Document Vault Authentication

The Authentication tab of the Document Vault Properties dialog contains settings related to vault user synchronization and authentication with Azure AD. The tab is available in the Document Vault Properties dialog of existing vaults. When you create a vault, you cannot see this tab.

User synchronization

There are two methods to set up user synchronization with Azure AD. In both, user group management is done in Azure AD, but they are different in how users are brought to M-Files. With the SCIM method, Azure AD pushes the users to M-Files. With the plugin method, you specify the groups that you want in M-Files Admin and M-Files periodically pulls the users from Azure AD.

Synchronizing Users from Azure Active Directory to M-Files with SCIM
- To use this method, you must have an Azure AD Premium license.
- To use this method in an on-premises environment, you must also enable vault-specific login accounts. With vault-specific login accounts, you manage all login accounts in each vault separately. For instructions, contact our customer support at support@m-files.com.
Configuring Azure Active Directory Synchronization Plugin
- This is the preferred method for user synchronization from Azure AD in on-premises environments.

User authentication

Refer to the specified instructions in this table to set up user authentication in your environment:


Deployment	Instructions
M-Files Cloud and Azure Active Directory	Enabling Azure AD authentication
On-premises server and Azure Active Directory	Configuring Vault Authentication with Azure AD in On-Premises Environments
Any environment and any OAuth 2.0 or OpenID Connect compliant identity provider	Configuring OpenID Connect and OAuth 2.0 for M-Files Authentication

Additional remarks:

If you use M-Files Web or the add-ins based on M-Files Web, also refer to Setting Up OAuth 2.0 for the New M-Files Web and Web-Based Add-Ins.
In on-premises environments, refer to this article for more details: Azure AD authentication with OAuth - which documents to follow and when.

Anonymous authentication

Enable this feature to set the new M-Files Web and M-Files Mobile users to have read-only access to this vault without username and password. When the feature is enabled, M-Files adds an anonymous user to the vault. The user has no login account on the server, but you can use it to set permissions, and add it to user groups. The anonymous user is created as an external user. However, you can change it to an internal user.

Important: When this feature is enabled, the vault always uses anonymous authentication and personal credentials cannot be used with the new M-Files Web and M-Files Mobile.

Prerequisites to set up the feature:

You must have External Connector license.
You must be a system administrator or have full control of the vault.
In on-premises and self-managed cloud environments, you must set up mappings between incoming connections and your vaults.

Remarks:

M-Files Desktop and the classic M-Files Web do not use this setting. To set up anonymous authentication for the classic M-Files Web, see Optional: Changing Publication Settings.
The anonymous user does not decrease the number of your read-only licenses.