Provisioning Users Automatically
Entra ID provides three methods for automatically provisioning users: SCIM provisioning, Just-In-Time (JIT) provisioning, and LDAP provisioning.
SCIM is the recommended method when your Entra ID configuration sends the same username value through both SAML and SCIM. JIT provisioning creates user accounts on first login and works well when group provisioning is not required. LDAP provisioning is an alternative when group-based filters are required or when user.mail and UPN cannot be aligned and SAML must identify users by email.
For SAML setup and username matching, see the Microsoft Entra ID page.
SCIM Provisioning
SCIM (System for Cross-domain Identity Management) is a standard protocol that Files.com uses to provision your users automatically from your Entra ID identity source. SCIM provisioning works only with the SAML-based integration, not with OAuth. Files.com offers many configuration options for SCIM provisioning, detailed in the Configuration Options section of our SCIM provisioning documentation.
When you enable SCIM provisioning and save your provider configuration, the SCIM Secret Token is generated automatically. Edit your provider to copy the Secret Token and enter it in Entra ID for SCIM provisioning setup.
In your Entra ID portal, navigate to Microsoft Entra ID -> Enterprise Applications -> Files.com. Under the Manage menu, select Provisioning, set the Provisioning Mode to Automatic, enter the SCIM API endpoint URL as https://app.files.com/api/scim, and set the Secret Token to the token you copied from Files.com above. Click Test Connection and wait for the confirmation message, then click Save to authorize and enable provisioning.
SCIM Token Expiration
The SCIM authentication token expires a year from the date you generated it. Site Administrators receive an alert email from Files.com before your SCIM token expires. You can extend the expiry date of the SCIM provisioning Secret Token in Files.com at any time. Edit your Entra ID provider's settings and enter a new date in the Token Expiration text box, or pick a new date from the date picker, and click Save.
To revoke the current token and get a new one, edit your Entra ID provider's settings and choose the Reset Token option. Save your provider configuration, and a new token is generated and available for you to copy from the Secret Token text box.
User Fields Mapping Between Entra ID and Files.com With SCIM Provisioning
When provisioning a user to Files.com via SCIM, Files.com maps the Entra ID User Principal Name to the Files.com username field and the Entra ID email address to the Files.com email field.
This mapping must align with the value Files.com receives during SAML login. If your Entra ID tenant uses different values for user.mail and UPN, review When UPN and Email Do Not Match before enabling SCIM.
Files.com combines First Name and Last Name into Full Name. When both are blank, the username is used as Full Name. Display Name and other fields from Entra ID are ignored.
Group Memberships
Entra ID SCIM provisioning runs as two separate operations. The User sync provisions user accounts but carries no group membership data. The Group sync runs independently and provisions group objects along with their member lists, placing users into their assigned groups. Group-based filters do not function with Entra ID SCIM provisioning because they evaluate group membership at User sync time, before that data has arrived.
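The following Python script is an added example, not Files.com code, that models the field mapping described under User Fields Mapping and the two-phase User sync / Group sync described above. The payload shapes follow the SCIM core schema (userName, name, emails, displayName, group members) with Entra ID's usual mapping of the User Principal Name to SCIM userName; the service-provider ids (u-1, u-2), the sample users and the group are constructed, and the sync model is a simplification that exists only to show why a group-based filter evaluated at User sync time sees no membership data.

```python
from dataclasses import dataclass, field


@dataclass
class FilesUser:
    scim_id: str   # id the service provider hands back on creation (constructed here)
    username: str
    email: str
    full_name: str
    groups: list = field(default_factory=list)


def map_scim_user(scim_id: str, scim_user: dict) -> FilesUser:
    """Apply the documented field mapping to one SCIM user resource.

    UPN (sent by Entra ID as SCIM userName) -> username, the primary email ->
    email, givenName + familyName -> Full Name with the username as fallback
    when both are blank. displayName and anything else is ignored on purpose.
    """
    username = scim_user["userName"]
    emails = scim_user.get("emails", [])
    candidates = [e["value"] for e in emails if e.get("primary")] or [e["value"] for e in emails]
    email = candidates[0] if candidates else ""
    name = scim_user.get("name", {})
    parts = [name.get("givenName", "").strip(), name.get("familyName", "").strip()]
    full_name = " ".join(p for p in parts if p) or username
    return FilesUser(scim_id=scim_id, username=username, email=email, full_name=full_name)


def saml_username_matches(user: FilesUser, saml_name_id: str) -> bool:
    """The SCIM-created username must equal what SAML sends at login; a tenant
    whose NameID is user.mail while SCIM sends the UPN fails this check."""
    return user.username.casefold() == saml_name_id.casefold()


def run_user_sync(scim_users: list) -> dict:
    """Phase 1, the User sync: accounts are created with no membership data."""
    return {f"u-{n}": map_scim_user(f"u-{n}", u) for n, u in enumerate(scim_users, start=1)}


def run_group_sync(store: dict, scim_groups: list) -> None:
    """Phase 2, the Group sync: group objects arrive with member lists that
    reference the ids assigned in phase 1, and users are placed in groups."""
    for group in scim_groups:
        for member in group.get("members", []):
            user = store.get(member["value"])
            if user is not None and group["displayName"] not in user.groups:
                user.groups.append(group["displayName"])


def in_allowed_group(user: FilesUser, allowed: set) -> bool:
    """An 'Only provision users in these groups' style filter. Under Entra ID
    SCIM it is evaluated during phase 1, when user.groups is still empty."""
    return any(g in allowed for g in user.groups)


# Constructed sample payloads, shaped like SCIM core-schema resources.
SCIM_USERS = [
    {"userName": "alice@corp.example",
     "name": {"givenName": "Alice", "familyName": "Ng"},
     "displayName": "Ng, Alice (Finance)",          # ignored by the mapping
     "emails": [{"value": "alice.ng@corp.example", "primary": True}]},
    {"userName": "svc-upload@corp.example",
     "name": {"givenName": "", "familyName": ""},   # blank -> username used as Full Name
     "emails": [{"value": "svc-upload@corp.example", "primary": True}]},
]
SCIM_GROUPS = [{"displayName": "Finance", "members": [{"value": "u-1"}]}]


def demo() -> dict:
    """Run both phases and report what a group filter would see at each point."""
    store = run_user_sync(SCIM_USERS)
    alice, svc = store["u-1"], store["u-2"]
    seen_at_user_sync = in_allowed_group(alice, {"Finance"})
    run_group_sync(store, SCIM_GROUPS)
    seen_after_group_sync = in_allowed_group(alice, {"Finance"})
    return {
        "alice_full_name": alice.full_name,
        "alice_email": alice.email,
        "svc_full_name": svc.full_name,
        "filter_at_user_sync": seen_at_user_sync,
        "filter_after_group_sync": seen_after_group_sync,
        "alice_groups": list(alice.groups),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The sample deliberately gives Alice a UPN (alice@corp.example) that differs from her mail attribute (alice.ng@corp.example): saml_username_matches shows that a SAML NameID built from user.mail would not find the account SCIM created from the UPN, which is the situation the When UPN and Email Do Not Match guidance addresses.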
Just-In-Time (JIT) Provisioning
JIT Provisioning creates a user record on Files.com when that user logs in successfully for the first time. This method is simpler to set up than SCIM, but it has one major limitation when used with Entra ID.
Entra ID sends group identifiers (object IDs) in the SAML assertion rather than group names. Users are therefore provisioned with a list of groups whose names appear as UUIDs (long strings of characters). These groups work, but they are not easily understood.
Some customers use our API to retroactively rename those groups, but this is not a clean solution. We strongly recommend SCIM provisioning instead when you need to provision group memberships from Entra ID.
This is a limitation of Entra ID itself, not Files.com. JIT Provisioning works correctly on Files.com for other SAML providers, including Okta, Auth0, and OneLogin.
JIT Provisioning works when your Entra ID users are not members of any groups, or when you disable group provisioning via SAML.
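As an added example (not Files.com code), the script below helps an administrator audit the JIT limitation described above: it checks whether the group values in a SAML assertion are object-ID-shaped UUIDs, and builds a UUID-to-display-name rename plan from a lookup table the administrator has exported from Entra ID. The claim name is the standard Entra ID groups claim URI; the assertion values and the export table are constructed, and the script only prepares the plan, it does not call any Files.com API.

```python
import re

# Canonical dashed UUID form, which is how Entra ID group object IDs appear.
OBJECT_ID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Standard Entra ID SAML group claim name; the values below are constructed.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
SAMPLE_ASSERTION_ATTRIBUTES = {
    GROUPS_CLAIM: [
        "3f2504e0-4f89-11d3-9a0c-0305e82c3301",
        "9b1deb4d-3b7d-4bad-9bdd-2b0d7b3dcb6d",
    ],
}


def is_object_id(value: str) -> bool:
    return bool(OBJECT_ID_RE.match(value))


def classify_group_values(attributes: dict) -> tuple:
    """Split the group values carried by the assertion into object-ID-shaped
    values and readable names. With Entra ID, expect the first list to be full
    and the second empty; those UUIDs become the group names in Files.com."""
    values = attributes.get(GROUPS_CLAIM, [])
    ids = [v for v in values if is_object_id(v)]
    names = [v for v in values if not is_object_id(v)]
    return ids, names


def rename_plan(provisioned_group_names, object_id_to_display_name: dict) -> tuple:
    """Map each UUID-named group to its Entra ID display name. The lookup table
    is something the admin exports from Entra ID (constructed here); IDs with
    no entry are reported so nobody renames a group blindly."""
    lookup = {k.lower(): v for k, v in object_id_to_display_name.items()}
    plan, unresolved = {}, []
    for name in provisioned_group_names:
        if not is_object_id(name):
            continue
        target = lookup.get(name.lower())
        if target:
            plan[name] = target
        else:
            unresolved.append(name)
    return plan, unresolved


# Constructed export: object ID -> display name, as an admin would pull from Entra ID.
ENTRA_GROUP_EXPORT = {"3f2504e0-4f89-11d3-9a0c-0305e82c3301": "Finance"}

if __name__ == "__main__":
    ids, names = classify_group_values(SAMPLE_ASSERTION_ATTRIBUTES)
    print("object-id groups:", ids, "readable groups:", names)
    print(rename_plan(ids, ENTRA_GROUP_EXPORT))
```

Running it shows one group resolving to Finance and one left unresolved, which is the kind of gap that makes retroactive renaming messy and is why SCIM provisioning is the recommended route when group memberships must come from Entra ID.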
LDAP Provisioning
LDAP provisioning lets you use your LDAP directory as the sync source for user and group provisioning while Entra ID continues to handle authentication. Files.com reads group membership directly from your LDAP directory on an hourly schedule and uses that data to provision and deprovision users and groups in Files.com.
LDAP provisioning is configured directly on your existing Entra ID integration. You do not need to create a separate LDAP integration for provisioning. Both the Entra ID authentication configuration and the LDAP provisioning configuration are managed from the same place.
Use LDAP provisioning when you need group-based whitelist or blacklist filters to control which users are provisioned into Files.com. These filters evaluate group membership data that Entra ID does not include in its SCIM User sync, so they cannot function with SCIM or JIT provisioning. LDAP provisioning also works well when your Entra ID tenant uses different values for user.mail and UPN and SAML must continue identifying users by email.
The following fields are required to connect Files.com to your LDAP directory for provisioning:
| Field | Details |
|---|---|
| LDAP Host | The fully qualified domain name (FQDN) or IP address of your LDAP server. You can add a backup host that Files.com uses when the primary host is unreachable. |
| LDAP Server Type | The type of LDAP directory. Supported options are Active Directory and OpenLDAP. |
| LDAP Port | The port used to connect to your LDAP server. |
| Secure Connection | When enabled, Files.com connects using LDAPS, which encrypts communication with SSL/TLS. We recommend enabling this. |
| LDAP Username Field | The LDAP attribute used to match users to Files.com accounts. sAMAccountName is the default. Use userPrincipalName if your organization requires it. |
| LDAP Username | The service account username Files.com uses to connect to your LDAP server. |
| LDAP Password | The password for the LDAP service account. |
| Distinguished Name · Base Search Path | The distinguished name where Files.com starts searching the LDAP directory. For example: CN=Users,DC=mydomain,DC=local. |
| LDAP Domain | The domain suffix appended to usernames in Files.com. For example, mydomain.com creates usernames as user@mydomain.com. |
Files.com offers additional configuration options for LDAP provisioning. These include the group-based whitelist and blacklist filters Only provision users in these groups, Only provision these groups, and Exclude these groups from provisioning, all of which evaluate the LDAP-synced group membership data.
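The script below is an added example, not Files.com code, that models the LDAP provisioning settings from the table above and works through what one hourly sync would provision from a small constructed directory: usernames are formed from the LDAP Username Field plus the LDAP Domain, only entries under the Base Search Path are considered, and the three group filters are applied to the synced memberOf data. The exact semantics of the three filters are an assumption stated in the code; the directory entries, host name and configuration values are constructed, and the port checks use the standard LDAP (389) and LDAPS (636) ports.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LdapProvisioningConfig:
    host: str
    port: int
    secure: bool                 # Secure Connection: LDAPS
    username_field: str          # sAMAccountName (default) or userPrincipalName
    base_dn: str                 # Distinguished Name / Base Search Path
    domain: str                  # LDAP Domain, appended to form user@domain
    only_users_in_groups: frozenset = frozenset()   # Only provision users in these groups
    only_these_groups: frozenset = frozenset()      # Only provision these groups
    exclude_groups: frozenset = frozenset()         # Exclude these groups from provisioning


def config_warnings(cfg: LdapProvisioningConfig) -> list:
    """Pre-flight checks worth running before saving the integration."""
    warnings = []
    if not cfg.secure:
        warnings.append("Secure Connection is off: credentials and directory data travel in clear text")
    if (cfg.secure and cfg.port == 389) or (not cfg.secure and cfg.port == 636):
        warnings.append(f"port {cfg.port} does not match the Secure Connection setting (389 plain, 636 LDAPS)")
    return warnings


def group_cn(group_dn: str) -> str:
    """First RDN of a group DN, e.g. 'CN=Finance,OU=Groups,...' -> 'Finance'."""
    return group_dn.split(",", 1)[0].split("=", 1)[1]


def in_base(entry_dn: str, base_dn: str) -> bool:
    return entry_dn.lower().endswith("," + base_dn.lower())


def files_username(entry: dict, cfg: LdapProvisioningConfig) -> str:
    value = entry[cfg.username_field]
    # userPrincipalName already carries a domain suffix; sAMAccountName does not
    return value if "@" in value else f"{value}@{cfg.domain}"


def plan_sync(directory: list, cfg: LdapProvisioningConfig) -> dict:
    """Decide which users and groups an hourly sync would provision.

    Filter semantics as modelled here (an assumption, not Files.com's spec):
    - only_users_in_groups: the user must belong to at least one listed group;
    - only_these_groups: only listed groups are created;
    - exclude_groups: the group is not created and its memberships are dropped.
    """
    users, skipped, groups = [], [], {}
    for entry in directory:
        if not in_base(entry["dn"], cfg.base_dn):
            continue                      # outside the Base Search Path, never seen
        member_of = {group_cn(dn) for dn in entry.get("memberOf", [])}
        username = files_username(entry, cfg)
        if cfg.only_users_in_groups and not (member_of & cfg.only_users_in_groups):
            skipped.append(username)
            continue
        users.append(username)
        for g in sorted(member_of):
            if g in cfg.exclude_groups:
                continue
            if cfg.only_these_groups and g not in cfg.only_these_groups:
                continue
            groups.setdefault(g, []).append(username)
    return {"users": users, "skipped": skipped, "groups": groups}


# Constructed directory entries (Active Directory style attributes).
DIRECTORY = [
    {"dn": "CN=Alice Ng,CN=Users,DC=mydomain,DC=local",
     "sAMAccountName": "ang", "userPrincipalName": "alice@mydomain.com",
     "memberOf": ["CN=Finance,OU=Groups,DC=mydomain,DC=local",
                  "CN=All Staff,OU=Groups,DC=mydomain,DC=local"]},
    {"dn": "CN=Bob Lee,CN=Users,DC=mydomain,DC=local",
     "sAMAccountName": "blee", "userPrincipalName": "bob@mydomain.com",
     "memberOf": ["CN=All Staff,OU=Groups,DC=mydomain,DC=local"]},
    {"dn": "CN=Contractor,OU=External,DC=mydomain,DC=local",   # outside the base DN
     "sAMAccountName": "ctr1", "userPrincipalName": "ctr1@mydomain.com",
     "memberOf": ["CN=Finance,OU=Groups,DC=mydomain,DC=local"]},
]

CONFIG = LdapProvisioningConfig(
    host="ldap.mydomain.local", port=636, secure=True,
    username_field="sAMAccountName", base_dn="CN=Users,DC=mydomain,DC=local",
    domain="mydomain.com",
    only_users_in_groups=frozenset({"Finance"}),
    exclude_groups=frozenset({"All Staff"}),
)

if __name__ == "__main__":
    print(config_warnings(CONFIG))
    print(plan_sync(DIRECTORY, CONFIG))
```

With this configuration only ang@mydomain.com is provisioned, Bob is skipped because he is not in Finance, the contractor is never seen because the entry sits outside the Base Search Path, and All Staff is neither created nor applied as a membership. Note that a too-narrow base DN silently drops users, so the skipped list and the count of entries under the base are the first things to compare when a user fails to appear after a sync.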
If LDAP provisioning repeatedly fails, Files.com automatically disables LDAP provisioning for that integration. The Entra ID integration remains enabled, so users continue to authenticate through Entra ID without interruption.
For LDAP connection prerequisites, firewall requirements, and troubleshooting, see LDAP/Active Directory SSO.