Applies to:
ExtendInsights (NetSuite Edition)
ExtendSync (NetSuite Edition) for Gmail and Outlook
Overview
This guide covers everything you need to successfully log in to NetSuite from any CloudExtend App.
CloudExtend supports all major NetSuite authentication flows, including Two-Factor Authentication (2FA), SAML Single Sign-On (SSO), Token-Based Authentication (TBA), and Basic Credentials.
CloudExtend NetSuite Login Flow Overview
Logging in to CloudExtend
At the login screen, choose Google or Microsoft.
The Google or Microsoft email you use must match the email address assigned to your license by your CloudExtend admin.
Once signed in to CloudExtend, you’ll be prompted to create connections to one or more NetSuite accounts and roles.
You can connect to unlimited NetSuite accounts and switch roles easily without logging out.
Even if your NetSuite login email differs from your Google/Microsoft email, the connection will work once established.
NetSuite Account Prerequisites
The connection flow supports all NetSuite login flows out of the box without the administrative overhead of managing tokens.
Two-Factor Authentication
SAML Single Sign-On
Token-Based Authentication
Basic User Credentials
NetSuite Account Number
To use the login flow, you will need your NetSuite Account Number. You can find it in the URL while you are logged in to NetSuite in a browser.
End-User Permissions
Step 1: Enable the user preference Rich Text Editing (For Outlook and Gmail)
In NetSuite, go to Home > Set Preferences > Appearance.
Enable Rich Text Editing.
While this is not required, we have found that certain emails with HTML may transfer as blank, or with all of the HTML markup showing, if this setting is not enabled at the user level. This may result in a NetSuite error, such as the message field containing more than the maximum number (1000000) of characters allowed.
Step 2: Verify the Role Is Not “Web Services Only”
Go to Setup > Users/Roles > Manage Roles.
Confirm that the Web Services Only Role option is OFF.
Step 3: General Permissions to be set per Role
Your NetSuite Admin must configure the following permissions for the roles you plan to use when logging in through CloudExtend.
In NetSuite, go to Setup → Users/Roles → Manage Roles, then select the role to update.
Required Permissions
| Permission | Details / Purpose |
| --- | --- |
| SOAP Web Services | Required for API communication between CloudExtend and NetSuite. |
| User Access Tokens | Required to generate tokens automatically during login. |
| SAML Single Sign-On | Enable only if your company uses SSO (Okta, OneLogin, Microsoft Entra ID, etc.). |
| Allow JS/HTML Uploads | Required for users uploading |
| Log in using Access Tokens | Adds additional token authentication capability. |
| Documents and Files | Recommended for ExtendDocs users: Full. Minimum: Create. |
| Track Messages | Recommended for ExtendDocs users: Full. |
| Celigo Send from Outlook Email Config | Needed to enable Send from Outlook functionality. |
Permissions by Tab
Setup Tab
SOAP Web Services
User Access Tokens
SAML Single Sign-On
Allow JS/HTML Uploads
Log in using Access Tokens
Lists Tab
Documents and Files
Track Messages
Custom Record Tab
Celigo Send from Outlook Email Config
Does your organization use Custom fields?
If your organization uses custom fields, ensure permissions are added for them:
Outlook and Gmail Apps: Add Custom Field Permissions per role.
Excel Apps: Add Custom Field Permissions per role.
🚨 Important Note About NetSuite’s Basic Credential Deprecation
NetSuite has deprecated support for logins using basic credentials (username and password).
Users should only click “Connect to NetSuite” in CloudExtend, which initiates NetSuite’s secure three-step authorization flow.
If you encounter login issues, ask your admin to ensure that your role has User Access Tokens permission enabled.
Confused?
If you're not sure what any of this means, don't worry about it. Your Admin will understand and can help set this up. Click here to send them an email request or share this article with them.
How to Log In to NetSuite from CloudExtend
Step 1: Go to Menu and select Connection.
Step 2: Click Add, then enter your NetSuite account ID and click Connect to NetSuite.
➡️ Learn how to find your NetSuite account ID here.
Step 3: Enter your NetSuite credentials. Select the role you want to log in with and hit Allow.
Step 4: Click Yes. Now, you have a new connection in CloudExtend.
🚨 IMPORTANT
You will be logged out of your current NetSuite session the first time you log in. Don't worry, though: once logged in, you'll be able to have both sessions active at the same time. As long as you don't log out of CloudExtend, you won't need to enter your credentials again, even if your password expires.
Authorization Flow Error
If you see the error message:
“Cannot continue this authorization flow. Your current role has insufficient permission.”
Your NetSuite role likely does not have the User Access Tokens permission.
Ask your admin to enable it, then try logging in again.
➡️ Troubleshooting Guide: How to Enable User Access Tokens
Additional Troubleshooting
If your user is receiving an unexpected two-factor authentication prompt and you have not explicitly required two-factor authentication for their role, please note that NetSuite enforces two-factor authentication when certain permissions are enabled for the role.
➡️ See this NetSuite article for the full list of permissions that trigger 2FA.








