Using the Legacy Configuration Method for User Provisioning

We recommend that you use the M-Files application from the Microsoft Entra ID App Gallery for all new user provisioning configurations. To do this, follow the instructions in Configuring User Provisioning. If you want to create your own Entra ID enterprise application instead, follow the instructions given here.

If you have previously configured user provisioning in M-Files Manage with your own Entra ID enterprise application, you can continue to use the existing configurations. To check the configuration method, go to the Configuration tab of the Provisioning page in M-Files Manage, find the correct configuration for user provisioning, and see the title. If it is Microsoft Entra ID classic, the legacy configuration method is used.

If you want to switch to use the M-Files application that has been pre-integrated with Entra ID, delete the existing configuration from M-Files Manage and disable or delete the related Entra ID enterprise application. Then, follow the instructions in Configuring User Provisioning.

Configuring classic user provisioning in M-Files Manage

To configure user provisioning in M-Files Manage:

Log in to M-Files Manage at https://manage.m-files.com.
Go to Provisioning > Configurations.
In Create configuration for user provisioning, click Microsoft Entra ID classic.
Enter the necessary information to configure user provisioning.
1. In Configuration name, enter a unique name for the configuration.
2. Select Default license type for the provisioned users. All the provisioned users first get this license. You can change a user group's license type to a higher one after user groups have been provisioned. If there are not enough available licenses of the default license type in the subscription, all the users do not get a license.
3. In Issuer, enter the tenant ID of your Microsoft Entra ID.
  For information on how to find the tenant ID, refer to this Microsoft instruction.
Click the Copy link icon () to copy the tenant URL.
This URL is necessary to create an enterprise application for user and user group provisioning in your Entra ID.
Click Save.

The configuration is saved. You can see and edit it in the Configurations section. Do not edit the Audience value.

Configuring classic user provisioning in Microsoft Entra ID

To configure user provisioning in Microsoft Entra ID, refer to Synchronizing Users from Microsoft Entra ID to M-Files with SCIM.

Note: All the information in the referenced document does not apply to user provisioning configured in M-Files Manage. Use the document only to configure the steps listed here.

Do the steps in these sections of the document:

Section 3.1 (Creating the Entra ID Enterprise Application):

Important: In Tenant URL, enter the tenant URL that you copied from the user provisioning configuration. Do not follow the instructions in the referenced document on tenant URL.
Section 3.2 (Specifying Attribute Mappings):
Important: For best security, we recommend that you specify two attribute mappings differently than instructed in the referenced document. To do this, follow the instructions given here. See also Summary of attribute mappings.
- When you define attribute mappings for Provision Azure Active Directory Groups, instead of displayName to externalId attribute mapping, map objectId to externalId.
  - Set Match objects using this attribute to Yes.
  - Set Matching precedence to 2.
- When you define attribute mappings for Provision Azure Active Directory Users, instead of userPrincipalName to externalId attribute mapping, map objectId to externalId.
  - Set Match objects using this attribute to Yes.
  - Set Matching precedence to 2.
Section 3.3 (Selecting Users and Groups to Provision):
Important: We recommend that you limit the scope of users and groups to be provisioned. To do this, follow the instructions in the referenced document: Under Settings on the Provisioning page, select Sync only assigned users and groups.

After you have configured user provisioning in Entra ID, the provisioning starts automatically. However, it can take up to 40 minutes before it is started. About 5,000 users per hour can be provisioned.

If there were not enough available licenses of the default license type in the subscription, some of the provisioned users are waiting for a license. You can see the number of users waiting for a license on the Home page. In the list of users on the Users page, users waiting for a license have a waiting tag in the License type column.

Summary of attribute mappings

Make sure that these group mappings are done:


Mapping	Match objects using this attribute	Matching presedence
displayName to displayName	Yes	1
objectId to externalId	Yes	2
members to members

Make sure that these user mappings are done:


Mapping	Match objects using this attribute	Matching presedence
userPrincipalName to userName	Yes	1
objectId to externalId	Yes	2
Switch([IsSoftDeleted], , "False", "True", "True", "False") to active
mail to emails[type eq "work"].value
displayName to name.formatted

Optional: Specifying additional attribute mappings

To include additional user information, define two additional fields to be provisioned to M-Files Manage. The information is shown in Additional information 1 and Additional information 2 on the User information page.

To do this:

On the enterprise application's provisioning page in Microsoft Entra ID, click Edit provisioning.
Result:The Provisioning page is opened.
In Mappings, click Provision Azure Active Directory Users.
Result:The Attribute Mapping page is opened.
Select Show advanced options.
Click Edit attribute list for customappsso.
Enter a new attribute with this information:
- Name: urn:ietf:params:scim:schemas:extension:info:2.0:User:info1
- Type: String
Optional: To provision a second additional information field to M-Files Manage, enter another attribute:
- Name: urn:ietf:params:scim:schemas:extension:info:2.0:User:info2
- Type: String
Click Save.
On the Attribute Mapping page, in Attribute Mappings, click Add New Mapping.
Use these values:
- Mapping type: Direct
- Source attribute: Enter the Entra ID attribute
- Target attribute: Enter urn:ietf:params:scim:schemas:extension:info:2.0:User:info1 or urn:ietf:params:scim:schemas:extension:info:2.0:User:info2
- Match objects using this attribute: No
- Apply this mapping: Always
Click Ok.
Optional: To provision a second additional information field to M-Files Manage, repeat the steps from 8 to 10.
Click Save.

Creating Links Between Source and Target User Groups

When the user provisioning is complete, you can create links between the provisioned user groups and M-Files user groups in M-Files Manage. When there are provisioned user groups available, the User groups and Links tab in the Provisioning section in M-Files Manage are activate. In User groups, you can see the provisioned user groups and change their license type.

To create links between the provisioned user groups and M-Files user groups:

Log in to M-Files Manage at https://manage.m-files.com.
Go to Provisioning > Links.
In Source user group, select a provisioned user group.
In Target vault, select a vault.
In Target user group, select an M-Files user group.

Note: All existing user group members will be removed from the target group.

If you cannot find the correct user group, do these steps to create and select a new one:
1. Click Create new user group.
2. In the Create new user group dialog, enter a name for the group and click Create.
  Result:The dialog is closed and the user group created.
3. In Target user group, select the new user group.
Click Create.

The link is saved, and M-Files Manage starts to create the necessary vault users.

Note: It can take some time before M-Files Manage shows the link in the Links section.

Monitoring your deployment

When you have configured user provisioning, use these Microsoft resources to monitor your deployment:

Use the provisioning logs to see which users have been provisioned successfully or unsuccessfully.
Check the progress bar to see the status of the user provisioning cycle and how close it is to completion.
If the user provisioning configuration seems to be in an unhealthy state, the application goes into quarantine. Learn more about quarantine states here.