
Entra ID authentication with OAuth in on-premise - which documents to follow and when

Last updated on 9 December 2024

Admin
Microsoft Entra ID Authentication

1     Overview / Work Notes

This document is intended for on-premises deployments; some of the restrictions and suggestions given here do not apply in the M-Files Cloud environment.

There are three ways to configure Entra ID authentication for M-Files with OAuth. The three available options are:

  1. M-Files Login Service that does not require Entra ID tenant-specific settings
  2. Manual configuration built either in M-Files Admin or in the M-Files server's registry
  3. Semi-automatic configuration that is done in document vault properties

2     Solution / Workaround

For each configuration option, there are two parts: 

  1. User synchronization
  2. Authentication

2.1      User sync

Before you can use Entra ID to log in to M-Files, you must import login accounts from Entra ID to M-Files. For on-premises environments, there are two options for user sync:

2.2      Authentication

After you have imported login accounts from Entra ID, you need to configure M-Files to use Entra ID to authenticate the users.

2.2.1      M-Files Login Service

  1. M-Files Login Service uses an enterprise application to authenticate the users. The enterprise application is managed by M-Files Corporation and you don't get control over the application's configuration.
  2. Setting up Login Service does not require your Entra ID administrator to be involved in the configuration work, since the configuration does not require any details from your Entra ID tenant. However, Login Service adds a few dialogues to the login procedure for end users, especially during their first login.
  3. To configure Login Service, refer to this document:
     Configuring Vault Authentication with M-Files Login Service.pdf

2.2.2      Fully Manual Configuration

If you want full control over the applications in your Entra ID tenant, you can manually configure M-Files to use an Entra ID App Registration for authentication. The authentication flow with a fully manual configuration also skips the few extra dialogues that M-Files Login Service prompts users with.

To configure M-Files to use App Registration, refer to this document:
Configuring Vault Authentication with Microsoft Entra ID in On-Premises Environments.pdf

  • If you want to enable authentication to all vaults in one go, then build the configuration in the registry, instead of building it in Admin. The configuration built in Admin is for a specific vault only.
  • If you build the configuration in Admin, then you will also need to add the VaultDNSConfiguration described at the bottom of this page:
    https://m-files.com/user-guide/latest/eng/document_vault_authentication.html

If the configuration outlined in the document above does not suit your environment, or you need more specific settings, refer to this document for a full reference on all the available OAuth configuration settings:
Configuring OpenID Connect and OAuth 2.0 for M-Files Authentication.pdf

The document above also details the configuration structure required if you want to build a registry-based configuration to cover all vaults.

The basic process for manually configuring authentication is:

  1. Fill in the settings marked as required in the configuration guide.
  2. Enable both Client and Server-side logging (under advanced settings).
  3. Try to log in to M-Files Web or Desktop.
  4. Make a note of the error you receive.
  5. Check the M-Files server computer's Windows Event Viewer's Application log for further details.
  6. Make changes to the configuration based on the error and the logs. If the error or event log refers to a specific setting, check the configuration guide to see what it says about that particular setting.
  7. Try authenticating again.
  8. Repeat this process until you get all the settings right.

For a more detailed configuration process suggestion, refer to this article:
/article/Azure-AD-configuration-process-for-on-premises-deployments
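Step 5 of the process above sends you to the server's Application event log. The following PowerShell helper is an added example, not part of this article or of M-Files' own tooling; it pulls the recent errors and warnings from that log so the messages can be matched against the setting names in the configuration guide. It assumes the M-Files Server event source name contains "M-Files"; change `$SourcePattern` if your server logs under a different provider name.

```powershell
# Added example (not from the M-Files article): list recent Application-log
# errors and warnings on the M-Files server after a failed login attempt.
# Assumption: the M-Files Server event provider name contains "M-Files".
function Get-MFilesAuthEvents {
    param(
        [int]$MinutesBack = 30,
        [string]$SourcePattern = 'M-Files',
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $filter = @{
        LogName   = 'Application'
        Level     = 2, 3              # 2 = Error, 3 = Warning
        StartTime = (Get-Date).AddMinutes(-$MinutesBack)
    }

    # SilentlyContinue suppresses the non-terminating "No events were found" error
    # that Get-WinEvent raises when the filter matches nothing.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like "*$SourcePattern*" } |
        Select-Object TimeCreated, Id, LevelDisplayName, ProviderName,
            @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

# Run on the M-Files server right after reproducing the login error (step 3),
# then look up any setting named in the messages in the OAuth configuration guide.
Get-MFilesAuthEvents -MinutesBack 15 | Format-Table -AutoSize -Wrap
```

Run it in an elevated PowerShell session on the M-Files server, or pass `-ComputerName` from a workstation that has remote event log access.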

2.2.3      Semi-automatic Configuration

There is an option in document vault properties to enable authentication via Azure AD. However, in an on-premises environment, this option will only work for M-Files Desktop. No other M-Files client types are supported by this option in on-premises environments. For this reason, this option is rarely used in on-premises environments.

If you know your organization will not be requiring M-Files Web or Mobile in the foreseeable future, then this option is the fastest and easiest way to configure Entra ID authentication for M-Files. Refer to these instructions for more details:
https://userguide.m-files.com/user-guide/latest/eng/document_vault_authentication.html

Using this option will add two enterprise applications into your Entra ID tenant. The enterprise applications are managed by M-Files Corporation and you don't get control over the applications' configuration.

If you enable Entra ID authentication via the document vault properties, you also have the option to enable user sync via the document vault properties. This is an additional option to the two user sync methods mentioned earlier. However, this option is rarely used in on-premises environments due to its dependency on the automatic authentication configuration, which supports only M-Files Desktop in on-premises environments.

Enabling user sync via vault properties also requires that you have a Premium subscription to Entra ID.

For instructions on configuring user sync via vault properties, refer to this document:
Synchronizing Users from Microsoft Entra ID to M-Files with SCIM.pdf
