Configuring User Provisioning in Microsoft Entra ID

This section tells you how to set up user provisioning in Entra ID with the M-Files application from the Microsoft Entra ID App Gallery.

Setting up the M-Files application

To set up the M-Files application:

  1. Log in to Azure Portal at https://portal.azure.com.
  2. Click Microsoft Entra ID.
  3. If you have more than one tenant, click Manage tenants and select your tenant from the list of available directories.
  4. On your tenant's Entra ID page, go to Enterprise applications and click New application.
    Result:The Microsoft Entra ID App Gallery is opened.
  5. Find and select the M-Files application.
  6. Click Create.
    Result:The application is added to your tenant. The application's Overview page is opened.
  7. Go to Provisioning and click Get started.
  8. Set Provisioning Mode to Automatic.
  9. In the Admin Credentials section:
    1. In Authentication Method, select OAuth2 Client Credentials Grant.
    2. Enter the data, that you copied after you saved the M-Files Manage configuration for user provisioning, to the related fields:
      • Tenant URL
      • Token Endpoint
      • Client Identifier
      • Client Secret
  10. Click Test Connection to start the connectivity test.
  11. In the Settings section, select Send an email notification when a failure occurs and enter the email address of a person or group who will receive the provisioning error notifications.
  12. Click Save.
Important: The necessary attribute mappings are already available. Do not make changes to them.

Next, you must select users and groups to provision and enable provisioning. Before that, you can specify additional attribute mappings to include additional user information to the information that is synchronized to M-Files Manage.

The next sub-sections tell you how to do these operations.

Optional: Specifying additional attribute mappings

The necessary attribute mappings are available in your M-Files application. In other words, it is not necessary for you to define them. However, if you want to include additional user information, you can define two additional fields to be synchronized to M-Files Manage. The information is shown in Additional information 1 and Additional information 2 on the User information page.

To do this:

  1. On the M-Files application's provisioning page in Microsoft Entra ID, click Edit provisioning.
  2. In the Mappings section, click Provision Azure Active Directory Users.
    Result:The Attribute Mapping page is opened.
  3. Select Show advanced options.
  4. In Attribute Mappings, click Add New Mapping.
  5. Use these values:
    • Mapping type: Direct
    • Source attribute: Enter the Entra ID attribute
    • Target attribute: Select urn:ietf:params:scim:schemas:extension:info:2.0:User:info1 or urn:ietf:params:scim:schemas:extension:info:2.0:User:info2
    • Match objects using this attribute: No
    • Apply this mapping: Always
  6. Click Ok.
  7. Optional: To synchronize a second additional information field to M-Files Manage, repeat the steps from 4 to 6.
  8. Click Save.

Selecting users and groups to provision

The last step is to select which users and groups to provision to M-Files.

  1. On the M-Files application's provisioning page in Microsoft Entra ID, click Edit provisioning.
  2. In the Settings section, open the Scope drop-down menu and select whether you want to provision only the users and groups that you have set to be synchronized or every user and group in your tenant.
    If you do not see the Scope drop-down menu, refresh the page.
    OptionDescription
    Sync only assigned users and groups (recommended) Do step 3 to limit the scope of users and groups to be provisioned. Then, enable provisioning and save.
    Sync all users and groups Go directly to step 4. Enable provisioning and save.
  3. Optional: To limit the scope of users and groups to be provisioned, go to the Users and groups page in the M-Files application and do these steps:
    1. Click Add user/group.
    2. On the Add Assignment pane, select None Selected under Users and groups.
    3. Find and select the users and groups that you want to assign to the application.
    4. Click Select.
    5. On the Add Assignment pane, click Assign.
  4. Set Provisioning Status to On.
  5. Click Save.
The user provisioning is now configured, and the provisioning starts automatically. However, it can take up to 40 minutes before it is started. About 5,000 users per hour can be provisioned.

If there were not enough available licenses of the default license type in the subscription, some of the provisioned users are waiting for a license. You can see the number of users waiting for a license on the Home page of M-Files Manage. In the list of users on the Users page of M-Files Manage, users waiting for a license have a waiting tag in the License type column.

Monitoring your deployment

When you have configured user provisioning, use these Microsoft resources to monitor your deployment:
  • Use the provisioning logs to see which users have been provisioned successfully or unsuccessfully.
  • Check the progress bar to see the status of the user provisioning cycle and how close it is to completion.
  • If the user provisioning configuration seems to be in an unhealthy state, the application goes into quarantine. Learn more about quarantine states here.