Company > Company Information |
| Matching Emails | User emails must match between Entra ID and NetSuite |
Part 1: NetSuite Configuration
Step 1: Enable SAML SSO Feature
- Log in to NetSuite as Administrator
- Navigate to Setup > Company > Enable Features
- Click SuiteCloud subtab
- Check SAML Single Sign-on
- Click Save
Step 2: Get NetSuite SAML Information
- Navigate to Setup > Integration > SAML Single Sign-on
- Note down the following values:
NETSUITE SAML ENDPOINTS
═══════════════════════════════════════════════════════════════════════════════
Entity ID (Audience):
https://system.netsuite.com/saml2/sp/{YOUR_ACCOUNT_ID}/acs
ACS URL (Reply URL):
https://system.netsuite.com/saml2/sp/{YOUR_ACCOUNT_ID}/acs
Metadata URL:
https://system.netsuite.com/saml2/sp/{YOUR_ACCOUNT_ID}/metadata
Example (if Account ID is 1234567):
Entity ID: https://system.netsuite.com/saml2/sp/1234567/acs
ACS URL: https://system.netsuite.com/saml2/sp/1234567/acs
Part 2: Entra ID Configuration
Step 3: Create Enterprise Application
- Sign in to Microsoft Entra admin center
- Navigate to Identity > Applications > Enterprise applications
- Click + New application
- Click + Create your own application
- Enter name: NetSuite SSO
- Select: Integrate any other application you don't find in the gallery (Non-gallery)
- Click Create
Step 4: Configure SAML SSO
- In the NetSuite SSO application, click Single sign-on in left menu
- Select SAML as the single sign-on method
Basic SAML Configuration
Click Edit on the Basic SAML Configuration section:
| Field | Value |
|---|---|
| Identifier (Entity ID) | https://system.netsuite.com/saml2/sp/{ACCOUNT_ID}/acs |
| Reply URL (ACS URL) | https://system.netsuite.com/saml2/sp/{ACCOUNT_ID}/acs |
| Sign on URL | https://system.netsuite.com |
| Relay State | (leave blank) |
| Logout URL | (leave blank) |
Click Save
Step 5: Configure Attributes & Claims
- Click Edit on the Attributes & Claims section
- Configure the following claims:
Required Claim: NameID
| Setting | Value |
|---|---|
| Name identifier format | Email address |
| Source | Attribute |
| Source attribute | user.mail |
Click Save
Additional Claims (Optional but Recommended)
| Claim Name | Source Attribute |
|---|---|
| emailaddress | user.mail |
| givenname | user.givenname |
| surname | user.surname |
Step 6: Download Certificate and Metadata
- Scroll to SAML Certificates section
- Download:
  - Certificate (Base64) - Click Download
  - Federation Metadata XML - Click Download (optional, for reference)
- Note down from Set up NetSuite SSO section:
  - Login URL (IdP SSO URL)
  - Azure AD Identifier (IdP Entity ID)
  - Logout URL (IdP SLO URL)
ENTRA ID SAML ENDPOINTS (Example)
═══════════════════════════════════════════════════════════════════════════════
Login URL:
https://login.microsoftonline.com/{tenant-id}/saml2
Azure AD Identifier:
https://sts.windows.net/{tenant-id}/
Logout URL:
https://login.microsoftonline.com/{tenant-id}/saml2
Part 3: Complete NetSuite Configuration
Step 7: Configure IdP in NetSuite
- Return to NetSuite: Setup > Integration > SAML Single Sign-on
- Enter the following:
| Field | Value |
|---|---|
| Identity Provider Name | Microsoft Entra ID |
| Identity Provider Issuer | Azure AD Identifier from Step 6 |
| Identity Provider Sign-in URL | Login URL from Step 6 |
| Identity Provider Sign-out URL | Logout URL from Step 6 (optional) |
Step 8: Upload IdP Certificate
- Still on SAML configuration page
- Scroll to Identity Provider Certificate section
- Click Upload Certificate
- Select the Certificate (Base64) file downloaded in Step 6
- Click Upload
Step 9: Configure SAML Settings
| Setting | Recommended Value |
|---|---|
| SAML Single Sign-on | Enabled |
| Require SAML SSO for all logins | Start with "No", enable after testing |
| Name ID Format | Email Address |
| Signature Algorithm | RSA-SHA256 |
Step 10: Save Configuration
- Review all settings
- Click Save
Part 4: User Assignment
Step 11: Assign Users in Entra ID
- Return to Entra admin center
- Go to your NetSuite SSO application
- Click Users and groups in left menu
- Click + Add user/group
- Select users or groups to grant access
- Click Assign
USER ASSIGNMENT OPTIONS
═══════════════════════════════════════════════════════════════════════════════
Option 1: Assign Individual Users
┌─────────────────────────────────────────────────────────────────────────────┐
│ Good for: Small deployments, testing │
│ Assign: john.doe@company.com, jane.smith@company.com │
└─────────────────────────────────────────────────────────────────────────────┘
Option 2: Assign Groups
┌─────────────────────────────────────────────────────────────────────────────┐
│ Good for: Large deployments, easier management │
│ Create Entra group: "NetSuite Users" │
│ Assign group to application │
│ Add/remove users from group to control access │
└─────────────────────────────────────────────────────────────────────────────┘
Option 3: All Users (if licensed)
┌─────────────────────────────────────────────────────────────────────────────┐
│ Requires: Entra ID P1/P2 │
│ Configure: Assignment required = No │
│ Result: All authenticated users can access │
└─────────────────────────────────────────────────────────────────────────────┘
Step 12: Verify User Exists in NetSuite
Ensure each assigned user has a matching NetSuite user:
- In NetSuite, go to Lists > Employees > Employees (or Contacts)
- Verify user exists with matching email address
- Verify user has Login Access enabled
- Verify user has appropriate Role(s) assigned
Part 5: Testing
Step 13: Test SSO Login
Method 1: IdP-Initiated (from Entra)
- Go to myapplications.microsoft.com
- Find and click NetSuite SSO
- You should be redirected and logged into NetSuite
Method 2: SP-Initiated (from NetSuite)
- Go to NetSuite login page
- Click Log in with SAML Single Sign-on (if available)
- Or access NetSuite URL directly
- You should be redirected to the Microsoft login page
Step 14: Verify Login
After successful login, verify:
| Check | How to Verify |
|---|---|
| User identity | Check logged-in user name |
| Roles | Verify correct roles appear |
| Permissions | Test access to expected features |
| Audit trail | Check Setup > Users/Roles > Login Audit Trail |
Part 6: Production Rollout
Step 15: Enable Mandatory SSO (Optional)
Once testing is complete:
- Go to Setup > Integration > SAML Single Sign-on
- Set Require SAML SSO for all logins to Yes
- Click Save
Warning: Only enable after thorough testing. Ensure you have a backup admin account or break-glass procedure.
Step 16: Communicate to Users
Notify users of the change:
SSO ROLLOUT COMMUNICATION TEMPLATE
═══════════════════════════════════════════════════════════════════════════════
Subject: NetSuite Login Change - Single Sign-On Enabled
Starting [DATE], NetSuite login will use your Microsoft 365 credentials.
What's changing:
- You'll log in using your company email and password
- Multi-factor authentication (if enabled) will apply
- No separate NetSuite password needed
How to log in:
1. Go to NetSuite or click NetSuite in your Microsoft apps
2. If prompted, sign in with your Microsoft 365 credentials
3. Complete MFA if prompted
Questions? Contact [HELPDESK]
Troubleshooting
Common Errors and Solutions
Error: "User not found"
DIAGNOSIS AND FIX
═══════════════════════════════════════════════════════════════════════════════
Symptom: "SAML user not found in NetSuite"
Cause: Email in SAML assertion doesn't match any NetSuite user
Steps to Fix:
1. Check Entra user's email: Azure Portal > Users > [User] > Email
2. Check NetSuite user's email: Lists > Employees > [Employee] > Email
3. Ensure the two addresses match (the comparison is case-insensitive, so look for typos and extra characters rather than capitalization)
4. Verify NetSuite user has Login Access enabled
Error: "Invalid signature"
DIAGNOSIS AND FIX
═══════════════════════════════════════════════════════════════════════════════
Symptom: "SAML signature validation failed"
Cause: Certificate mismatch or expired certificate
Steps to Fix:
1. Download fresh certificate from Entra ID
2. Re-upload to NetSuite SAML configuration
3. Verify certificate hasn't expired
4. Ensure correct certificate (Base64 format)
Error: "Clock skew"
DIAGNOSIS AND FIX
═══════════════════════════════════════════════════════════════════════════════
Symptom: "SAML assertion time validation failed"
Cause: Time difference between Entra ID and NetSuite servers
Steps to Fix:
1. Usually resolves automatically (NetSuite servers are synced)
2. Wait a few minutes and retry
3. Check if issue persists across multiple users
Error: "ACS URL mismatch"
DIAGNOSIS AND FIX
═══════════════════════════════════════════════════════════════════════════════
Symptom: "Reply URL does not match"
Cause: ACS URL in Entra doesn't match NetSuite expectation
Steps to Fix:
1. Verify account ID in ACS URL
2. Ensure URL format: https://system.netsuite.com/saml2/sp/{ACCOUNT_ID}/acs
3. Check for typos or extra characters
4. Update in Entra ID > Enterprise App > SAML Configuration
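The four errors above correspond to checks NetSuite runs on every incoming assertion. The Go program below is an added example, not part of this guide and not NetSuite's or Microsoft's code: it models those checks on a constructed SAML response, comparing the Recipient and Audience against the ACS URL/Entity ID built from the account ID in Step 2 (1234567, as in the Step 2 example), the Issuer against the Azure AD Identifier entered in Step 7 (an all-zero tenant ID placeholder here), the validity window with a clock-skew tolerance, and the email NameID from Step 5 against a user table representing Step 12. The user list and the response are constructed; signature verification is deliberately left out, since NetSuite performs it against the certificate uploaded in Step 8.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
	"time"
)

// Name identifier format selected in Step 5.
const emailNameIDFormat = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

// Only the parts of a SAML 2.0 Response the checks need; tags carry no namespace,
// so they match the saml:/samlp: prefixed elements by local name.
type samlResponse struct {
	XMLName   xml.Name `xml:"Response"`
	Assertion struct {
		Issuer  string `xml:"Issuer"`
		Subject struct {
			NameID struct {
				Format string `xml:"Format,attr"`
				Value  string `xml:",chardata"`
			} `xml:"NameID"`
			Data struct {
				Recipient    string `xml:"Recipient,attr"`
				NotOnOrAfter string `xml:"NotOnOrAfter,attr"`
			} `xml:"SubjectConfirmation>SubjectConfirmationData"`
		} `xml:"Subject"`
		Conditions struct {
			NotBefore    string   `xml:"NotBefore,attr"`
			NotOnOrAfter string   `xml:"NotOnOrAfter,attr"`
			Audiences    []string `xml:"AudienceRestriction>Audience"`
		} `xml:"Conditions"`
	} `xml:"Assertion"`
}

// spConfig is what NetSuite knows after Steps 2, 6 and 7 (values constructed).
type spConfig struct {
	AccountID string          // NetSuite Account ID (Step 2)
	IdPIssuer string          // Azure AD Identifier, entered as Identity Provider Issuer in Step 7
	Users     map[string]bool // users with Login Access, keyed by lower-cased email (Step 12)
	ClockSkew time.Duration   // tolerance applied to the validity window
}

func (c spConfig) acsURL() string { return "https://system.netsuite.com/saml2/sp/" + c.AccountID + "/acs" }

// validateAssertion returns one finding per problem; an empty slice means accepted.
// Signature verification is out of scope: NetSuite checks it against the Step 8 certificate.
func validateAssertion(raw string, cfg spConfig, now time.Time) []string {
	var resp samlResponse
	if err := xml.Unmarshal([]byte(raw), &resp); err != nil {
		return []string{"malformed SAML response: " + err.Error()}
	}
	a, acs, findings := resp.Assertion, cfg.acsURL(), []string{}
	if strings.TrimSpace(a.Issuer) != cfg.IdPIssuer {
		findings = append(findings, fmt.Sprintf("issuer mismatch: got %q, expected %q", a.Issuer, cfg.IdPIssuer))
	}
	// "ACS URL mismatch": Recipient and Audience must both be this account's ACS URL.
	if a.Subject.Data.Recipient != acs {
		findings = append(findings, fmt.Sprintf("Reply URL does not match: Recipient %q, expected %q", a.Subject.Data.Recipient, acs))
	}
	audienceOK := false
	for _, aud := range a.Conditions.Audiences {
		audienceOK = audienceOK || strings.TrimSpace(aud) == acs
	}
	if !audienceOK {
		findings = append(findings, "audience mismatch: no Audience equals "+acs)
	}
	// "Clock skew": validity window widened by the configured tolerance.
	if nb, err := time.Parse(time.RFC3339, a.Conditions.NotBefore); err != nil || now.Add(cfg.ClockSkew).Before(nb) {
		findings = append(findings, "assertion time validation failed: not yet valid, NotBefore="+a.Conditions.NotBefore)
	}
	for _, exp := range []string{a.Conditions.NotOnOrAfter, a.Subject.Data.NotOnOrAfter} {
		if t, err := time.Parse(time.RFC3339, exp); err != nil || !now.Add(-cfg.ClockSkew).Before(t) {
			findings = append(findings, "assertion time validation failed: expired, NotOnOrAfter="+exp)
			break
		}
	}
	// "User not found": NameID must be the email of a NetSuite user with Login Access.
	if a.Subject.NameID.Format != emailNameIDFormat {
		findings = append(findings, "NameID format "+a.Subject.NameID.Format+" is not email address")
	}
	if email := strings.ToLower(strings.TrimSpace(a.Subject.NameID.Value)); !cfg.Users[email] {
		findings = append(findings, "SAML user not found in NetSuite: "+email)
	}
	return findings
}

// Constructed response for account 1234567 and a placeholder all-zero tenant ID (signature omitted).
const sampleResponse = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">John.Doe@company.com</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2024-05-01T12:05:00Z" Recipient="https://system.netsuite.com/saml2/sp/1234567/acs"/></saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:55:00Z" NotOnOrAfter="2024-05-01T13:00:00Z">
   <saml:AudienceRestriction><saml:Audience>https://system.netsuite.com/saml2/sp/1234567/acs</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
 </saml:Assertion>
</samlp:Response>`

func sampleConfig() spConfig {
	return spConfig{AccountID: "1234567", IdPIssuer: "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
		Users: map[string]bool{"john.doe@company.com": true, "jane.smith@company.com": true}, ClockSkew: 2 * time.Minute}
}
```

Calling validateAssertion(sampleResponse, sampleConfig(), 2024-05-01T12:00:30Z) returns no findings; swapping the account ID in the response produces the "Reply URL does not match" and audience findings from the "ACS URL mismatch" entry, presenting the same response 90 minutes later produces the expiry finding behind "Clock skew", and a NameID that is not in the user table produces "SAML user not found in NetSuite". The Users map is keyed on the lower-cased address, which is why the "User not found" fix above says the comparison is case-insensitive.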
Debug Tools
| Tool | Purpose |
|---|---|
| SAML-tracer (browser extension) | View SAML request/response |
| Entra Sign-in Logs | Check authentication events |
| NetSuite Login Audit | Check NetSuite login attempts |
Advanced Configuration
Conditional Access (Entra ID P1/P2)
Add additional security policies:
CONDITIONAL ACCESS EXAMPLES
═══════════════════════════════════════════════════════════════════════════════
Policy: Require MFA for NetSuite
┌─────────────────────────────────────────────────────────────────────────────┐
│ Assignments: │
│ - Users: All users │
│ - Cloud apps: NetSuite SSO │
│ │
│ Conditions: │
│ - Any location │
│ │
│ Grant: │
│ - Require multi-factor authentication │
└─────────────────────────────────────────────────────────────────────────────┘
Policy: Block access from untrusted locations
┌─────────────────────────────────────────────────────────────────────────────┐
│ Assignments: │
│ - Users: All users │
│ - Cloud apps: NetSuite SSO │
│ │
│ Conditions: │
│ - Locations: All locations except trusted │
│ │
│ Grant: │
│ - Block access │
└─────────────────────────────────────────────────────────────────────────────┘
Session Management
Configure session lifetime in NetSuite:
- Go to Setup > Company > General Preferences
- Set Session Timeout
- SSO sessions respect NetSuite session settings
Maintenance
Certificate Renewal
Entra ID certificates expire annually. Set a reminder to renew:
- Check expiry: Entra admin center > Enterprise Apps > NetSuite SSO > SAML Certificates
- Before expiry:
  - Generate new certificate in Entra ID
  - Download new certificate
  - Upload to NetSuite
  - Test SSO
  - Activate new certificate
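For the "Check expiry" step, the Go program below is an added example (not from this guide, Microsoft or NetSuite) that reads the Certificate (Base64) file downloaded in Step 6, reports the days until NotAfter, flags the certificate when it is inside a renewal window, and prints the SHA-1 thumbprint so the file you upload to NetSuite can be matched against the thumbprint displayed in the Entra SAML Certificates section. Because the real certificate cannot ship with the page, makeSampleCert generates a self-signed stand-in with a chosen validity; with a real download, replace that call with os.ReadFile of the .cer file. The certificate subject, the 30-day window and the file name in the comment are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"strings"
	"time"
)

// certStatus summarises the IdP signing certificate NetSuite currently trusts.
type certStatus struct {
	Subject    string
	NotAfter   time.Time
	DaysLeft   int    // negative once expired
	Thumbprint string // SHA-1 over the DER bytes, upper-case hex
	Renew      bool   // expired, or inside the renewal window
}

// checkSigningCert reads the "Certificate (Base64)" download from Step 6 and
// reports whether it is due for renewal at time now.
func checkSigningCert(pemData []byte, now time.Time, window time.Duration) (certStatus, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return certStatus{}, errors.New("no PEM CERTIFICATE block: use the Base64 download, not the raw one")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return certStatus{}, err
	}
	sum := sha1.Sum(cert.Raw)
	remaining := cert.NotAfter.Sub(now)
	return certStatus{
		Subject:    cert.Subject.String(),
		NotAfter:   cert.NotAfter,
		DaysLeft:   int(remaining.Hours() / 24),
		Thumbprint: strings.ToUpper(hex.EncodeToString(sum[:])),
		Renew:      remaining < window,
	}, nil
}

// makeSampleCert builds a self-signed certificate with the given validity as a
// constructed stand-in for the Entra-issued one, so the example runs offline.
func makeSampleCert(notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Sample Entra SAML signing certificate (constructed)"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	now := time.Now().UTC()
	// With a real download (path is a placeholder): pemData, err := os.ReadFile("netsuite-sso.cer")
	pemData, err := makeSampleCert(now.Add(-24*time.Hour), now.Add(20*24*time.Hour))
	if err != nil {
		panic(err)
	}
	st, err := checkSigningCert(pemData, now, 30*24*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s\n  expires %s (%d days left), thumbprint %s, renew now: %v\n",
		st.Subject, st.NotAfter.Format("2006-01-02"), st.DaysLeft, st.Thumbprint, st.Renew)
	if st.Renew {
		os.Exit(2) // non-zero exit so a scheduled job can raise the reminder
	}
}
```

Run on a schedule against the certificate currently uploaded to NetSuite, the non-zero exit is the reminder this section asks you to set; the 30-day window leaves time to generate, download, upload and test the replacement before the old certificate stops validating assertions.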
User Lifecycle
| Event | Action Required |
|---|---|
| New hire | Create NetSuite user, add to Entra group |
| Termination | Remove from Entra group (immediate access revocation) |
| Email change | Update both Entra and NetSuite |
| Role change | Update NetSuite roles (Entra doesn't control roles) |
Next Steps
- Google Workspace SSO - Alternative IdP setup
- SSO Overview - Return to SSO overview
- OAuth 2.0 - API authentication