User Synchronization with Microsoft Entra ID

This page tells you how you can set up user group synchronization between M-Files and Microsoft Entra ID.

If you use M-Files Cloud, we strongly recommend subscription-level user provisioning. With on-premises servers, the recommended setup is the vault-specific plugin method.

Subscription-level user provisioning

In M-Files Cloud, user provisioning with M-Files Manage is the recommended method to synchronize user groups with Microsoft Entra ID. User provisioning uses the SCIM protocol. This means that the user group management is done in Entra ID, and Entra ID pushes the users to M-Files. The process creates users to the M-Files subscription, which lets you easily link an Entra ID user group to many vaults.

Note: This method is available only in M-Files Cloud and on-premises environments where the server is joined to M-Files Manage. To use this method, you must have a Microsoft Entra ID Premium license. For more information and configuration instructions, refer to the M-Files Manage user guide.

Vault-level user synchronization

On the vault level, there are two methods to set up user synchronization with Entra ID. With both methods, user group management is done in Entra ID, but they are different in how users are brought to M-Files.

With the plugin method, you specify the user groups in M-Files Admin, and M-Files periodically pulls the users from Entra ID. With the SCIM method, Entra ID pushes the users to M-Files.

Plugin method: Importing User Information from Entra ID with the User Synchronization Plugin
- In on-premises environments, we strongly recommend this method over the SCIM method.
- In addition to the Azure AD synchronization plugin, you can also use the Okta user group synchronization plugin. For instructions, refer to Configuring Okta User Group Synchronization Plugin in M-Files Support Portal.
SCIM method: Synchronizing Users from Microsoft Entra ID to M-Files with SCIM
- To use this method, you must have a Microsoft Entra ID Premium license.
- In an on-premises environment, this method lets you use Entra ID authentication only for M-Files Desktop.

Optional settings for Active Directory importing with the vault-level plugin method

After you have configured the synchronization plugin, you can adjust the behavior of the user group synchronization. This is especially useful in environments with large vaults and Active Directory groups.

To open the settings, in the Advanced Vault Settings section of M-Files Admin, go to User Groups > Active Directory Importing.

If the M-Files server has many vaults, we recommend that you set the synchronization to start at a different time in each vault to improve system performance. To do this, change the Start Time of First Import for each vault to specify different start times of the first import after the server startup.