User Synchronization with Identity Providers

This page tells you how you can set up user group synchronization between and other identity providers.

If you use , we strongly recommend subscription-level user provisioning. With on-premises servers, the recommended setup is the vault-specific plugin method.

Tip: is the recommended method for user provisioning. However, it is also possible to provision users with other SCIM providers.

General Steps for subscription-level user provisioning

In , it is recommended to use user provisioning with to synchronize user groups with identity providers, for example and Okta. User provisioning uses the SCIM protocol. This means that user group management is done in the identity provider, which then pushes the users to . The process creates the users in the subscription, which lets you link an identity provider user group to many vaults.

Note: This method is available only on and on-premises environments where the server is joined to . For more information and configuration instructions, refer to the user guide.
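
The SCIM push described above, seen from the receiving side, as an added example that is not code from the product this page documents. It applies a group membership PatchOp (the message format defined in RFC 7644) and rejects operations it does not understand, so that a removal pushed by the identity provider is never silently dropped. The function name, member ids and sample message are constructed for illustration.

```python
import re

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
# Filter form used to remove a single member: members[value eq "<id>"]
MEMBER_FILTER = re.compile(r'^members\[value eq "([^"]+)"\]$')


def apply_group_patch(members, patch):
    """Return the member-id set after applying a SCIM PatchOp to a group."""
    if PATCH_SCHEMA not in patch.get("schemas", []):
        raise ValueError("not a SCIM PatchOp message")
    result = set(members)
    for op in patch.get("Operations", []):
        # Assumption: the identity provider may send "Add" or "add",
        # so the op name is compared case-insensitively.
        kind = str(op.get("op", "")).lower()
        path = op.get("path", "")
        values = op.get("value", [])
        if not isinstance(values, list):
            raise ValueError("member value must be a list")
        ids = {v["value"] for v in values}
        match = MEMBER_FILTER.match(path)
        if kind == "add" and path == "members":
            result |= ids
        elif kind == "replace" and path == "members":
            result = ids
        elif kind == "remove" and match:
            result.discard(match.group(1))
        elif kind == "remove" and path == "members":
            # With a value list remove those ids, without one clear the group.
            result = result - ids if ids else set()
        else:
            # Fail closed: the sender gets an error instead of stale access.
            raise ValueError(f"unsupported operation: {kind!r} on {path!r}")
    return result


# Constructed sample push: add two users, then remove one (deprovisioning).
SAMPLE_PATCH = {
    "schemas": [PATCH_SCHEMA],
    "Operations": [
        {"op": "Add", "path": "members",
         "value": [{"value": "u-101"}, {"value": "u-102"}]},
        {"op": "remove", "path": 'members[value eq "u-100"]'},
    ],
}

if __name__ == "__main__":
    print(sorted(apply_group_patch({"u-100"}, SAMPLE_PATCH)))
```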

Vault-level user synchronization

On the vault level, there are two methods to set up user synchronization with . With both methods, user group management is done in , but they differ in how users are brought to .

Important: It is strongly recommended that you do not use vault-level user synchronization. Instead, subscription-level synchronization is the recommended method to ensure optimal performance and reliability.

With the plugin method, you specify the user groups in , and periodically pulls the users from . With the SCIM method, pushes the users to .

Tip: Although the linked instructions for the plugin and SCIM methods may not reflect the most recent updates, they can still serve as a helpful reference.

Optional settings for Active Directory importing with the vault-level plugin method

After you have configured the synchronization plugin, you can adjust the behavior of the user group synchronization. This is especially useful in environments with large vaults and Active Directory groups.

To open the settings, in the Advanced Vault Settings section of , go to User Groups > Active Directory Importing.

If the server has many vaults, we recommend that you set the synchronization to start at a different time in each vault to improve system performance. To do this, change the Start Time of First Import for each vault so that the first import after server startup begins at a different time in each vault.