Document Vault Authentication

The Authentication tab of the Document Vault Properties dialog contains settings related to vault user synchronization and authentication. The tab is available in the Document Vault Properties dialog of existing vaults. When you create a vault, you cannot see this tab.

User synchronization

There are two methods to set up user synchronization with Azure AD:

Configuring Azure Active Directory Synchronization Plugin
Synchronizing Users from Azure Active Directory to M-Files
- To use this method, you must have an Azure AD Premium license.
- To use this method in an on-premises environment, you must also enable vault-specific login accounts. With vault-specific login accounts, you manage all login accounts in each vault separately. For instructions, write to our customer support at [email protected].

User authentication

Use these instructions to set up Azure AD authentication in one of these environments:
- A cloud environment.
- An on-premises environment where you only use M-Files Desktop with one or a small number of vaults.
If you use some other environment, refer to Configuring OpenID Connect and OAuth 2.0 for M-Files Authentication.

Enabling Azure AD authentication

To set M-Files Web and M-Files Mobile to use Azure AD authentication in an on-premises environment, refer to Configuring OpenID Connect and OAuth 2.0 for M-Files Authentication instead.
Before you set up this feature, log out of all Azure AD accounts that are not used for logging in to M-Files.

To enable Azure AD authentication:

Open M-Files Admin and go to a vault.
1. Open M-Files Admin.
2. In the left-side tree view, expand a connection to M-Files Server.
3. In the left-side tree view, expand Document Vaults, and then expand a vault.
Right-click the vault and select Properties.
Open the Authentication tab.
Enable Use Azure AD for authentication.

Select one of these options:

Option	Description
Prompt each user for consent upon first vault access	Select this option to let vault users decide whether they want to give the applications access to their user credentials in Azure AD. With this option, Azure AD shows a prompt when the user logs in to the vault for the first time. In the prompt, the user can give the permissions to the applications.
Give consent on behalf of all users in the directory (requires Azure AD administrator rights)	Select this option to give the applications access to user credentials in Azure AD on behalf of all vault users. Only an Azure AD global administrator can give consent on behalf of other users. When you click OK or Apply, M-Files displays a login prompt. Write the credentials for the Azure AD account that is used for logging in to M-Files.

Option

Description

Prompt each user for consent upon first vault access

Select this option to let vault users decide whether they want to give the applications access to their user credentials in Azure AD. With this option, Azure AD shows a prompt when the user logs in to the vault for the first time. In the prompt, the user can give the permissions to the applications.

Give consent on behalf of all users in the directory (requires Azure AD administrator rights)

Select this option to give the applications access to user credentials in Azure AD on behalf of all vault users. Only an Azure AD global administrator can give consent on behalf of other users.

When you click OK or Apply, M-Files displays a login prompt. Write the credentials for the Azure AD account that is used for logging in to M-Files.

The user credentials must have access to the Azure AD domain that you want to use for the user synchronization.

Optional: In an on-premises environment, complete the configuration with the instructions in Configuring Mappings Between Incoming Connections and Vaults.