Authentication Methods

There are two types of authentication methods that you can use:

User accounts with M-Files authentication are created and controlled in M-Files Manage. User accounts with Entra ID authentication are usually provisioned to the subscription in M-Files Manage or imported to the vault in M-Files Admin.

With both authentication methods, changes to user information are automatically synchronized between M-Files Manage and M-Files Admin.

Federated Authentication

Organizations that require granular control over user access to systems such as M-Files often use federated authentication. This means that an external identity provider, such as Microsoft Entra ID or Google, is used to store user credentials. With federated authentication, you can use solutions such as single sign-on (SSO) or multi-factor authentication (MFA). For more information, refer to Using Federated Authentication with M-Files.

The most common external identity provider is Entra ID. User accounts with Entra ID authentication are usually provisioned to the subscription in M-Files Manage or imported to the vault in M-Files Admin. However, you can also create and manage them manually in M-Files Manage if Entra ID synchronization is enabled for the vault. The user information is in all cases synchronized between M-Files Admin and M-Files Manage.

Setting up federated authentication

Usually, it is not necessary to manually set up federated authentication for a vault. For new vaults, Microsoft Entra ID authentication through M-Files Login Service is automatically configured. In the automatic configuration, an enterprise application is created to your Entra ID. Only one enterprise application is created to the directory. If you have many vaults, M-Files Login Service uses the same enterprise application in authentication.

If the vault has been migrated to the new cloud, the existing configuration for federated authentication stays enabled. However, if you have migrated on-premises vaults to M-Files Cloud, the existing configuration is enabled but reconfiguration is usually necessary. For more information, see M-Files Cloud Requirements and Document Vault Authentication in the M-Files user guide.

If a manual configuration of M-Files Login Service is necessary, follow the instructions in Configuring Vault Authentication with M-Files Login Service. If you use other identity provider than Entra ID, you must configure authentication separately. For more information, refer to Configuring OpenID Connect and OAuth 2.0 for M-Files Authentication.

For a newly configured federated authentication with M-Files Login Service, user consent can be asked when users log in to M-Files. To make it easier for users to access M-Files, we recommend that an Entra ID administrator gives consent on behalf of all users. For more information, refer to Configuring Vault Authentication with M-Files Login Service.

M-Files Authentication

Instead of federated authentication, you can use the M-Files authentication method. With this method, you create vault users in M-Files Manage. After that, you can control vault-level permissions and user groups in M-Files Admin.

For instruction on how to create a user, see Creating Users.