Users in Synchronized Active Directory Groups
User synchronization
Subscription-level user provisioning
In M-Files Cloud, user provisioning with M-Files Manage is the recommended method to synchronize user groups with Azure AD. User provisioning uses the SCIM protocol. Thus, user group management is done in Azure AD and Azure AD pushes the users to M-Files. The process creates the users in the M-Files subscription, which lets you easily link an Azure AD user group to many vaults.
This method is available only in M-Files Cloud. To use this method, you must have an Azure AD Premium license. For more information and configuration instructions, refer to M-Files Manage - User Guide.
Vault-level user synchronization
There are two methods to set up user synchronization with Azure AD on the vault level. In both methods, user group management is done in Azure AD, but they are different in how users are brought to M-Files. With the SCIM method, Azure AD pushes the users to M-Files. With the plugin method, you specify the user groups in M-Files Admin and M-Files periodically pulls the users from Azure AD.
- Synchronizing Users from Azure Active Directory to M-Files with SCIM
  - To use this method, you must have an Azure AD Premium license.
  - In an on-premises environment, this method enables Azure AD authentication only for M-Files Desktop. In an on-premises environment, we recommend that you use the plugin method instead.
- Configuring Azure Active Directory Synchronization Plugin
  - This is the recommended method for user synchronization from Azure AD in on-premises environments.
In addition to the Azure AD synchronization plugin, you can also use the Okta user group synchronization plugin. For instructions, refer to Configuring Okta User Group Synchronization Plugin.
Optional settings for Active Directory importing with the plugin method
After you have configured the synchronization plugin, you can adjust the behavior of the user group synchronization with Active Directory (AD) importing settings. This is especially useful in environments with large vaults and AD groups.
To open the settings, in the Advanced Vault Settings section of M-Files Admin, go to .
Recommendations:
- If the M-Files server has many vaults, we recommend that you set the synchronization to start at a different time in each vault to improve system performance. To do this, change the Start Time of First Import for each vault to specify different start times of the first import after the server startup.
- If you have large AD user groups, we recommend that you use the Start Time of First Import and Sleep Interval settings to set the synchronization to run every night. The synchronization can otherwise have a negative impact on system performance.
Important information
Synchronization of changes in AD group members
See the table for information on what occurs in M-Files when the members of the synchronized AD groups have changed.
Change | Effects |
---|---|
Users added to AD groups that are synchronized to M-Files | |
Users removed from all the AD groups that are synchronized to M-Files | Note: Users are not automatically disabled if they are members of at least one synchronized AD group. |
Disabling and deleting synchronized users in M-Files
See the table for information on what occurs if you disable or delete synchronized users in the vault.
Change | Effects |
---|---|
Synchronized users disabled in M-Files | By default, the users stay disabled. To enable the users again, they must be enabled in M-Files. If you use a synchronization plugin, you can change the default behavior. To do this, go to the Active Directory Importing settings and set Enable Disabled Users from Imported Groups to Yes. |
Synchronized users deleted in M-Files | The AD group synchronization does not create the deleted users again in the vault. |