User Synchronization with Identity Providers

This page tells you how you can set up user group synchronization between M-Files and other identity providers.

If you use M-Files Cloud, we strongly recommend subscription-level user provisioning. With on-premises servers, the recommended setup is the vault-specific plugin method.

Tip: Microsoft Entra ID is the recommended method for user provisioning. However, it is also possible to provision users with Other SCIM providers.

General Steps for subscription-level user provisioning

In M-Files Cloud, user provisioning with M-Files Manage is the recommended method to synchronize user groups with identity providers, such as Microsoft Entra ID, Okta, and so on. User provisioning uses the SCIM protocol. This means that the user group management is done in the identity provider, which then pushes the users to M-Files. The process creates users to the M-Files subscription, which lets you easily link an identity provider user group to many vaults.

Note: This method is available only on M-Files Cloud and on-premises environments where the server is joined to M-Files Manage. For more information and configuration instructions, refer to the M-Files Manage user guide.

Vault-level user synchronization

On the vault level, there are two methods to set up user synchronization with Entra ID. With both methods, user group management is done in Entra ID, but they are different in how users are brought to M-Files.

Important: Vault-level user synchronization is strongly discouraged. Instead, subscription-level synchronization is the recommended method to make sure of optimal performance and reliability.

With the plugin method, you specify the user groups in M-Files Admin, and M-Files periodically pulls the users from Entra ID. With the SCIM method, Entra ID pushes the users to M-Files.

Plugin method: Importing User Information from Entra ID with the User Synchronization Plugin
- In on-premises environments, we strongly recommend this method over the SCIM method.
- In addition to the Azure AD synchronization plugin, you can also use the Okta user group synchronization plugin. For instructions, refer to Configuring Okta User Group Synchronization Plugin in M-Files Support Portal.
SCIM method with Microsoft Entra ID: Synchronizing Users from Microsoft Entra ID to M-Files with SCIM
- To use this method, you must have a Microsoft Entra ID Premium license.
- In an on-premises environment, this method lets you use Entra ID authentication only for M-Files Desktop.

Tip: Please note that, while the linked instructions for the plugin and SCIM methods may not reflect the most recent updates, they can still serve as a helpful reference.

Optional settings for Active Directory importing with the vault-level plugin method

After you have configured the synchronization plugin, you can adjust the behavior of the user group synchronization. This is especially useful in environments with large vaults and Active Directory groups.

To open the settings, in the Advanced Vault Settings section of M-Files Admin, go to User Groups > Active Directory Importing.

If the M-Files server has many vaults, we recommend that you set the synchronization to start at a different time in each vault to improve system performance. To do this, change the Start Time of First Import for each vault to specify different start times of the first import after the server startup.