Users in Synchronized Active Directory Groups

User synchronization

Subscription-level user provisioning

In M-Files Cloud, user provisioning with M-Files Manage is the recommended method to synchronize user groups with Microsoft Entra ID. User provisioning uses the SCIM protocol: user group management is done in Entra ID, and Entra ID pushes the users to M-Files. The process creates the users in the M-Files subscription, which lets you easily link an Entra ID user group to many vaults.

This method is available only in M-Files Cloud. To use this method, you must have a Microsoft Entra ID Premium license. For more information and configuration instructions, refer to the M-Files Manage User Guide.

Vault-level user synchronization

There are two methods to set up user synchronization with Entra ID on the vault level. In both methods, user group management is done in Entra ID, but the methods differ in how users are brought to M-Files. With the SCIM method, Entra ID pushes the users to M-Files. With the plugin method, you specify the user groups in M-Files Admin and M-Files periodically pulls the users from Entra ID.

In addition to the Azure AD synchronization plugin, you can also use the Okta user group synchronization plugin. For instructions, refer to Configuring Okta User Group Synchronization Plugin.

Optional settings for Active Directory importing with the plugin method

After you have configured the synchronization plugin, you can adjust the behavior of the user group synchronization with Active Directory (AD) importing settings. This is especially useful in environments with large vaults and AD groups.

To open the settings, in the Advanced Vault Settings section of M-Files Admin, go to User Groups > Active Directory Importing.

Recommendations:

  • If the M-Files server has many vaults, we recommend that you set the synchronization to start at a different time in each vault to improve system performance. To do this, set a different Start Time of First Import for each vault. The setting specifies when the first import starts after the server startup.

Important information

Synchronization of changes in AD group members

See the table for information on what occurs in M-Files when the members of the synchronized AD groups have changed.

Change: Users added to AD groups that are synchronized to M-Files
Effects:
  • The users are added as vault users to the vault that contains the user group.
  • If the added users do not yet have M-Files login accounts, new login accounts are automatically created for the users and the license specified in the synchronization settings is applied to the new login accounts.
  • No changes are made to existing M-Files login accounts. For example, if users have been assigned concurrent licenses, and they are added to a group with named licenses, the users keep the concurrent licenses.

Change: Users removed from all the AD groups that are synchronized to M-Files
Effects:
  • The users are removed from the user group in M-Files. They lose all permissions that were granted to them through the group membership.
  • The user accounts stay in M-Files but are disabled.
  • The login accounts stay active. They keep the licenses that are assigned to them.
Note: Users are not automatically disabled if they are members of at least one synchronized AD group.

Disabling and deleting synchronized users in M-Files

See the table for information on what occurs if you disable or delete synchronized users in the vault.

Change: Synchronized users disabled in M-Files
Effects: By default, the users stay disabled. To enable the users again, they must be enabled in M-Files.

If you use a synchronization plugin, you can change the default behavior. To do this, go to the Active Directory Importing settings and set Enable Disabled Users from Imported Groups to Yes.

Change: Synchronized users deleted in M-Files
Effects: The AD group synchronization does not create the deleted users again in the vault.
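
The membership-change rules and the deleted-user rule described above, modeled as an added Python sketch for access reviews (this is not M-Files code and does not call any M-Files API). It shows the deprovisioning gap the rules leave: a user removed from every synchronized group is disabled in the vault, but the login account stays active and licensed. The names `Vault`, `sync`, `residual_logins` and the sample users are constructed for illustration, and the sketch assumes a single vault and never re-enables a disabled user.

```python
from dataclasses import dataclass, field

@dataclass
class Vault:  # hypothetical in-memory model of one vault, not an M-Files type
    users: dict = field(default_factory=dict)  # name -> {"enabled": bool, "groups": set}
    deleted: set = field(default_factory=set)  # users an admin deleted in the vault

def sync(vault, logins, ad_groups, default_license):
    """One import pass. ad_groups: synchronized AD group -> set of member names.
    logins: login accounts, name -> {"active": bool, "license": str}."""
    members = {}
    for group, names in ad_groups.items():
        for name in names:
            members.setdefault(name, set()).add(group)
    for name, groups in members.items():
        if name in vault.deleted:
            continue  # deleted users are not created again in the vault
        if name not in logins:  # only new login accounts get the sync-settings license
            logins[name] = {"active": True, "license": default_license}
        user = vault.users.setdefault(name, {"enabled": True, "groups": set()})
        user["groups"] = set(groups)  # this sketch never re-enables a disabled user
    for name, user in vault.users.items():
        if user["groups"] and name not in members:
            user["groups"] = set()   # group-granted permissions are lost
            user["enabled"] = False  # vault user stays but is disabled
            # the login account is deliberately left untouched: active, license kept

def residual_logins(vault, logins):
    """Disabled vault users whose login account is still active and licensed."""
    return sorted(n for n, u in vault.users.items()
                  if not u["enabled"] and logins.get(n, {}).get("active"))

def demo():
    # Constructed sample data: bob already holds a concurrent license.
    vault, logins = Vault(), {"bob": {"active": True, "license": "concurrent"}}
    sync(vault, logins, {"Sales": {"alice", "bob"}, "Legal": {"bob"}}, "named")
    sync(vault, logins, {"Sales": set(), "Legal": {"bob"}}, "named")  # Sales emptied
    return vault, logins

if __name__ == "__main__":
    vault, logins = demo()
    print("review these login accounts:", residual_logins(vault, logins))
```

Accounts returned by `residual_logins` are the ones to check during offboarding, because the synchronization itself does not deactivate them or release their licenses.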