Federated Authentication

Organizations that require centralized identity management to control user access to systems such as M-Files often use federated authentication. This means that an external identity provider, such as Microsoft Entra ID, Okta, or Google, stores and manages user credentials.

Federated authentication offers several benefits:
  • Seamless user experience with single sign-on (SSO)
  • Improved security with multi-factor authentication (MFA)
  • Easier user onboarding and offboarding

For more information, refer to Using Federated Authentication with M-Files.

The most common external identity provider is Entra ID. User accounts authenticated through Entra ID are usually provisioned to the subscription in M-Files Manage or imported to the vault in M-Files Admin. However, you can also create and manage these accounts manually in M-Files Manage if Entra ID synchronization is enabled for the vault. In all cases, user information is synchronized between M-Files Admin and M-Files Manage. For more information on user provisioning, refer to Managing User Groups with User Provisioning.

Setting up federated authentication with Microsoft Entra ID

For new vaults created in M-Files Manage, Microsoft Entra ID authentication through M-Files Login Service is automatically configured. In the automatic configuration, an enterprise application is created in your Entra ID directory. Only one enterprise application is created in the directory. If you have many vaults, M-Files Login Service uses the same enterprise application for authentication.

If you have migrated on-premises vaults to M-Files Cloud, the existing authentication configuration is enabled, but reconfiguration is usually necessary. Another option is to set up authentication through M-Files Login Service instead. Refer to Configuring Vault Authentication with M-Files Login Service for instructions on manual configuration of M-Files Login Service.

When federated authentication with M-Files Login Service is newly configured, users can be asked for consent when they log in to M-Files. To make it easier for users to access M-Files, we recommend that an Entra ID administrator grants consent on behalf of all users. For more information, refer to Configuring Vault Authentication with M-Files Login Service.