Enabling Microsoft Entra ID authentication in the classic M-Files Cloud

Important information

In the classic M-Files Cloud, follow these instructions to set all M-Files clients to use Microsoft Entra ID authentication.
- Before you set up this feature, log out of all Entra ID accounts that are not used for logging in to M-Files.
In the new M-Files Cloud and on-premises environment, do not follow the instructions given here.
- In the new M-Files Cloud, Entra ID is automatically configured for vaults created in M-Files Cloud. If the vault has been migrated from the classic M-Files Cloud, manual configuration is usually not necessary. For more information, refer to Setting up federated authentication in M-Files Manage User Guide. If the vault has been migrated from on-premises, see M-Files Cloud Requirements.
- In an on-premises environment, this configuration enables Entra ID authentication only for M-Files Desktop. Instead, refer to Configuring Vault Authentication with Microsoft Entra ID in On-Premises Environments for an example configuration and to Configuring OpenID Connect and OAuth 2.0 for M-Files Authentication for more information.

To enable Entra ID authentication for an M-Files Cloud vault:

Open M-Files Admin and go to a vault.
1. Open M-Files Admin.
2. In the left-side tree view, expand an M-Files server connection.
3. Expand Document Vaults.
4. Expand a vault.
Right-click the vault and select Properties.
Open the Authentication tab.
Enable Use Azure AD for authentication.

Select one of these options:

Option	Description
Prompt each user for consent upon first vault access	Select this option to let vault users decide whether they want to give the applications access to their user credentials in Microsoft Entra ID. With this option, Entra ID shows a prompt when the user logs in to the vault for the first time. In the prompt, the user can give the permissions to the applications.
Give consent on behalf of all users in the directory (requires Microsoft Entra administrator rights)	Select this option to give the applications access to user credentials in Microsoft Entra ID on behalf of all vault users. Only an Microsoft Entra global administrator can give consent on behalf of other users. When you click OK or Apply, M-Files displays a login prompt. Write the credentials for the Entra ID account that is used for logging in to M-Files.

Option

Description

Prompt each user for consent upon first vault access

Select this option to let vault users decide whether they want to give the applications access to their user credentials in Microsoft Entra ID. With this option, Entra ID shows a prompt when the user logs in to the vault for the first time. In the prompt, the user can give the permissions to the applications.

Give consent on behalf of all users in the directory (requires Microsoft Entra administrator rights)

Select this option to give the applications access to user credentials in Microsoft Entra ID on behalf of all vault users. Only an Microsoft Entra global administrator can give consent on behalf of other users.

When you click OK or Apply, M-Files displays a login prompt. Write the credentials for the Entra ID account that is used for logging in to M-Files.

The user credentials must have access to the Entra ID domain that you want to use for the user synchronization.

Optional: In an on-premises environment, complete the configuration with the instructions in Configuring Mappings Between Incoming Connections and Vaults.
Configure the user synchronization in Entra ID.
Refer to Synchronizing Users from Microsoft Entra ID to M-Files with SCIM.