Overview
M365 is a web-based system that allows the user to access and share files and information. To integrate CAM with M365, the M365 cloud servers must be configured here. You can add and manage multiple M365 servers, define the group name rules to be applied, and the default metadata mapping. The following instructions describe how to configure M365 and CAM for team building and provisioning through the CAM and CAM Team app.
Pre-requisites
The M365 tenant must be set up with at least a P1 license.
The user completing the initial configuration must be an M365 Administrator and have access to the admin and Azure Active Directory pages in M365.
The service account that CAM will use should have a Teams license if using MS Teams, or a Planner license if using MS Planner.
Note: If the “Skype Token Renewal Failed.” error is displayed on CAM, ensure the user or service account has a Microsoft Teams license.
Azure & CAM Integration Notes
Note: As of January 30, 2021, Azure does not allow custom token expiry settings. Token expiry is instead governed by the conditional access policies that are configured. This requires at least a P1 license. See the Microsoft link here.
Service Account Permissions
Service Account/Token User
For creating teams in MS Teams, you must have a service account in M365, and this account must have the permissions/roles listed in the following table.

Service Account Permissions (Roles) | Reason
---|---
Application Administrator | Needs to be assigned for generating the token. Can be removed afterwards.
Microsoft Team Administrator | For creating and using team, channel, folder, tab, planner tab.
User Administrator | For user administration in a team for the addition or removal of users.

When a team is created, by default, the service account is the owner of the team.
Planner User
To create and use the Planner tab in Teams, the delegated / service account user must be a member of the team.
To create a team, you must have a team owner. Because of this requirement, you need an additional service account so that you can switch to it to create a planner.
An Application Administrator role is not needed for this additional account.
Note: If you plan to create a planner, refer to Step 4: Setting Service Account Permissions for the use of Microsoft Planner in Teams.
Setting up M365
CAM App Registration
This process allows adding the CAM App (by Litera) via the Azure Active Directory. Users/organizations can be imported to the Teams app once the registration completes. For iManage M365 App Proxy, see iManage.
Note: The following details are required when configuring M365 in CAM using External System Configuration:
Click Register to register the Add-in. The system will show a successfully created message with the information created. Save the retrieved information (client id and client secret), since you will need it in the next step and when entering the M365 configuration setup.
On the App Registration page, click into the app and find the Application ID and Directory (Tenant) Id fields.
Save this information in Notepad. The Application ID and Directory (Tenant) Id fields will be used when completing the M365 configuration panel in CAM later in the process.
Click on the Certificates and Secrets page in the left hand menu.
12. In the Client Secret section, click New client secret, enter a description and select an expiry length. Save the Value in Notepad. You will need to put this into the Application Password field in the Office 365 Configuration panel in CAM later in the process.
Redirect Endpoint URIs
Redirect Endpoint URIs are as follows. Staging/Production URLs are used for CAM to connect to Office 365; select the staging or production URIs based on the environment you are setting up. If you are using the CAM Teams app, the Microsoft Office 365 URIs are also required: they allow access to the documents a user has access to in Teams, or to all shared documents in Teams/SharePoint/OneNote/OneDrive.

Domain | Region | URI
---|---|---
Staging | |
Production | APAC (ap-southeast-1) |
Microsoft Office 365 | UK |
Microsoft Office 365 | EU | https://camteamapp.prosperowaredev.eu/team/euprod/web/auth-end.html
Microsoft Office 365 | APAC | https://camteamapp.camapac.com/team/apacprod/web/auth-end.html

Step 2. Setting Microsoft Graph Permissions in M365 for the CAM App
Microsoft Graph Permissions in M365
The following permissions will need to be enabled in the Azure Portal.
1. Go to "Azure Active Directory".
2. Click on "App registration" in the left side bar.
3. Select the registered app.
4. Click on "API permissions" in the left side bar.
5. To configure new permissions, click on "+ Add a permission".
6. Select "Microsoft Graph".
7. Now add the Delegated and Application permissions provided below.
8. Click on "Add permissions" and select "Grant admin consent for <global admin user>".

Required Permissions to Create or Manage Teams

Permission | Type | Operation | Description
---|---|---|---
 | Application | Create/Edit Group, Team, Channel; Set Group Owner; Delete Group | Used for creating and editing Groups, Teams, Channels, Planners, and SharePoint folders. Allows setting the group owner. Allows deleting groups.
User.ReadWrite.All | Application | Create/Edit/Delete User | Used for creating, editing and deleting users. You cannot delete a user without the Global Admin or User Admin role.
 | | Create/Edit Group memberships | Used for creating or modifying group memberships for groups.
Files.ReadWrite.All | Application (can be Delegated) | |
ChannelMember.ReadWrite.All | Application | Add Channel Members | Used for assigning and reassigning team channel members.
user_impersonation (APIs my organization uses -> Microsoft Teams Services) | Delegated | Have full access to the Team service. | Needed for private channel creation; the SharePoint site won’t get created without this. This is a Request API Permission, not a Graph Permission, found under "APIs my organization uses". Find the permission under: Microsoft Team Chat Aggregator, Microsoft Teams Service, Microsoft Teams Graph Service.
Optional Permissions
These permissions are optional and can be added based on your firm’s usage of CAM.

Permission | Type | Operation | Description
---|---|---|---
 | | Read Team Members within the CAM Teams app |
Files.Read.All | Delegated | Read Documents |
 | | OneNote | Read and write all OneNote notebooks and use OneNote in Teams.
User.Invite.All | Application | Adding/Inviting external users to team and channel | Invite guest/external users to the Teams organization.
 | | Read Mail | Used for reading mail and visualizing the Calendar tab in the CAM Teams App.
Calendars.Read | Application | Read Calendar | Used for reading and visualizing the Calendar tab in the CAM Teams App.
User.Read.All | Application | Read Directory | Used for reading and visualizing the Directory (Person) tab in the CAM Teams App.
 | | | Used to get custom app details from the app store.
Private Channel
CAM uses Azure AD - Microsoft Graph API - to access resources in M365 to create Groups and Teams. When you create a private channel, it has its own SharePoint site collection. The separate site collection ensures that access to the private channel's files is restricted to members of the private channel, unlike the team site, where team owners have access to all the assets within the site collection. According to Microsoft documentation, the site collection created for a private channel is not visible in the SharePoint admin center unless someone manually clicks on the Files tab in Teams; the SharePoint site then becomes available within 1-2 minutes, or almost instantly. To trigger the click event on the Files tab, CAM needs the Microsoft native API permission, which can be added by following these steps:
10. Click Save.
11. Now click on API permissions on the left bar.
12. On the right side, scroll down to the end.
13. Under "Microsoft Teams Services (1)", it will list user_impersonation under Microsoft Teams Services, with status "Not granted for <global admin user>".
14. In order to provide admin consent, scroll to the top of the page and click Grant admin consent for <global admin user>.
15. A confirmation message pops up; select “Yes” to add the other granted permissions to the configured permissions.
Snapshot of Manifest
Service Account Permission - Use Planner in Teams
Note: If you would like to have Microsoft's Planner app within MS Teams, refer to Microsoft’s Planner app documentation. To be able to create the Planner tab in Team Channels, Microsoft requires that a delegated / service account user be created and be a member of the team. However, to build a team, there must be an appointed owner. Because of this requirement, you need an additional service account so that you can switch to it to create a planner.
Configuration in CAM Planner
Follow these steps to create a Planner inside a Channel.
Note: Microsoft has a restriction that only group members can access Planners. As group owners cannot access Planners, you need an additional service account (a group member) to create a Planner. Token roles can be assigned to group members while creating a planner. After a group member creates the Planner, the token role can be reassigned to the owner. A token role is assigned to a group member so that the group member is able to receive the token and approve the creation of planners.
Connecting M365 with the CAM Platform
To add a New M365 Connection to the CAM Platform
If you have not gathered the clientid/client secret already, please follow the step below.

Field | Description
---|---
Is Default | Select Yes to set as the default external system.
Dynamic Group | Select Yes to create a dynamic group in the Office 365 workspace. Selecting this option will allow you to add multiple users to the security list of the workspace. Read dynamic groups for more details on creating the group and adding users to it.
Default Matter Container | Select the value from the drop down list. The accepted values are Group, Teams and Channel.

M365 Role Mapping
1. Click Edit Configuration in the Office 365 external System Configuration.
2. At the bottom, select the CAM Roles. Map them to the Office 365 role permissions: Member, Owner.
3. Click Save.
The configured O365 Authentication(s) displayed in the Office365 tab are as follows:

Column Name | Description
---|---
Name | The Office 365 configuration name entered above. Hover your cursor over the name to view the Office 365 URL.
Token | Token generated on successful login to Office 365.
Last Refreshed | The date and time of the last update.
Is Default | Updated based on the selection made during configuration. The selection sets whether the record will be the primary default Office 365 system.
Dynamic Group | Updated based on the selection made during configuration. The selection sets whether the groups will be dynamic or fixed.
Updated By | Name of the user who was logged in when the change was made.
Action | Click Edit to edit the configuration set up. The Office 365 - Edit window is displayed. Make the necessary changes and click Update. Click Delete to remove the setup.
Metadata
SharePoint Resource
This string is used to connect CAM directly with SharePoint, distinguishing it from a connection to Teams. SharePoint is the document and data storage platform for Teams, but CAM can also create SharePoint sites that don't have Teams.
The SharePoint Resource is comprised of three values:
1. The resource string: 00000003-0000-0ff1-ce00-000000000000. Note that the resource string is the same for all systems.
2. Office365TenantId.sharepoint.com, for example tenantsite.sharepoint.com or company_name.sharepoint.com.
3. The value entered in the Directory (Tenant) Id field above in the table.
Info: If the Azure AD tenant is set for single tenant mode only, the SharePoint resource string does not require the @directory_or_tenant_id component, but it never hurts to include it.
The information must be entered in the format 00000003-0000-0ff1-ce00-000000000000/office365TenantId.sharepoint.com@Directory (Tenant) Id
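As an added example (not Litera's or CAM's own code), the following Python assembles the SharePoint Resource string in the format above from its three components and parses an entered one back, rejecting a wrong resource id, a host that is not *.sharepoint.com, or a malformed Directory (Tenant) Id; the tenant host and tenant id values used in the checks are constructed samples.

```python
"""Build and check the CAM SharePoint Resource string (added example, not Litera code).

Format from the page:  <resource id>/<tenant>.sharepoint.com@<Directory (Tenant) Id>
The '@<tenant id>' suffix may be omitted for a single-tenant Azure AD.
"""
import re
import uuid

# Fixed SharePoint Online resource id quoted on the page; identical for every tenant.
SHAREPOINT_RESOURCE_ID = "00000003-0000-0ff1-ce00-000000000000"

# The tenant host must be the *.sharepoint.com name, e.g. tenantsite.sharepoint.com
_HOST_RE = re.compile(r"^[a-z0-9][a-z0-9_-]*\.sharepoint\.com$", re.IGNORECASE)


def is_guid(value: str) -> bool:
    """True when value is a canonical hyphenated GUID, the form Azure AD tenant ids take."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except ValueError:
        return False


def build_sharepoint_resource(tenant_host: str, directory_id: str = "") -> str:
    """Assemble the resource string, validating each component before joining.
    directory_id may be empty for a single-tenant Azure AD (see the Info note)."""
    host = tenant_host.strip().lower()
    if not _HOST_RE.match(host):
        raise ValueError(f"not a *.sharepoint.com host: {tenant_host!r}")
    if not directory_id:
        return f"{SHAREPOINT_RESOURCE_ID}/{host}"
    if not is_guid(directory_id):
        raise ValueError(f"Directory (Tenant) Id is not a GUID: {directory_id!r}")
    return f"{SHAREPOINT_RESOURCE_ID}/{host}@{directory_id.lower()}"


def parse_sharepoint_resource(value: str) -> dict:
    """Split an entered resource string into its parts; rejects a wrong resource id
    (a common copy/paste slip in this field), a non-SharePoint host, or a bad tenant id."""
    resource_id, _, rest = value.strip().partition("/")
    if resource_id.lower() != SHAREPOINT_RESOURCE_ID:
        raise ValueError(f"resource id must be {SHAREPOINT_RESOURCE_ID}, got {resource_id!r}")
    host, _, directory_id = rest.partition("@")
    if not _HOST_RE.match(host):
        raise ValueError(f"not a *.sharepoint.com host: {host!r}")
    if directory_id and not is_guid(directory_id):
        raise ValueError(f"Directory (Tenant) Id is not a GUID: {directory_id!r}")
    return {"resource_id": SHAREPOINT_RESOURCE_ID, "host": host.lower(),
            "directory_id": directory_id.lower() or None}


def is_valid_sharepoint_resource(value: str) -> bool:
    """Convenience check for a form field: True only if parse_sharepoint_resource accepts it."""
    try:
        parse_sharepoint_resource(value)
        return True
    except ValueError:
        return False
```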
SharePoint Client Id
Go to: https://tenantname-admin.sharepoint.com/_layouts/15/appregnew.aspx
Fill out the form to register a new App. Copy the Client Id and enter it into the SharePoint Client Id field.
Format: 2f1af3fc-74b2-4825-b355-591f0abcd3fd
SharePoint Client Secret
Enter the Application Password (entered earlier in the Application Password field above). Application password = client secret.
Additional Service Account
For the Microsoft Planner tab, create a new user in Office365 and provide an email address. This account should be any account other than the Token user. It can be any user with no specific requirement.
App Permissions
This will set permissions for SharePoint to work with CAM using an app principal.
1. Before setting these permissions up, get the clientid/secret and appid.
2. Click Generate. This will generate the IDs.
3. Go to the following URL edited for your tenant: https://tenantname-admin.sharepoint.com/_layouts/15/appinv.aspx
4. Set the required permissions as defined in the tables above. Use the clientid and secret from the Step 1 App Registration section, or from the ClientId step here if you have not done Step 1.
5. Add the following into the App Permission XML section:

```xml
<!-- App-only policy with FullControl over the whole tenant: the client secret behind this
     principal carries the same reach, so store and rotate it as you would an admin credential. -->
<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
</AppPermissionRequests>
```

6. Continue with the Get Token step.
Get Token
Click the Get Token button to log in to the Office 365 URL specified above. On successful login, the token is displayed here.
Note: The default validity of the refresh token is 90 days, which means the customer has 90 days until they need to generate a new token. An organization can extend the refresh token validity using PowerShell scripts. For more details on configuring the refresh token, refer to the following links: Customers will need to set a reminder for themselves to re-authenticate the token after the designated token expiration date.
M365 Role Mapping
The configured O365 Authentication(s) displayed in the M365 tab are as described in the table above.
Editing an Existing Configuration
Group Name Rules
Define the M365 group name rules and format to be applied.
The configured group name rule(s) display in the table with the following columns:
Metadata Mapping
Map the metadata for the M365 group with these steps.
The completed metadata displays in the following columns in the table:
M365 - Add Guest Account
Guest Accounts can be created in CAM for M365. If creating guest accounts externally, there are no password requirements, but a password can be set, as the user is created temporarily without a profile. Invite Guest Users from Request Workflow -> Default Security, or upload a CSV.
M365 - User Default Password
When creating users, a default password can be set. How to create a default password:
in M365.
CAM Microsoft Teams app
Read the Teams page for more information on how to install the CAM Teams app, the required permissions, and creating Teams, Channels, OneDrive, OneNote and Planner, as well as how to access the CAM application from Teams.
Teams and Content Mover
Read the Content Mover page for more information on how to use Content Mover to move, copy or link Teams, Channels and Tabs to a DMS system, with examples.
Teams and Template Editor
To use Template Editor to create Channels, Tabs and Teams, read here for steps.
Note: The job will not show as errored if a user is missing from CAM during the Create Team/Tab or Channel process. The error is only recorded in the job's log.
Availability of SharePoint Sites
While configuring M365 with CAM, there is now an option to make archived SharePoint sites read-only for Team Members.
1. In the Teams app, find a team you want to archive.
2. Click the Archive button from the app menu.
3. The option to make the team read only now displays; select it if you want the team read only for all team members. Click Archive to complete.
Troubleshooting
If you encounter any error while creating a team, check the following to ensure your team is created correctly:
The Service Account/Token user and Planner user have the correct permissions. Refer to the Service Account Permissions section to verify this.
Log into Teams as the Service Account/Token User and/or Planner User and check whether you can create a team. If you are still not able to create a team, liaise with your IT or Security Team and have them check whether any internal policies set outside of CAM and MS Azure are affecting this user.
The Teams app has the correct Application and Delegated permissions. Refer to the Microsoft Graph Permissions in M365 section to verify this.
Related Topics
M365 (CSV Parameter) | M365 Groups | M365 Users | CAM within M365 Team Apps