Authentication Methods

There are two types of authentication methods that you can use:

User accounts with M-Files authentication are created and controlled in M-Files Manage. With federated authentication, user accounts authenticated through Microsoft Entra ID or other compatible identity provider are usually provisioned to the subscription in M-Files Manage or imported to the vault in M-Files Admin.

With both authentication methods, changes to user information are automatically synchronized between M-Files Manage and M-Files Admin.

Federated Authentication

Organizations that require granular control over user access to systems such as M-Files often use federated authentication. This means that an external identity provider, such as Microsoft Entra ID or Google, is used to store user credentials. With federated authentication, you can use solutions such as single sign-on (SSO) or multi-factor authentication (MFA). For more information, refer to Using Federated Authentication with M-Files.

The most common external identity provider is Entra ID. User accounts with Entra ID authentication are usually provisioned to the subscription in M-Files Manage or imported to the vault in M-Files Admin. However, you can also create and manage them manually in M-Files Manage if Entra ID synchronization is enabled for the vault. The user information is in all cases synchronized between M-Files Admin and M-Files Manage.

Setting up federated authentication with Microsoft Entra ID

For new vaults created in M-Files Manage, Microsoft Entra ID authentication through M-Files Login Service is automatically configured. In the automatic configuration, an enterprise application is created to your Entra ID. Only one enterprise application is created to the directory. If you have many vaults, M-Files Login Service uses the same enterprise application in authentication.

If you have migrated on-premises vaults to M-Files Cloud, the existing authentication configuration is enabled but reconfiguration is usually necessary. Another option is to set up authentication through M-Files Login Service instead. Refer to Configuring Vault Authentication with M-Files Login Service for instructions on manual configuration of M-Files Login Service.

For a newly configured federated authentication with M-Files Login Service, user consent can be asked when users log in to M-Files. To make it easier for users to access M-Files, we recommend that an Entra ID administrator gives consent on behalf of all users. For more information, refer to Configuring Vault Authentication with M-Files Login Service.

Setting up federated authentication with other identity providers

If you use other identity provider than Entra ID, you must configure authentication separately. For more information, refer to Configuring OpenID Connect and OAuth 2.0 for M-Files Authentication.

If you use Okta, a sample configuration is available in M-Files Support Portal.

M-Files Authentication

Instead of federated authentication, you can use the M-Files authentication method. With this method, you create vault users in M-Files Manage. After that, you can control vault-level permissions and user groups in M-Files Admin.

For instruction on how to create a user, see Creating Users.